[SystemSafety] EUROCAE document 039/ ED-80

Bridal Olof Olof.Bridal at volvo.com
Tue Oct 14 15:12:03 CEST 2014


Peter,

It feels a bit awkward to have this discussion with you since you are one of the few people who actually understand the definition of SIL in IEC 61508. In fact, we agree a lot more than you might think.

About your statement "a SIL is a safety function reliability condition and does not depend in any way on the severity of the hazard it is intended to mitigate", I have no problem with the "reliability condition" part but disagree with "does not depend in any way on the severity".

For example in IEC 61508-1, clause 7.5.2.3 we find "a target safety integrity requirement shall be determined that will result in the tolerable risk being met". Since risk is defined as a combination of the probability and severity of harm, I think it is clear that the severity *does* influence the target safety integrity requirement and thus the required SIL. A safety function intended to prevent the occurrence of very severe consequences will typically be assigned a higher SIL than a safety function that is intended to prevent less severe consequences, all other things being equal.

Taking the on-demand case as an example, let's say that we are worried about some particular potential harm of severity S. The actual risk can be expressed as the combination (P1*P2,S) where P1 is the occurrence probability of the hazard that the safety function is intended to mitigate and P2 is the safety function's on-demand probability of failure. The tolerable risk with respect to the considered potential harm may similarly be expressed as (P3,S). In order to meet the tolerable risk we now have to make sure that P2 < P3/P1 and this simple inequality will be the basis for the determination of the SIL which of course is a discretized representation of P2. It may seem like P3/P1 is independent of S but that is not true since P3 depends on S! As previously stated, the combination (P3,S) represents the tolerable risk and it should be clear that the higher the S, the lower the P3 has to be in order to be 'tolerable'.

But you are of course right in that once the required SIL has been determined and documented somewhere, it does not in itself provide any information about the severity (or the probability for that matter) of the potential harm.

/Olle
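The inequality P2 < P3/P1 worked through in code, as an added illustration that is not part of Olle's message or of IEC 61508 itself. The PFD bands are the low-demand-mode bands of IEC 61508-1 Table 2; the per-severity tolerable probabilities P3 (TOLERABLE_P3_BY_SEVERITY) and the function names are constructed for this example, since the standard leaves the choice of tolerable risk to the user.

```python
# IEC 61508-1 Table 2, low-demand mode: average probability of dangerous
# failure on demand (PFD) per SIL, lower bound inclusive, upper bound exclusive.
SIL_PFD_BANDS = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]

# Constructed illustration of "the higher the S, the lower the P3 has to be".
# These are NOT values from the standard; a real project derives them from its
# own tolerable-risk criteria.
TOLERABLE_P3_BY_SEVERITY = {
    "minor": 1e-2,
    "serious": 1e-3,
    "fatal": 1e-4,
    "catastrophic": 1e-5,
}


def required_pfd_bound(p1, p3):
    """Upper bound on P2 that follows from P1 * P2 < P3."""
    if not (0 < p1 <= 1 and 0 < p3 <= 1):
        raise ValueError("P1 and P3 must be probabilities in (0, 1]")
    return p3 / p1


def sil_for_pfd_bound(p2_max):
    """Discretise the required PFD bound into a SIL (the band containing it).

    Returns 0 when the bound is at or above 0.1 (no SIL is required) and None
    when it lies below the SIL 4 band, i.e. a single safety function cannot
    carry the requirement and the risk reduction has to be revisited.
    """
    if p2_max >= 1e-1:
        return 0
    for sil, low, high in SIL_PFD_BANDS:
        if low <= p2_max < high:
            return sil
    return None


def required_sil(p1, severity):
    """SIL required for a hazard with occurrence probability P1 and severity S."""
    p3 = TOLERABLE_P3_BY_SEVERITY[severity]
    return sil_for_pfd_bound(required_pfd_bound(p1, p3))


def sil_by_severity(p1):
    """Same hazard probability P1, every severity class: shows S entering via P3."""
    return {s: required_sil(p1, s) for s in TOLERABLE_P3_BY_SEVERITY}
```

Running `sil_by_severity(0.2)` gives a different SIL for each severity class even though P1 and the safety function are unchanged, which is exactly the dependence on S that the post argues for.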

-----Original Message-----
From: systemsafety-bounces at lists.techfak.uni-bielefeld.de [mailto:systemsafety-bounces at lists.techfak.uni-bielefeld.de] On Behalf Of Peter Bernard Ladkin
Sent: 14 October 2014 1:29
To: systemsafety at lists.techfak.uni-bielefeld.de
Subject: Re: [SystemSafety] EUROCAE document 039/ ED-80

Olle,

On 2014-10-14 11:47 , Bridal Olof wrote:
> .... I don't fully agree with the statement that "a SIL is a safety function reliability condition and does not depend in any way on the severity of the hazard it is intended to mitigate".
> 
> Part 5 of IEC 61508, and particularly its appendixes C-G, clearly show that the potential "consequence" (i.e. degree of injury) of a hazard is an important factor in the determination of the *required* SIL for the safety function.

I think it wise to distinguish between what is normative, and what is informative only. The
definition of SIL in Part 1 (Clause 7.6) is normative. That normative process makes no reference to
severity per se, with one exception:

Clause 7.6.2.11 says that if something gets SIL 4 designation then (part a) ) you must consider
whether this designation can be avoided, by considering additional risk-reduction measures,
including specifically considering whether severity can be reduced or likelihood can be reduced.

The examples, and examples of methods, in Part 5 are informative. That means, taken literally, that
it is entirely up to you whether you follow or not, that is, add in particular consideration of
severity or not. Obviously, considering severity is a particular part of considering risk, but it is
the overall risk that the normative part addresses, not severity per se.

This may seem legalistic to some, but my general view of matters is that clarity of concept is
important. Otherwise people (lots of them, in my experience) are going to think, for example, that
SILs and DALs are essentially the same kind of thing. The concept of assigning something a
reliability condition based on (overall) risk, and assigning something a criticality (which is what
I call a measure based on severity) are two different things, because risk and severity are not the
same thing (although one is a component of the other).

As Bertrand says, in practice the two get mushed together. The same might be said of the entire
documentation of which IEC 61508 consists, and I can't think the standard is better for it.

PBL

Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany
Tel+msg +49 (0)521 880 7319  www.rvs.uni-bielefeld.de




_______________________________________________
The System Safety Mailing List
systemsafety at TechFak.Uni-Bielefeld.DE