
Dr David J. Smith BSc, PhD, CEng, FIEE, FIQA, HonFSaRS, MIGasE

RELIABILITY & RISK ASSESSMENT
SAFETY INTEGRITY
TRAINING COURSES

26 Orchard Drive, Tonbridge, Kent, TN10 4LG.
Tel: 01732 352532
Fax: 01732 360018
[email protected]
www.technis.org.uk

AN OPEN PAPER

IEC 61508 AND RELATED GUIDANCE: USES AND ABUSES

DAVID J SMITH

THE BACKGROUND TO FUNCTIONAL SAFETY

For over fifteen years the IEC 61508 guidance has spawned a raft of industry specific
documents disseminating much the same theme. The effect has been to outline the major
aspects of targeting and assessing risk and to radically enhance the awareness of this branch
of engineering. It is now almost unheard of for a major project not to include the
identification of hazards and the subsequent risk engineering activities called for in the above
guidance. This has led to risk targets (usually misleadingly referred to as SILs) being
placed on most of the elements of the supply chain from the systems integrators down to the
suppliers of equipment and instrumentation.

On the plus side there is now almost universal attention to safety integrity and a widening of
assessment to encompass non-quantitative as well as quantitative factors. Cost is seen in
better perspective due to the application of the ALARP principle and there is a wider
availability of quantification tools.

On the negative side there is an obsession with the SIL word without understanding its
limited meaning as a metric for the application of non-quantitative assessment. There has
been a dumbing down of targeting methodology to enable all and sundry to have a go.
This seems strange when all other branches of engineering recognise the role of the
specialist to whom the calculations are entrusted. Not so with safety integrity. Certification
and the application of SIL targets are often taken to too low a level, such that bells and
buzzers are procured with integrity targets. Also there is a frequent lack of focus in the
choice of rigour, which leads to the paragraph by paragraph mentality of addressing each and
every statement in a standard with equal rigour, thus losing sight of priorities.

DESIRABLE OUTCOMES

Universal attention to safety integrity
Prior to the development and publication of IEC 61508 quantified risk assessments were
carried out in many industries. They involved the methods and tools described in the text
books of that time and, in some cases, made use of in-house guidance and procedures.

The motivation for this work was to some extent voluntary and driven by realisation, within
an industry or organisation, that potentially hazardous events required analysis and
prediction leading to some visible attempt at mitigation.

Following Flixborough (1974) and Seveso (1976) various aspects of legislation and guidance
(Reference 1) provided additional impetus culminating in the CIMAH (later COMAH)
regulations in the UK. However, those regulations apply only to major industrial hazards
and not the vast range of industrial product areas and applications. IEC 61508 (2000 and
now 2010 version) has become so widely known that it is now rare for a product or process
not to involve functional safety issues. Hazards are routinely identified, targets are set and
assessments carried out to establish if those targets are met.

Widening of assessments to encompass non-quantitative factors
Earlier assessments did not always involve establishing a target (i.e. risk of fatality) such that
the assessment result could be deemed satisfactory or otherwise.

Furthermore, assessments were largely quantitative. That is to say they predicted the
frequency of the event in question using available component failure rate data. Whilst this
might have been an adequate approach in the 1970s and early 1980s it has long been
understood that such an assessment of random hardware failures alone represents only
part of the picture. The growth of complexity over the last 3 decades has led to the
dominance of systematic failures which cannot be predicted and assessed by quantitative
techniques alone. IEC 61508 has established and codified the need for a raft of techniques
and measures, throughout the lifecycle, to minimise these systematic failures.

Awareness of human factors
A particular benefit, which has arisen from the last 25 years work in this area, is the
understanding of the role of human factors in major incidents. A mass of empirical human
error data has led to robust prediction models and the limitation of the degree of risk
reduction claimed by manual responses to alarms.

Understanding of cost limitations (e.g. ALARP)
Although only covered as guidance in IEC 61508, the practice of setting quantitative integrity
targets has led to the concept of ALARP (as low as reasonably practicable). Because meeting
a quantified target has become the object of an assessment, the question arises as to by
what margin it is met.

The ALARP concept follows with the idea that further risk reduction should only be carried
out until the cost becomes disproportional (References 2 and 5) at which point, it is argued,
additional resources are not justified and could more fruitfully be employed in risk reduction
elsewhere.

Wider availability of quantification tools
The almost universal application of risk assessment has provided the market impetus for the
development of a wide range of failure data and calculation tools. These greatly reduce the
time and effort needed to carry out assessments and therefore the number carried out
increases for the same amount of manpower.

UNDESIRABLE OUTCOMES

Inappropriate use of the SIL term
Obsession with the SIL word has grown amongst a very large number of people
(including many so called experts) without understanding its meaning. It is, in fact,
ONLY an arbitrary metric invented in order to classify the QUALITATIVE techniques and
procedures throughout the life cycle which are deemed to minimise systematic failures.
Integrity targeting (NOT SIL targeting as it is widely described) should establish maximum
tolerable risks and failure rates as targets for the quantitative assessment.

SIL (safety integrity level) is a necessary and useful concept but ONLY as a secondary
consideration during the integrity targeting process.

Only because of the QUALITATIVE activities does it become necessary to have bands of
rigour instead of numerical targets. The choice of four SILs is again arbitrary and they
might just as well have been labelled bronze, silver, gold and platinum. The impression of
numeracy, given by the terms SIL 1 to SIL 4, is potentially misleading.

Nevertheless, integrity studies are referred to as SIL studies, integrity targets as SIL
targets, and so on. Sadly this trend is worsening as the misunderstanding widens. This is not
helped by consultancies and products seeking to incorporate the SIL mnemonic into their
titles.

Ascribing SILs to hardware rather than to functions
It has become almost universal practice to describe every aspect of an instrumented
loop and its procurement by means of the SIL. Although not theoretically wrong, this promotes
the idea that a piece of hardware (and its software) has a safety integrity level. It DOES
NOT. It is functions which have SILs and the elements of a safety related system need
SUITABILITY for use at a particular SIL and ONLY in respect of a defined failure
mode.

The plethora of misunderstanding embraces the idea that an item can have a SIL without any
mention of how it might fail. It may fail in many ways, each of which relates to a different
potential safety function. Since its rate of failing and proportion of hazardous failures will be
different for each mode it will potentially have a different SIL for each mode.

Dumbing down of targeting methodology
The spread of misunderstanding, emphasised in the earlier sections of this paper, is largely
due to a phenomenon which does not seem to apply to other disciplines within engineering.

That is, the obsession that everyone must have a say and a part in the safety assessment
process. As a result there has been a disturbing trend to dumb down the processes by
creating pocket methodologies that allow non-experts to replace experts. The most
appalling example is the use of risk graphs which enable amateurs to establish so called SIL
targets with no need to establish failure mode details or proper quantified risk targets.
Worse still they, and other makeshift techniques, are so widely used and taught that it is
possible to attend courses in their use and obtain certification giving the impression of
expertise in the subject without any proper understanding of the underlying principles and
mathematics involved. Furthermore, as with other disciplines, experience gained over many
years is vital in order to make effective judgments.

The author frequently encounters experts who can neither explain the difference between a
rate and a probability nor establish an appropriate maximum tolerable risk and calculate the
maximum PFD required of a risk reduction function.
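As a worked example added here (not the paper's own code), the targeting sequence this paper argues for, with the rate-versus-probability distinction and the maximum-PFD calculation the author refers to above, in Python. All input figures are constructed; the band limits are the IEC 61508 low-demand PFDavg bands.

```python
# Added example (not from the paper): integrity targeting in the order the paper
# argues for, the numeric risk target first and the SIL band only afterwards.
# All input figures are constructed; bands are the IEC 61508 low-demand PFDavg bands.

# (sil, lower, upper): a PFDavg in [lower, upper) falls in this rigour band.
SIL_PFD_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]

def required_pfd(max_tolerable_fatality_rate, hazard_rate, p_fatality_given_hazard):
    """Maximum PFD the risk reduction function may have: the real integrity target.

    Both rates are per year. Dividing one RATE by another gives a dimensionless
    PROBABILITY, which is the rate-versus-probability distinction in practice.
    Returns None when the unprotected risk is already tolerable.
    """
    unprotected_fatality_rate = hazard_rate * p_fatality_given_hazard
    pfd = max_tolerable_fatality_rate / unprotected_fatality_rate
    return None if pfd >= 1.0 else pfd

def sil_band(pfd):
    """Secondary step only: the rigour band the numeric target lands in, or None
    when it lies outside SIL 1 to SIL 4."""
    for sil, lower, upper in SIL_PFD_BANDS:
        if lower <= pfd < upper:
            return sil
    return None

def pfd_from_failure_rate(dangerous_failure_rate_per_hour, proof_test_interval_hours):
    """Rate to probability for a single channel in low-demand mode, using the usual
    approximation PFDavg ~ lambda * T / 2, valid only while lambda * T is small."""
    lam_t = dangerous_failure_rate_per_hour * proof_test_interval_hours
    if lam_t > 0.1:
        raise ValueError("lambda * T too large for the linear approximation")
    return lam_t / 2.0

def meets_target(achieved_pfd, target_pfd):
    """Sharing a SIL band with the target is not the test; the number is."""
    return achieved_pfd <= target_pfd

def manual_response_pfd(claimed_pfd):
    """A sounder or beacon is only part of a human response function, which the paper
    says should never claim more than SIL 1, so the credit is capped at PFD 0.1."""
    return max(claimed_pfd, 1e-1)

if __name__ == "__main__":
    target = required_pfd(1e-5, hazard_rate=1.0, p_fatality_given_hazard=0.05)  # 2e-4
    achieved = pfd_from_failure_rate(1e-7, 8760)  # 4.38e-4: same SIL 3 band as target
    print(sil_band(target), sil_band(achieved), meets_target(achieved, target))  # 3 3 False
```

The two figures land in the same SIL 3 band yet the achieved PFD misses the numeric target, which is the paper's point about SIL being secondary to the target itself.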

Certification and SIL application to too low a level
Misunderstanding of the SIL term, in its application to simple devices/components, has led
to requests for it to be demonstrated at component levels. The only parameter, related to
functional safety, for an electromechanical relay is its failure rate and the proportion of fail
to open and fail to close modes. To ascribe a SIL at this component level is both
unnecessary and misleading. Any question of SIL relates to the safety function in which it is
used. However, more complex items (e.g. field detectors) may claim a SIL capability based
on safe failure fraction and design cycle rigour.

The author has been requested (on many occasions) to certify a SIL 2 capability for a
sounder or beacon. Anyone with appropriate expertise knows that these components can
only be part of a human response function which should never claim more than SIL 1: an
example of a lack of knowledge and understanding.

Lack of focus in the choice of rigour
Having already covered the reasons why IEC 61508 (Reference 3) has been an excellent
innovation in principle it has nevertheless to be said that the document is extremely lengthy,
verbose, repetitive and poorly structured. IEC 61511 (Reference 4), despite being couched
in the usual lengthy style of standards, nevertheless achieves a great deal by way of a
simpler approach.

This, together with the page by page mentality of many users, often leads to slavish
rigour being applied to written clauses in the belief that this achieves a robust review.

It needs to be realised that (along with the ALARP principle) there is an optimum resource
for any assessment. Thus a page by page approach is in danger of losing overall
perspective and of watering down the effort in areas where it matters. A robust approach
involves an informed selection of key areas of criticality and then applying the assessment
effort accordingly.

Proliferation of guidance
There seems to be a compulsion for bodies to write their own version of the standard. Most
documents become a re-iteration of the same text with slightly different terminology,
headings and layout. Hence the nightmare of comparing vast quantities of guidance which
essentially say the same thing whilst differing in respect of enormous quantities of trivial
detail. The task of keeping up with the totality of 2nd tier guidance is therefore considerable
but adds little to actual safety.

THE WAY FORWARD

Everyone to his own expertise
Industry (and its safety related fraternity) should discourage the practice of non-expert
participation and promote training with some academic content to qualifications. This must
therefore include an understanding of probability and statistics and its underlying
mathematics (Reference 6) and only persons with appropriate aptitudes, along with adequate
experience, should seek to represent themselves as experts in this area.

Have one central standard
Industry should discourage the wasteful use of effort in writing guidance after guidance on a
subject which is already over documented. This effort would be better employed improving
the presentation of the existing standard and, also, in actually carrying out assessments.

References

1 Reliability, Maintainability and Risk, 8th Edition, D J Smith, Elsevier (Butterworth
Heinemann), ISBN 9780080969022.
2 The Safety Critical Systems Handbook (A straightforward guide to functional safety,
IEC 61508), 3rd edition, 2010, Smith DJ and Simpson KGL, Butterworth Heinemann, ISBN
9780080967813.
3 IEC Standard 61508, 2010, Functional safety: safety related systems - 7 Parts.
4 IEC Standard 61511: Functional safety: safety instrumented systems for the process
industry sector.
5 R2P2 Reducing Risks, Protecting People, HSE's decision making process, HSE Books,
2001.
6 www.technis.org.uk

Copyright Technis 2011
