SOME PRACTICAL

CONSIDERATIONS WHEN
APPLYING IEC-61508
SIPI workshop
February, 2003

Erik Dom
Nero Engineering
INTRODUCTION
The IEC-61508 standard has now been around for a while, and after the
euphoric reactions of the first years many companies are now applying it in
practice, or at least they are trying. Being a general standard, it doesn’t offer
too many worked out details, especially for the first 5 steps of the lifecycle
model, where reference is made to other standards or current evaluation
methods. For an “IEC” standard, it was even surprising to see these steps
covered.
Being involved with the standard since 1997, I’ve tried out different ways to
apply it myself and as a consultant I’ve seen many different approaches. Even
amongst “specialists” opinions differ and in recent years the standard has
opened new commercial possibilities for companies that are now offering safety
management tools, in some cases covering the whole lifecycle of the standard.
For this short presentation I’ve picked out some items of the lifecycle, but
similar remarks or discussion points could be made for the other steps.

Erik Dom

1
 IEC-61508 LIFECYCLE MODEL
1 Concept

2 Overall scope definition

3 Hazard and risk analysis

4 Overall safety requirements

5 Safety requirements allocation

Overall planning Safety related systems: Safety related

External risk
E/E/PES systems: other
Overall Overall 9 10 11 reduction facilities
Overall Realization (see E/E/PES technologies
operation & installation and
6 7 validation 8 safety lifecycle) Realization Realization
maintenanc commissioning
planning
e planning planning
Overall Installation and
12
commissioning
Back to appropriate
13 Overall safety validation overall safety
life cycle phase

Overall operation and Overall modification

14 15
maintenance and repair and retrofit

Decommissioning or
16
disposal

2
The DIN 19250 risk graph

„ Shown as an example in IEC 61508

„ Applied in several companies, often in a different
way

„ Definition of probability of unwanted occurrence

„ Interpretation of unwanted OCCURRENCE
„ Calibration of the risk graph
„ Interpretation of “a” (“SIL 0”)

3
 RISK GRAPH
W3 W2 W1
C1

P1
a - - a, b, c, d, e, f, g, h represent the
Starting point
F1
P2
b a - necessary minimum risk
for risk reduction C2 c b a reduction. The link between the
estimation P1 necessary minimum risk
F2 d c b reduction and the safety integrity
P2
e d c level is shown in the table.
F1
C3 f e d
F2
g f e
C4
h g f

Necessary
C = Consequence risk parameter
minimum risk Safety integrity level
F = Frequency and exposure time risk reduction
parameter
P = Possibility of avoiding hazard risk
- No safety requirements

a No special safety
parameter requirements
W = Probability of the unwanted b, c 1
occurrence d 2
e, f 3
a, b, c ... h = Estimates of the required risk g 4
reduction for the SRSs h An E/E/PE SRS is not
sufficient

4
Probability of unwanted occurrence
The standard says:

„ W1 (LOW): A very slight probability…….only

a few are likely.
„ W2: A slight probability……. few are likely.
„ W3 (HIGH): A relatively high probability…….
frequent are likely

How is this currently interpreted by users?

5
 Interpretation 1
„ W1 < 10-4/jr
„ 10-2/jr > W2 > 10-4/jr
„ W3 > 10-2/jr

Interpretation 2

„ W1: 3 different independent failures are required for the

occurrence to happen
„ W2: 2 different independent failures are required for the
occurrence to happen
„ W3: 1 failure is sufficient for the occurrence to happen

6
 Interpretation 3

„ W2: this is the “normal” probability for an event,

arguments required to pass from W2 to W3 or W1

Interpretation 4
„ W1: less than 0.03 times per year
„ W2: between 0.3 and 0.03 times per year
„ W3: between 3 and 0.3 times per year

™ Used in IEC-61511 for calibrated matrix

™ Very different from interpretation 1
™ Leads to much lower SIL levels
™ Probability is replaced by “demand rate”

7
Interpretation of “Definition of
unwanted occurrence”
Case: overpressure in vessel containing flammable liquids leading to mechanical
rupture of vessel, release of product and finally a fire or an explosion with
serious injury

Problems when defining the unwanted occurrence:

ƒ Very difficult to predict the final effect of a cloud (impossible to define during
a “SIL” meeting) -> this has a major impact on the C factor
ƒ The case contains different events (rupture -> release -> explosion ->
injury), where only the last event can be treated with the risk matrix (without
injury C1 is always applicable). Releases are also considered as major
risks by the authorities but can’t be covered by the risk graph
ƒ Probabilities are often applied to other cases (i.e. An explosion is defined
as unwanted occurrence while the probability of the overpressure is
considered for the probability).This has a conservative effect on the result.

8
RESIDUAL
RISK
TOLERABLE
RISK
EUC
RISK
Principle of risk
Increasing reduction and
risk
residual risk
Necessary risk reduction

Actual risk reduction

Partial Risk by other non SIS
prevention/mitigation protection
Partial Risk covered Partial Risk by other
layers by SIS protection layers

Risk reduction obtained by all protection layers

RESIDUAL EUC
RISK

?
RISK
RESIDUAL EUC
RISK RISK

Increasing
risk

Risk reduction is known (10, 100, 1000) but

since the calibration is not known, what is
the absolute value of EUC risk and residual
risk??? ?

9
Interpretation of SIL “a”

Definition = “NO SPECIAL

SAFETY REQUIREMENTS”

ƒ Means that the required risk

reduction lies between 1 and
10
EUC
ƒ Mostly interpreted as: can be
installed in DCS
ƒ Most companies don’t define
the EUC, so is not clear if
additional risk reduction is
required (see example)

10
Conclusion
„ Use of risk graph can be emotional/subjective
„ Not suited for complex issues, one risk graph evaluation is often
used for hazards with many different initiating events/scenario’s
„ EUC is rarely defined, leading to a mix-up of control and safety
„ Many interpretations possible (W & P factors)
„ What’s the residual risk?
„ Depends heavily on the experience of the hazard team
„ Results can easily be “manipulated” in view of the required result
„ SIL “a” is often not considered
„ The environmental graph (not shown in this presentation) is very
severe and leads to high SIL’s compared with human injury
„ Definition of demand rate (IEC-61511) is confusing

11
The role of pressure relief valves in SIS

„ Should these be taken into account?

„ If so, what SIL level to be assigned?
- Vendor data is not available
- Valves are used in many different applications so that general reliability data
can’t be given be Vendors
- Feedback from customers is not available since maintenance/repair is done
by specialized shops or customer itself
- Depends strongly on application:
- Clean or dirty/agressive products
- Outlet to safe area (confined) or to atmoshere
- Rupture disc installed (P between disc and valve monitored?)
„ Testing frequency and method?
- How to define test interval?
- Test method verifies only limited number of possible errors (setting).
Calculation errors, installation problems are not verified....

12
A POSSIBLE APPROACH FOR SAFETY VALVES
SIL 3 high pressure risk
allocated to SIS & PSV

YES Clean service NO

to confined
area

SIL 2 SIL 1 NO SIL SIL 3

allocated allocated allocated allocated
to PSV to SIS to PSV to SIS

SIL OVERALL = SIL PSV + SIL SIF

13
Emergency handswitches in the
process industry
Example: emergency stops to isolate plant
areas in case of fire, leakage or explosion

„ To be treated according to IEC Æ test

intervals, calculations,...?
„ Activated by human action + mitigating
„ Do they belong in SIS?
„ Are these the same as the HS’s in the
Machine Directive?

14
ALTERNATIVES FOR THE RISK MATRIX

„ LOPA (Layers of Protection Analysis)

„ EVENT/FAULT TREE ANALYSIS

RISK QUANTIFIED LOPA Rough Event tree

GRAPH or FMEA estimate with Fault tree
other event tree HRA
qualitative
method
SIMPLE ISSUES GOOD GOOD GOOD EXCESSIVE EXCESSIVE
COMPLEX ISSUES POOR POOR FAIR FAIR GOOD

15
What is LOPA?

„ A simplified form of risk assessment

„ Verifies if sufficient layers of protection are
present
„ Limited to evaluating a single cause-
consequence pair as scenario
„ Represents typically one path (worst case)
through an event tree

16
 COMMUNITY RESPONSE

PLANT EMERGENCY
RESPONSE

MITIGATION
Mechanical Mitigation Systems
Safety Instrumented Control Systems
Safety Instrumented Mitigation Systems

PREVENTION
Mechanical Protection System
Process Alarms
Operator Supervision
Safety Instrument System
Basic Process Control Systems
Monitoring Systems (process alarms)
Operator Supervision

Process Design

Concept of layers of protection acc. to IEC-61511-1

17
An example of LOPA
Description Probability Frequency
(per year)
Consequence

Risk tolerance Maximum tolerance for serious fire < 1 x 10-4

criteria Maximum tolerance for fatal injury < 1 x 10-5
Initiating event Failure of DCS 1 x 10-1
Enabling event N/A
Conditional Probability of ignition 0.1
Modifiers Probability of personnel in affected area 0.1
Probability of fatal injury 0.5
Others N/A
Frequency of unmitigated consequence 5 x 10-4
Independent SIF (not yet existing, to be added) 1 x 10-2
Protection layers Human action upon DCS alarm
cannot be taken into account since
DCS failure is the initiating event!
Total PFD for all 1 x 10-2
IPL’s
Frequency of Mitigated Consequence 5 x 10-6
Actions required Install SIF with a PFD of 1 x 10-2
to meet required
risk reduction

18
Another way of representing LOPA

Protection
PAH Operator layer 1:
alarm response PSV

0,9
1. No release of material, 8x10 -2/yr
Success 0,9
2. Release from PSV to flare, 8x10 -3/yr
0,9
0,1
Overpressure

10-1/yr
0,1
3. Release to atmosphere, 9x10 -4 /yr

Failure 0,9
4. Release from PSV to flare, 9x10 -3/yr
0,1

0,1
5. Release to atmosphere, 1x10 -3/yr

19
When can LOPA be used?

„ Typically after a qualitative hazard evaluation

„ The consequences are too severe to rely on qualitative methods
only
„ When a scenario is too complex to use a qualitative method or
when the hazard evaluation team does not fully understand:
• The initiating events
• The sequence of events
• The role of different IPLs (Independent Protection Layer)
„ As a screening tool before quantitative methods
„ To verify the sufficiency of IPLs
„ Always applied to one scenario at a time

„ Never to replace quantitative risk analysis!

20
RELIABILITY DATA for SIL CALCULATIONS

„ OREDA
„ VENDOR DATA (uncertified)
„ CERTIFIED VENDOR DATA
„ MIL (for electric/electronic components)
„ Commercial databases
„ Owner’s database

„ OFTEN CONTRADICTORY!!!!!!!!!!!!!!!!!!!!!!

21
OREDA

„ Conservative (? )
„ Availability of details of types of failure (but
not of type of application)
„ Some populations are (too) small (i.e.
temperature)
„ Instruments are not specified in detail

22
23
UNCERTIFIED VENDOR DATA

„ Based on theoretical calculations

„ Based on lab tests
„ Based on feedback from customers
„ Initial values are often adapted after a few
years Æ use with caution!

24
CERTIFIED VENDOR DATA

„ Few available
„ Sometimes required information missing
„ Should be interpreted with care, reliability
data and details are only valid under certain
conditions
„ Example of certificate for temperature
transmitter

25
COMMERCIAL DATABASES

„ Some very expensive (purchase + support)

„ What’s the basis of the reliability data?
„ Sometimes with integrated safety
management system
„ Not very flexible
„ Some “over-optimistic”, some values are very
different from Oreda
„ Some allow to pick data depending on
application (agressive or dirty fluids,...)

26
OWNER’s DATABASE

„ Requires some internal organization

„ Takes years before data are representative
„ Impossible for smaller companies with small
installed base
„ Why not in Belgian or European context?

27
WORKING WITH STANDARD SIS LOOPS

„ Conservative approach required Æ not the

most economical way
„ Difficult to cover all different applications
„ Design + components must be fixed since
small deviations may lead to important
deterioration of PFD’s (barriers, sensors,...)

28