Annex A
(informative)
Determination of required safety integrity
A.1 General
This informative annex provides methods of qualitative approach for risk estimation and SIL
assignment that can be applied for determining the required SIL of 5.2. The method as
described is not intended for functions that operate in low demand mode of operation.
NOTE 1 Whenever a risk assessment has indicated a safe control measure is required, the matrix method in
Clause A.2 can be used to determine the required SIL.
Experience in successfully dealing with similar machines/hazards should be taken into account
when estimating the required SIL.
NOTE 2 Other risk estimation methods for specific types of machine can be used as appropriate (e.g. methods are
available in IEC 61508-5 and IEC 61511-3). Therefore, the SIL required by a type-C standard can deviate from that
indicated by the generic approaches given in this annex.
A.2 Matrix assignment for the required SIL
A.2.1 Hazard identification/indication
Indicate the hazards, including those from reasonably foreseeable misuse, whose risks are to
be reduced by implementing an SCS. List them in the hazard column in Table A.5.
A.2.2 Risk estimation
Risk estimation should be carried out for each hazard by determining the risk parameters which,
as shown in Figure A.1, should be derived from the following:
– severity of harm, Se; and
– probability of occurrence of that harm, which is a function of:
• frequency and duration of the exposure of persons to the hazard, Fr;
• probability of occurrence of a hazardous event, Pr; and
• possibilities to avoid or limit the harm, Av.

The estimates entered into Table A.5 should normally be based on worst-case considerations
and need to be justified. However, in a situation where, for example, an irreversible injury is
possible but at a significantly lower probability than a reversible one, then each severity level
should have a separate line on the table. It can be the case that a different SCS is implemented
for each line. If one SCS is implemented to cover both lines, then the highest target SIL or PL
requirement should be used.
Depending on the individual application, available information such as service experience and
incident statistics might be taken into account to select the ranking of the parameters.
A.2.3 Severity (Se)
Severity of injuries or damage to health can be estimated by taking into account reversible
injuries, irreversible injuries and death. Choose the appropriate value of severity from
Table A.1 based on the consequences of an injury, where:
4 is a fatal or a significant irreversible injury such that it will be impossible or at least very
difficult to continue the same work after healing, e.g. loss of limbs, pulmonary permanent
damages, loss of an eye or partial or total loss of the sight;
3 is a major or irreversible injury in such a way that it can be possible to continue the same
work after healing such as loss of some fingers or toes. It can also include a severe major
but reversible injury such as broken limbs;
2 is a more severe reversible injury which requires attention from a medical practitioner and
it is possible to resume the work activity after a short period of time, e.g. severe lacerations,
stabbing, and severe bruises;
1 is a slight injury where first aid without medical intervention is sufficient, e.g. minor
injury including scratches and minor bruises.
NOTE For examples of severity aspects, see also appendix 5 of the EU Guidelines 2010/15/EU (RAPEX).
Select the appropriate row for consequences (Se) of Table A.1. Insert the appropriate number under the Se column in Table A.5.

A.2.4 Probability of occurrence of harm
A.2.4.1General
Each of the three parameters of probability of occurrence of harm (i.e. Fr, Pr and Av) should be
estimated independently of each other. A worst-case assumption needs to be used for each
parameter to ensure that SCS(s) are not incorrectly assigned a lower PL/SIL than is necessary.
Generally, the use of a form of task-based analysis is strongly recommended to ensure that
proper consideration is given to estimation of the probability of occurrence of harm.
A.2.4.2 Frequency and duration of exposure
On determination of the exposure level of people to a hazard, according to 5.5.2.3.1 of
ISO 12100:2010, the work situation should be assessed considering factors such as:
– the mode of operation during the access (setting/automatic/manual/special mode);
– nature of access (feeding of materials, correction of malfunction, maintenance or repair);
– time spent in the hazardous area;
– frequency of access to the hazardous area.
The parameter Fr is defined by frequency of presence of the people in the hazardous area and
by the average duration of presence.
It should then be possible to estimate the interval between accesses to a hazardous area and
therefore the frequency of the exposure to a potential hazard (referred to a period of one
year or more). This factor does not include consideration of the failure of the SCS.
Select the appropriate row for frequency and duration of exposure (Fr) of Table A.2. Insert the
appropriate number under the Fr column in Table A.5.

A.2.4.3 Probability of occurrence of a hazardous event
The probability of occurrence of harm should be estimated independently of other related
parameters Fr and Av. A worst-case assumption should be used for each parameter to ensure
that SCS(s) are not incorrectly assigned a lower SIL than is necessary. To prevent this
occurring, the use of a form of task-based analysis is strongly recommended to ensure that
proper consideration is given to estimation of the probability of occurrence of harm.
This parameter can be estimated by taking into account:
a) Predictability of the behaviour of component parts of the machine relevant to the hazard in
different modes of use (e.g. normal operation, maintenance, fault finding).
– This will necessitate careful consideration of the control system especially with regard
to the risk of unexpected start up. Do not take into account the protective effect of any
SCS. This is necessary in order to estimate the amount of risk that will be exposed if the
SCS fails. In general terms, it shall be considered whether the machine or material being
processed has the propensity to act in an unexpected manner.
– The machine behaviour will vary from very predictable to not predictable but unexpected
events cannot be discounted.
NOTE 1 Predictability is often linked to the complexity of the machine function.
b) The specified or foreseeable characteristics of human behaviour with regard to interaction
with the component parts of the machine as an origin of the hazard. This can be
characterised by:
– stress (e.g. due to time constraints, work task, perceived damage limitation); and/or
– lack of awareness of information relevant to the hazard. This will be influenced by factors
such as skills, training, experience, and complexity of machine/process.
These attributes are not usually directly under the influence of the SCS designer, but a task
analysis will reveal activities where total awareness of all issues, including unexpected
outcomes, cannot be reasonably assumed.
“Very high” probability of occurrence of a hazardous event should be selected to reflect
normal production constraints and worst case considerations. Positive reasons (e.g. well-
defined application and knowledge of high level of user competences) are required for any
lower values to be used.
Any required or assumed skills, knowledge, etc. should be stated in the information for use.
Select the appropriate row for probability of occurrence of hazardous event (Pr) of Table A.3.
Indicate the appropriate number under the Pr column in Table A.3.

A.2.4.4 Probability of avoiding or limiting harm (Av)
This parameter describes whether harm could be avoided or limited in case of a hazardous
event. For example, the exposure to a hazard can be directly identified by its physical
characteristics, or recognized only by technical means, e.g. indicators. The probability of
avoiding or limiting harm (or the controllability) is predominantly determined by human
intervention and depends to a large extent on individual human abilities. Avoidance shall not
be used as a substitute for basic hazard elimination. Avoiding or limiting harm considers, for
example:
– characteristics of the hazardous event:
• speed/acceleration: evolves quickly or slowly;
• the nature of the component or system, for example a knife is usually sharp, a pipe in a
dairy environment is usually hot, electricity is usually hazardous by its nature but is not
visible;
• possibility of recognising a hazard, for example an electrical hazard: a copper bar does
not change its appearance whether it is under voltage or not, so an instrument is needed
to establish whether electrical equipment is energised; ambient conditions, for example
high noise levels, can prevent a person from hearing a machine start;
• complexity of the operations (human interaction in terms of numbers of operation and/or
timing available for these operations);
– spatial possibility to withdraw from the hazard;
– human abilities:
• skills of persons involved;
• abilities to react (e.g. take action, escape, etc.);
• aspects that reduce the ability (e.g. stress, distraction, fatigue).
NOTE Human abilities cannot be accounted for more than once for each safety function.
Select the appropriate row for probability of avoidance or limiting harm (Av) of Table A.4. Insert
the appropriate number under the Av column in Table A.4.

A.2.5 Class of probability of harm (Cl)

A.2.6 SIL assignment
Using Table A.6, where the severity (Se) row crosses the relevant column (Cl), the intersection
point indicates whether action is required. The black area indicates the SIL assigned as the
target for the SCS. The lighter shaded areas should be used as a recommendation that other measures (OM) be used.
Where function(s) have safety implications but application leads to a required safety integrity less than that required by SIL 1 (OM or No SIL), compliance with the requirements of IEC 60204-1 or other relevant standards can lead to an adequate performance of the control system.

A.3 Overlapping hazards
If several hazards can be caused in a single zone by the failure of a single safety-related
function, these are called overlapping hazards.
For the quantification of risk, each hazard can be evaluated separately, except when it is
obvious that there is a combination of directly linked hazards which always occur
simultaneously.
EXAMPLE 1 A continuous welding robot can create various simultaneous hazardous
situations, for example crushing caused by movement and burning due to the welding process.
This can be considered as a combination of directly linked hazards.
EXAMPLE 2 For a robot cell in which separate robots are working, each robot is considered
separately.
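The worksheet procedure of A.2 (one line per hazard and severity level, with Se, Fr, Pr and Av estimated independently on a worst-case basis, and the highest target applying when one SCS covers several lines) together with the A.3 rule of evaluating each hazard separately, as an added Python example that is not part of the standard's text. It assumes that the class of probability of harm Cl is the sum Fr + Pr + Av, and it uses a constructed placeholder matrix in place of Table A.6, whose values are not reproduced on this page; the hazard lines are constructed sample data.

```python
from dataclasses import dataclass, asdict

# ASSUMPTION (not stated on this page): Cl is the sum Fr + Pr + Av, and the SIL
# assignment matrix is keyed by severity row and a band of Cl values.
# The bands and outcomes below are a CONSTRUCTED PLACEHOLDER standing in for
# Table A.6; they only reuse the page's outcome categories (No SIL, OM, SIL 1..3).
CL_BANDS = ((3, 4), (5, 7), (8, 10), (11, 13), (14, 15))
PLACEHOLDER_MATRIX = {
    4: ("SIL 2", "SIL 2", "SIL 2", "SIL 3", "SIL 3"),
    3: ("OM", "SIL 1", "SIL 2", "SIL 3", "SIL 3"),
    2: ("No SIL", "OM", "SIL 1", "SIL 2", "SIL 3"),
    1: ("No SIL", "No SIL", "OM", "SIL 1", "SIL 2"),
}
# Ordering used when one SCS covers several lines: the highest target wins (A.2.2).
SIL_ORDER = ["No SIL", "OM", "SIL 1", "SIL 2", "SIL 3"]


@dataclass(frozen=True)
class HazardLine:
    """One line of the Table A.5 worksheet (hypothetical structure)."""
    hazard: str
    scs: str   # identifier of the SCS implemented for this line
    se: int    # severity, 1..4, from Table A.1
    fr: int    # frequency and duration of exposure, from Table A.2
    pr: int    # probability of a hazardous event, from Table A.3
    av: int    # probability of avoiding or limiting harm, from Table A.4


def probability_class(line: HazardLine) -> int:
    """Cl = Fr + Pr + Av (assumption, see above); parameters are rated independently."""
    for name in ("se", "fr", "pr", "av"):
        value = getattr(line, name)
        if not isinstance(value, int) or value < 1:
            raise ValueError(f"{name} must be a positive integer rating, got {value!r}")
    if not 1 <= line.se <= 4:
        raise ValueError(f"Se must be 1..4, got {line.se}")
    return line.fr + line.pr + line.av


def assign_sil(se: int, cl: int, matrix=PLACEHOLDER_MATRIX, bands=CL_BANDS) -> str:
    """Intersection of the Se row and the Cl column of the assignment matrix."""
    for (lo, hi), outcome in zip(bands, matrix[se]):
        if lo <= cl <= hi:
            return outcome
    raise ValueError(f"Cl={cl} lies outside the matrix bands {bands}")


def fill_worksheet(lines, matrix=PLACEHOLDER_MATRIX):
    """Complete each worksheet line with its Cl and the SIL read from the matrix."""
    rows = []
    for line in lines:
        cl = probability_class(line)
        rows.append({**asdict(line), "cl": cl, "sil": assign_sil(line.se, cl, matrix)})
    return rows


def target_per_scs(rows):
    """One target per SCS: the highest SIL over all lines that SCS covers (A.2.2)."""
    targets = {}
    for row in rows:
        current = targets.get(row["scs"])
        if current is None or SIL_ORDER.index(row["sil"]) > SIL_ORDER.index(current):
            targets[row["scs"]] = row["sil"]
    return targets


# Constructed sample: the same hazard entered on two lines because an irreversible
# injury (Se 3) is possible at a lower probability than a reversible one (Se 2),
# both covered by SCS-1; a second, separately evaluated hazard is covered by SCS-2.
SAMPLE_LINES = [
    HazardLine("crushing at press ram", "SCS-1", se=3, fr=4, pr=2, av=5),   # Cl 11
    HazardLine("crushing at press ram", "SCS-1", se=2, fr=4, pr=4, av=5),   # Cl 13
    HazardLine("burn at welding torch", "SCS-2", se=1, fr=2, pr=1, av=1),   # Cl 4
]

if __name__ == "__main__":
    rows = fill_worksheet(SAMPLE_LINES)
    for row in rows:
        print(f"{row['hazard']:<24} Se={row['se']} Cl={row['cl']:>2} -> {row['sil']}")
    print("targets per SCS:", target_per_scs(rows))
```

With the placeholder matrix the two press lines evaluate to different targets, and SCS-1 takes the higher one, which is the point of keeping one line per severity level rather than collapsing them; replacing PLACEHOLDER_MATRIX and CL_BANDS with the values of Table A.6 makes the same code follow the standard's assignment.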