Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 5: Examples of methods for the determination of safety integrity levels

(Title also given in German, French and Slovenian; the three translations carry the same meaning as the English title above.)

General Information

Status
Not Published
Publication Date
07-Sep-2026
Drafting Committee
IEC/SC 65A - IEC_SC_65A
Current Stage
4060 - Enquiry results established and sent to TC, SR, BTTF - Enquiry
Start Date
09-May-2025
Completion Date
09-May-2025

Relations

Effective Date
11-Oct-2022

Overview

prEN IEC 61508-5:2025 is the CENELEC (CLC) parallel-vote draft of IEC 61508-5 Ed. 3, circulated by IEC SC 65A as Committee Draft for Vote 65A/1167/CDV. Part 5 of the IEC 61508 series gives examples of methods for determining the Safety Integrity Level (SIL) of safety functions implemented by electrical/electronic/programmable electronic (E/E/PE) safety-related systems. It complements the basic safety publications IEC 61508-1 to IEC 61508-4 with informative guidance on risk-based SIL allocation; it does not itself set SIL requirements for any safety function, nor mandate a particular determination method. As a CDV the text is still under study, subject to change, and not to be used for reference purposes.

Key topics

  • Fundamental concepts: risk, safety integrity, modes of operation (low‑demand, high‑demand, continuous) and their impact on SIL determination.
  • Risk reduction principles: individual vs societal risk, ALARP (as low as reasonably practicable) and continuous improvement.
  • Examples of SIL determination methods:
    • Quantitative method (Annex D) - numerical approaches for allocating SIL requirements.
    • Risk graph methods (Annex E) - semi‑qualitative flowcharts for rapid SIL selection and calibration examples.
    • LOPA (Layer of Protection Analysis) (Annex F) - semi‑quantitative method linking initiating event likelihood, protection layers and required SILs.
    • Hazardous event severity matrix (Annex G) - qualitative severity-based approach.
  • Common cause failures (CCF) and dependencies: identification and mitigation across safety and control systems.
  • Allocation and mitigation: assigning safety requirements to E/E/PE safety‑related systems and other risk reduction measures.
  • Systematic capability and architecture: considerations for designing systems that meet allocated SILs and comply with the IEC 61508 series.

Applications

This standard aids organizations and professionals who need to determine and justify SIL requirements for safety functions:

  • Safety engineers and system architects designing E/E/PE safety-related systems
  • Process control and automation teams in chemical, oil & gas, power generation and manufacturing
  • Risk assessors and HAZOP/LOPA facilitators
  • Certification bodies, integrators and suppliers of safety instrumented systems (SIS)
  • IT/OT specialists implementing safety‑relevant programmable electronic systems

Use cases include SIL allocation during hazard studies, validating protection layers, and documenting SIL justification for compliance with functional safety lifecycle requirements.

Related standards

  • IEC 61508 series (overall framework for functional safety of E/E/PE systems)
  • Domain-specific standards (e.g., IEC 61511 for the process industry) - practitioners should align SIL determination with the applicable sector standards and normative references cited in the IEC 61508 series.

Keywords: IEC 61508, prEN IEC 61508-5:2025, functional safety, safety integrity level, SIL determination, ALARP, LOPA, risk graph, E/E/PE safety-related systems, common cause failure.

Draft

prEN IEC 61508-5:2025

English language
51 pages

Frequently Asked Questions

prEN IEC 61508-5:2025 is a draft published by CLC. Its full title is "Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 5: Examples of methods for the determination of safety integrity levels".

prEN IEC 61508-5:2025 is classified under the following ICS (International Classification for Standards) categories: 25.040.40 - Industrial process measurement and control, and (on the SIST cover reproduced below) 35.240.50 - IT applications in industry. The ICS classification identifies the subject area and helps in finding related standards.

prEN IEC 61508-5:2025 has the following relationship with other standards: it is linked to EN 61508-5:2010, the currently published second edition that this third edition is intended to cancel and replace. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.


Standards Content (Sample)


SLOVENIAN STANDARD
1 April 2025
Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 5: Examples of methods for the determination of safety integrity levels
(Title also given in Slovenian, German and French.)
This Slovenian standard is identical to: prEN IEC 61508-5:2025
ICS:
25.040.40 Industrial process measurement and control
35.240.50 IT applications in industry
2003-01. Slovenian Institute for Standardization. Reproduction of this standard, in whole or in part, is not permitted.

65A/1167/CDV
COMMITTEE DRAFT FOR VOTE (CDV)

PROJECT NUMBER:
IEC 61508-5 ED3
DATE OF CIRCULATION: 2025-02-14
CLOSING DATE FOR VOTING: 2025-05-09
SUPERSEDES DOCUMENTS:
65A/1060A/CD, 65A/1079A/CC
IEC SC 65A : SYSTEM ASPECTS
SECRETARIAT: United Kingdom
SECRETARY: Ms Stephanie Lavy
OF INTEREST TO THE FOLLOWING COMMITTEES: TC 8, TC 9, TC 22, TC 31, TC 44, TC 45, TC 56, TC 61, TC 62, TC 65, SC 65B, SC 65C, SC 65E, TC 66, TC 72, TC 77, TC 80, TC 108, SyC AAL, SyC SM, SC 41
HORIZONTAL FUNCTION(S):
ASPECTS CONCERNED:
Safety
SUBMITTED FOR CENELEC PARALLEL VOTING
Attention IEC-CENELEC parallel voting
The attention of IEC National Committees, members of CENELEC, is drawn to the fact that this Committee Draft for Vote (CDV) is submitted for parallel voting. The CENELEC members are invited to vote through the CENELEC online voting system.
This document is still under study and subject to change. It should not be used for reference purposes.
Recipients of this document are invited to submit, with their comments, notification of any relevant patent rights of which they are aware and to provide supporting documentation.
Recipients of this document are invited to submit, with their comments, notification of any relevant “In Some Countries” clauses to be included should this proposal proceed. Recipients are reminded that the CDV stage is the final stage for submitting ISC clauses. (SEE AC/22/2007 OR NEW GUIDANCE DOC).

TITLE:
Functional safety of electrical/electronic/programmable electronic safety-related systems -
Part 5: Examples of methods for the determination of safety integrity levels

PROPOSED STABILITY DATE: 2028
NOTE FROM TC/SC OFFICERS:
electronic file, to make a copy and to print out the content for the sole purpose of preparing National Committee positions.
You may not copy or "mirror" the file or printed version of the document, or any part of it, for any other purpose without
permission in writing from IEC.

IEC CDV 61508-5  IEC 2025 – 2 – 65A/1167/CDV
CONTENTS
FOREWORD . 5
INTRODUCTION . 7
1 Scope . 9
2 Normative references . 11
3 Definitions and abbreviations . 11
Annex A (informative) Risk and safety integrity – General concepts . 12
A.1 General . 12
A.2 Necessary risk reduction . 12
A.2.1 Individual risk . 13
A.2.2 Societal risk . 13
A.2.3 Continuous improvement . 13
A.2.4 Risk profile . 14
A.3 Role of E/E/PE safety-related systems . 14
A.4 Safety integrity . 14
A.5 Modes of operation and SIL determination . 15
A.5.1 Safety integrity and risk reduction for low demand mode applications . 15
A.5.2 Safety integrity for high demand mode applications . 16
A.5.3 Safety integrity for continuous mode applications . 18
A.5.4 Common cause and dependency failures . 18
A.5.5 Safety integrity levels when multiple layers of protection are used . 20
A.5.6 General architecture in this standard . 20
A.6 Risk and safety integrity . 22
A.7 Safety integrity levels and systematic capability . 23
A.8 Allocation of safety requirements . 23
A.9 Mitigation systems . 24
Annex B (informative) Selection of methods for determining safety integrity level requirements . 25
B.1 General . 25
B.2 The ALARP method . 25
B.3 Quantitative method of SIL determination . 25
B.4 The risk graph method . 26
B.5 Layer of protection analysis (LOPA) . 26
B.6 Hazardous event severity matrix . 27
Annex C (informative) ALARP and tolerable risk concepts . 28
C.1 General . 28
C.2 ALARP model . 28
C.2.1 Introduction . 28
C.2.2 Tolerable risk target . 29
Annex D (informative) Determination of safety integrity levels – A quantitative method . 31
D.1 General . 31
D.2 General method . 31
D.3 Example calculation . 32
Annex E (informative) Determination of safety integrity levels – Risk graph methods . 34
E.1 General . 34
E.2 Risk graph synthesis . 34
E.3 Calibration . 35
E.4 Other possible risk parameters . 36
E.5 Risk graph implementation – general scheme . 36
E.6 Risk graph example . 37
Annex F (informative) Semi-quantitative method using layer of protection analysis (LOPA) . 42
F.1 General . 42
F.1.1 Description . 42
F.1.2 Annex reference . 42
F.1.3 Method description . 42
F.2 Impact event . 42
F.3 Severity level . 42
F.4 Initiating cause . 42
F.5 Initiation likelihood . 43
F.6 Protection layers (PLs) . 46
F.6.1 General . 46
F.6.2 Basic control system . 46
F.6.3 Alarms . 46
F.7 Additional mitigation . 47
F.8 Intermediate event likelihood . 47
F.9 Safety integrity levels (SILs) . 47
F.10 Tolerable mitigated event likelihood . 48
Annex G (informative) Determination of safety integrity levels – A qualitative method – hazardous event severity matrix . 49
G.1 General . 49
G.2 Hazardous event severity matrix . 49
Bibliography . 51

Figure 1 – Overall framework of the IEC 61508 series . 10
Figure A.1 – Risk reduction – general concepts (low demand mode of operation) . 16
Figure A.2 – Risk and safety integrity concept . 16
Figure A.3 – Risk diagram for high demand applications . 17
Figure A.4 – Risk diagram for continuous mode operation . 18
Figure A.5 – Illustration of common cause failures (CCFs) of elements in the EUC control system and elements in the E/E/PE safety-related system . 19
Figure A.6 – Common cause between two E/E/PE safety-related systems . 20
Figure A.7 – Architecture where the control functions are not safety functions (EUC control system is not a designated E/E/PE safety-related system) . 21
Figure A.8 – Architecture where the control functions are safety functions (EUC control system is a designated E/E/PE safety-related system) . 22
Figure A.9 – Allocation of safety requirements to the E/E/PE safety-related systems, and other risk reduction measures . 24
Figure C.1 – Tolerable risk and ALARP . 29
Figure D.1 – Safety integrity allocation – example for safety-related protection system . 33
Figure E.1 – Risk Graph: general scheme . 37
Figure E.2 – Risk graph – example (illustrates general principles only) . 38
Figure G.1 – Hazardous event severity matrix – example (illustrates general principles only) . 50

Table C.1 – Example of risk classification of accidents . 30
Table C.2 – Interpretation of risk classes . 30
Table E.1 – Example of data relating to risk graph (Figure E.2) . 38
Table E.2 – Example of calibration of the general purpose risk graph . 40
Table F.1 – LOPA report . 44
INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________

FUNCTIONAL SAFETY OF ELECTRICAL/ELECTRONIC/PROGRAMMABLE ELECTRONIC SAFETY-RELATED SYSTEMS –
Part 5: Examples of methods for the determination of safety integrity levels

FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising all national electrotechnical committees (IEC National Committees). The object of IEC is to promote international co-operation on all questions concerning standardization in the electrical and electronic fields. To this end and in addition to other activities, IEC publishes International Standards, Technical Specifications, Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested in the subject dealt with may participate in this preparatory work. International, governmental and non-governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely with the International Organization for Standardization (ISO) in accordance with conditions determined by agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international consensus of opinion on the relevant subjects since each technical committee has representation from all interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications transparently to the maximum extent possible in their national and regional publications. Any divergence between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and members of its technical committees and IEC National Committees for any personal injury, property damage or other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is indispensable for the correct application of this publication.
9) IEC draws attention to the possibility that the implementation of this document may involve the use of (a) patent(s). IEC takes no position concerning the evidence, validity or applicability of any claimed patent rights in respect thereof. As of the date of publication of this document, IEC had not received notice of (a) patent(s), which may be required to implement this document. However, implementers are cautioned that this may not represent the latest information, which may be obtained from the patent database available at https://patents.iec.ch. IEC shall not be held responsible for identifying any or all such patent rights.
IEC 61508-5 has been prepared by subcommittee 65A: System aspects, of IEC technical committee 65: Industrial-process measurement, control and automation. It is an International Standard.
This third edition cancels and replaces the second edition published in 2010. This edition constitutes a technical revision.
This edition has been subject to a thorough review and incorporates many comments received at the various revision stages.
This edition includes the following significant technical changes with respect to the previous edition (the list refers to this document only; the other parts of the series list their own changes):
a) The document has been updated to the 2024 version of the ISO/IEC Directives; this introduces a significant number of editorial changes, clause renumbering and rewording of the information provided in Notes;
b) Various minor editorial errors have been corrected, and the normative references and the bibliography have been updated.
The text of this document is based on the following documents:
Draft: 65A/XX/FDIS
Report on voting: 65A/XX/RVD
Full information on the voting for its approval can be found in the report on voting indicated in the above table.
The language used for the development of this document is English.
This document was drafted in accordance with ISO/IEC Directives, Part 2, and developed in accordance with ISO/IEC Directives, Part 1 and ISO/IEC Directives, IEC Supplement, available at www.iec.ch/members_experts/refdocs. The main document types developed by IEC are described in greater detail at www.iec.ch/publications.
A list of all parts of the IEC 61508 series, published under the general title Functional safety of electrical / electronic / programmable electronic safety-related systems, can be found on the IEC website.
The committee has decided that the contents of this document will remain unchanged until the stability date indicated on the IEC website under webstore.iec.ch in the data related to the specific document. At this date, the document will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
INTRODUCTION
Systems comprised of electrical and/or electronic elements have been used for many years to perform safety functions in most application sectors. Computer-based systems (generically referred to as programmable electronic systems) are being used in all application sectors to perform non-safety functions and, increasingly, to perform safety functions. If computer system technology is to be effectively and safely exploited, it is essential that those responsible for making decisions have sufficient guidance on the safety aspects on which to make these decisions.
This document sets out a generic approach for all safety lifecycle activities for systems comprised of electrical and/or electronic and/or programmable electronic (E/E/PE) elements that are used to perform safety functions. This unified approach has been adopted in order that a rational and consistent technical policy be developed for all electrically-based safety-related systems. A major objective is to facilitate the development of product and application sector international standards based on the IEC 61508 series.
NOTE 1 Examples of product and application sector international standards based on the IEC 61508 series are given in the Bibliography (see references [1], [2] and [3]).
In most situations, safety is achieved by a number of systems which rely on many technologies (for example mechanical, hydraulic, pneumatic, electrical, electronic, programmable electronic). Any safety strategy should therefore consider not only all the elements within an individual system (for example sensors, controlling devices and actuators) but also all the safety-related systems making up the total combination of safety-related systems. Therefore, while this document is concerned with E/E/PE safety-related systems, it may also provide a framework within which safety-related systems based on other technologies may be considered.
It is recognized that there is a great variety of applications using E/E/PE safety-related systems in a variety of application sectors and covering a wide range of complexity, hazard and risk potentials. In any particular application, the required safety measures will be dependent on many factors specific to the application. This document, by being generic, will enable such measures to be formulated in future product and application sector international standards and in revisions of those that already exist.
This International Standard
– considers all relevant overall, E/E/PE system and software safety lifecycle phases (for example, from initial concept, through design, implementation, operation and maintenance to decommissioning) when E/E/PE systems are used to perform safety functions;
– has been conceived with a rapidly developing technology in mind; the framework is sufficiently robust and comprehensive to cater for future developments;
– enables product and application sector international standards, dealing with E/E/PE safety-related systems, to be developed; the development of product and application sector international standards, within the framework of this standard, should lead to a high level of consistency (for example, of underlying principles, terminology etc.) both within application sectors and across application sectors; this will have both safety and economic benefits;
– provides a method for the development of the safety requirements specification necessary to achieve the required functional safety for E/E/PE safety-related systems;
– adopts a risk-based approach by which the safety integrity requirements can be determined;
– introduces safety integrity levels for specifying the target level of safety integrity for the safety functions to be implemented by the E/E/PE safety-related systems;
– does not specify the safety integrity level requirements for any safety function, nor mandate how the safety integrity level is determined, but instead provides a risk-based conceptual framework and example techniques;
– sets target failure measures for safety functions carried out by E/E/PE safety-related systems, which are linked to the safety integrity levels;
– sets a lower limit on the target failure measures for a safety function carried out by a single E/E/PE safety-related system. For E/E/PE safety-related systems operating in
  • a low demand mode of operation, the lower limit is set at an average probability of a dangerous failure on demand of 10⁻⁵;
  • a high demand or a continuous mode of operation, the lower limit is set at an average frequency of a dangerous failure of 10⁻⁹ [h⁻¹];
NOTE 2 A single E/E/PE safety-related system does not necessarily mean a single-channel architecture.
NOTE 3 It may be possible to achieve designs of safety-related systems with lower values for the target safety integrity for non-complex systems, but these limits are considered to represent what can be achieved for relatively complex systems (for example programmable electronic safety-related systems) at the present time.
– sets requirements for the avoidance and control of systematic faults, which are based on experience and judgement from practical experience gained in industry. Even though the probability of occurrence of systematic failures cannot in general be quantified, the standard does allow a claim to be made, for a specified safety function, that the target failure measure associated with the safety function can be considered to be achieved if all the requirements in the standard have been met;
– introduces systematic capability, which applies to an element with respect to the confidence that its systematic safety integrity meets the requirements of the specified safety integrity level;
– adopts a broad range of principles, techniques and measures to achieve functional safety for E/E/PE safety-related systems, but does not explicitly use the concept of fail safe. However, the concepts of “fail safe” and “inherently safe” principles may be applicable and adoption of such concepts is acceptable providing the requirements of the relevant clauses in the standard are met.
1 Scope
1.1 This part of IEC 61508 provides information on
– the underlying concepts of risk and the relationship of risk to safety integrity (see Annex A);
– the criteria in selecting the most appropriate method for determining safety integrity level requirements (see Annex B);
– a number of methods that will enable the safety integrity levels for the E/E/PE safety-related systems to be determined (see Annexes C, D, E, F and G).
The method selected will depend upon the application sector and the specific circumstances under consideration. Annexes C, D, E, F and G illustrate quantitative and qualitative approaches and have been simplified in order to illustrate the underlying principles. These annexes have been included to illustrate the general principles of a number of methods but do not provide a definitive account.
NOTE 1 Those intending to apply the methods indicated in these annexes can consult the source material referenced.
NOTE 2 For more information on the approaches illustrated in Annexes B and E, see references [5] and [8] in the Bibliography. See also reference [6] in the Bibliography for a description of an additional approach.
1.2 IEC 61508-1, IEC 61508-2, IEC 61508-3 and IEC 61508-4 are basic safety publications, although this status does not apply in the context of low complexity E/E/PE safety-related systems (see 3.4.3 of IEC 61508-4). This document provides further information to complement these basic safety publications.
1.3 One of the responsibilities of a technical committee is, wherever applicable, to make use of basic safety publications in the preparation of its publications. In this context, the requirements, test methods or test conditions of this basic safety publication will not apply unless specifically referred to or included in the publications prepared by those technical committees.
1.4 Figure 1 shows the overall framework of the IEC 61508 series and indicates the role that IEC 61508-5 plays in the achievement of functional safety for E/E/PE safety-related systems.
Figure 1 – Overall framework of the IEC 61508 series
(The figure is a two-column block diagram; its boxes are listed here in the order they appear.)
Technical Requirements:
– Part 1: Development of the overall safety requirements (concept, scope, definition, hazard and risk analysis), 7.1 to 7.5
– Part 1: Allocation of the safety requirements to the E/E/PE safety-related systems, 7.6
– Part 1: Specification of the system safety requirements for the E/E/PE safety-related systems, 7.10
– Part 2: Realisation phase for E/E/PE safety-related systems
– Part 3: Realisation phase for safety-related software
– Part 1: Installation, commissioning & safety validation of E/E/PE safety-related systems, 7.13 - 7.14
– Part 1: Operation, maintenance, repair, modification and retrofit, decommissioning or disposal of E/E/PE safety-related systems, 7.15 - 7.17
Other Requirements:
– Part 5: Example of methods for the determination of safety integrity levels
– Part 6: Guidelines for the application of Parts 2 & 3
– Part 7: Overview of techniques and measures

2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
IEC 61508-1:20XX, Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 1: General requirements
IEC 61508-4:20XX, Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 4: Definitions and abbreviations
3 Definitions and abbreviations
For the purposes of this document, the definitions and abbreviations given in IEC 61508-4 apply.
IEC CDV 61508-5  IEC 2025 – 12 – 65A/1167/CDV
312 Annex A
313 (informative)
315 Risk and safety integrity –
316 General concepts
317 A.1 General
318 This annex provides information on the underlying concepts of risk and the relationship of risk
319 to safety integrity.
320 A.2 Necessary risk reduction
321 The necessary risk reduction is the reduction in risk that has to be achieved to meet the
322 tolerable risk for a specific situation (which may be stated either qualitatively or
323 quantitatively ). The concept of necessary risk reduction is of fundamental importance in the
324 development of the safety requirements specification for the E/E/PE safety-related systems (in
325 particular, the safety integrity requirements part of the safety requirements specification). The
326 purpose of determining the tolerable risk for a specific hazardous event is to state what is
327 deemed reasonable with respect to both the frequency (or probability) of the hazardous event
328 and its specific consequences. Safety-related systems are designed to reduce the frequency
329 (or probability) of the hazardous event and/or the consequences of the hazardous event.
The tolerable risk will depend on many factors (for example, severity of injury, the number of people exposed to danger, the frequency at which a person or people are exposed to danger and the duration of the exposure). Important factors will be the perception and views of those exposed to the hazardous event. In arriving at what constitutes a tolerable risk for a specific application, a number of inputs are considered. These include:
– legal requirements, both general and those directly relevant to the specific application;
– guidelines from the appropriate safety regulatory authority;
– discussions and agreements with the different parties involved in the application;
– industry standards and guidelines;
– international discussions and agreements; the role of national and international standards is becoming increasingly important in arriving at tolerable risk criteria for specific applications;
– the best independent industrial, expert and scientific advice from advisory bodies.
In determining the safety integrity requirements of the E/E/PE safety-related system(s) and other risk reduction measures, in order to meet the tolerable frequency of a hazardous event, account needs to be taken of the characteristics of the risk that are relevant to the application. The tolerable frequency will depend on the legal requirements in the country of application and on the criteria specified by the user organisation. Issues that may need to be considered, together with how they can be applied to E/E/PE safety-related systems, are discussed below.
___________
In achieving the tolerable risk, the necessary risk reduction will need to be established. Annexes E and G of this document outline qualitative methods, although in the examples quoted the necessary risk reduction is incorporated implicitly by specification of the SIL requirement rather than stated explicitly by a numeric value of risk reduction required.
For example, that the hazardous event, leading to a specific consequence, cannot occur with a frequency greater than one in 10 h.
A.2.1 Individual risk
Different targets are usually defined for employees and members of the public. The target for individual risk for employees is applied to the most exposed individual and may be expressed as the total risk per year arising from all work activities. The target is applied to a hypothetical person and therefore needs to take into account the percentage of time that the individual spends at work. The target applies to all risks to the exposed person and the tolerable risk for an individual safety function will need to take account of other risks.
Assurance that the total risk is reduced below a specified target can be done in a number of ways. One method is to consider and sum all risks to the most exposed individual. This may be difficult in cases where a person is exposed to many risks and early decisions are needed for system development. An alternative approach is to allocate a percentage of the overall individual risk target to each safety function under consideration. The percentage allocated can usually be decided from previous experience of the type of facility under consideration.
The target applied to an individual safety function should also take into account the conservatism of the method of risk analysis used. All qualitative methods such as risk graphs involve some evaluation of the critical parameters that contribute to risk. The factors that give rise to risk are the consequence of the hazardous event and its frequency. In determining these factors a number of risk parameters may need to be taken into account, such as vulnerability to the hazardous event, the number of people who may be affected by the hazardous event, the probability that a person is present when the hazardous event occurs (i.e. occupancy) and the probability of avoiding the hazardous event.
Qualitative methods generally involve deciding if a parameter lies within a certain range. The descriptions of the criteria when using such methods will need to be such that there can be a high level of confidence that the target for risks is not exceeded. This can involve setting range boundaries for all parameters so that applications with all parameters at the boundary condition will meet the specified risk criteria for safety. This approach to setting the range boundaries is very conservative because there will be very few applications where all parameters will be at the worst case of the range. If members of the public are to be exposed to risk from failure of an E/E/PE safety-related system, then a lower target will normally apply.
A.2.2 Societal risk
Societal risk arises where multiple fatalities are likely to arise from single events. Such events are called societal because they are likely to provoke a socio-political response. There can be significant public and organisational aversion to high consequence events and this will need to be taken into consideration in some cases. The criterion for societal risk is often expressed as a maximum accumulated frequency for fatal injuries to a specified number of persons. The criterion is normally specified in the form of one or more lines on an F/N plot, where F is the cumulative frequency of hazards and N the number of fatalities arising from the hazards. The relationship is normally a straight line when plotted on logarithmic scales. The slope of the line will depend on the extent to which the organisation is risk averse to higher levels of consequence. The requirement will be to ensure that the accumulated frequency for a specified number of fatalities is lower than the accumulated frequency expressed in the F/N plot (see reference [7] in the Bibliography).
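As an added worked example, not part of the standard, the F/N comparison described above in Python: the cumulative frequency F(N) is built from a constructed list of hazard scenarios and compared with a criterion line F = f1 · N^slope, which is straight on log-log axes. The anchor f1 and the slope are assumed organisation-specific values; changing the slope from −1 to −2 shows the effect of risk aversion on the same scenario set.

```python
"""Societal risk: check hazard scenarios against an F/N criterion line (added example)."""

# Constructed scenario list (illustrative values, not from the standard):
# (description, frequency per year, fatalities if the event occurs)
SCENARIOS = [
    ("small release, local fire", 5.0e-4, 1),
    ("vessel rupture", 1.0e-4, 5),
    ("major explosion", 2.0e-5, 20),
    ("escalation to neighbouring units", 1.0e-6, 100),
]


def criterion_frequency(n, f1=1e-3, slope=-1.0):
    """Tolerable cumulative frequency for N fatalities.

    The criterion is a straight line on log-log axes:
        log10 F = log10 f1 + slope * log10 N   <=>   F = f1 * N**slope
    f1 anchors the line at N = 1; a slope steeper than -1 expresses aversion
    to high-consequence events. Both are assumed organisation-specific values.
    """
    return f1 * n ** slope


def fn_curve(scenarios):
    """Cumulative frequency F(N): total frequency of events with N or more
    fatalities, evaluated at every consequence level present in the list."""
    levels = sorted({n for _, _, n in scenarios})
    return {n: sum(f for _, f, m in scenarios if m >= n) for n in levels}


def fn_breaches(scenarios, f1=1e-3, slope=-1.0):
    """Points (N, F(N), tolerable F) where the F/N curve lies above the line."""
    return [
        (n, f, criterion_frequency(n, f1, slope))
        for n, f in fn_curve(scenarios).items()
        if f > criterion_frequency(n, f1, slope)
    ]


if __name__ == "__main__":
    # Risk-neutral line (slope -1): this scenario set is acceptable.
    print("slope -1:", fn_breaches(SCENARIOS, slope=-1.0))
    # Risk-averse line (slope -2): the same scenarios breach the criterion
    # at every multi-fatality level (N = 5, 20, 100).
    print("slope -2:", fn_breaches(SCENARIOS, slope=-2.0))
```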
A.2.3 Continuous improvement
The principles of reducing risk to as low as reasonably practicable are discussed in Annex C.
___________
The question arises what the safe state of the society could be if such risks are mitigated by a safety function and which SIL would be appropriate to mitigate such risks.
A.2.4 Risk profile
In deciding risk criteria to be applied for a specific hazard, the risk profile over the life of the asset may need to be considered. Residual risk will vary from low just after a proof test or a repair has been performed to a maximum just prior to proof testing. This may need to be taken into consideration by organisations that specify the risk criteria to be applied. If proof test intervals are significant, then it may be appropriate to specify the maximum hazard probability that can be accepted just prior to proof testing, or that the PFD(t) or PFH(t) is lower than the upper SIL boundary more than a specified percentage of the time (e.g. 90 %).
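An added example, not from the standard, of the three risk-profile views in A.2.4 for a low-demand safety function: PFD(t) is computed with an assumed single-channel model without diagnostics or repair between proof tests (PFD(t) = 1 − exp(−λ_DU·t)), the SIL band boundaries are the low-demand target average PFD bands of IEC 61508-1, and the failure rate λ_DU and the proof-test interval are constructed values.

```python
"""Risk profile of a low-demand safety function over a proof-test interval (added example)."""
import math

# Upper boundary of each low-demand SIL band (target average PFD), IEC 61508-1:
# SIL 4: [1e-5, 1e-4)  SIL 3: [1e-4, 1e-3)  SIL 2: [1e-3, 1e-2)  SIL 1: [1e-2, 1e-1)
SIL_UPPER_BOUNDARY = {4: 1e-4, 3: 1e-3, 2: 1e-2, 1: 1e-1}


def pfd_t(lambda_du, t):
    """PFD(t) of a single channel, t hours after the last proof test.
    Assumed model: dangerous undetected failure rate lambda_du (per hour), no
    diagnostics and no repair until the next proof test, so the channel is in
    an unrevealed failed state with probability 1 - exp(-lambda_du * t)."""
    return 1.0 - math.exp(-lambda_du * t)


def pfd_avg(lambda_du, interval):
    """Exact time average of PFD(t) over one proof-test interval (hours)."""
    x = lambda_du * interval
    return 1.0 - (1.0 - math.exp(-x)) / x


def fraction_below_boundary(lambda_du, interval, sil):
    """Share of the interval during which PFD(t) stays below the upper SIL boundary.
    PFD(t) rises monotonically from 0 after a proof test, so it first reaches
    the boundary at t = -ln(1 - boundary) / lambda_du."""
    t_cross = -math.log(1.0 - SIL_UPPER_BOUNDARY[sil]) / lambda_du
    return min(1.0, t_cross / interval)


def risk_profile_check(lambda_du, interval, sil, min_fraction=0.9):
    """Evaluate the views named in A.2.4: average PFD, PFD just before the
    proof test, and the percentage-of-time criterion (default 90 %)."""
    frac = fraction_below_boundary(lambda_du, interval, sil)
    return {
        "pfd_avg": pfd_avg(lambda_du, interval),
        "pfd_before_proof_test": pfd_t(lambda_du, interval),
        "max_within_band": pfd_t(lambda_du, interval) < SIL_UPPER_BOUNDARY[sil],
        "fraction_below_boundary": frac,
        "time_criterion_met": frac >= min_fraction,
    }


if __name__ == "__main__":
    # Constructed values (not from the standard): lambda_DU = 1.2e-6 /h, yearly proof test.
    # The average PFD sits inside SIL 2, the peak just before the proof test does not,
    # yet PFD(t) is below the SIL 2 boundary for about 96 % of the interval.
    print(risk_profile_check(1.2e-6, 8760.0, sil=2))
```

Lowering the proof-test interval or the failure rate moves all three figures together; the example shows why the standard mentions the time-based criterion as an alternative to a pure maximum-PFD limit.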
A.3 Role of E/E/PE safety-related systems
E/E/PE safety-related systems contribute towards providing the necessary risk reduction in order to meet the tolerable risk.
A safety-related system both
– implements the required safety functions necessary to achieve a safe state for the equipment under control or to maintain a safe state for the equipment under control; and
– is intended to achieve, on its own or with other E/E/PE safety-related systems or other risk reduction measures, the necessary safety integrity for the required safety functions.
NOTE 1 The first part of the definition specifies that the safety-related system performs the safety functions which can be specified in the safety functions requirements specification. For example, the safety functions requirements specification can state that when the temperature reaches x, valve y can open to allow water to enter the vessel.
NOTE 2 The second part of the definition specifies that the safety functions can be performed by the safety-related systems with the degree of confidence appropriate to the application, in order that the tolerable risk will be achieved.
A person could be an integral part of an E/E/PE safety-related system. For example, a person could receive information, on the state of the EUC, from a display screen and perform a safety action based on this information.
E/E/PE safety-related systems can operate in a low demand mode of operation or a high demand or continuous mode of operation.
A.4 Safety integrity
Safety integrity is defined as the probability of a safety-related system satisfactorily performing the required safety functions under all the stated conditions within a stated period of time. Safety integrity relates to the performance of the safety-related systems in carrying out the safety functions (the safety functions to be performed will be specified in the safety functions requirements specification).
Safety integrity is considered to be composed of the following two elements.
– Hardware safety integrity: that part of safety integrity relating to random hardware failures in a dangerous mode of failure. The achievement of the specified level of safety-related hardware safety integrity can be estimated to a reasonable level of accuracy, and the requirements can therefore be apportioned between subsystems using the normal rules for the combination of probabilities. It may be necessary to use redundant architectures to achieve adequate hardware safety integrity.
– Systematic safety integrity: that part of safety integrity relating to systematic failures in a dangerous mode of failure. Although the mean failure rate due to systema
...