Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 5: Examples of methods for the determination of safety integrity levels

Provides information on the underlying concepts of risk and the relationship of risk to safety integrity (see annex A), and a number of methods that will enable the safety integrity levels for the E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities to be determined (see annexes B, C, D and E). Intended for use by technical committees in the preparation of standards in accordance with the principles contained in IEC Guide 104 and ISO/IEC Guide 51. EN 61508 is also intended as a stand-alone standard.

German title: Functional safety of safety-related electrical/electronic/programmable electronic systems - Part 5: Examples for determining the safety integrity level

French title: Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 5: Examples of methods for the determination of safety integrity levels

French abstract: Provides information on the underlying concepts of risk and the links between risk and safety integrity (see annex A), and methods that will make it possible to determine the safety integrity level of E/E/PE safety-related systems, safety-related systems based on other technologies and external risk reduction facilities (see annexes B, C, D and E). Intended for use by all technical committees in the preparation of their standards, in accordance with the principles described in IEC Guide 104 and ISO/IEC Guide 51. EN 61508 is also intended for use as a stand-alone standard.

Slovenian title: Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 5: Examples of methods for the determination of safety integrity levels (IEC 61508-5:1998 + corrigendum 1999)

General Information

Status
Withdrawn
Publication Date
20-Dec-2001
Withdrawal Date
31-Jul-2004
Technical Committee
CLC/SR 65A - System aspects
Drafting Committee
IEC/SC 65A - IEC_SC_65A
Parallel Committee
IEC/SC 65A - IEC_SC_65A
Current Stage
9960 - Withdrawal effective - Withdrawal
Start Date
01-May-2013
Completion Date
01-May-2013

Relations

Effective Date
28-Jan-2023


Frequently Asked Questions

EN 61508-5:2001 is a standard published by CLC. Its full title is "Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 5: Examples of methods for the determination of safety integrity levels". This standard covers: information on the underlying concepts of risk and the relationship of risk to safety integrity (see annex A), and a number of methods that will enable the safety integrity levels for the E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities to be determined (see annexes B, C, D and E). It is intended for use by technical committees in the preparation of standards in accordance with the principles contained in IEC Guide 104 and ISO/IEC Guide 51. EN 61508 is also intended as a stand-alone standard.


EN 61508-5:2001 is classified under the following ICS (International Classification for Standards) categories: 25.040.40 - Industrial process measurement and control. The ICS classification helps identify the subject area and facilitates finding related standards.

EN 61508-5:2001 has the following relationships with other standards: it has an inter-standard link to EN 61508-5:2010. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.

EN 61508-5:2001 is available in PDF format for immediate download after purchase. The document can be added to your cart and obtained through the secure checkout process. Digital delivery ensures instant access to the complete standard document.

Standards Content (Sample)



EUROPEAN STANDARD / NORME EUROPÉENNE / EUROPÄISCHE NORM
EN 61508-5
December 2001

CENELEC - European Committee for Electrotechnical Standardization (Comité Européen de Normalisation Electrotechnique; Europäisches Komitee für Elektrotechnische Normung). Central Secretariat: rue de Stassart 35, B - 1050 Brussels.
© 2001 CENELEC - All rights of exploitation in any form and by any means reserved worldwide for CENELEC members.
Ref. No. EN 61508-5:2001 E
ICS 25.040.40

English version: Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 5: Examples of methods for the determination of safety integrity levels (IEC 61508-5:1998 + corrigendum 1999). The French title (CEI 61508-5:1998 + corrigendum 1999) and the German title (IEC 61508-5:1998 + Corrigendum 1999) correspond to the English title.

This European Standard was approved by CENELEC on 2001-07-03. CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration.

Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the Central Secretariat or to any CENELEC member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CENELEC member into its own language and notified to the Central Secretariat has the same status as the official versions.

CENELEC members are the national electrotechnical committees of Austria, Belgium, Czech Republic, Denmark, Finland, France, Germany, Greece, Iceland, Ireland, Italy, Luxembourg, Malta, Netherlands, Norway, Portugal, Spain, Sweden, Switzerland and United Kingdom.

EN 50126 and EN 50128 were based on earlier drafts of IEC 61508. prEN 50129 is based on the principles of the latest version of IEC 61508.

This list does not preclude other sector implementations of IEC 61508 which could be currently under development or published within IEC or CENELEC.

- 3 - EN 61508-5:2001

Endorsement notice

The text of the International Standard IEC 61508-5:1998 including its corrigendum April 1999 was approved by CENELEC as a European Standard without any modification.

INTERNATIONAL STANDARD IEC 61508-5, First edition, 1998-12

Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 5: Examples of methods for the determination of safety integrity levels

© IEC 1998 – Copyright - all rights reserved. No part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from the publisher.

International Electrotechnical Commission, 3, rue de Varembé, PO Box 131, CH-1211 Geneva 20, Switzerland
Telephone: +41 22 919 02 11
Telefax: +41 22 919 03 00
E-mail: inmail@iec.ch
Web: www.iec.ch

Commission Electrotechnique Internationale / International Electrotechnical Commission
For price, see current catalogue. PRICE CODE U
61508-5 © IEC:1998 – 3 –

CONTENTS (page numbers refer to the IEC edition)

FOREWORD 5
INTRODUCTION 9

Clause
1 Scope 13
2 Normative references 17
3 Definitions and abbreviations 17

Annexes
A Risk and safety integrity – General concepts 19
B ALARP and tolerable risk concepts 31
C Determination of safety integrity levels: a quantitative method 37
D Determination of safety integrity levels – A qualitative method: risk graph 43
E Determination of safety integrity levels – A qualitative method: hazardous event severity matrix 53
F Bibliography 57

Figures
1 Overall framework of this standard 15
A.1 Risk reduction: general concepts 25
A.2 Risk and safety integrity concepts 25
A.3 Allocation of safety requirements to the E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities 29
B.1 Tolerable risk and ALARP 33
C.1 Safety integrity allocation: example for safety-related protection system 41
D.1 Risk graph: general scheme 47
D.2 Risk graph: example (illustrates general principles only) 49
E.1 Hazardous event severity matrix: example (illustrates general principles only) 55

Tables
B.1 Risk classification of accidents 35
B.2 Interpretation of risk classes 35
D.1 Example data relating to example risk graph (figure D.2) 51

INTERNATIONAL ELECTROTECHNICAL COMMISSION

FUNCTIONAL SAFETY OF ELECTRICAL/ELECTRONIC/PROGRAMMABLE ELECTRONIC SAFETY-RELATED SYSTEMS – Part 5: Examples of methods for the determination of safety integrity levels

FOREWORD

1) The IEC (International Electrotechnical Commission) is a worldwide organization for standardization comprising all national electrotechnical committees (IEC National Committees). The object of the IEC is to promote international co-operation on all questions concerning standardization in the electrical and electronic fields. To this end and in addition to other activities, the IEC publishes International Standards. Their preparation is entrusted to technical committees; any IEC National Committee interested in the subject dealt with may participate in this preparatory work. International, governmental and non-governmental organizations liaising with the IEC also participate in this preparation. The IEC collaborates closely with the International Organization for Standardization (ISO) in accordance with conditions determined by agreement between the two organizations.

2) The formal decisions or agreements of the IEC on technical matters express, as nearly as possible, an international consensus of opinion on the relevant subjects since each technical committee has representation from all interested National Committees.

3) The documents produced have the form of recommendations for international use and are published in the form of standards, technical reports or guides and they are accepted by the National Committees in that sense.

4) In order to promote international unification, IEC National Committees undertake to apply IEC International Standards transparently to the maximum extent possible in their national and regional standards. Any divergence between the IEC Standard and the corresponding national or regional standard shall be clearly indicated in the latter.

5) The IEC provides no marking procedure to indicate its approval and cannot be rendered responsible for any equipment declared to be in conformity with one of its standards.

6) Attention is drawn to the possibility that some of the elements of this International Standard may be the subject of patent rights. The IEC shall not be held responsible for identifying any or all such patent rights.

International Standard IEC 61508-5 has been prepared by subcommittee 65A: System aspects, of IEC technical committee 65: Industrial-process measurement and control.

The text of this standard is based on the following documents:

FDIS: 65A/266/FDIS
Report on voting: 65A/276/RVD

Full information on the voting for the approval of this standard can be found in the report on voting indicated in the above table.

Annexes A, B, C, D, E and F are for information only.

IEC 61508 consists of the following parts, under the general title Functional safety of electrical/electronic/programmable electronic safety-related systems:
– Part 1: General requirements
– Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems
– Part 3: Software requirements
– Part 4: Definitions and abbreviations
– Part 5: Examples of methods for the determination of safety integrity levels
– Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3
– Part 7: Overview of techniques and measures

This part 5 shall be read in conjunction with part 1. It has the status of a basic safety publication in accordance with IEC Guide 104. The contents of the corrigendum of April 1999 have been included in this copy.

INTRODUCTION

Systems comprised of electrical and/or electronic components have been used for many years to perform safety functions in most application sectors. Computer-based systems (generically referred to as programmable electronic systems (PESs)) are being used in all application sectors to perform non-safety functions and, increasingly, to perform safety functions. If computer system technology is to be effectively and safely exploited, it is essential that those responsible for making decisions have sufficient guidance on the safety aspects on which to make those decisions.

This International Standard sets out a generic approach for all safety lifecycle activities for systems comprised of electrical and/or electronic and/or programmable electronic components (electrical/electronic/programmable electronic systems (E/E/PESs)) that are used to perform safety functions. This unified approach has been adopted in order that a rational and consistent technical policy be developed for all electrically-based safety-related systems. A major objective is to facilitate the development of application sector standards.

In most situations, safety is achieved by a number of protective systems which rely on many technologies (for example mechanical, hydraulic, pneumatic, electrical, electronic, programmable electronic). Any safety strategy must therefore consider not only all the elements within an individual system (for example sensors, controlling devices and actuators) but also all the safety-related systems making up the total combination of safety-related systems. Therefore, while this International Standard is concerned with electrical/electronic/programmable electronic (E/E/PE) safety-related systems, it may also provide a framework within which safety-related systems based on other technologies may be considered.

It is recognised that there is a great variety of E/E/PES applications in a variety of application sectors and covering a wide range of complexity, hazard and risk potentials. In any particular application, the required safety measures will be dependent on many factors specific to the application. This Standard, by being generic, will enable such measures to be formulated in future application sector international standards.

This International Standard:
– considers all relevant overall, E/E/PES and software safety lifecycle phases (for example, from initial concept, through design, implementation, operation and maintenance to decommissioning) when E/E/PESs are used to perform safety functions;
– has been conceived with a rapidly developing technology in mind; the framework is sufficiently robust and comprehensive to cater for future developments;
– enables application sector international standards, dealing with safety-related E/E/PESs, to be developed; the development of application sector international standards, within the framework of this International Standard, should lead to a high level of consistency (for example, of underlying principles, terminology etc.) both within application sectors and across application sectors; this will have both safety and economic benefits;
– provides a method for the development of the safety requirements specification necessary to achieve the required functional safety for E/E/PE safety-related systems;
– uses safety integrity levels for specifying the target level of safety integrity for the safety functions to be implemented by the E/E/PE safety-related systems;
– adopts a risk-based approach for the determination of the safety integrity level requirements;
– sets numerical target failure measures for E/E/PE safety-related systems which are linked to the safety integrity levels;
– sets a lower limit on the target failure measures, in a dangerous mode of failure, that can be claimed for a single E/E/PE safety-related system; for E/E/PE safety-related systems operating in:
  – a low demand mode of operation, the lower limit is set at an average probability of failure of 10^-5 to perform its design function on demand;
  – a high demand or continuous mode of operation, the lower limit is set at a probability of a dangerous failure of 10^-9 per hour;

NOTE – A single E/E/PE safety-related system does not necessarily mean a single-channel architecture.

– adopts a broad range of principles, techniques and measures to achieve functional safety for E/E/PE safety-related systems, but does not use the concept of fail safe which may be of value when the failure modes are well defined and the level of complexity is relatively low. The concept of fail safe was considered inappropriate because of the full range of complexity of E/E/PE safety-related systems that are within the scope of the standard.

FUNCTIONAL SAFETY OF ELECTRICAL/ELECTRONIC/PROGRAMMABLE ELECTRONIC SAFETY-RELATED SYSTEMS – Part 5: Examples of methods for the determination of safety integrity levels

1 Scope

1.1 This part of IEC 61508 provides information on
– the underlying concepts of risk and the relationship of risk to safety integrity (see annex A);
– a number of methods that will enable the safety integrity levels for the E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities to be determined (see annexes B, C, D and E).

1.2 The method selected will depend upon the application sector and the specific circumstances under consideration. Annexes B, C, D and E illustrate quantitative and qualitative approaches and have been simplified in order to illustrate the underlying principles. These annexes have been included to illustrate the general principles of a number of methods but do not provide a definitive account. Those intending to apply the methods indicated in these annexes should consult the source material referenced.

NOTE – For more information on the approaches illustrated in annexes B, D and E, see references [4], [2] and [3] respectively in annex F. See also reference [5] in annex F for a description of an additional approach.

1.3 Parts 1, 2, 3 and 4 of this standard are basic safety publications, although this status does not apply in the context of low complexity E/E/PE safety-related systems (see 3.4.4 of part 4). As basic safety publications, they are intended for use by technical committees in the preparation of standards in accordance with the principles contained in IEC Guide 104 and ISO/IEC Guide 51. Parts 1, 2, 3, and 4 are also intended for use as stand-alone publications. One of the responsibilities of a technical committee is, wherever applicable, to make use of basic safety publications in the preparation of its publications. In this context, the requirements, test methods or test conditions of this basic safety publication will not apply unless specifically referred to or included in the publications prepared by those technical committees.

NOTE – In the USA and Canada, until the proposed process sector implementation of IEC 61508 (i.e. IEC 61511) is published as an international standard in the USA and Canada, existing national process safety standards based on IEC 61508 (i.e. ANSI/ISA S84.01-1996) can be applied to the process sector instead of IEC 61508.

1.4 Figure 1 shows the overall framework for parts 1 to 7 of IEC 61508 and indicates the role that IEC 61508-5 plays in the achievement of functional safety for E/E/PE safety-related systems.

Figure 1 – Overall framework of this standard (IEC 1 660/98)

[Figure not reproduced in this extract. Its boxes group the parts as technical requirements and other requirements: Part 1 covers the development of the overall safety requirements (concept, scope definition, hazard and risk analysis) for E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities (7.1 to 7.5), the allocation of the safety requirements to the E/E/PE safety-related systems (7.6), installation and commissioning and safety validation of E/E/PE safety-related systems (7.13 and 7.14), operation and maintenance, modification and retrofit, decommissioning or disposal of E/E/PE safety-related systems (7.15 to 7.17), management of functional safety (clause 6), functional safety assessment (clause 8) and documentation (clause 5 and annex A); Part 2 covers the realisation phase for E/E/PE safety-related systems and Part 3 the realisation phase for safety-related software; Part 4 gives definitions and abbreviations; Part 5 gives risk based approaches to the development of the safety integrity requirements; Part 6 gives guidelines for the application of parts 2 and 3; Part 7 gives an overview of techniques and measures.]

2 Normative references

The following normative documents contain provisions which, through reference in this text, constitute provisions of this International Standard. At the time of publication, the editions indicated were valid. All normative documents are subject to revision, and parties to agreements based on this International Standard are encouraged to investigate the possibility of applying the most recent editions of the normative documents indicated below. Members of IEC and ISO maintain registers of currently valid International Standards.

IEC 61508-1:1998, Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 1: General requirements

IEC 61508-2, — Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems 1)

IEC 61508-3:1998, Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 3: Software requirements

IEC 61508-4:1998, Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 4: Definitions and abbreviations of terms

IEC 61508-6, — Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 6: Guidelines on the application of parts 2 and 3 1)

IEC 61508-7, — Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 7: Overview of techniques and measures 1)

ISO/IEC Guide 51:1990, Guidelines for the inclusion of safety aspects in standards

IEC Guide 104:1997, Guide to the drafting of safety standards, and the role of Committees with safety pilot functions and safety group functions

3 Definitions and abbreviations

For the purposes of this standard, the definitions and abbreviations given in part 4 apply.

1) To be published.
Annex A (informative)
Risk and safety integrity – General concepts

A.1 General

This annex provides information on the underlying concepts of risk and the relationship of risk to safety integrity.

A.2 Necessary risk reduction

The necessary risk reduction (see 3.5.14 of IEC 61508-4) is the reduction in risk that has to be achieved to meet the tolerable risk for a specific situation (which may be stated either qualitatively 1) or quantitatively 2)). The concept of necessary risk reduction is of fundamental importance in the development of the safety requirements specification for the E/E/PE safety-related systems (in particular, the safety integrity requirements part of the safety requirements specification). The purpose of determining the tolerable risk for a specific hazardous event is to state what is deemed reasonable with respect to both the frequency (or probability) of the hazardous event and its specific consequences. Safety-related systems are designed to reduce the frequency (or probability) of the hazardous event and/or the consequences of the hazardous event.

The tolerable risk will depend on many factors (for example, severity of injury, the number of people exposed to danger, the frequency at which a person or people are exposed to danger and the duration of the exposure). Important factors will be the perception and views of those exposed to the hazardous event. In arriving at what constitutes a tolerable risk for a specific application, a number of inputs are considered. These include:
– guidelines from the appropriate safety regulatory authority;
– discussions and agreements with the different parties involved in the application;
– industry standards and guidelines;
– international discussions and agreements; the role of national and international standards is becoming increasingly important in arriving at tolerable risk criteria for specific applications;
– the best independent industrial, expert and scientific advice from advisory bodies;
– legal requirements, both general and those directly relevant to the specific application.

1) In achieving the tolerable risk, the necessary risk reduction will need to be established. Annexes D and E of IEC 61508-5 outline qualitative methods, although in the examples quoted the necessary risk reduction is incorporated implicitly rather than stated explicitly.
2) For example, that the hazardous event, leading to a specific consequence, shall not occur with a frequency greater than one in 10^8 h.

A.3 Role of E/E/PE safety-related systems

E/E/PE safety-related systems contribute towards meeting the necessary risk reduction in order to meet the tolerable risk.

A safety-related system both
– implements the required safety functions necessary to achieve a safe state for the equipment under control or to maintain a safe state for the equipment under control, and
– is intended to achieve, on its own or with other E/E/PE safety-related systems, other technology safety-related systems or external risk reduction facilities, the necessary safety integrity for the required safety functions (3.4.1 of IEC 61508-4).

NOTE 1 – The first part of the definition specifies that the safety-related system must perform the safety functions which would be specified in the safety functions requirements specification. For example, the safety functions requirements specification may state that when the temperature reaches x, valve y shall open to allow water to enter the vessel.

NOTE 2 – The second part of the definition specifies that the safety functions must be performed by the safety-related systems with the degree of confidence appropriate to the application, in order that the tolerable risk will be achieved.

A person could be an integral part of an E/E/PE safety-related system. For example, a person could receive information, on the state of the EUC, from a display screen and perform a safety action based on this information.

E/E/PE safety-related systems can operate in a low demand mode of operation or high demand or continuous mode of operation (see 3.5.12 of IEC 61508-4).

A.4 Safety integrity

Safety integrity is defined as the probability of a safety-related system satisfactorily performing the required safety functions under all the stated conditions within a stated period of time (3.5.2 of IEC 61508-4). Safety integrity relates to the performance of the safety-related systems in carrying out the safety functions (the safety functions to be performed will be specified in the safety functions requirements specification).

Safety integrity is considered to be composed of the following two elements.
– Hardware safety integrity; that part of safety integrity relating to random hardware failures in a dangerous mode of failure (see 3.5.5 of IEC 61508-4). The achievement of the specified level of safety-related hardware safety integrity can be estimated to a reasonable level of accuracy, and the requirements can therefore be apportioned between subsystems using the normal rules for the combination of probabilities. It may be necessary to use redundant architectures to achieve adequate hardware safety integrity.
– Systematic safety integrity; that part of safety integrity relating to systematic failures in a dangerous mode of failure (see 3.5.4 of IEC 61508-4). Although the mean failure rate due to systematic failures may be capable of estimation, the failure data obtained from design faults and common cause failures means that the distribution of failures can be hard to predict. This has the effect of increasing the uncertainty in the failure probability calculations for a specific situation (for example the probability of failure of a safety-related protection system). A judgement therefore has to be made on the selection of the best techniques to minimise this uncertainty. Note that it is not necessarily the case that measures to reduce the probability of random hardware failure will have a corresponding effect on the probability of systematic failure. Techniques such as redundant channels of identical hardware, which are very effective at controlling random hardware failures, are of little use in reducing systematic failures.

The required safety integrity of the E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities, must be of such a level so as to ensure that
– the failure frequency of the safety-related systems is sufficiently low to prevent the hazardous event frequency exceeding that required to meet the tolerable risk, and/or
– the safety-related systems modify the consequences of failure to the extent required to meet the tolerable risk.

Figure A.1 illustrates the general concepts of risk reduction. The general model assumes that
– there is an EUC and an EUC control system;
– there are associated human factor issues;
– the safety protective features comprise
  – external risk reduction facilities,
  – E/E/PE safety-related systems,
  – other technology safety-related systems.

NOTE – Figure A.1 is a generalised risk model to illustrate the general principles. The risk model for a specific application will need to be developed taking into account the specific manner in which the necessary risk reduction is actually being achieved by the E/E/PE safety-related systems and/or other technology safety-related systems and/or external risk reduction facilities. The resulting risk model may therefore differ from that shown in figure A.1.

The various risks indicated in figure A.1 are as follows:
– EUC risk: the risk existing for the specified hazardous events for the EUC, the EUC control system and associated human factor issues – no designated safety protective features are considered in the determination of this risk (see 3.2.4 of IEC 61508-4);
– tolerable risk: the risk which is accepted in a given context based on the current values of society (see 3.1.6 of IEC 61508-4);
– residual risk: in the context of this standard, the residual risk is that remaining for the specified hazardous events for the EUC, the EUC control system, human factor issues but with the addition of external risk reduction facilities, E/E/PE safety-related systems and other technology safety-related systems (see also 3.1.7 of IEC 61508-4).

The EUC risk is a function of the risk associated with the EUC itself but taking into account the risk reduction brought about by the EUC control system. To prevent unreasonable claims for the safety integrity of the EUC control system, this standard places constraints on the claims that can be made (see 7.5.2.5 of IEC 61508-1).

The necessary risk reduction is achieved by a combination of all the safety protective features. The necessary risk reduction to achieve the specified tolerable risk, from a starting point of the EUC risk, is shown in figure A.1.

Figure A.1 – Risk reduction: general concepts

[Figure not reproduced in this extract. On an axis of increasing risk it places the residual risk, the tolerable risk and the EUC risk; the necessary risk reduction spans from the EUC risk down to the tolerable risk, and the actual risk reduction (the risk reduction achieved by all safety-related systems and external risk reduction facilities) is divided into the partial risk covered by E/E/PE safety-related systems, the partial risk covered by other technology safety-related systems and the partial risk covered by external risk reduction facilities. The EUC and the EUC control system are shown as the starting point.]
...
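To make the figure A.1 quantities concrete, the following is an added worked example (not text or code from the standard): it takes an EUC hazardous event frequency and a tolerable frequency of one in 10^8 h (as in footnote 2 of A.2), derives the necessary risk reduction, credits independent external and other-technology features by multiplying their probabilities of failure on demand (the combination-of-probabilities rule A.4 mentions), and checks the PFD left for the E/E/PE system against the 10^-5 single-system lower limit stated in the introduction. The feature names, PFD values and the `assess` helper are constructed for illustration, independence of the features is an assumption, and the low demand SIL bands come from IEC 61508-1 table 2, which this page does not reproduce.

```python
"""
Worked numbers for the risk-reduction model of annex A (figure A.1): EUC risk,
tolerable risk, the necessary risk reduction, and the share of the actual risk
reduction credited to each safety protective feature. Added example; all
input values are constructed for illustration.
"""
from dataclasses import dataclass

# Lower limit the standard lets a single E/E/PE safety-related system claim in
# low demand mode (see the introduction): average PFD of 10^-5.
SINGLE_EEPE_PFD_LOWER_LIMIT = 1e-5

# Low demand SIL bands for the average probability of failure on demand, from
# IEC 61508-1 table 2 (that table is not reproduced on this page):
# (SIL, lower bound inclusive, upper bound exclusive).
SIL_BANDS_LOW_DEMAND = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))


@dataclass(frozen=True)
class ProtectiveFeature:
    """A safety protective feature of figure A.1 and the average PFD credited to it."""
    name: str
    kind: str  # "external risk reduction facility", "other technology" or "E/E/PE"
    pfd: float

    def __post_init__(self):
        if not 0.0 < self.pfd <= 1.0:
            raise ValueError(f"{self.name}: PFD must lie in (0, 1]")


def necessary_risk_reduction(euc_freq_per_h, tolerable_freq_per_h):
    """Risk reduction factor needed to bring the EUC risk down to the tolerable risk."""
    if euc_freq_per_h <= 0 or tolerable_freq_per_h <= 0:
        raise ValueError("frequencies must be positive")
    return max(1.0, euc_freq_per_h / tolerable_freq_per_h)


def combined_pfd(features):
    """PFD of all features together. Assumes the features are independent and
    each acts on demand, so their probabilities multiply (the 'normal rules
    for the combination of probabilities' of annex A.4)."""
    total = 1.0
    for f in features:
        total *= f.pfd
    return total


def required_eepe_pfd(euc_freq_per_h, tolerable_freq_per_h, other_features):
    """Average PFD the E/E/PE safety-related system must reach so that the
    residual risk meets the tolerable risk, after crediting the external risk
    reduction facilities and other technology systems in other_features."""
    needed = tolerable_freq_per_h / (euc_freq_per_h * combined_pfd(other_features))
    return min(needed, 1.0)


def sil_for_pfd(pfd):
    """Lowest SIL whose low demand band covers the required PFD. Returns None
    when the PFD is below the 10^-5 limit for a single E/E/PE system (more
    than one safety-related system or further risk reduction is then needed)
    and 0 when the PFD is 10^-1 or above (below the SIL 1 band)."""
    if pfd < SINGLE_EEPE_PFD_LOWER_LIMIT:
        return None
    for sil, lo, hi in SIL_BANDS_LOW_DEMAND:
        if lo <= pfd < hi:
            return sil
    return 0


def assess(euc_freq_per_h, tolerable_freq_per_h, features):
    """Summarise the figure A.1 quantities for a set of protective features."""
    residual = euc_freq_per_h * combined_pfd(features)
    return {
        "necessary_risk_reduction": necessary_risk_reduction(euc_freq_per_h, tolerable_freq_per_h),
        "actual_risk_reduction": 1.0 / combined_pfd(features),
        "partial_risk_reduction": {f.name: 1.0 / f.pfd for f in features},
        "residual_frequency_per_h": residual,
        "meets_tolerable_risk": residual <= tolerable_freq_per_h,
    }


# Constructed scenario: the EUC and its control system alone would lead to the
# hazardous event 5e-4 times per hour; the tolerable frequency is taken as one
# in 10^8 h (footnote 2 of annex A.2). Feature PFDs are illustrative only.
EUC_FREQ = 5e-4
TOLERABLE_FREQ = 1e-8
OTHER_FEATURES = [
    ProtectiveFeature("bund", "external risk reduction facility", 0.1),
    ProtectiveFeature("relief valve", "other technology", 0.05),
]

if __name__ == "__main__":
    pfd_needed = required_eepe_pfd(EUC_FREQ, TOLERABLE_FREQ, OTHER_FEATURES)
    print(f"necessary risk reduction: {necessary_risk_reduction(EUC_FREQ, TOLERABLE_FREQ):.0f}")
    print(f"required E/E/PE PFD: {pfd_needed:.1e} -> SIL {sil_for_pfd(pfd_needed)}")
    design = OTHER_FEATURES + [ProtectiveFeature("trip system", "E/E/PE", 2e-3)]
    print(assess(EUC_FREQ, TOLERABLE_FREQ, design))
```

With the constructed numbers the two non-E/E/PE features leave a required PFD of 4e-3 for the trip system, which falls in the SIL 2 band; dropping both and demanding the whole reduction from one E/E/PE system would need a PFD below 10^-5, which the standard does not allow to be claimed for a single system.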
