SIST-TP CLC IEC/TR 63161:2024
Assignment of safety integrity requirements - Basic rationale (IEC/TR 63161:2022)
This Technical Report is applicable, where a risk assessment according to ISO 12100 has been conducted for a machine or process plant and where a safety related control function has been selected for implementation as a protective measure against specified hazards.
For the given case, this Technical Report describes the basic logical rationale, which is followed to assign a safety integrity requirement to the selected function.
This Technical Report is applicable to safety related control functions in all modes of application:
continuous mode, high demand mode and low demand mode of application
Zuordnung der Sicherheitsintegritäts-Anforderungen - Grundlegende Begründungen (IEC/TR 63161:2022)
Attribution des exigences en matière d'intégrité de la sécurité - Justification fondamentale (IEC/TR 63161:2022)
Dodelitev zahtev celovite varnosti - Osnovni princip (IEC/TR 63161:2022)
This Technical Report is applicable where a risk assessment according to ISO 12100 has been conducted for a machine or process plant and where a safety related control function has been selected as a protective measure against specified hazards.
For the given case, this Technical Report describes the basic logical rationale according to which a safety integrity requirement is assigned to the selected function.
This Technical Report is applicable to safety related control functions in all modes of application:
continuous mode, high demand mode and low demand mode.
Standards Content (Sample)
SLOVENIAN STANDARD
01-September-2024
Dodelitev zahtev celovite varnosti - Osnovni princip (IEC/TR 63161:2022)
Assignment of safety integrity requirements - Basic rationale (IEC/TR 63161:2022)
Zuordnung der Sicherheitsintegritäts-Anforderungen - Grundlegende Begründungen
(IEC/TR 63161:2022)
Attribution des exigences en matière d'intégrité de la sécurité - Justification
fondamentale (IEC/TR 63161:2022)
This Slovenian standard is identical to: CLC IEC/TR 63161:2024
ICS:
13.110 Safety of machinery
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.
TECHNICAL REPORT CLC IEC/TR 63161
RAPPORT TECHNIQUE
TECHNISCHER REPORT
February 2024
ICS 13.110
English Version
Assignment of safety integrity requirements - Basic rationale
(IEC/TR 63161:2022)
Attribution des exigences en matière d'intégrité de la sécurité - Justification fondamentale
(IEC/TR 63161:2022)
Zuordnung der Sicherheitsintegritäts-Anforderungen - Grundlegende Begründungen
(IEC/TR 63161:2022)
This Technical Report was approved by CENELEC on 2024-01-22.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic,
Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the
Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland,
Türkiye and the United Kingdom.
European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2024 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.
Ref. No. CLC IEC/TR 63161:2024 E
European foreword
This document (CLC IEC/TR 63161:2024) consists of the text of IEC/TR 63161:2022 prepared by
IEC/TC 44 "Safety of machinery - Electrotechnical aspects".
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CENELEC shall not be held responsible for identifying any or all such patent rights.
Any feedback and questions on this document should be directed to the users’ national committee. A
complete listing of these bodies can be found on the CENELEC website.
Endorsement notice
The text of the International Technical Report IEC/TR 63161:2022 was approved by CENELEC as a
European Technical Report without any modification.
In the official version, for Bibliography, the following notes have to be added for the standard indicated:
IEC 61508-1 NOTE Approved as EN 61508-1
IEC 61508-4:2010 NOTE Approved as EN 61508-4:2010 (not modified)
IEC 61508-5:2010 NOTE Approved as EN 61508-5:2010 (not modified)
IEC 61511-1:2016 NOTE Approved as EN 61511-1:2017 (not modified)
IEC 62061:2021 NOTE Approved as EN IEC 62061:2021 (not modified)
ISO 13849 (series) NOTE Approved as EN ISO 13849 (series)
Annex ZA
(normative)
Normative references to international publications
with their corresponding European publications
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
NOTE 1 Where an International Publication has been modified by common modifications, indicated by (mod), the
relevant EN/HD applies.
NOTE 2 Up-to-date information on the latest versions of the European Standards listed in this annex is available
here: www.cencenelec.eu.
Publication   Year   Title                                                    EN/HD          Year
ISO 12100     2010   Safety of machinery – General principles for design –    EN ISO 12100   2010
                     Risk assessment and risk reduction
IEC TR 63161
Edition 1.0 2022-07
TECHNICAL REPORT
Assignment of safety integrity requirements – Basic rationale
INTERNATIONAL ELECTROTECHNICAL COMMISSION
ICS 13.110   ISBN 978-2-8322-3944-5
– 2 – IEC TR 63161:2022 © IEC 2022
CONTENTS
FOREWORD . 4
INTRODUCTION . 6
1 Scope . 7
2 Normative references . 7
3 Terms and definitions . 7
4 Risk based quantitative approach . 10
4.1 General . 10
4.2 Sequence of steps in functional safety assignment . 10
4.3 Reference information . 12
4.3.1 General . 12
4.3.2 Accident scenario . 13
4.3.3 Hazard zone . 13
4.3.4 Severity of harm . 13
4.3.5 Safety control function . 14
5 Quantified parameters of a functional safety assignment . 14
5.1 General . 14
5.2 Parameter types . 14
5.2.1 General . 14
5.2.2 Probability . 14
5.2.3 Event rate . 14
5.3 Probability of occurrence of harm . 15
5.4 Quantification of risk . 15
5.5 Target failure measure . 15
5.6 Probability of occurrence of a hazardous event – P_r . 16
5.7 Exposure parameter – F_r . 17
5.8 Probability of avoiding or limiting harm – A_v . 18
5.8.1 General . 18
5.8.2 Vulnerability (V) . 18
5.8.3 Avoidability (A) . 19
5.9 Demand types and related event rates . 19
5.9.1 Event classes . 19
5.9.2 Demand and demand rate . 20
5.9.3 Initiating events and rate of initiating events I_R . 20
5.9.4 Safety demands and safety demand rate D_R . 21
5.9.5 Tolerable risk limit – Parameter L_(S) . 22
5.10 Additional parameters . 23
6 General principle of functional safety assignment . 25
6.1 Basics . 25
6.1.1 Applicability to complete functions . 25
6.1.2 Risk relation . 25
6.1.3 Logical independence of parameters . 25
6.2 High demand or continuous mode of operation . 25
6.3 Low demand mode of operation . 26
7 Assignment of the demand mode . 27
7.1 Demand mode – General . 27
7.2 Assignment criteria . 30
8 Relation to ISO 12100 . 30
9 Tools for functional safety assignment . 31
9.1 General . 31
9.2 Selection of independent parameters . 32
9.3 Logarithmizing parameters . 32
9.4 Discretization of parameters . 32
9.5 Parameter scores . 33
9.6 Scoring methods in strict sense . 34
Annex A (informative) Examples of SIL assignment tools numerical analysis . 35
A.1 General . 35
A.2 Assignment of score values to parameter entries . 35
A.3 Extraction of tolerable risk limits . 36
A.4 Risk matrix of IEC 62061 . 38
A.5 Risk graph of ISO 13849 . 41
A.6 Risk graphs for low demand mode of operation . 43
Bibliography . 46
Figure 1 – Sequence of steps in functional safety assignment. 12
Figure 2 – Protection layers, event rates and their relation. 22
Figure 3 – Hazard rate according to the Henley / Kumamoto equation . 29
Figure 4 – Elements of risk according to ISO 12100 . 31
Figure 5 – Discretization of parameters . 33
Figure A.1 – Extraction of tolerable risk limits . 37
Figure A.2 – Risk matrix based on IEC 62061 . 38
Figure A.3 – Maximum allowable PFH as function of the score sum for the different severity levels . 39
Figure A.4 – Representation by a continuous numerical interpolation . 40
Figure A.5 – Risk graph of ISO 13849-1 . 41
Figure A.6 – Interpolation per severity level . 43
Figure A.7 – Risk graph for low demand mode of operation . 44
Figure A.8 – Risk graph for low demand mode of operation – from Figure 7 of VDMA 4315-1 . 45
Table 1 – Parameters overview . 24
Table A.1 – Relation between PLs and ranges in PFH . 42
INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
ASSIGNMENT OF SAFETY INTEGRITY REQUIREMENTS –
BASIC RATIONALE
FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote international
co-operation on all questions concerning standardization in the electrical and electronic fields. To this end and
in addition to other activities, IEC publishes International Standards, Technical Specifications, Technical Reports,
Publicly Available Specifications (PAS) and Guides (hereafter referred to as "IEC Publication(s)"). Their
preparation is entrusted to technical committees; any IEC National Committee interested in the subject dealt with
may participate in this preparatory work. International, governmental and non-governmental organizations liaising
with the IEC also participate in this preparation. IEC collaborates closely with the International Organization for
Standardization (ISO) in accordance with conditions determined by agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence between
any IEC Publication and the corresponding national or regional publication shall be clearly indicated in the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of patent
rights. IEC shall not be held responsible for identifying any or all such patent rights.
IEC TR 63161 has been prepared by IEC technical committee 44: Safety of machinery –
Electrotechnical aspects. It is a Technical Report.
The text of this Technical Report is based on the following documents:
Draft          Report on voting
44/935A/DTR    44/954/RVDTR
Full information on the voting for its approval can be found in the report on voting indicated in
the above table.
The language used for the development of this Technical Report is English.
This document was drafted in accordance with ISO/IEC Directives, Part 2, and developed in
accordance with ISO/IEC Directives, Part 1 and ISO/IEC Directives, IEC Supplement, available
at www.iec.ch/members_experts/refdocs. The main document types developed by IEC are
described in greater detail at www.iec.ch/standardsdev/publications.
The committee has decided that the contents of this document will remain unchanged until the
stability date indicated on the IEC website under "http://webstore.iec.ch" in the data related to
the specific document. At this date, the document will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
IMPORTANT – The 'colour inside' logo on the cover page of this publication indicates that it
contains colours which are considered to be useful for the correct understanding of its
contents. Users should therefore print this document using a colour printer.
INTRODUCTION
This document describes an example basic logical rationale for assigning a safety integrity
requirement to a safety related control function in a risk based approach. The parameters for
the assignment are explained. It is described how these parameters can relate to the risk
assessment according to ISO 12100 and to the safety integrity requirement.
ASSIGNMENT OF SAFETY INTEGRITY REQUIREMENTS –
BASIC RATIONALE
1 Scope
This document can be used where a risk assessment according to ISO 12100 has been
conducted for a machine or process plant and where a safety related control function has been
selected for implementation as a protective measure against specified hazards. This document
describes an example basic logical rationale to assign a safety integrity requirement to the
selected function.
The description is generic and as far as reasonably possible independent from any specific tool
or method that can be used for assignment of a safety integrity requirement. The requirement
can be expressed as a safety integrity level (SIL), or performance level (PL).
An example basic rationale is described that is embodied by such methods and tools, as far as
they follow a risk based quantitative approach.
Conversely, the logic described in this document can be used as a reference for assessing
specific methods or tools for safety integrity assignment. This can clarify how far the respective
tool/method is following a risk based quantitative approach, and where deviations from that
approach are imposed by other considerations. In real applications, the quantitative risk based
approach can be modified or overridden by other considerations in many cases and for good
reasons. It is not within the scope of this document to discuss or evaluate such reasons. Usually
the reasons for deviations from a given tool or method from a quantitative logic are provided,
so that this can be discussed in the proper frame.
Examples for such analyses are provided for common assignment tools in the format of risk
graphs and risk matrices.
This document can be used for safety related control functions in all modes of application:
continuous mode, high demand mode and low demand mode of application.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies.
For undated references, the latest edition of the referenced document (including any
amendments) applies.
ISO 12100:2010, Safety of machinery – General principles for design – Risk assessment and
risk reduction
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following
addresses:
• IEC Electropedia: available at http://www.electropedia.org/
• ISO Online browsing platform: available at http://www.iso.org/obp
3.1
probability
real number in the interval 0 to 1 attached to a random event and expressing quantitatively how
likely the occurrence of that event is
Note 1 to entry: See 5.2.2 for more information.
[SOURCE: IEC 60050-103:2009, 103-08-02, modified – Notes 1 and 2 to entry have been
removed and replaced with a new Note 1 to entry.]
3.2
event rate
frequency with the dimension of time^−1, typically given in the units h^−1 or year^−1, attached to a
random event and expressing quantitatively how frequently this event is expected to occur
Note 1 to entry: See 5.2.3 for more information.
3.3
tolerable risk
level of risk that is accepted in a given context based on the current values of society
Note 1 to entry: For the purposes of ISO/IEC Guide 51:2014, the terms "acceptable risk" and "tolerable risk" are
considered to be synonymous.
[SOURCE: ISO/IEC Guide 51:2014, 3.15]
3.4
tolerable risk limit
risk which is accepted in the context of a given hazard of machinery or process equipment and
which is quantified as an event rate for the occurrence of harm with a specified level of severity
as a consequence of the hazard
Note 1 to entry: See 5.9.5 for more information.
Note 2 to entry: The harm with the specified level of severity is a necessary attribute of a tolerable risk limit, however
it is not expressed in the limit itself.
Note 3 to entry: This definition adds the element of quantification to the general definition of "tolerable risk", which
is not necessarily implied in the term "tolerable risk" without the modifier "limit".
3.5
hazardous event
event that can cause harm
Note 1 to entry: See 4.3.2 for more information.
[SOURCE: ISO 12100:2010, 3.9, modified – The note to entry has been removed and replaced
by a new one.]
3.6
hazardous situation
circumstance in which a person is exposed to at least one hazard
Note 1 to entry: According to ISO 12100:2010, 3.10.
Note 2 to entry: See 4.3.2 for more information.
[SOURCE: ISO 12100:2010, 3.10, modified – The note to entry has been removed and replaced
by two new ones.]
3.7
demand
event that causes the safety control system to perform the safety
control function
Note 1 to entry: See 5.9.2 for more information.
[SOURCE: IEC 62061:2021, 3.2.25, modified – The abbreviated term "SCS" has been replaced
by the words "safety control system", and "a safety function" has been replaced with "the safety
control function".]
3.8
initiating event
situation which, without the safety function, will result in damage
or harm of any sort or severity
Note 1 to entry: See 5.9.3 for more information.
3.9
safety demand
situation where, unless prevented by the safety control function
under assessment, an accident with a specified level of harm to people would occur
Note 1 to entry: See 5.9.4 for more information.
3.10
hazard rate
rate of accidents of a specific severity in conjunction with a specific hazard that occurs although
a safety control function has been installed to prevent this type of accident
3.11
probability of avoiding or limiting harm
probability that potentially exposed persons do not suffer harm of the specified level of severity
during a hazardous event
Note 1 to entry: See 5.8 for more information.
3.12
avoidability
probability that potentially exposed persons avoid exposure to the hazard during a hazardous
event
Note 1 to entry: See 5.8 for more information.
3.13
vulnerability
probability that exposed persons in a hazardous situation do suffer harm of the specified level
of severity
Note 1 to entry: See 5.8 for more information.
3.14
hidden failure
hidden fault
failure or fault in hardware or software that does not announce itself and is not detected by
dedicated methods when it occurs
Note 1 to entry: The term "hidden" in the given sense is complementary to the term "revealed" according to
IEC 61511-1:2016, 3.2.13.
Note 2 to entry: A hardware or software failure or fault announces itself, e.g. by a disturbance of the equipment
under control, its working process, or its surroundings.
Note 3 to entry: The "hidden status" of a hardware or software failure or fault is terminated when it is either detected
by a dedicated check or method, or when it becomes overt by disturbing the equipment under control, its working
process, or its surroundings. This may be related, e.g. to a change of the operation status or to a person approaching
the equipment. Failures that stay "hidden" without termination are not relevant.
4 Risk based quantitative approach
4.1 General
In a risk based approach, a safety control function can be specified to keep a risk that is caused
by a machine or process below a defined maximum level, the "tolerable risk limit".
The concept of "risk" is defined in ISO 12100:2010, 3.12 as "combination of the probability of
occurrence of harm and the severity of that harm". Although both elements of the definition can
be understood quantitatively, "risk" is not necessarily understood as a quantifiable parameter
in the context of ISO 12100. That holds even more for the "tolerable risk", i.e. the risk which is
accepted in a given context based on the values of society.
On the other hand, the efficiency of a safety control function for mitigating risk, often indicated
as reliability of the control system, is described with the term "safety integrity". This expresses
the degree of reliance that is put on a safety control function. "Safety integrity" has a quantitative
aspect, which is clearly revealed by the complement of safety integrity, the unreliability of a
safety control function. The unreliability is quantified as "target failure measure", i.e. either as
average probability of the function to fail on demand PFD_avg, or as the rate of dangerous
function failures per hour, PFH.
SIL assignment is the process of deriving a target figure for the failure measure of a safety
control function from a risk assessment. As soon as a risk assessment is used as a basis for
specifying a required level of safety integrity, it is implied that elements of this risk assessment
are quantified. After all, a quantitative result is derived as output of the procedure and it is
generally assumed that this is in a logical relation to the assumptions which were used as inputs.
Consequently, there is a basic logical rationale of functional safety assignment, which captures
all relevant aspects of the application of a safety control function in quantified parameters and
sets them in a logical relation to the tolerable risk limit and the target failure measure for the
function.
NOTE Information on risk management can be found in ISO 31000:2018.
4.2 Sequence of steps in functional safety assignment
The following steps can be used to lead to a functional safety assignment in the context of a
risk analysis for a machine or process. In this context, "SIL" is used as generic placeholder for
any type of safety integrity indicator.
1) A hazard is identified by the analysis.
2) Accident scenarios with that hazard can be developed: It is stated which persons could
suffer which type of harm, by which parts or functions of the machine, in which operation
modes of the machine or process, etc. – see 4.3.2 for the elements of an accident scenario.
3) Mitigation measures can be devised conceptually. According to ISO 12100:2010, 6.1, the
priority of measures decreases from inherently safe design measures (step 1) over
safeguarding and/or complementary protective measures (step 2) to information for use
(step 3). Safety functions are a form of "safeguarding and/or complementary protective
measures".
4) The iteration of the overall design of the machine or process leads to the decision that an
instrumented control function will be implemented. At the latest at this point, the
functionalities of the control function are defined.
5) The safety related parts of the instrumented control function can be identified. With respect
to the hazard in step 1 above, the function will be capable of preventing the given hazard
from causing harm, if it works as devised.
NOTE 1 The required SIL is relevant for the functionality according to step 5. With this step 5, the preconditions
for a SIL-assignment can be given. The following steps comprise the assignment in a strict sense. Typically, this
can be done using a graphical tool, table or scoring system. The current description assumes that no such pre-
designed tool is available, but the basic logic of the process can be followed in a "quantitative approach",
meaning that the parameters are assigned numerical values and their relation to the "target failure measure" is
expressed in explicit equations.
6) The severity class of the representative accident scenario can be determined – see 4.3.4.
7) The rate of initiating events for the accident scenarios can be determined – see 5.9.3.
8) From the risk analysis, the circumstances and conditions can be extracted, which could
prevent an accident of the given severity or higher, once an initiating event is given, but
without assuming the safety function as effective. These circumstances and conditions can
be assigned to the factors P_r, F_r, or A_v and are estimated quantitatively (see 5.6, 5.7, and
5.8). Each of the given factors is a probability in the strict sense according to 5.2.2.
Consequently, each of these parameters will be quantified as a real number, in the range of
0 to 1.
NOTE 2 In graphical tool and scoring methods, the numerical range is typically "discretized". This means only
discrete values are used, each of which represents a certain range of the continuous range between 0 and 1.
9) The expected rate of accidents without safety function – the "safety demand rate" – can be
determined according to Formula (4).
10) The expected rate of accidents with safety function – the "hazard rate" – can be determined
according to Formula (6).
11) The allowable failure rate of the safety function PFH can be obtained from Formula (7). This
implies that the expected rate of accidents is compared with a tolerable limit L_(S) for the
given severity class.
12) Demand mode assignment: Up to this point, the safety function has been treated as a
function in high demand mode of application. Accordingly, the initiating event rate has so
far not been used for determining the requirement. See Formula (7) in 6.2 and the
explanation given there. Still, initiating event rate I_R and safety demand rate D_R can be
determined:
• I_R and D_R are input for the decision between high demand mode of operation and low
demand mode of operation.
• I_R is needed for specifying and/or evaluating the rates and reaction times of diagnostic
measures.
With the information about initiating event rate I_R, safety demand rate D_R and other
particulars of the application such as feasibility of regular proof tests, it can now be decided
whether the function is to be treated as a function in a low demand mode of operation. See
Clause 7.
NOTE 3 More information on demand rate and determination of the required SIL level can be found in
IEC TR 63039:2016.
The flow chart in Figure 1 describes the steps mentioned above.
Figure 1 – Sequence of steps in functional safety assignment
NOTE 4 More information on techniques to be applied for the individual steps in Figure 1 can be found in
ISO 31010:2019.
4.3 Reference information
4.3.1 General
The quantified parameters in a risk assessment are always related to reference information that
is not in itself quantitative in nature. This information does not itself appear in the shape of
parameters with a value in the risk assessment and SIL assignment. However, it provides the
reference and justification for those parameters that can be quantified.
4.3.2 Accident scenario
A safety function can be defined as a safeguard against certain accidents. An "accident
scenario" can be given as a short, generalized narrative that connects in a simple
comprehensible story all the aspects that are common to the accidents under discussion. An
accident scenario can identify:
• which type of machinery or equipment is involved in the accident;
• which aspect of the equipment or its operation is giving rise to the accident; what the
"hazard" is; examples of how hazards can be described with their origin, consequences and
situation sketches are given in ISO 12100:2010, Annex B;
• who can be affected, in which operation situation of the equipment;
• in which way people could be affected – which harm would they suffer, in which level of
severity;
• which initial events can lead to the accident: failures of parts, human errors, and external
influences?
• in which way would the event proceed from initial events to the final accidents; are there
specific intermediate stages that could be identified as typical steps? Are there specific
boundary conditions that influence the progress of events?
In the sequence of events of an accident scenario, two stages have specific definitions in
ISO 12100. See also Table 1 in 5.10.
• Hazardous event: event that can cause harm (ISO 12100:2010, 3.9): This implies that the
machinery does exert potentially dangerous effects to a "hazard zone", while the access of
persons to that hazard zone is not prevented.
• Hazardous situation: circumstance in which a person is exposed to at least one hazard
(ISO 12100:2010, 3.10): This is a "hazardous event" with the additional condition that a
person is indeed situated entirely within the hazard zone or with body parts within the hazard
zone.
4.3.3 Hazard zone
In the context of an accident scenario, the hazard zone can be given as the volume and/or
ground in or around the machine where people could come into contact with the hazard caused
by the machine. The hazard zone can be defined as reference for the "exposure parameter".
See also ISO 12100:2010, 3.11.
4.3.4 Severity of harm
"Risk" is defined in ISO 12100:2010, 3.12 as a "combination of the probability of occurrence of
harm and the severity of that harm". The "severity of harm" is generally expressed in "severity
classes": S1, S2, and so on. These classes are defined each with an exemplary description of
the harm, such as:
• Severity class S1: minor injury including scratches and minor bruises that require attention
by first aid means without medical intervention;
• Severity class S2: reversible injury, including severe lacerations, stabbing, and severe
bruises that require attention from a medical practitioner;
• and so on.
Expressing the "severity" quantitatively, with a number and a unit, is generally avoided.
Accordingly, it is not established practice to express risk in a specific unit either. Instead, the
hazard and risk assessment identifies the applicable severity class as a qualitative descriptor
of the risk. As such, the severity is a boundary condition of the quantitative assessment,
however not explicitly included in it.
4.3.5 Safety control function
To assign a SIL, it needs to be known which types of accidents the function under
assessment can prevent. The assignment of a SIL to a safety function is related to the risk that
the safety function can mitigate. Therefore, a short functional description of the function is
used as a boundary condition for the assignment: for example, which signals at which levels
or values trigger the function (process signals), and what it does (stop a certain movement,
interrupt an electrical line, close a media line, bring something into a specific position, etc.).
5 Quantified parameters of a functional safety assignment
5.1 General
The parameters described in this Clause 5 express either the frequency of certain
events in time, or the likelihood of events under given initial conditions. Both can be
quantified on a numerical scale.
5.2 Parameter types
5.2.1 General
Quantified parameters in risk estimation can be separated into two distinct types:
• as probability in a strict sense;
• as event rate.
For quantitative risk assessment and SIL assignment, this distinction is essential.
5.2.2 Probability
A probability in a strict sense quantifies the expectancy that a given statement is true under
given conditions. That can be expressed with a real number between 0 and 1, without unit.
EXAMPLE
How likely is it that a person will suffer at least a severe injury if it occurs inside a building when this building
collapses?
Statement: A person will suffer at least a severe injury.
Precondition: The person is inside a building when it collapses.
The answer would be given in terms of a probability value:
0 would indicate that the collapse of the building would never inflict a severe injury or worse on the person inside
the building;
1 would indicate that the collapse would inflict with certainty at least a severe injury.
In this example, the available information would not be sufficient to decide on a probability value with any confidence.
The answer would depend critically, e.g. on the specifics of the building and the situation of the person inside it.
5.2.3 Event rate
An event rate quantifies the expectancy of how frequently a given event will occur within a
given time and a given reference frame. It is expressed as the ratio of the expected number
of events to the length of the time. The dimension of an event rate is (time)⁻¹, typically in the
units 1/h or 1/year.
A failure rate, for example, is an event rate that quantifies for a specified equipment unit the
expected number of failures in relation to the use time of that unit. The "reference frame" in that
case is "one unit of the specified equipment". For an equipment failure rate, the reference frame
is self-evident – "one unit of the equipment under investigation". Event rates in risk assessment
are related to accident events. These may involve various persons and various pieces of
equipment. Event rates can be quantified and are meaningful only if in these cases the
"reference frame" is described sufficiently exactly.
5.3 Probability of occurrence of harm
The "probability of occurrence of harm" is generally expressed in the format "number of events
connected with the given severity, per unit of time", applied to a given scope of machinery or
process. This format has the characteristics of an "event rate" as defined in 5.2.3. The
"probability of occurrence of harm" is accordingly not a probability in a strict sense; it is rather
an event rate. As such, the probability of the occurrence of harm is a function of other
parameters. See Clause 8 for the relations.
5.4 Quantification of risk
With the understanding of severity of harm and probability of occurrence of harm as described
in 4.3.4 and 5.3, the definition of risk in ISO 12100 can be expressed in a quantitative framework
as follows:
R = S × E_R (1)
where
R is the risk;
S is the severity;
E_R is the rate for the events under consideration with harm of the given severity.
With the severity as boundary condition, the "risk" is accordingly quantified as event rate.
Different levels of risk can be defined for a single risk assessment, depending on the risk
mitigating measures and factors which are assumed. Where such assumptions are not related
to different levels of severity, they can be quantitatively expressed in different event rates.
Accordingly, different types of risk can be given as follows, each in relation to the relevant
event rate:
• risk before mitigation by any factors: initiating event rate I_R (see 5.10);
• risk without safety function: safety demand rate D_R (see 5.9.4);
• risk "after" safety function: hazard rate H_R (see 3.10);
• tolerable risk: tolerable risk limit L_(S) (see 5.10).
See also Figure 2.
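The distinction drawn in 5.2 between a probability in the strict sense and an event rate, and the quantification of risk in 5.4 as an event rate with the severity class as boundary condition, can be made concrete in a small type model. The following Python is an added illustration, not text or code from IEC TR 63161 or from any standard it cites. It assumes a conversion of 8760 h per year, constructed tolerable-limit values L_(S) for the classes S1 and S2, a constructed initiating event rate for one machine, two assumed probability factors that stand in for the Clause 8 relations (which this excerpt does not reproduce), and the criterion that the hazard rate must not exceed L_(S) in the same reference frame; the names Probability, EventRate, failure_rate, is_tolerable and demo are the example's own.

```python
"""Added illustration of 5.2 and 5.4 (not IEC TR 63161 text; values are constructed)."""
from __future__ import annotations
from dataclasses import dataclass

HOURS_PER_YEAR = 8760  # assumed 365 d x 24 h; the report fixes no conversion


@dataclass(frozen=True)
class Probability:
    """Probability in the strict sense (5.2.2): dimensionless, 0 <= p <= 1."""
    value: float

    def __post_init__(self) -> None:
        if not 0.0 <= self.value <= 1.0:
            raise ValueError(f"not a probability: {self.value}")

    def __mul__(self, other):
        if isinstance(other, Probability):   # p1 * p2 is again dimensionless
            return Probability(self.value * other.value)
        if isinstance(other, EventRate):     # p * rate keeps the rate's dimension
            return other * self
        return NotImplemented


@dataclass(frozen=True)
class EventRate:
    """Event rate (5.2.3): events per unit time (time^-1) in a named reference frame."""
    value: float
    unit: str = "1/h"           # "1/h" or "1/year"
    frame: str = "unspecified"  # what one count of the event refers to

    def __post_init__(self) -> None:
        if self.unit not in ("1/h", "1/year") or self.value < 0.0:
            raise ValueError(f"bad event rate: {self.value} {self.unit}")

    def per_hour(self) -> float:
        return self.value if self.unit == "1/h" else self.value / HOURS_PER_YEAR

    def per_year(self) -> float:
        return self.value * HOURS_PER_YEAR if self.unit == "1/h" else self.value

    def __mul__(self, other):
        # Scaling a rate by a probability yields a rate: same unit, same frame.
        if isinstance(other, Probability):
            return EventRate(self.value * other.value, self.unit, self.frame)
        return NotImplemented

    def __add__(self, other):
        # Rates add only within one reference frame; rate + probability is a
        # dimension error and deliberately stays unsupported (TypeError).
        if isinstance(other, EventRate):
            if other.frame != self.frame:
                raise ValueError(f"frame mismatch: {self.frame!r} vs {other.frame!r}")
            return EventRate(self.per_hour() + other.per_hour(), "1/h", self.frame)
        return NotImplemented


def failure_rate(failures: int, unit_hours: float) -> EventRate:
    """Failure rate from field data: failures over cumulative unit operating hours."""
    return EventRate(failures / unit_hours, "1/h", "one unit of equipment")


# Constructed tolerable risk limits L_(S) per severity class (assumed values).
TOLERABLE_LIMITS = {
    "S1": EventRate(1e-2, "1/year", "one machine"),
    "S2": EventRate(1e-4, "1/year", "one machine"),
}


def is_tolerable(severity: str, rate: EventRate, limits=TOLERABLE_LIMITS) -> bool:
    """R = S x E_R: the severity class only selects L_(S); the quantity compared is
    the event rate. Assumed criterion: rate <= L_(S) in the same reference frame."""
    limit = limits[severity]
    if limit.frame != rate.frame:
        raise ValueError("risk and limit must use the same reference frame")
    return rate.per_hour() <= limit.per_hour()


def rejects_rate_plus_probability() -> bool:
    """True if the type model refuses to add a probability to a rate."""
    try:
        EventRate(1.0, "1/h", "one machine") + Probability(0.5)
    except TypeError:
        return True
    return False


def demo() -> dict:
    """Constructed chain for one machine: I_R, reduced by assumed probability
    factors (stand-ins for the Clause 8 relations) to D_R and H_R."""
    initiating = EventRate(0.5, "1/year", "one machine")  # I_R, constructed
    p_demand = Probability(0.2)   # assumed: initiating event causes a demand
    p_fail = Probability(0.01)    # assumed: safety function fails to act
    demand = initiating * p_demand                        # D_R
    hazard = p_fail * demand                              # H_R
    return {
        "I_R_per_year": initiating.per_year(),
        "D_R_per_year": demand.per_year(),
        "H_R_per_year": hazard.per_year(),
        "tolerable_S2": is_tolerable("S2", hazard),
    }
```

Calling demo() returns the three event rates per year and the tolerability verdict for class S2. The frame check in __add__ and in is_tolerable enforces the requirement of 5.2.3 that a rate is meaningful only for a stated reference frame, and rate + probability raises TypeError because the two parameter types of 5.2.1 have different dimensions.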
5.5 Target failure measure
The "target failure measure" for a safety function can be given as the quantitative measure for
the unreliability that is conceded to the function.
NOTE 1 The following definition of "target failure measure" is given in IEC 61508-4:2010, 3.5.17: target probability
of dangerous mode failures to be achieved in respect of the safety integrity requirements.
Depending on the mode of application, continuous, high demand or low demand, the target
failure measure can be defined either as event rate, or as probability in a strict sense as follows:
– High demand or continuous mode of operation: Failure rate of the safety function – PFH.
PFH is the rate of dangerous failures of the safety fu
...