
Safety by Design

IEC 61508 - Initial Phases of the Safety Lifecycle in the Process Industry
by Alan King

The initial phases of the Safety Lifecycle in the standard IEC 61508 are crucial to achieving a demonstrable level of safety. This article looks at key aspects of those phases of the Safety Lifecycle and how they apply in the process industry.

The standard IEC 61508 [1] appears quite daunting at first glance with its seven parts of detailed text. This article aims to provide a straightforward introduction to key aspects within the initial phases (Figure 1) of the safety lifecycle in the standard. The approach outlined in the article is one that has been tried and tested over a number of years and matches the requirements of the standard. The article also aims to highlight a number of key issues to stimulate further discussion.

It should be noted that the approach outlined in this article is based on IEC 61508 but it is anticipated that the same approach will be directly applicable to the requirements of the Process Sector standard IEC 61511 once that is published.

Figure 1 - Safety Lifecycle Phases 1 to 5: 1 Concept; 2 Overall Scope Definition; 3 Hazard and Risk Analysis; 4 Overall Safety Requirements; 5 Safety Requirements Allocation

Inherent Safety
The first phases of the safety lifecycle are involved with "Concept" and "Overall Scope Definition". In these phases, it is vitally important to identify hazards associated with the process. These hazards may be associated with the nature of the materials - e.g. flammable or toxic - or the nature of the processing conditions - e.g. high pressure or high temperature. Once the main hazards have been identified, the first task is to apply the key principles of inherent safety - eliminate, intensify, attenuate, and separate. Guidance on inherent safety can be found in a number of publications, for example: "Improving Inherent Safety" published by HSE [2], and "Process Plants: a Handbook for Inherently Safer Design" written by Trevor Kletz [3].

Having applied the principles of inherent safety to the proposed design and modified the


design to improve safety as much as possible, some hazards may nevertheless remain.

Potential Hazardous Events
Identification of the potential hazardous event is the key next step. This should be carried out on a "top down" basis, looking at each section of the proposed plant design in turn and listing all the potential hazardous events that could occur with that section of plant. Typical events may include release of toxic materials, fire, or explosion - essentially, any event that could harm people or the environment. It could also include any event that has the potential to cause significant financial loss to the business. [4]

Each event identified should be listed together with details of the consequences and the possible initiating causes. Some assessment of the potential available safeguards should also be included at this stage.

Hazard and Risk Analysis
Phase 3 of the safety lifecycle involves detailed hazard and risk analysis. For this, it is necessary to take each identified specific hazardous event in turn and to identify all the possible initiating causes that could lead to that hazardous event. For each initiating cause, we need to identify any safeguards that could prevent the hazardous event from taking place despite the occurrence of that initiating cause - see Figure 2.

Figure 2 - Hazardous Event Scenario: Initiating Cause -> Safeguards -> Hazardous Event

In some instances all the initiating causes for a specific hazardous event may have the same safeguards; in other situations, there may be different safeguards for each initiating cause.

For each initiating cause, we need to calculate the contribution to the hazardous event frequency. Figure 3 shows how to calculate the contribution from one such cause.

Figure 3 - Calculation of contribution to Hazardous Event Frequency:
Frequency of Hazardous Event contribution from Initiating Cause 1 = Frequency of Initiating Cause 1 happening × Probability that none of the safeguards for Initiating Cause 1 is effective

The overall hazardous event frequency will


be the sum of the contributions from each of the initiating causes. This is illustrated in Figure 4: Safeguards A, B, and C are all effective for Cause 1, but for Cause 2 only A and C are effective, whilst only A and B are effective for Cause 3.

Figure 4 - Combination of Causes and Safeguards: Cause 1, Cause 2 and Cause 3 pass through Safeguards A, B and C to the Hazardous Event

Existing Plants
For existing plants, this type of assessment will be carried out with the inclusion of all relevant safeguards - instrumented safeguards, other technology and external risk reduction means. (For definitions see IEC 61508-Part 4). The overall hazardous event frequency is then compared with the site criteria for such an event on the chosen plant.

Site Criteria
Site Criteria will represent the maximum frequency targets for particular types of events. For example, environmental hazardous events may be classed according to severity and criteria assigned to each category:
§ Category 1 = 1/yr
§ Category 2 = 0.1/yr
§ Category 3 = 0.01/yr

These figures would represent the targets for the site as a whole. For a particular plant, there would be assigned a proportion of each site target. The proportion chosen would depend upon the number of plants on the site with potential to cause that category of event. In some instances, the target may be further apportioned within the plant.

Without criteria, the guidance of IEC 61508 cannot be applied; so it is important for the site management to establish site criteria targets for the use of those trying to design safe systems. In practice, it is often those who are trying to apply IEC 61508 who are the first to realise the need for criteria.

Comparison with Criteria
Site Criteria will usually cover three distinct aspects of activity: (a) safety of people, (b) risk to the environment and (c) risk to the business. Where a hazardous event has the potential to impact more than one of these three aspects, then the event frequency should be compared with each relevant target - all relevant targets should be met.

Design of New Plant
When it comes to the design of new plant or new aspects of existing plant, the question arises as to whether any protective systems are needed and what would be appropriate.

The earlier in the design process that potential hazardous events can be identified and some consideration given to the required degree of risk reduction to meet the target criteria, the better. This keeps down the cost of any design changes, and minimises the need to revisit and check aspects of design when changes are made subsequently.

Initial assessment involves consideration of the identified hazardous events, the potential frequency of each event and how this compares with the risk criteria. If the risk targets will not be met without some risk reduction, then there needs to be consideration of what means could be used to reduce the level of risk. This is the activity covered in Phase 4 of the IEC 61508 safety lifecycle.

Safety Requirements Allocation
Phase 5 of the IEC 61508 lifecycle is then concerned with the allocation of the safety requirements. General guidance would be to determine whether there was sufficient risk reduction to meet the target criteria without an instrumented protective system. This would be making use of external risk reduction and other technology means.
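The Figure 3 and Figure 4 calculation and the comparison with site criteria, worked through in code as an added example (this is not the article's or ABB Eutech's code). The safeguard failure probabilities, the cause frequencies, the five-plant site and the plant-level targets for people and business are constructed values; the site target of 0.1/yr is the article's Category 2 figure; the equal split of a site target between plants is an assumption, and the safeguards are treated as independent, which the Dependency section later explains can be optimistic.

```python
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Safeguard:
    name: str
    p_fail: float  # probability the safeguard is NOT effective when needed (constructed)


@dataclass(frozen=True)
class InitiatingCause:
    name: str
    frequency_per_year: float  # how often the cause happens (constructed)
    safeguards: tuple          # the safeguards that are effective against this cause


def prob_no_safeguard_effective(safeguards):
    """Probability that none of the safeguards works. With no dependency between
    them, every one must fail on the same demand, so the probabilities multiply.
    A cause with no safeguard at all always leads to the hazardous event."""
    return prod(s.p_fail for s in safeguards) if safeguards else 1.0


def cause_contribution(cause):
    """Figure 3: cause frequency x probability that none of its safeguards is effective."""
    return cause.frequency_per_year * prob_no_safeguard_effective(cause.safeguards)


def hazardous_event_frequency(causes):
    """Overall hazardous event frequency: the sum of the contributions of all causes."""
    return sum(cause_contribution(c) for c in causes)


def apportion_site_target(site_target_per_year, plants_able_to_cause_event):
    """Plant share of a site target, split equally between the plants on the site
    that could cause that category of event (the article leaves the proportion to
    the site; the equal split is the assumption used here)."""
    return site_target_per_year / plants_able_to_cause_event


def compare_with_criteria(frequency_per_year, targets_per_year):
    """For each relevant aspect (people, environment, business) report the target
    and whether the calculated frequency meets it. All relevant targets must be met."""
    return {aspect: (target, frequency_per_year <= target)
            for aspect, target in targets_per_year.items()}


def figure_4_scenario():
    """Constructed instance of Figure 4: A, B and C are effective for Cause 1,
    only A and C for Cause 2, only A and B for Cause 3."""
    a, b, c = Safeguard("A", 0.1), Safeguard("B", 0.1), Safeguard("C", 0.05)
    return [
        InitiatingCause("Cause 1", 1.0, (a, b, c)),
        InitiatingCause("Cause 2", 0.5, (a, c)),
        InitiatingCause("Cause 3", 0.2, (a, b)),
    ]


def assess_plant():
    """Run the Figure 4 scenario against constructed plant targets."""
    causes = figure_4_scenario()
    frequency = hazardous_event_frequency(causes)
    targets = {
        # the event is taken to be environmental Category 2 (site target 0.1/yr)
        # on a site with five plants able to cause it (constructed)
        "environment": apportion_site_target(0.1, 5),
        "people": 1e-3,    # constructed plant-level target
        "business": 2e-3,  # constructed plant-level target
    }
    return frequency, compare_with_criteria(frequency, targets)


if __name__ == "__main__":
    frequency, results = assess_plant()
    print(f"hazardous event frequency: {frequency:.4g} /yr")
    for aspect, (target, met) in results.items():
        print(f"  {aspect:12s} target {target:.3g} /yr -> {'met' if met else 'NOT met'}")
    print("all relevant targets met:", all(met for _, met in results.values()))
```

With these figures the event frequency is 0.005/yr: the apportioned environmental target (0.02/yr) is met, but the people and business targets are not, so the event still needs risk reduction even though one aspect is within criteria.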


If the target cannot be achieved without an instrumented protective system, then it is relatively easy to see what risk reduction factor is required from an instrumented protective system in order to meet the criteria:

Risk Reduction = Hazardous Event Frequency without instrumented system / Target Criteria

Issues for Discussion
Having outlined some of the activities involved in the initial phases of the safety lifecycle, I would like to turn the spotlight on to some specific issues that receive little detailed attention in the standard itself, but which are nevertheless important to the attainment of proper risk management. This is not to say that these issues are overlooked by the standard, but rather that consideration of the issues is implicit in what IEC 61508 states and requires.

Humans
There is usually significant focus on the contribution from equipment and instrumentation when assessing levels of risk. However, the human influence can have significant impact in a large number of ways, and if not included, will undermine the attempt to manage risk.

Human actions can cause demands on protective systems. Human failures can render protective systems ineffective, through errors in maintenance, calibration, over-rides, and failure to respond to system indications of minor faults. Claims are often made for protective system diagnostics, but if no effective corrective action occurs then the claim can be over-optimistic.

In some instances, humans are included as part of the protective system - to respond to alarms and take action. This needs careful thought as to whether reliance on an operator to act in the circumstances is reasonable. Operators need to "receive" the alarm (not just acknowledge it by pressing a button), understand what it means, know what action is required, have the means of acting which is still in a functioning state when it is needed, and then have time to act.

Figure 5 - Protection Layers: External Risk Reduction; Other Technology Protective Systems; Automatic Instrumented Protective Systems; Critical Alarms and Operator Intervention; Control System; Process Hazards

Other layers
We have mentioned that Phase 5 of the safety lifecycle focuses on safety allocation. Whilst the standard is primarily concerned with electrical, electronic and programmable electronic systems, any consideration of the need for such systems can only be achieved when due consideration is made of the contributions from other protective means and layers - see Figure 5. There needs to be realistic inclusion of the benefit. Here, realistic does not mean optimistic, but implies proper evaluation that may conclude that there is no additional benefit.

Dependency
When considering protective features of one layer to act as a safeguard against failure in another layer, the question of potential for dependent failure needs to be addressed. Dependent failure is when there is a similarity or link between layers that would cause failure of those layers to occur together. This does not have to cause failure at exactly the same time. For example, two pressure sensors suffering from impulse line blockage from the material in the process. This cause could lead to failure on different days.

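The risk reduction formula above and the dependency point, worked as an added example that is not the article's or ABB Eutech's code. The SIL bands used are the low demand mode target failure measures of IEC 61508-1 (SIL 1 is a probability of failure on demand between 0.1 and 0.01, i.e. a risk reduction of 10 to 100, and so on up to SIL 4) expressed as risk reduction factors; the split of each layer's failure probability into a shared-cause fraction beta and an independent remainder is an illustrative common-cause model assumed here, which the article does not specify; all numbers are constructed.

```python
def required_risk_reduction(event_frequency_without_ips, target_criteria):
    """The article's formula: risk reduction = hazardous event frequency without
    the instrumented protective system / target criteria. A result of 1 or less
    means the other layers already meet the target."""
    if target_criteria <= 0:
        raise ValueError("target criteria must be a positive frequency")
    return event_frequency_without_ips / target_criteria


# (lower risk reduction, upper risk reduction, SIL), low demand mode, IEC 61508-1
SIL_BANDS = ((10, 100, 1), (100, 1_000, 2), (1_000, 10_000, 3), (10_000, 100_000, 4))


def sil_for_risk_reduction(rrf):
    """SIL whose band covers the required risk reduction; 0 when less than SIL 1
    is needed, None when more than SIL 4 would be needed from a single function."""
    if rrf < 10:
        return 0
    for low, high, sil in SIL_BANDS:
        if low <= rrf < high:
            return sil
    return None


def independent_layers_pfd(pfds):
    """Probability that every layer fails on the same demand when the layers are
    fully independent: the plain product the article warns against relying on."""
    result = 1.0
    for p in pfds:
        result *= p
    return result


def dependent_two_layers_pfd(pfd, beta):
    """Two similar layers, such as the article's two pressure sensors whose impulse
    lines see the same process material. A fraction beta of each layer's failure
    probability is put down to the shared cause, which defeats both layers on the
    same demand; the remainder fails independently. Illustrative model (assumed)."""
    shared = beta * pfd
    independent = (1 - beta) * pfd
    return shared + (1 - shared) * independent ** 2


def frequency_with_layers(demand_rate, layers_pfd):
    """Hazardous event frequency once the protection layers are applied to a demand."""
    return demand_rate * layers_pfd


if __name__ == "__main__":
    # constructed: 0.05/yr without the trip against a target of 1e-4/yr
    rrf = required_risk_reduction(0.05, 1e-4)
    print(f"required risk reduction {rrf:.0f} -> SIL {sil_for_risk_reduction(rrf)}")
    demand = 1.0  # constructed demand rate on the layers, per year
    indep = frequency_with_layers(demand, independent_layers_pfd([0.1, 0.1]))
    dep = frequency_with_layers(demand, dependent_two_layers_pfd(0.1, beta=0.1))
    print(f"two layers of PFD 0.1: independent {indep:.4g}/yr, "
          f"with 10% shared cause {dep:.4g}/yr")
```

Treating the two layers as independent gives 0.01/yr; attributing only a tenth of each layer's failure probability to a cause they share raises that to about 0.018/yr, which is the practical meaning of the statement that layer probabilities cannot simply be multiplied.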

Dependency means that we cannot simply multiply the failure probabilities of the layers to calculate the effect of all of them together.

Cascade failures
When we consider the consequences of a trip failure, we may only look at the initial consequences. It is important that we look beyond those initial consequences and include what might be termed cascade failures - the "knock-on" effects. A typical situation could occur within a tank farm where loss of containment from one tank could lead to a fire that could then affect other tanks in the area. This sort of escalation of consequence requires us to look at the effectiveness of mitigation and emergency procedures - to make some assessment of the likelihood of successful containment of the initial event.

Misconceptions
"When is a SIL not a SIL"? Sounds like a riddle! The answer is "when it does not cover the whole safety function". We need to remember that the safety integrity level (SIL) applies to the whole of a safety function from sensor to actuator, not to any individual component. Describing a component as a "SIL 1 level sensor" or another as a "SIL 2 Pressure Transmitter" is to misunderstand the concept of safety integrity levels - worse still, such a description misleads the reader.

For a component, the key information is the undetected dangerous failure rate. This is what the user needs to know in order to design a system to meet their requirements.

It is also necessary to include the contribution of human errors in the assessment of the SIL for a safety function. These may not be significant at SIL 1, but they can be highly significant at SIL 2 and above. Depending on the design of the system and the human interaction with it, human error can be the limiting factor on the achievable SIL for a safety function.

Setting of risk targets
Each assessment of the required safety integrity level for a trip looks at the consequences of failure of that trip and the frequency criteria for those consequences. We have discussed above the need to sub-divide a site environmental target and to apportion this as targets for individual plants. It may, in some circumstances, be necessary to assign a proportion of plant targets to individual trips.

The same issue applies to the setting of business risk targets for plants on a site.

When considering the application of safety risk targets, the usual criteria consider the "person most at risk" from the hazardous event and the risk of fatality for that person. This is straightforward when there is only one hazardous event that could give rise to a fatal injury to the person most at risk. However, where the person most at risk could be subject to more than one hazardous event, then the tolerable risk target for the person needs to be apportioned across the different events.

This is a difficult area but it is important to consider this despite the difficulty. It also needs to be understood properly by the higher levels of company management - the senior managers have overall responsibility for safe operation of a plant.

Conclusions
This article has intentionally raised a number of difficult issues, which relate to the application of the standard. I encourage anyone with thoughts on other difficult areas (e.g. software standards and contribution to system reliability) to share them.

Dr Alan G King is a hazard and reliability specialist with ABB Eutech, PO Box 99, Belasis Hall Technology Park, Billingham, Cleveland TS23 4YS. (Previously with ICI Technology, Wilton, Cleveland, England.) E-mail: alan.g.king@gb.abb.com; agking@iee.org

References
[1] IEC 61508: Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems.
[2] Improving Inherent Safety, Offshore Technology Report, OTH 96 521, Health & Safety Executive, ISBN 0717613070.
[3] Process Plants: a Handbook for Inherently Safer Design: A User-friendly Approach, Trevor A. Kletz, Taylor & Francis Inc, ISBN 1560326190, 1998.
[4] IEC 61508: Part 1 Clause 1.2(e).
