
Telecom and Informatics

ALLOCATING SAFETY INTEGRITY LEVELS IN PRACTICE

Odd Nordland, SINTEF, Trondheim, Norway


odd.nordland@sintef.no www.informatics.sintef.no/~nordland

PSAM6, San Juan, Puerto Rico, USA - June 2002

Introduction

- Safety Integrity
- Safety Integrity Levels
- Risk Acceptability
- Allocating SILs
- Problems
- Conclusions
Safety Integrity

- Things can go wrong, so we need additional functionality: safety functions to reduce the risks
- Safety functions can have varied implementation measures:
  - active functionality
  - design properties
  - administrative measures
  - any combination of the above
- Failure of part of the implementation does not mean total loss of the safety function
- Safety Integrity = the ability of a safety function to continue to be effective in spite of deterioration of its implementation
Safety Integrity Levels

- The degree of safety integrity is determined by:
  - the number of implementation measures
  - how effective they are
  - how vulnerable they are
  - how independent they are
  - ...
- Many different degrees of safety integrity, grouped into 5 levels:
  - SIL 0 = no safety integrity at all
  - ...
  - SIL 4 = highest possible level
- For "important" safety functions, a high SIL will be demanded
- Safety Integrity Levels depend on Risk Acceptability

Risk Acceptability

- ALARP: Risk shall be brought As Low As Reasonably Practicable
  - 3 risk zones: unacceptable, acceptable, negligible
  - assumes that we know where the acceptable limit is
- GAMAB: Any modification shall leave a system globally at least as good ("Globalement Au Moins Aussi Bon") as it was
  - allows for redistribution of risks
  - assumes the current level is already acceptable
- MEM: Starts with the lowest technological mortality rate in the population (Minimum Endogenous Mortality)
  - a new system should not increase that mortality rate significantly
  - assumes that the current mortality rate is acceptable
Allocating SILs

1. Determine risks
2. Determine acceptable risk levels
3. Identify safety functions
4. Based on the risk acceptance level, determine the safety integrity level for each safety function
5. Identify implementation measures for each safety function
6. Based on the safety integrity level for each function, determine tolerable failure rates for each implementation measure

OR JUST DEMAND SIL 4 BY DEFAULT!

Problems

- SIL 4 is EXPENSIVE
- Systems that have been working satisfactorily don't necessarily fulfil SIL 4 requirements
- Do we always need SIL 4?
- The relationship between failure rates and SILs is often misunderstood: SILs depend on failure rates of safety functions
- Exaggerated demands on equipment because non-technical measures are ignored
- Risk acceptability is controversial
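The allocation steps above, carried through for one constructed hazard, as an added worked example (not from the slides): it also shows the point made under Problems, that leaving an administrative measure out of the analysis exaggerates the demand placed on the equipment. Assumptions: the SIL bands are the IEC 61508 low-demand PFD bands, and every hazard figure and measure PFD in the code is constructed for illustration.

```python
"""Worked SIL allocation (added example, not from the slides) following the
six steps above. ASSUMPTIONS: the SIL bands are the IEC 61508 low-demand
PFDavg bands; every hazard figure and measure PFD below is constructed."""
from math import prod

# (SIL, lower PFD bound inclusive, upper bound exclusive) -- assumed bands
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def required_pfd(unmitigated_rate, acceptable_rate):
    """Steps 1-2: hazard rate without the safety function versus the rate the
    acceptance criterion tolerates (same units); the ratio is the probability
    of failure on demand (PFD) the safety function may have."""
    if unmitigated_rate <= 0 or acceptable_rate <= 0:
        raise ValueError("rates must be positive")
    return min(1.0, acceptable_rate / unmitigated_rate)


def sil_for_pfd(pfd):
    """Step 4: map a tolerable PFD onto a SIL. Looser than SIL 1 means no
    safety integrity is demanded (SIL 0); tighter than SIL 4 cannot be met by
    one function, so the risk reduction must be split across functions."""
    if pfd < SIL_BANDS[0][1]:
        raise ValueError("beyond SIL 4: allocate to several safety functions")
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 0


def apportion(pfd_target, measures):
    """Steps 5-6: independent, redundant measures (the function is lost only
    when all of them fail), so PFD_function = product of measure PFDs.
    Measures with a known PFD (e.g. a procedure credited by the analysis) are
    fixed; the budget left is shared equally by those given as None."""
    fixed = prod(p for p in measures.values() if p is not None)
    derived = [name for name, p in measures.items() if p is None]
    if not derived:
        return dict(measures)
    share = min(1.0, (pfd_target / fixed) ** (1 / len(derived)))
    return {n: (share if p is None else p) for n, p in measures.items()}


def level_crossing_example():
    """Constructed hazard: 0.05 collisions/year unprotected, 1e-5/year
    acceptable, so the safety function needs PFD 2e-4, i.e. SIL 3. Returns
    that SIL and the tolerable PFD of the interlocking with and without
    crediting an operating procedure assumed to have PFD 0.1."""
    target = required_pfd(0.05, 1e-5)
    credited = apportion(target, {"interlocking": None, "procedure": 0.1})
    equipment_only = apportion(target, {"interlocking": None})
    return sil_for_pfd(target), credited["interlocking"], equipment_only["interlocking"]
```

With the procedure credited, the interlocking may have a PFD of 2e-3 (SIL 2); ignoring the procedure pushes the same interlocking to 2e-4 (SIL 3).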

Conclusions

- Agreed methods for determining acceptable risk levels must be determined
- Demanding the highest safety integrity level by default is a political decision; a proper analysis could show that a lower safety integrity level is sufficient
- Non-technical measures for implementing safety functions must be included in the analyses
- Apply the standards correctly:
  - perform risk acceptability analyses first
  - identify the safety functions next
  - then allocate SILs