
Telecom and Informatics

ALLOCATING SAFETY INTEGRITY LEVELS IN PRACTICE

Odd Nordland
SINTEF, Trondheim, Norway
odd.nordland@sintef.no
www.informatics.sintef.no/~nordland

PSAM6, San Juan, Puerto Rico, USA - June 2002

Introduction
Safety Integrity
Safety Integrity Levels
Risk Acceptability
Allocating SILs
Problems
Conclusions

Safety Integrity
Things can go wrong, so we need additional functionality: Safety Functions to reduce the risks

Safety functions can have varied implementation measures:
active functionality
design properties
administrative measures
any combination of the above

Failure of part of the implementation does not mean total loss of the safety function
Safety Integrity = Ability of a safety function to continue to be effective in spite of deterioration of its implementation

Safety Integrity Levels
Degree of Safety Integrity is determined by
number of implementation measures
how effective they are
how vulnerable they are
how independent they are
...

Many different degrees of safety integrity, grouped into 5 levels:
SIL 0 = no safety integrity at all
...
SIL 4 = highest possible level

For "important" safety functions, a high SIL will be demanded

Safety Integrity Levels depend on Risk Acceptability


Risk Acceptability
ALARP
Risk shall be brought As Low As Reasonably Practicable
3 risk zones: unacceptable, acceptable, negligible
assumes that we know where the acceptable limit is
GAMAB
Any modification shall leave a system globally at least as good
("Globalement Au Moins Aussi Bon") as it was
allows for redistribution of risks
assumes current level is already acceptable
MEM
Starts with the lowest technological mortality rate in the population (Minimum Endogenous Mortality)
a new system should not increase that mortality rate significantly
assumes that the current mortality rate is acceptable

Allocating SILs
Determine risks
Determine acceptable risk levels
Identify safety functions
Based on risk acceptance level, determine safety integrity level for each safety function
Identify implementation measures for each safety function
Based on the safety integrity level for each function, determine tolerable failure rates for each implementation measure

OR JUST DEMAND SIL 4 BY DEFAULT!



Problems
SIL 4 is EXPENSIVE
Systems that have been working satisfactorily don't necessarily fulfil SIL 4 requirements

Do we always need SIL 4?

The relationship between failure rates and SILs is often misunderstood:
SILs depend on failure rates of safety functions

Exaggerated demands on equipment because non-technical measures are ignored

Risk acceptability is controversial
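The allocation steps on the "Allocating SILs" slide and the problem just stated, that equipment is over-specified when non-technical measures are ignored, as an added Python example that is not from the slides. It assumes the IEC 61508 low-demand PFD bands for the SIL mapping (the slides do not state any bands), independent implementation measures that must all fail before the safety function fails, and constructed hazard and acceptance figures.

```python
from math import prod

# IEC 61508 low-demand bands as (SIL, lower, upper) bounds on the probability
# of failure on demand (PFD) of a whole safety function; the slides do not
# state the bands, they are added here as an assumption of this example.
SIL_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))


def target_pfd(hazard_rate_per_year, tolerable_rate_per_year):
    """Steps 1-2: compare the unprotected hazard rate with the rate accepted
    by the risk acceptability argument (ALARP, GAMAB or MEM); their ratio is
    the PFD the safety function as a whole may have (capped at 1: no reduction)."""
    if hazard_rate_per_year <= 0 or tolerable_rate_per_year <= 0:
        raise ValueError("rates must be positive")
    return min(1.0, tolerable_rate_per_year / hazard_rate_per_year)


def sil_for_pfd(pfd):
    """Step 4: map a PFD to a SIL; SIL 0 means no safety integrity at all."""
    if pfd >= 0.1:
        return 0
    for sil, lower, upper in SIL_BANDS:
        if lower <= pfd < upper:
            return sil
    raise ValueError(f"PFD {pfd:g} lies below the SIL 4 band; redesign instead")


def allocate_to_measure(function_pfd, other_measure_pfds):
    """Steps 5-6: given the PFD the function must reach and the PFDs of the
    other, independent measures (design properties, administrative procedures),
    return the PFD the remaining measure, e.g. the equipment, may have.
    Assumption: the function only fails when every measure fails, so the
    function PFD is the product of the measure PFDs."""
    achieved_by_others = prod(other_measure_pfds) if other_measure_pfds else 1.0
    return min(1.0, function_pfd / achieved_by_others)


def equipment_sil(hazard_rate_per_year, tolerable_rate_per_year, non_technical_pfds):
    """Whole chain: returns (SIL of the function, SIL demanded of the equipment)."""
    fn_pfd = target_pfd(hazard_rate_per_year, tolerable_rate_per_year)
    return sil_for_pfd(fn_pfd), sil_for_pfd(allocate_to_measure(fn_pfd, non_technical_pfds))


if __name__ == "__main__":
    # Constructed figures: hazard once a year unprotected, accepted rate
    # once per 10 000 years. Equipment credited alone: (3, 3).
    print(equipment_sil(1.0, 1e-4, []))
    # Same function with a design property (PFD 0.05) and an operating
    # procedure (PFD 0.1) credited as independent measures: (3, 1).
    print(equipment_sil(1.0, 1e-4, [0.05, 0.1]))
```

The function itself stays SIL 3 in both runs; only the demand placed on the equipment drops from SIL 3 to SIL 1 once the non-technical measures are credited.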


Conclusions
Agreed methods for determining acceptable risk levels must be established
Demanding the highest safety integrity level by default is a political decision; a proper analysis could show that a lower safety integrity level is sufficient
Non-technical measures for implementing safety functions must be included in the analyses
Apply the standards correctly:
perform risk acceptability analyses first
identify the safety functions next
then allocate SILs
