SIL Allocation

The rise of IEC/AS 61508, the functional safety assessment standard for electronic equipment, and its derivative standards 61511 for the process industry and 62061 for the safety of machinery, seems to have caught much of Australian industry 'on the hop'.

IEC 61508 appears to be an attempt by the IT industry to come to grips with the role of safety-critical electronic equipment and software. The purpose of the standard is to minimise dangerous failures in electrical and/or electronic and/or programmable electronic (E/E/PE) safety-related systems. Functional safety is defined as the part of the overall safety that depends on a system or equipment operating correctly in response to its inputs. Although strictly a safety standard, 61508 seems to be regularly used in Australia for other reliability specification purposes.

In R2A's experience, the difficulty primarily arises because the SIL allocation process required by the standard is usually done bottom-up, outside the context of the Australian legal framework, which includes OHS legislation and common law liability provisions. The bottom-up approach tends to miss the overall risk context, necessitating a higher E/E/PE SIL rating for what can then only be seen as the primary safety barrier.

IEC (AS) 61508 and its derivatives IEC (AS) 61511 and IEC (AS) 62061 are being referred to (but are not yet mandated) in regulation in some Australian jurisdictions. At least until mandated, these standards necessarily remain subordinate to OH&S and other Acts and the common law in Australian jurisdictions, meaning the hierarchy of controls needs to be applied. In Australia the legislated hierarchy of risk control is typically:

i) Elimination or removal;
ii) Design or engineering;
iii) Administration; and
iv) Training.


This means that civil and mechanical design is usually logically prior and normally dictates SIL requirements, if any: if a hazard or problem can be eliminated or engineered out, then a SIL-rated electronic control system to manage that hazard ought not to be required. Following the hierarchy of controls, it is actually illegal in Australia to adopt an active control system when an elimination option is, on balance, available (see the scales below).



To satisfy common law requirements for E/E/PE SIL allocation, and therefore judges and juries in the event of an incident, R2A have developed the following six-step process for building a transparent and robust SIL allocation argument:

1. Establish all credible, critical safety threat scenarios.
2. Develop relevant threat-barrier sequences for each credible, critical safety threat scenario.
3. Determine the SIL rating for all barriers.
4. Establish the E/E/PE SIL contribution to each barrier.
5. Complete an E/E/PE SIL hazard control system failure analysis.
6. Complete a generative review sign-off.



Such an approach has significant benefits. In addition to satisfying common law requirements, in very many cases barriers will not have an E/E/PE aspect at all; that is, they will be exclusively civil or mechanical design barriers. Where one is required, the potential contribution of the individual E/E/PE SIL to each barrier is then determined. If there is an E/E/PE contribution, it is subject to two further constraints:

a) There is no point in having an E/E/PE SIL more reliable than the individual barrier is constrained to be by, for example, the reliability of the mechanical aspects of the barrier.
b) Because the safety outcomes of a particular threat scenario are determined by the collective independent barriers, there may be little point in having a barrier with an elevated E/E/PE SIL contribution; alternatively, another barrier (an external risk reduction facility (ERRF)) may be best. As an observation on risk design philosophy, it is almost always better and cheaper to have a larger number of low-reliability, independent barriers than to have one or two highly reliable, gold-plated barriers.
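To make constraints a) and b) concrete, the following small worked calculation is added here as an illustration; it is not R2A's tool and is not part of the original page. It assumes that the barriers in a threat-barrier sequence fail independently (so their probabilities of failure on demand multiply), that a barrier's mechanical part and its E/E/PE part are in series and fail independently (the barrier fails if either fails), and it names a SIL using the IEC 61508 low-demand-mode PFDavg bands. Every PFD figure in it is a constructed illustration value, and the barrier names are invented.

```python
"""Barrier / SIL arithmetic for a threat-barrier sequence.

Added worked example, not R2A's method. Assumptions:
  * barriers in a sequence fail independently, so their PFDs multiply;
  * within one barrier the mechanical part and the E/E/PE part are in series
    (the barrier fails if either part fails) and fail independently;
  * SIL bands are the IEC 61508 low-demand-mode PFDavg bands;
  * all PFD figures are constructed illustration values.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IEC 61508 low-demand mode: SIL by average probability of failure on demand
# (PFDavg). Lower bound inclusive, upper bound exclusive.
SIL_BANDS: List[Tuple[int, float, float]] = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]


def sil_for_pfd(pfd: float) -> Optional[int]:
    """SIL band for a PFDavg, or None if outside the claimable range."""
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return None


@dataclass
class Barrier:
    name: str
    mech_pfd: float        # PFD of the civil/mechanical part of the barrier
    eepe_pfd: float = 0.0  # PFD of the E/E/PE part; 0.0 means no E/E/PE aspect

    def pfd(self) -> float:
        """Barrier fails if either part fails (series, independent parts)."""
        return 1.0 - (1.0 - self.mech_pfd) * (1.0 - self.eepe_pfd)

    def sil(self) -> Optional[int]:
        return sil_for_pfd(self.pfd())


def scenario_pfd(barriers: List[Barrier]) -> float:
    """Probability that every barrier in the sequence fails on a demand."""
    p = 1.0
    for b in barriers:
        p *= b.pfd()
    return p


def eepe_sensitivity(mech_pfd: float,
                     eepe_options: List[float]) -> List[Tuple[float, float, Optional[int]]]:
    """Constraint (a): vary the E/E/PE PFD while the mechanical PFD is fixed.

    Returns (eepe_pfd, barrier_pfd, barrier_sil) per option. The barrier PFD
    can never drop below mech_pfd, whatever the electronics achieve.
    """
    rows = []
    for e in eepe_options:
        b = Barrier("probe barrier (hypothetical)", mech_pfd, e)
        rows.append((e, b.pfd(), b.sil()))
    return rows


def compare_designs() -> Tuple[float, float]:
    """Constraint (b): one gold-plated barrier versus several cheap, independent ones.

    Returns (scenario PFD with the single barrier, scenario PFD with the layered set).
    """
    gold = [Barrier("single interlock with SIL 3 electronics (constructed)",
                    mech_pfd=1e-4, eepe_pfd=4e-4)]
    layered = [Barrier(f"independent mechanical barrier {i} (constructed)", mech_pfd=0.05)
               for i in (1, 2, 3)]
    return scenario_pfd(gold), scenario_pfd(layered)


if __name__ == "__main__":
    # Constraint (a): electronics at SIL 2, 3 and 4 behind a 1e-2 mechanical part.
    for e, p, s in eepe_sensitivity(1e-2, [5e-3, 5e-4, 5e-5]):
        print(f"mech PFD 1e-2, E/E/PE PFD {e:.0e}: barrier PFD {p:.3e} -> SIL {s}")
    # Constraint (b): one SIL 3 barrier versus three independent SIL 1 barriers.
    g, l = compare_designs()
    print(f"one SIL 3 barrier:         scenario PFD {g:.2e}")
    print(f"three SIL 1 barriers:      scenario PFD {l:.2e}")
```

Run as a script, the first loop shows that with the mechanical part at a PFD of 1e-2, lifting the electronics from SIL 2 through SIL 4 leaves the whole barrier at SIL 1, which is constraint a) in numbers. The second comparison shows three independent SIL 1 barriers reaching a scenario PFD of about 1.3e-4 against about 5.0e-4 for the single SIL 3 barrier, which is the design philosophy behind constraint b). The independence assumption is the one to check in practice: shared utilities, a common operator or a common cause of failure erode the multiplication and must be argued for explicitly in the safety case.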