SIL Allocation
The rise of IEC (now also AS) 61508, the functional safety assessment standard for electronic equipment, and of its derivative standards 61511 for the process industry and 62061 for the safety of machinery, seems to have caught much of Australian industry 'on the hop'.
In R2A's experience, the difficulty chiefly arises because the required SIL Allocation process is usually done bottom-up, outside the context of the Australian legal framework, which includes OHS legislation and common law liability provisions. The bottom-up approach tends to miss the overall risk context, which necessitates a higher E/E/PE SIL rating for what can only be seen as the primary safety barrier. The result is a test of negotiating strength between the contracting parties, with SIL allocations being more a result of agreement by exhaustion than of positive common consent. Needless to say, such a result is time consuming, frustrating and invariably expensive.
In order to put the SIL Allocation process in context, R2A developed the following six-step process based on previous experience:
- Establish all credible, critical safety threat scenarios.
- Develop relevant threat-barrier sequences for each credible, critical safety threat scenario.
- Determine the SIL rating for all barriers.
- Establish the Electrical/Electronic/Programmable Electronic (E/E/PE) SIL contribution to each barrier.
- Complete an E/E/PE SIL hazard control system failure analysis.
- Complete a generative review sign-off.
Such an approach has significant benefits. In very many cases barriers will not have an E/E/PE aspect at all; they will be exclusively civil or mechanical design barriers. Where one exists, the potential contribution of the individual E/E/PE SIL to each barrier is then determined. If there is an E/E/PE contribution, it is subject to two further constraints:
- There is no point in specifying an E/E/PE SIL more reliable than the barrier as a whole can achieve, given limits such as the reliability of the mechanical aspects of the barrier.
- The safety outcomes of a particular threat scenario are determined by the collective independent barriers, especially those prior to the loss-of-control point. If there are multiple barriers, there may be little point in having one barrier with an elevated E/E/PE SIL contribution; alternatively, another barrier, such as an external risk reduction facility (ERRF), may be the better choice. As an observation on risk design philosophy, it is almost always better (and cheaper) to have a large number of low-reliability, independent barriers than to have one or two highly reliable (gold-plated) barriers.
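The arithmetic behind steps 3 and 4 and the two constraints above, as an added illustration that is not part of the R2A article. It assumes low-demand mode, so each barrier is described by its average probability of failure on demand (PFD); the IEC 61508 low-demand SIL bands (SIL n means 10^-(n+1) <= PFD < 10^-n, n = 1..4); independent barriers in a threat-barrier sequence, so their PFDs multiply; and that a barrier's E/E/PE part and mechanical part must both work for the barrier to work. The function names and all numeric values are constructed for the example.

```python
"""SIL arithmetic for a threat-barrier sequence (added example, not from
the R2A article). Assumptions: low-demand mode (barriers characterised by
average PFD), IEC 61508 low-demand SIL bands, independent barriers, and a
barrier whose E/E/PE and mechanical parts must both work."""

from math import prod

MAX_SIL = 4  # IEC 61508 defines SIL 1..4; nothing above SIL 4 is claimable


def sil_from_pfd(pfd: float) -> int:
    """SIL band a PFD sits in: SIL n means 10**-(n+1) <= pfd < 10**-n.
    0 = worse than SIL 1; PFDs below the SIL 4 band are capped at 4."""
    if pfd >= 1e-1:
        return 0
    for sil in range(1, MAX_SIL + 1):
        if pfd >= 10.0 ** -(sil + 1):
            return sil
    return MAX_SIL


def barrier_pfd(pfd_eepe: float, pfd_mech: float) -> float:
    """PFD of one barrier whose E/E/PE and mechanical parts must both work."""
    return 1.0 - (1.0 - pfd_eepe) * (1.0 - pfd_mech)


def sequence_pfd(barrier_pfds) -> float:
    """PFD of a sequence of independent barriers: the hazard is realised
    only when every barrier fails, so the individual PFDs multiply."""
    return prod(barrier_pfds)


def pfd_budget_for_remaining_barrier(target_sequence_pfd: float, other_pfds) -> float:
    """Step 3: the PFD one more barrier (e.g. an ERRF) must meet so that the
    whole sequence reaches the target, given the other barriers' PFDs."""
    return min(1.0, target_sequence_pfd / prod(other_pfds))


def eepe_sil_for_barrier(required_barrier_pfd: float, pfd_mech: float):
    """Step 4 and constraint 1: the SIL band the E/E/PE part must be designed
    to so the barrier meets required_barrier_pfd. Returns None when no E/E/PE
    rating can get there (the mechanical part alone is already worse than the
    target, or the E/E/PE part would have to be beyond SIL 4)."""
    # Solve 1 - (1 - e)(1 - m) <= r for the largest admissible E/E/PE PFD e.
    e_max = 1.0 - (1.0 - required_barrier_pfd) / (1.0 - pfd_mech)
    if e_max < 10.0 ** -(MAX_SIL + 1):
        return None
    return sil_from_pfd(e_max)  # 0 means no SIL-rated E/E/PE part is needed


def compare_designs(target_sequence_pfd: float, designs: dict) -> dict:
    """Constraint 2: for each candidate set of barrier PFDs, report the
    sequence PFD, the SIL band it achieves and whether the target is met."""
    out = {}
    for name, pfds in designs.items():
        p = sequence_pfd(pfds)
        out[name] = (p, sil_from_pfd(p), p <= target_sequence_pfd)
    return out


if __name__ == "__main__":
    target = 1e-4  # constructed target: at most 1 failure in 10,000 demands
    # Constructed comparison: gold-plated single barriers versus several modest ones.
    designs = {
        "one SIL 3 barrier": [5e-4],
        "one SIL 4 barrier": [5e-5],
        "two SIL 1 barriers": [4e-2, 4e-2],
        "three SIL 1 barriers": [4e-2, 4e-2, 4e-2],
    }
    for name, (p, sil, ok) in compare_designs(target, designs).items():
        print(f"{name:22s} sequence PFD {p:.2e}  SIL {sil}  meets target: {ok}")
    # Constraint 1: a barrier whose mechanical part has PFD 5e-3 cannot be
    # brought to 1e-3 by any E/E/PE rating, but reaches 1e-2 with SIL 2.
    print(eepe_sil_for_barrier(1e-3, 5e-3), eepe_sil_for_barrier(1e-2, 5e-3))
    # Step 3 / ERRF: with two SIL 1 barriers in place, the third barrier only
    # needs PFD <= 0.0625 (another SIL 1 barrier) to reach the target.
    print(pfd_budget_for_remaining_barrier(target, [4e-2, 4e-2]))
```

Run as a script it prints the comparison table: the single SIL 3 barrier misses the target while three independent SIL 1 barriers reach it (their combined PFD lands in the SIL 4 band), which is the numerical form of the design philosophy stated above. The `eepe_sil_for_barrier` result of None is the first constraint made explicit: once the mechanical part's PFD exceeds the barrier's target, raising the E/E/PE SIL buys nothing.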