Functional Safety and the IEC

IEC 61508

Functional Safety

 

Edition 2.0

F) Hazard and risk analysis

 

F1) Is IEC 61508 concerned only with ensuring safety by improving reliability?

No. A vital first step in the safety lifecycle is that the necessary safety functions are derived from an analysis of the hazards and risks. It is not only the safety integrity of the safety functions that is important, but also the effective and correct specification of the safety functions themselves.

F2) Does IEC 61508 cover the elimination of hazards at source?

The standard requires that consideration shall be given to the elimination of the hazards and emphasizes the primary importance of eliminating hazards at source (7.4.2.2 and note 2 of 7.4.2.4 of IEC 61508-1). This could be, for example, by the application of inherent safety principles or the application of good engineering practice. However, detailed guidance on hazard elimination is not provided in the standard.

F3) Does IEC 61508 require a quantitative risk analysis to be carried out in order to determine safety integrity levels?

No. It allows both quantitative and qualitative approaches (see annexes B, D, E, F and G of IEC 61508-5).

 

Note that risk analysis generally requires a wide range of expertise. It will usually be necessary for a team to work together and reach agreement.

F4) What factors should I take into account when planning to use a risk graph method for determining safety integrity levels?

Annex B of IEC 61508-5 provides guidance on the selection of methods for determining safety integrity level requirements, and Annex E of IEC 61508-5 describes in principle a risk graph method for determining safety integrity levels, using a generalised example. The example figures in Annex E are not definitive and their use will not necessarily result in an adequate level of safety for any particular application.

 

It is essential that a risk graph is designed so that it takes into account the relevant influences on the risk (i.e. the risk parameters) associated with the target application. The process of validating that the use of a risk graph will lead to tolerable residual risks is sometimes referred to as calibration.

 

If a risk graph is used for applications where authoritative good practice in considering the safety of plant and operations has traditionally included quantitative risk assessment, it should be calibrated in quantitative terms. This will include describing all the risk parameters in numerical terms and basing the design of the risk graph on explicit, quantified tolerable residual risk targets. A properly calibrated risk graph will lead to quantified residual risks that are at, or below, the tolerable risk targets.

 

Otherwise, if a risk graph is used for applications where qualitative techniques for risk assessment are more appropriate, it will be necessary to demonstrate that it will lead to solutions that are consistent with authoritative good practice.

 

The restricted range of applications for which the risk graph applies should be clearly stated so that users of the risk graph are aware of its limitations.

F5) How do I take account of hazards that are introduced by the E/E/PE safety-related system?

Undertake further hazard and risk analysis when developing the E/E/PE system safety requirements. This should identify any of the states of an E/E/PE safety-related system that could lead to a hazardous event. 7.4.2.1 of IEC 61508-1 highlights the need to undertake further hazard and risk analyses when decisions are taken which may change the basis on which earlier decisions were made.