EN 61508-5:2001

6,67(16/29(16.,MDQXDU67$1'$5'LVWRYHWHQ(1)XQNFLMVNDYDUQRVWHOHNWULþQLKHOHNWURQVNLKSURJUDPLUOMLYLKHOHNWURQVNLKYDUQRVWQLKVLVWHPRYGHO3ULPHULPHWRG]DXJRWDYOMDQMHQLYRMHYFHORYLWHYDUQRVWL,(&SRSUDYHN)XQFWLRQDOVDIHW\RIHOHFWULFDOHOHFWURQLFSURJUDPPDEOHHOHFWURQLFVDIHW\UHODWHGV\VWHPV3DUW([DPSOHVRIPHWKRGVIRUWKHGHWHUPLQDWLRQRIVDIHW\LQWHJULW\OHYHOV,(&&RUULJHQGXP !"#$%&'( )&!*- . 5HIHUHQþQDãWHYLOND6,67(1HQ,&6

EUROPEAN STANDARDEN 61508-5NORME EUROPÉENNEEUROPÄISCHE NORMDecember 2001CENELECEuropean Committee for Electrotechnical StandardizationComité Européen de Normalisation ElectrotechniqueEuropäisches Komitee für Elektrotechnische NormungCentral Secretariat: rue de Stassart 35, B - 1050 Brussels© 2001 CENELEC -All rights of exploitation in any form and by any means reserved worldwide for CENELEC members.Ref. No. EN 61508-5:2001 EICS 25.040.40English versionFunctional safety of electrical/electronic/programmable electronicsafety-related systemsPart 5: Examples of methods for the determinationof safety integrity levels(IEC 61508-5:1998 + corrigendum 1999)Sécurité fonctionnelle des systèmesélectriques/électroniques/électroniquesprogrammables relatifs à la sécuritéPartie 5: Exemples de méthodes dedétermination des niveaux d'intégritéde sécurité(CEI 61508-5:1998 + corrigendum 1999)Funktionale Sicherheitsicherheitsbezogener elektrischer/elektronischer/programmierbarerelektronischer SystemeTeil 5: Beispiele zur Ermittlung derStufe der Sicherheitsintegrität(safety integrity level)(IEC 61508-5:1998 + Corrigendum 1999)This European Standard was approved by CENELEC on 2001-07-03. CENELEC members are bound tocomply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this EuropeanStandard the status of a national standard without any alteration.Up-to-date lists and bibliographical references concerning such national standards may be obtained onapplication to the Central Secretariat or to any CENELEC member.This European Standard exists in three official versions (English, French, German). A version in any otherlanguage made by translation under the responsibility of a CENELEC member into its own language andnotified to the Central Secretariat has the same status as the official versions.CENELEC members are the national electrotechnical committees of Austria, Belgium, Czech Republic,Denmark, Finland, France, Germany, Greece, Iceland, Ireland, Italy, Luxembourg, Malta, Netherlands,Norway, Portugal, Spain, Sweden, Switzerland and United Kingdom.

EN 50126 and EN 50128 were based on earlier drafts of IEC 61508.
prEN 50129 is based on the principles of thelatest version of IEC 61508.This list does not preclude other sector implementations of IEC 61508 which could be currently underdevelopment or published within IEC or CENELEC.__________

- 3 -EN 61508-5:2001Endorsement noticeThe text of the International Standard IEC 61508-5:1998 including its corrigendum April 1999 wasapproved by CENELEC as a European Standard without any modification.__________

Functional safety of electrical/electronic/programmable electronic safety-related systems –Part 5:Examples of methods for the determinationof safety integrity levelsFor price, see current catalogue IEC 1998 Copyright - all rights reservedNo part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical,including photocopying and microfilm, without permission in writing from the publisher.International Electrotechnical Commission,
3, rue de Varembé, PO Box 131, CH-1211 Geneva 20, SwitzerlandTelephone: +41 22 919 02 11
Telefax: +41 22 919 03 00
E-mail: inmail@iec.ch
Web: www.iec.chINTERNATIONALSTANDARDIEC61508-5First edition1998-12UCommission Electrotechnique InternationaleInternational Electrotechnical Commission
PRICE CODE
61508-5 ã IEC:1998– 3 –CONTENTSPageFOREWORD.5INTRODUCTION.9Clause1Scope.132Normative references.173Definitions and abbreviations.17AnnexesARisk and safety integrity – General concepts.19BALARP and tolerable risk concepts.31CDetermination of safety integrity levels: a quantitative method.37DDetermination of safety integrity levels – A qualitative method: risk graph.43EDetermination of safety integrity levels – A qualitative method:hazardous event severity matrix.53FBibliography.57Figures1Overall framework of this standard.15A.1Risk reduction: general concepts.25A.2Risk and safety integrity concepts.25A.3Allocation of safety requirements to the E/E/PE safety-related systems,other technology safety-related systems and external risk reduction facilities.29B.1Tolerable risk and ALARP.33C.1Safety integrity allocation: example for safety-related protection system.41D.1Risk graph: general scheme.47D.2Risk graph: example (illustrates general principles only).49E.1Hazardous event severity matrix: example (illustrates general principles only).55TablesB.1Risk classification of accidents.35B.2Interpretation of risk classes.35D.1Example data relating to example risk graph (figure D.2).51

61508-5 ã IEC:1998– 5 –INTERNATIONAL ELECTROTECHNICAL COMMISSION___________FUNCTIONAL SAFETY OF ELECTRICAL/ELECTRONIC/PROGRAMMABLEELECTRONIC SAFETY-RELATED SYSTEMS –Part 5: Examples of methods for the determinationof safety integrity levelsFOREWORD1)The IEC (International Electrotechnical Commission) is a worldwide organization for standardization comprisingall national electrotechnical committees (IEC National Committees). The object of the IEC is to promoteinternational co-operation on all questions concerning standardization in the electrical and electronic fields. Tothis end and in addition to other activities, the IEC publishes International Standards. Their preparation isentrusted to technical committees; any IEC National Committee interested in the subject dealt with mayparticipate in this preparatory work. International, governmental and non-governmental organizations liaisingwith the IEC also participate in this preparation. The IEC collaborates closely with the International Organizationfor Standardization (ISO) in accordance with conditions determined by agreement between the twoorganizations.2)The formal decisions or agreements of the IEC on technical matters express, as nearly as possible, aninternational consensus of opinion on the relevant subjects since each technical committee has representationfrom all interested National Committees.3)The documents produced have the form of recommendations for international use and are published in the formof standards, technical reports or guides and they are accepted by the National Committees in that sense.4)In order to promote international unification, IEC National Committees undertake to apply IEC InternationalStandards transparently to the maximum extent possible in their national and regional standards. Anydivergence between the IEC Standard and the corresponding national or regional standard shall be clearlyindicated in the latter.5)The IEC provides no marking procedure to indicate its approval and cannot be rendered responsible for anyequipment declared to be in conformity with one of its standards.6)Attention is drawn to the possibility that some of the elements of this International Standard may be the subjectof patent rights. The IEC shall not be held responsible for identifying any or all such patent rights.International Standard IEC 61508-5 has been prepared by subcommittee 65A: System aspects,of IEC technical committee 65: Industrial-process measurement and control.The text of this standard is based on the following documents:FDISReport on voting65A/266/FDIS65A/276/RVDFull information on the voting for the approval of this standard can be found in the report onvoting indicated in the above table.Annexes A, B, C, D, E and F are for information only.

61508-5 ã IEC:1998– 7 –IEC 61508 consists of the following parts, under the general title Functional safety of electrical/electronic/programmable electronic safety-related systems:–Part 1:General requirements–Part 2:Requirements for electrical/electronic/programmable electronic safety-related systems–Part 3:Software requirements–Part 4:Definitions and abbreviations–Part 5:Examples of methods for the determination of safety integrity levels–Part 6:Guidelines on the application of IEC 61508-2 and IEC 61508-3–Part 7:Overview of techniques and measuresThis part 5 shall be read in conjunction with part 1.It has the status of a basic safety publication in accordance with IEC Guide 104.The contents of the corrigendum of April 1999 have been included in this copy.

61508-5 ã IEC:1998– 9 –INTRODUCTIONSystems comprised of electrical and/or electronic components have been used for many yearsto perform safety functions in most application sectors. Computer-based systems (genericallyreferred to as programmable electronic systems (PESs)) are being used in all applicationsectors to perform non-safety functions and, increasingly, to perform safety functions. Ifcomputer system technology is to be effectively and safely exploited, it is essential that thoseresponsible for making decisions have sufficient guidance on the safety aspects on which tomake those decisions.This International Standard sets out a generic approach for all safety lifecycle activities forsystems comprised of electrical and/or electronic and/or programmable electronic components(electrical/electronic/ programmable electronic systems (E/E/PESs)) that are used to performsafety
...