Functional safety - Safety instrumented systems for the process industry sector - Part 3: Guidance for the determination of the required safety integrity levels

IEC 61511-3:2003 provides information on the underlying concepts of risk, the relationship of risk to safety integrity, the determination of tolerable risk, and a number of different methods that enable the safety integrity levels for the safety instrumented functions to be determined. It has the status of a horizontal standard in accordance with IEC Guide 108.

General Information

Status: Published
Publication Date: 17-Mar-2003
Technical Committee: SC 65A - System aspects
Current Stage: DELPUB - Deleted Publication
Start Date: 21-Jul-2016
Completion Date: 26-Oct-2025

Relations

Effective Date: 05-Sep-2023

Overview

IEC 61511-3:2003 is Part 3 of the IEC 61511 series and provides guidance for the determination of required Safety Integrity Levels (SILs) for Safety Instrumented Systems (SIS) in the process industry sector. As a horizontal guidance standard (in accordance with IEC Guide 108), it explains the underlying concepts of risk, the relationship between risk and safety integrity, and approaches to determining tolerable risk. IEC 61511-3 complements IEC 61511-1 (requirements) and IEC 61511-2 (application guidance) and focuses on methods to select SILs for Safety Instrumented Functions (SIFs).

Key Topics

  • Risk concepts and tolerable risk: explanation of risk classes, ALARP (As Low As Reasonably Practicable) and how tolerable risk informs SIL selection (Annex A).
  • Relationship of risk to safety integrity: how risk reduction requirements map to SIL targets and the role of SIS within a multi-layered protection strategy.
  • Methods for SIL determination: overview of multiple approaches rather than prescriptive algorithms, including:
    • Semi‑quantitative methods (Annex B)
    • Safety layer matrix method (Annex C)
    • Calibrated risk graph (semi‑qualitative) (Annex D)
    • Qualitative risk graph (Annex E)
    • Layer of Protection Analysis (LOPA) (Annex F)
  • Allocation of safety requirements: guidance for assigning safety requirements to SIFs and considering contributions from non‑SIS protection layers.
  • Scope and applicability: primarily for E/E/PE (Electrical/Electronic/Programmable Electronic) based SIS but principles apply to other technologies; intended to be used alongside hazard and risk assessments and the safety lifecycle.

Applications

IEC 61511-3 is used to:

  • Determine required SILs for safety instrumented functions in chemical, oil & gas, pharmaceutical, power generation and other process plants.
  • Support HAZOP/HAZID teams, safety engineers and functional safety managers when developing safety requirements and safety cases.
  • Integrate SIS specifications with plant risk assessments and management systems to ensure appropriate risk reduction strategies.
  • Inform procurement, design and verification by providing a consistent rationale for chosen SILs and for evaluating the effectiveness of other protection layers.

Typical users include process safety engineers, instrumentation and control engineers, safety auditors, consultants, and regulatory authorities seeking alignment with IEC 61511 principles.

Related Standards

  • IEC 61511-1: Framework, system, hardware and software requirements.
  • IEC 61511-2: Guidelines for application of Part 1.
  • IEC 61508: Generic functional safety standard (foundation for IEC 61511).
  • IEC Guide 108: Horizontal standard guidance referenced by IEC 61511-3.

Keywords: IEC 61511-3, functional safety, safety instrumented systems, SIL determination, process industry, LOPA, ALARP, risk assessment, safety integrity levels.

Standard

IEC 61511-3:2003 - Functional safety - Safety instrumented systems for the process industry sector - Part 3: Guidance for the determination of the required safety integrity levels. Released: 3/18/2003. ISBN: 2831867649

English language
53 pages
Standard

IEC 61511-3:2003 - Functional safety - Safety instrumented systems for the process industry sector - Part 3: Guidance for the determination of the required safety integrity levels. Released: 3/18/2003. ISBN: 2831876834

English and French language
113 pages

Frequently Asked Questions

IEC 61511-3:2003 is a standard published by the International Electrotechnical Commission (IEC). Its full title is "Functional safety - Safety instrumented systems for the process industry sector - Part 3: Guidance for the determination of the required safety integrity levels". This standard provides information on the underlying concepts of risk, the relationship of risk to safety integrity, the determination of tolerable risk, and a number of different methods that enable the safety integrity levels for the safety instrumented functions to be determined. It has the status of a horizontal standard in accordance with IEC Guide 108.

IEC 61511-3:2003 is classified under the following ICS (International Classification for Standards) categories: 25.040.01 - Industrial automation systems in general. The ICS classification helps identify the subject area and facilitates finding related standards.

IEC 61511-3:2003 has the following relationships with other standards: it has inter-standard links to IEC 61511-3:2003/COR1:2004 and IEC 61511-3:2016. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.

You can purchase IEC 61511-3:2003 directly from iTeh Standards. The document is available in PDF format and is delivered instantly after payment. Add the standard to your cart and complete the secure checkout process. iTeh Standards is an authorized distributor of IEC standards.

Standards Content (Sample)


INTERNATIONAL STANDARD IEC 61511-3
First edition, 2003-03

Functional safety – Safety instrumented systems for the process industry sector – Part 3: Guidance for the determination of the required safety integrity levels
Publication numbering
As from 1 January 1997 all IEC publications are issued with a designation in the 60000 series. For example, IEC 34-1 is now referred to as IEC 60034-1.

Consolidated editions
The IEC is now publishing consolidated versions of its publications. For example, edition numbers 1.0, 1.1 and 1.2 refer, respectively, to the base publication, the base publication incorporating amendment 1 and the base publication incorporating amendments 1 and 2.

Further information on IEC publications
The technical content of IEC publications is kept under constant review by the IEC, thus ensuring that the content reflects current technology. Information relating to this publication, including its validity, is available in the IEC Catalogue of publications (see below) in addition to new editions, amendments and corrigenda. Information on the subjects under consideration and work in progress undertaken by the technical committee which has prepared this publication, as well as the list of publications issued, is also available from the following:
• IEC Web Site (www.iec.ch)
• Catalogue of IEC publications
The on-line catalogue on the IEC web site (http://www.iec.ch/searchpub/cur_fut.htm) enables you to search by a variety of criteria including text searches, technical committees and date of publication. On-line information is also available on recently issued publications, withdrawn and replaced publications, as well as corrigenda.
• IEC Just Published
This summary of recently issued publications (http://www.iec.ch/online_news/justpub/jp_entry.htm) is also available by email. Please contact the Customer Service Centre (see below) for further information.
• Customer Service Centre
If you have any questions regarding this publication or need further assistance, please contact the Customer Service Centre:
Email: custserv@iec.ch
Tel: +41 22 919 02 11
Fax: +41 22 919 03 00
 IEC 2003  Copyright - all rights reserved
No part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from the publisher.
International Electrotechnical Commission, 3, rue de Varembé, PO Box 131, CH-1211 Geneva 20, Switzerland
Telephone: +41 22 919 02 11 Telefax: +41 22 919 03 00 E-mail: inmail@iec.ch Web: www.iec.ch
Commission Electrotechnique Internationale
International Electrotechnical Commission
Международная Электротехническая Комиссия
PRICE CODE: XA
For price, see current catalogue

– 2 – 61511-3  IEC:2003(E)
CONTENTS
FOREWORD 4
INTRODUCTION 6
1 Scope 9
2 Terms, definitions and abbreviations 10
3 Risk and safety integrity – general guidance 10
3.1 General 10
3.2 Necessary risk reduction 11
3.3 Role of safety instrumented systems 11
3.4 Safety integrity 11
3.5 Risk and safety integrity 13
3.6 Allocation of safety requirements 14
3.7 Safety integrity levels 14
3.8 Selection of the method for determining the required safety integrity level 15
Annex A (informative) As Low As Reasonably Practicable (ALARP) and tolerable risk concepts 16
Annex B (informative) Semi-quantitative method 19
Annex C (informative) The safety layer matrix method 27
Annex D (informative) Determination of the required safety integrity levels – a semi-qualitative method: calibrated risk graph 33
Annex E (informative) Determination of the required safety integrity levels – a qualitative method: risk graph 41
Annex F (informative) Layer of protection analysis (LOPA) 46

Figure 1 – Overall framework of this standard 8
Figure 2 – Typical risk reduction methods found in process plants 10
Figure 3 – Risk reduction: general concepts 13
Figure 4 – Risk and safety integrity concepts 13
Figure 5 – Allocation of safety requirements to the Safety Instrumented Systems, non-SIS prevention/mitigation protection layers and other protection layers 14
Figure A.1 – Tolerable risk and ALARP 17
Figure B.1 – Pressurized Vessel with Existing Safety Systems 20
Figure B.2 – Fault Tree for Overpressure of the Vessel 23
Figure B.3 – Hazardous Events with Existing Safety Systems 24
Figure B.4 – Hazardous Events with Redundant Protection Layer 25
Figure B.5 – Hazardous Events with SIL 2 SIS Safety Function 26
Figure C.1 – Protection Layers 27
Figure C.2 – Example Safety Layer Matrix 31
Figure D.1 – Risk graph: general scheme 37
Figure D.2 – Risk Graph: Environmental Loss 39
Figure E.1 – DIN V 19250 Risk graph – personnel protection (see Table E.1) 44
Figure E.2 – Relationship IEC 61511, DIN 19250 and VDI/VDE 2180 45
Figure F.1 – Layer of Protection Analysis (LOPA) Report 47

Table A.1 – Example of risk classification of incidents 18
Table A.2 – Interpretation of risk classes 18
Table B.1 – HAZOP analysis results 21
Table C.1 – Frequency of hazardous event likelihood (without considering PLs) 30
Table C.2 – Criteria for rating the severity of impact of hazardous events 30
Table D.1 – Descriptions of process industry risk graph parameters 34
Table D.2 – Example calibration of the general purpose risk graph 37
Table D.3 – General environmental consequences 39
Table E.1 – Data relating to risk graph (see Figure E.1) 44
Table F.1 – HAZOP developed data for LOPA 47
Table F.2 – Impact event severity levels 48
Table F.3 – Typical protection layer (prevention and mitigation) PFDs 49
Table F.4 – Initiation Likelihood 48

INTERNATIONAL ELECTROTECHNICAL COMMISSION

FUNCTIONAL SAFETY – SAFETY INSTRUMENTED SYSTEMS FOR THE PROCESS INDUSTRY SECTOR –

Part 3: Guidance for the determination of the required safety integrity levels

FOREWORD
1) The IEC (International Electrotechnical Commission) is a worldwide organization for standardization comprising all national electrotechnical committees (IEC National Committees). The object of the IEC is to promote international co-operation on all questions concerning standardization in the electrical and electronic fields. To this end and in addition to other activities, the IEC publishes International Standards. Their preparation is entrusted to technical committees; any IEC National Committee interested in the subject dealt with may participate in this preparatory work. International, governmental and non-governmental organizations liaising with the IEC also participate in this preparation. The IEC collaborates closely with the International Organization for Standardization (ISO) in accordance with conditions determined by agreement between the two organizations.
2) The formal decisions or agreements of the IEC on technical matters express, as nearly as possible, an international consensus of opinion on the relevant subjects since each technical committee has representation from all interested National Committees.
3) The documents produced have the form of recommendations for international use and are published in the form of standards, technical specifications, technical reports or guides and they are accepted by the National Committees in that sense.
4) In order to promote international unification, IEC National Committees undertake to apply IEC International Standards transparently to the maximum extent possible in their national and regional standards. Any divergence between the IEC Standard and the corresponding national or regional standard shall be clearly indicated in the latter.
5) The IEC provides no marking procedure to indicate its approval and cannot be rendered responsible for any equipment declared to be in conformity with one of its standards.
6) Attention is drawn to the possibility that some of the elements of this International Standard may be the subject of patent rights. The IEC shall not be held responsible for identifying any or all such patent rights.

International Standard IEC 61511-3 has been prepared by subcommittee 65A: System aspects, of IEC technical committee 65: Industrial-process measurement and control.

The text of this standard is based on the following documents:

FDIS: 65A/367/FDIS
Report on voting: 65A/370/RVD

Full information on the voting for the approval of this standard can be found in the report on voting indicated in the above table.

This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.

The IEC 61511 series has been developed as a process sector implementation of the IEC 61508 series.
IEC 61511 consists of the following parts, under the general title Functional safety – Safety Instrumented Systems for the process industry sector (see Figure 1):

Part 1: Framework, definitions, system, hardware and software requirements
Part 2: Guidelines for the application of IEC 61511-1
Part 3: Guidance for the determination of the required safety integrity levels

The committee has decided that the contents of this publication will remain unchanged until 2007. At this date, the publication will be
• reconfirmed;
• withdrawn;
• replaced by a revised edition, or
• amended.

The contents of the corrigendum of October 2004 have been included in this copy.

INTRODUCTION
Safety instrumented systems have been used for many years to perform safety instrumented functions in the process industries. If instrumentation is to be effectively used for safety instrumented functions, it is essential that this instrumentation achieves certain minimum standards and performance levels.

This International Standard addresses the application of safety instrumented systems for the Process Industries. It also requires a process hazard and risk assessment to be carried out to enable the specification for safety instrumented systems to be derived. Other safety systems are only considered so that their contribution can be taken into account when considering the performance requirements for the safety instrumented systems. The safety instrumented system includes all components and subsystems necessary to carry out the safety instrumented function from sensor(s) to final element(s).

This International Standard has two concepts which are fundamental to its application: safety lifecycle and safety integrity levels.

This International Standard addresses safety instrumented systems which are based on the use of Electrical (E)/Electronic (E)/Programmable Electronic (PE) technology. Where other technologies are used for logic solvers, the basic principles of this standard should be applied. This standard also addresses the safety instrumented system sensors and final elements regardless of the technology used. This International Standard is process industry specific within the framework of IEC 61508 (see Annex A of IEC 61511-1).

This International Standard sets out an approach for safety lifecycle activities to achieve these minimum standards. This approach has been adopted in order that a rational and consistent technical policy be used.

In most situations, safety is best achieved by an inherently safe process design. If necessary, this may be combined with a protective system or systems to address any residual identified risk. Protective systems can rely on different technologies (chemical, mechanical, hydraulic, pneumatic, electrical, electronic, programmable electronic). Any safety strategy should consider each individual safety instrumented system in the context of the other protective systems. To facilitate this approach, this standard
– requires that a hazard and risk assessment is carried out to identify the overall safety requirements;
– requires that an allocation of the safety requirements to the safety instrumented system(s) is carried out;
– works within a framework which is applicable to all instrumented methods of achieving functional safety;
– details the use of certain activities, such as safety management, which may be applicable to all methods of achieving functional safety.

This International Standard on safety instrumented systems for the process industry:
– addresses all safety life cycle phases from initial concept, design, implementation, operation and maintenance through to decommissioning;
– enables existing or new country specific process industry standards to be harmonized with this standard.

This standard is intended to lead to a high level of consistency (for example, of underlying principles, terminology, information) within the process industries. This should have both safety and economic benefits.
In jurisdictions where the governing authorities (for example national, federal, state, province, county, city) have established process safety design, process safety management, or other requirements, these take precedence over the requirements defined in this standard.

This standard deals with guidance in the area of determining the required SIL in hazards and risk analysis (H & RA). The information herein is intended to provide a broad overview of the wide range of global methods used to implement H & RA. The information provided is not of sufficient detail to implement any of these approaches.

Before proceeding, the concept and determination of safety integrity level(s) (SIL) provided in IEC 61511-1 should be reviewed. The annexes in this standard address the following:

Annex A provides an overview of the concepts of tolerable risk and ALARP.
Annex B provides an overview of a semi-quantitative method used to determine the required SIL.
Annex C provides an overview of a safety matrix method to determine the required SIL.
Annex D provides an overview of a method using a semi-qualitative risk graph approach to determine the required SIL.
Annex E provides an overview of a method using a qualitative risk graph approach to determine the required SIL.
Annex F provides an overview of a method using a layer of protection analysis (LOPA) approach to select the required SIL.

Figure 1 – Overall framework of this standard (IEC 3008/02). The figure maps the parts and clauses of IEC 61511 as follows.

Technical requirements (Part 1):
– Development of the overall safety requirements (concept, scope definition, hazard and risk assessment): Clause 8
– Allocation of the safety requirements to the safety instrumented functions and development of safety requirements specification: Clauses 9 and 10
– Design phase for safety instrumented systems: Clause 11
– Design phase for safety instrumented system software: Clause 12
– Factory acceptance testing, installation and commissioning and safety validation of safety instrumented systems: Clauses 13, 14, and 15
– Operation and maintenance, modification and retrofit, decommissioning or disposal of safety instrumented systems: Clauses 16, 17, and 18

Support parts (Part 1):
– References: Clause 2
– Definitions and abbreviations: Clause 3
– Conformance: Clause 4
– Management of functional safety: Clause 5
– Safety lifecycle requirements: Clause 6
– Verification: Clause 7
– Information requirements: Clause 19
– Differences: Annex A

Guidelines for the application of Part 1: Part 2, Clause 2
Guidance for the determination of the required safety integrity levels: Part 3

FUNCTIONAL SAFETY – SAFETY INSTRUMENTED SYSTEMS FOR THE PROCESS INDUSTRY SECTOR –

Part 3: Guidance for the determination of the required safety integrity levels

1 Scope
1.1 This part provides information on
– the underlying concepts of risk, the relationship of risk to safety integrity, see Clause 3;
– the determination of tolerable risk, see Annex A;
– a number of different methods that enable the safety integrity levels for the safety instrumented functions to be determined, see Annexes B, C, D, E, and F.
In particular, this part
a) applies when functional safety is achieved using one or more safety instrumented functions for the protection of either personnel, the general public, or the environment;
b) may be applied in non-safety applications such as asset protection;
c) illustrates typical hazard and risk assessment methods that may be carried out to define the safety functional requirements and safety integrity levels of each safety instrumented function;
d) illustrates techniques/measures available for determining the required safety integrity levels;
e) provides a framework for establishing safety integrity levels but does not specify the safety integrity levels required for specific applications;
f) does not give examples of determining the requirements for other methods of risk reduction.
1.2 Annexes B, C, D, E, and F illustrate quantitative and qualitative approaches and have been simplified in order to illustrate the underlying principles. These annexes have been included to illustrate the general principles of a number of methods but do not provide a definitive account.
NOTE Those intending to apply the methods indicated in these annexes should consult the source material referenced in each annex.
1.3 Figure 1 shows the overall framework for IEC 61511-1, IEC 61511-2 and IEC 61511-3 and indicates the role that this standard plays in the achievement of functional safety for safety instrumented systems.
Figure 2 gives an overview of risk reduction methods.

Figure 2 – Typical risk reduction methods found in process plants (for example, protection layer model) (IEC 3009/02). The figure shows the following layers around the process, from the innermost outwards:
– PROCESS
– CONTROL and MONITORING: basic process control systems; monitoring systems (process alarms); operator supervision
– PREVENTION: mechanical protection system; process alarms with operator corrective action; safety instrumented control systems; safety instrumented prevention systems
– MITIGATION: mechanical mitigation systems; safety instrumented control systems; safety instrumented mitigation systems; operator supervision
– PLANT EMERGENCY RESPONSE: evacuation procedures
– COMMUNITY EMERGENCY RESPONSE: emergency broadcasting

2 Terms, definitions and abbreviations
For the purposes of this document, the definitions and abbreviations given in Clause 3 of
IEC 61511-1 apply.
3 Risk and safety integrity – general guidance
3.1 General
This clause provides information on the underlying concepts of risk and the relationship of risk
to safety integrity. This information is common to each of the diverse hazard and risk analysis
(H & RA) methods shown herein.

3.2 Necessary risk reduction
The necessary risk reduction[1] (which may be stated either qualitatively or quantitatively[2]) is the reduction in risk that has to be achieved to meet the tolerable risk (process safety target level) for a specific situation. The concept of necessary risk reduction is of fundamental importance in the development of the safety requirements specification for the Safety Instrumented Function (SIF) (in particular, the safety integrity requirements part of the safety requirements specification). The purpose of determining the tolerable risk (process safety target level) for a specific hazardous event is to state what is deemed reasonable with respect to both the frequency of the hazardous event and its specific consequences. Protection layers (see Figure 3) are designed to reduce the frequency of the hazardous event and/or the consequences of the hazardous event.

Important factors in assessing tolerable risk include the perception and views of those exposed to the hazardous event. In arriving at what constitutes a tolerable risk for a specific application, a number of inputs can be considered. These may include:
– guidelines from the appropriate regulatory authorities;
– discussions and agreements with the different parties involved in the application;
– industry standards and guidelines;
– industry, expert and scientific advice;
– legal and regulatory requirements – both general and those directly relevant to the specific application.
3.3 Role of safety instrumented systems
A safety instrumented system implements the safety instrumented functions required to
achieve or to maintain a safe state of the process and, as such, contributes towards the
necessary risk reduction to meet the tolerable risk. For example, the safety functions
requirements specification may state that when the temperature reaches a value of x, valve y
opens to allow water to enter the vessel.
The necessary risk reduction may be achieved by either one or a combination of Safety
Instrumented Systems (SIS) or other protection layers.
A person could be an integral part of a safety function. For example, a person could receive
information on the state of the process and perform a safety action based on this
information. If a person is part of a safety function, then all human factors should be
considered.
Safety instrumented functions can operate in a demand mode of operation or a continuous
mode of operation.
3.4 Safety integrity
Safety integrity is considered to be composed of the following two elements.
a) Hardware safety integrity – that part of safety integrity relating to random hardware
failures in a dangerous mode of failure. The achievement of the specified level of
hardware safety integrity can be estimated to a reasonable level of accuracy, and the
requirements can therefore be apportioned between subsystems using the established
rules for the combination of probabilities and considering common cause failures. It may
be necessary to use redundant architectures to achieve the required hardware safety
integrity.
___________
[1] In determining the necessary risk reduction, the tolerable risk needs to be established. Annexes D and E of IEC 61508-5 outline qualitative methods, although in the examples quoted the necessary risk reduction is incorporated implicitly rather than stated explicitly.
[2] For example, that a hazardous event, leading to a specific consequence, would typically be expressed as a maximum frequency of occurrence per year.

b) Systematic safety integrity – that part of safety integrity relating to systematic failures in a dangerous mode of failure. Although the contribution due to some systematic failures may be estimated, the failure data obtained from design faults and common cause failures means that the distribution of failures can be hard to predict. This has the effect of increasing the uncertainty in the failure probability calculations for a specific situation (for example the probability of failure of a SIS). Therefore a judgement has to be made on the selection of the best techniques to minimize this uncertainty. Note that taking measures to reduce the probability of random hardware failures may not necessarily reduce the probability of systematic failure. Techniques such as redundant channels of identical hardware, which are very effective at controlling random hardware failures, are of little use in reducing systematic failures.

The total risk reduction provided by the safety instrumented function(s) together with any
other protection layers has to be such as to ensure that:
– the failure frequency of the safety functions is sufficiently low to prevent the hazardous
event frequency from exceeding that required to meet the tolerable risk; and/or
– the safety functions modify the consequences of failure to the extent required to meet the
tolerable risk.
Figure 3 illustrates the general concepts of risk reduction. The general model assumes that:
– there is a process and an associated basic process control system (BPCS);
– there are associated human factor issues;
– the safety protection layers features comprise:
1) mechanical protection system;
2) safety instrumented systems;
3) mechanical mitigation system.
NOTE Figure 3 is a generalized risk model to illustrate the general principles. The risk model for a specific
application needs to be developed taking into account the specific manner in which the necessary risk reduction is
actually being achieved by the Safety Instrumented Systems and/or other protection layers. The resulting risk
model may therefore differ from that shown in Figure 3.
The various risks indicated in Figures 3 and 4 are as follows:
– Process risk – the risk existing for the specified hazardous events for the process, the
basic process control system and associated human factor issues – no designated safety
protective features are considered in the determination of this risk;
– Tolerable risk (process safety target level) – the risk which is accepted in a given context
based on the current values of society;
– Residual risk – in the context of this standard, the residual risk is the risk of hazardous
events occurring after the addition of protection layers.
The process risk is a function of the risk associated with the process itself but it takes into
account the risk reduction brought about by the process control system. To prevent
unreasonable claims for the safety integrity of the basic process control system, this standard
places constraints on the claims that can be made.
The necessary risk reduction is the minimum level of risk reduction that has to be achieved to
meet the tolerable risk. It may be achieved by one or a combination of risk reduction
techniques. The necessary risk reduction to achieve the specified tolerable risk, from
a starting point of the process risk, is shown in Figure 3.

61511-3  IEC:2003(E) – 13 –
[Figure 3 (IEC 3010/02), bar diagram; image not reproduced. Along a scale of increasing risk,
from left to right: residual risk, tolerable risk, process risk. The span from the process risk
down to the tolerable risk is the necessary risk reduction; the span from the process risk down
to the residual risk is the actual risk reduction. The actual risk reduction is made up of the
partial risk covered by other non-SIS prevention/mitigation protection layers, the partial risk
covered by SIS, and the partial risk covered by other protection layers; together these form
the risk reduction achieved by all protection layers.]
Figure 3 – Risk reduction: general concepts
3.5 Risk and safety integrity
It is important that the distinction between risk and safety integrity is fully appreciated. Risk is
a measure of the frequency and consequence of a specified hazardous event occurring.
This can be evaluated for different situations (process risk, tolerable risk, residual risk - see
Figure 3). The tolerable risk involves consideration of societal and political factors. Safety
integrity is a measure of the likelihood that the SIF and other protection layers will achieve the
specified safety functions. Once the tolerable risk has been set, and the necessary risk
reduction estimated, the safety integrity requirements for the SIS can be allocated.
NOTE The allocation may be iterative in order to optimise the design to meet the various requirements.
The role that safety functions play in achieving the necessary risk reduction is illustrated in
Figures 3 and 4.
[Figure 4 (IEC 3011/02), diagram; image not reproduced. Axes: consequence of hazardous event
against frequency of hazardous event. The process and the basic process control system define
the process risk; the necessary risk reduction is the gap between the process risk and the
tolerable risk target. That gap is closed by the non-SIS prevention/mitigation protection
layers, the other protection layers and the SIS protection layers, whose safety integrity is
matched to the necessary risk reduction.]
Figure 4 – Risk and safety integrity concepts

3.6 Allocation of safety requirements
The allocation of safety requirements (both the safety functions and the safety integrity
requirements) to the safety instrumented systems and other protection layers is shown in
Figure 5. The requirements for the safety requirements allocation phase are given in Clause 9
of IEC 61511-1.
The methods used to allocate the safety integrity requirements to the safety instrumented
systems, other technology safety-related systems and external risk reduction facilities
depend, primarily, upon whether the necessary risk reduction is specified explicitly in a
numerical manner or in a qualitative manner. These approaches are termed semi-quantitative,
semi-qualitative, and qualitative methods respectively (see Annexes B, C, D, E, and F).
3.7 Safety integrity levels
In this standard, four safety integrity levels are specified, with safety integrity level 4 being the
highest level and safety integrity level 1 being the lowest.
The safety integrity level target failure measures for the four safety integrity levels are speci-
fied in Tables 3 and 4 of IEC 61511−1. Two parameters are specified, one for SIS operating in
a demand mode of operation and one for SIS operating in a continuous mode of operation.
NOTE For SIS operating in a demand mode of operation, the safety integrity measure of interest is the average
probability of failure to perform its designed function on demand. For SIS operating in a continuous mode of
operation, the safety integrity measure of interest is the frequency of a dangerous failure per hour, see 3.2.43
of IEC 61511-1.
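The arithmetic that 3.2 to 3.7 describe in words (necessary risk reduction, credit for independent non-SIS layers, the PFD that is left for the SIF to deliver, and the SIL band that PFD falls in) is easy to get wrong at the band boundaries and where a BPCS claim is over-credited. The following is an added worked example in Python; it is not code from IEC 61511-3 or from any project. The band limits are the demand-mode and continuous-mode target failure measures of IEC 61511-1 Tables 3 and 4, which this page refers to but does not reproduce; the BPCS credit cap of 10, the layer names, the event frequencies and the PFD values are constructed assumptions for the illustration, and the function names are the example's own.

```python
"""Worked example for IEC 61511-3 Clause 3: from process risk to a required SIL.

Added illustration, not code from the standard. Frequencies, PFD values and
layer names are constructed; the SIL bands follow IEC 61511-1 Tables 3 and 4.
"""
from dataclasses import dataclass
from typing import List, Optional

# Demand mode: SIL n means 10^-(n+1) <= PFDavg < 10^-n (IEC 61511-1 Table 3).
DEMAND_MODE_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]
# Continuous mode: frequency of dangerous failure per hour (IEC 61511-1 Table 4).
CONTINUOUS_MODE_BANDS = [(4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5)]

# Assumption for this example: the largest risk reduction credited to a BPCS
# layer. IEC 61511-1 Clause 9 states the actual constraint; check it there.
BPCS_MAX_RISK_REDUCTION = 10.0


@dataclass(frozen=True)
class ProtectionLayer:
    """A protection layer credited with an average PFD, independent of the others."""
    name: str
    pfd: float
    is_bpcs: bool = False

    def credited_pfd(self) -> float:
        """PFD actually credited: a BPCS claim is capped, other layers are taken as given."""
        if self.is_bpcs:
            return max(self.pfd, 1.0 / BPCS_MAX_RISK_REDUCTION)
        return self.pfd


def necessary_risk_reduction(process_risk_freq: float, tolerable_freq: float) -> float:
    """Risk reduction factor needed to bring the process risk down to the tolerable risk."""
    if process_risk_freq <= 0 or tolerable_freq <= 0:
        raise ValueError("frequencies must be positive")
    return process_risk_freq / tolerable_freq


def residual_frequency(process_risk_freq: float, layers: List[ProtectionLayer]) -> float:
    """Hazardous event frequency after all (assumed independent) layers are applied."""
    freq = process_risk_freq
    for layer in layers:
        freq *= layer.credited_pfd()
    return freq


def required_sif_pfd(process_risk_freq: float, tolerable_freq: float,
                     non_sis_layers: List[ProtectionLayer]) -> Optional[float]:
    """PFDavg the SIF must achieve after credit for the non-SIS layers.

    Returns None when the non-SIS layers alone already meet the tolerable risk.
    """
    remaining = residual_frequency(process_risk_freq, non_sis_layers)
    if remaining <= tolerable_freq:
        return None
    return tolerable_freq / remaining


def sil_for_pfd(pfd: float) -> Optional[int]:
    """SIL band containing a required PFDavg (demand mode).

    Returns 0 when the required PFD is 0.1 or more (less reduction than SIL 1
    provides) and None when it is below the SIL 4 band, i.e. no single SIF can
    deliver the reduction and the function must be split or more layers added.
    The specific numeric target is still recorded alongside the SIL.
    """
    if pfd >= 1e-1:
        return 0
    for sil, lower, upper in DEMAND_MODE_BANDS:
        if lower <= pfd < upper:
            return sil
    return None


def sil_for_dangerous_failure_rate(rate_per_hour: float) -> Optional[int]:
    """SIL band for a continuous-mode target (dangerous failures per hour)."""
    if rate_per_hour >= 1e-5:
        return 0
    for sil, lower, upper in CONTINUOUS_MODE_BANDS:
        if lower <= rate_per_hour < upper:
            return sil
    return None


def worked_example() -> dict:
    """Constructed numbers: unprotected demand 0.1 per year, tolerable 5e-7 per year."""
    process_risk = 0.1   # hazardous events per year with no designated protection layers
    tolerable = 5e-7     # agreed tolerable frequency per year for this consequence
    non_sis = [
        ProtectionLayer("relief valve", 1e-2),
        # Claimed 1e-3, but the BPCS cap limits the credit to 1e-1.
        ProtectionLayer("BPCS high-pressure alarm and operator", 1e-3, is_bpcs=True),
    ]
    pfd = required_sif_pfd(process_risk, tolerable, non_sis)
    return {
        "necessary_risk_reduction": necessary_risk_reduction(process_risk, tolerable),
        "required_sif_pfd": pfd,
        "sil": sil_for_pfd(pfd) if pfd is not None else None,
    }


if __name__ == "__main__":
    print(worked_example())
```

With the constructed numbers the non-SIS layers leave 1e-4 events per year, so the SIF must reach a PFDavg of 5e-3, which sits in the SIL 2 band; had the BPCS claim of 1e-3 been credited in full, the SIF would have appeared to need only 0.5 and no SIL-rated function at all, which is exactly the over-claim the standard's constraint on BPCS credit is there to prevent.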
[Figure 5 (IEC 3012/02), diagram; image not reproduced. The left-hand column lists the method
of specifying safety requirements: a) necessary risk reduction to all SIFs; b) necessary risk
reduction to specific SIFs; c) safety integrity levels. The right-hand columns show the
allocation of each safety function and its associated safety integrity requirement to the
non-SIS prevention/mitigation protection layers, to the other protection layers, and to the
individual safety instrumented functions SIF #1, SIF #2, and so on. The non-SIS layers and
other protection layers are designed to the appropriate national or international standards;
for SIS design requirements see IEC 61511-1.]
NOTE Safety integrity requirements are associated with each safety instrumented function before allocation
(see IEC 61511-1, Clause 9).
Figure 5 – Allocation of safety requirements to the safety instrumented systems,
non-SIS prevention/mitigation protection layers and other protection layers

3.8 Selection of the method for determining the required safety integrity level
There are a number of ways of establishing the required safety integrity level for a specific
application. Annexes B to F present information on a number of methods that have been
used. The method selected for a specific application will depend on many factors, including:
– the complexity of the application;
– the guidelines from regulatory authorities;
– the nature of the risk and the required risk reduction;
– the experience and skills of the persons available to undertake the work;
– the information available on the parameters relevant to the risk.
In some applications more than one method may be used. A qualitative method may be used
as a first pass to determine the required SIL of all SIFs. Those which are assigned a SIL 3
or 4 by this method should then be considered in greater detail using a quantitative method to
gain a more rigorous understanding of their required safety integrity.

Annex A
(informative)
As Low As Reasonably Practicable (ALARP) and tolerable risk concepts
A.1 General
This annex considers one particular principle (ALARP) which can be applied during the
determination of tolerable risk and safety integrity levels. ALARP is a concept which can be
applied during the determination of safety integrity levels. It is not, in itself, a method for
determining safety integrity levels. Those intending to apply the principles indicated in this
annex should consult the following references:
– Reducing Risks, Protecting People, HSE, London, 2001 (ISBN 0 7176 2151 0)
– Assessment principles for offshore safety cases, HSE, London, 1998 (ref. HSG 181) (ISBN 0 7176 1238 4)
– Safety assessment principles for nuclear plants, HSE, London, 1992 (ISBN 0 11 882043 5)
– Tolerability of risks from nuclear power stations, HMSO, London, 1992 (ISBN 0 11 886368 1)
– The use of computers in safety-critical applications, Health and Safety Commission, London, 1998 (ISBN 0 7176 1620 7)
A.2 ALARP model
A.2.1 Introduction
Subclause 3.2 outlines the main criteria that are applied in regulating industrial risks and
indicates that the activities involve determining whether:
a) the risk is so great that it is refused altogether; or
b) the risk is, or has been made, so small as to be insignificant; or
c) the risk falls between the two states specified in a) and b) above and has been reduced to
the lowest practicable level, bearing in mind the benefits resulting from its acceptance and
taking into account the costs of any further reduction.
With respect to c), the ALARP principle recommends that risks be reduced “so far as is
reasonably practicable,” or to a level which is “As Low As Reasonably Practicable” (ALARP).

If a risk falls between the two extremes (that is, the unacceptable region and broadly
acceptable region) and the ALARP principle has been applied, then the resulting risk is the
tolerable risk for that specific application. According to this approach, a risk is considered to
fall into one of 3 regions classified as “unacceptable”, “tolerable” or “broadly acceptable” (see
Figure A.1).
Above a certain level, a risk is regarded as unacceptable. Such a risk cannot be justified in
any ordinary circumstances. If such a risk exists it should be reduced so that it falls in either
the “tolerable” or “broadly acceptable” regions, or the associated hazard has to be eliminated.
Below that level, a risk is considered to be “tolerable” provided that it has been reduced to the
point where the benefit gained from further risk reduction is outweighed by the cost of
achieving that risk reduction, and provided that generally accepted standards have been
applied towards the control of the risk. The higher the risk, the more would be expected to be
spent to reduce it. A risk which has been reduced in this way is considered to have been
reduced to a level which is as “low as is reasonably practicable” (ALARP).

Below the tolerable region, the levels of risk are regarded as so insignificant that the regulator
need not ask for further improvements. This is the broadly acceptable region where the risks
are small in comparison with the everyday risks we all experience. While in the broadly
acceptable region, there is no need for a detailed working to demonstrate ALARP; however, it
is necessary to remain vigilant to ensure that the risk remains at this level.

[Figure A.1 (IEC 3013/02), diagram; image not reproduced. A vertical scale of increasing
individual risks and societal concerns is divided into three regions, each matched to a risk
class (see Tables A.1 and A.2):
– Unacceptable region (risk class I): risk cannot be justified except in extraordinary
circumstances.
– Tolerable region (risk class II): risk is tolerable only if a) further risk reduction is
impracticable or if its cost is grossly disproportionate to the improvement gained, and
b) society desires the benefit of the activity given the associated risk.
– Broadly acceptable region (risk class III): level of residual risk regarded as negligible
and further measures to reduce risk not usually required; no need for detailed working to
demonstrate ALARP. The bottom of the scale is negligible risk.]
Figure A.1 – Tolerable risk and ALARP
The concept of ALARP can be used when qualitative or quantitative risk targets are adopted.
Subclause A.2.2 outlines a method for quantitative risk targets. (Annex C outlines a semi-
quantitative method and Annexes D and E outline qualitative methods for the determination of
the necessary risk reduction for a specific hazard. The methods indicated could incorporate
the concept of ALARP in the decision making).
When using the ALARP principle, care should be taken to ensure that all assumptions are
justified and documented.
A.2.2 Tolerable risk target
In order to apply the ALARP principle, it is necessary to define the 3 regions of Figure A.1 in
terms of the probability and consequence of an incident. This definition would take place by
discussion and agreement between the interested parties (for example safety regulatory
authorities, those producing the risks and those exposed to the risks).
To take into account ALARP concepts, the matching of a consequence with a tolerable
frequency can be done through risk classes. Table A.1 is an example showing three risk
classes (I, II, III) for a number of consequences and frequencies. Table A.2 interprets each of
the risk classes using the concept of ALARP. That is, the descriptions for each of the three risk
classes are based on Figure A.1. The risks within these risk class definitions are the risks that
are present when risk reduction measures have been put in place. With respect to Figure A.1,
the risk classes are as follows:

– risk class I is in the unacceptable region;
– risk class II is in the ALARP region;
– risk class III is in the broadly acceptable region.
For each specific situation, or industry sub-sector, a table similar to Table A.1 would be
developed taking into account a wide range of social, political and economic factors. Each
consequence would be matched against a probability and the table populated by the risk
classes. For example, "likely" in Table A.1 could denote an event that is likely to be
experienced at a frequency greater than 10 per year. A critical consequence could be a single
death and/or multiple severe injuries or severe occupational illness.

Having determined the tolerable risk target, it is then possible to determine the safety integrity
levels of safety instrumented functions using, for example, one of the methods outlined in
Annexes C to F.
Table A.1 – Example of risk classification of incidents

Entries are risk classes (I, II, III) for each combination of probability and consequence.

Probability    Catastrophic   Critical       Marginal       Negligible
               consequence    consequence    consequence    consequence
Likely         I              I              I              II
Probable       I              I              II             II
Possible       I              II             II             II
Remote         II             II             II             III
Improbable     II             III            III            III
Incredible     II             III            III            III

NOTE 1 See Table A.2 for interpretation of risk classes I to III.
NOTE 2 The actual population of this table with risk classes I, II and III will be
application dependent and also depends upon what the actual probabilities are for likely,
probable, etc. Therefore, this table should be seen as an example of how such a table
could be populated, rather than as a specification for future use.
Table A.2 – Interpretation of risk classes
Risk class Interpretation
Class I Intolerable risk
Class II Undesirable risk, and tolerable only if risk reduction is impracticable or if
the costs are grossly disproportionate to the improvement gained
Class III Negligible risk
NOTE There is no relationship between risk class and safety integrity level (SIL). SIL is
determined by the risk reduction associated with a particular safety instrumented function,
see Annexes B to F.
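Annex A gives the matrix (Table A.1), its ALARP interpretation (Table A.2) and a single point of calibration ("likely" meaning more than 10 per year) and leaves the rest to be agreed per application. The following is an added example in Python, not code from the standard or from any project, showing how a calibrated matrix is applied to an incident and how the resulting class drives the ALARP decision of A.2. The matrix content is Table A.1 as printed; the frequency thresholds for the other probability categories, the cost and benefit figures and the gross-disproportion factor are constructed assumptions for the illustration, and the function names are the example's own. As the note to Table A.2 says, the output is a risk class, not a SIL.

```python
"""Risk classification (Table A.1) and ALARP interpretation (Table A.2).

Added example, not from IEC 61511-3. The matrix is Table A.1 as printed; the
frequency calibration (other than "likely" > 10 per year) and the
disproportion factor are constructed assumptions.
"""
from typing import Dict, List, Tuple

CONSEQUENCES = ["catastrophic", "critical", "marginal", "negligible"]
PROBABILITIES = ["likely", "probable", "possible", "remote", "improbable", "incredible"]

# Table A.1: rows in PROBABILITIES order, columns in CONSEQUENCES order.
RISK_CLASS_MATRIX: Dict[str, List[int]] = {
    "likely":     [1, 1, 1, 2],
    "probable":   [1, 1, 2, 2],
    "possible":   [1, 2, 2, 2],
    "remote":     [2, 2, 2, 3],
    "improbable": [2, 3, 3, 3],
    "incredible": [2, 3, 3, 3],
}

# Table A.2.
INTERPRETATION = {
    1: "Intolerable risk",
    2: "Undesirable risk, and tolerable only if risk reduction is impracticable "
       "or if the costs are grossly disproportionate to the improvement gained",
    3: "Negligible risk",
}

# Probability categories as lower bounds on event frequency per year. Only the
# first figure ("likely": more than 10 per year) comes from Annex A; the others
# are constructed here and would be agreed between the interested parties.
FREQUENCY_LOWER_BOUNDS: List[Tuple[str, float]] = [
    ("likely", 10.0), ("probable", 1.0), ("possible", 1e-1),
    ("remote", 1e-2), ("improbable", 1e-3), ("incredible", 0.0),
]

# Assumption: how many times the cost of a measure may exceed its benefit
# before the cost counts as "grossly disproportionate". Regulators publish
# their own guidance on this; the figure here is for illustration only.
GROSS_DISPROPORTION_FACTOR = 3.0


def probability_category(freq_per_year: float) -> str:
    """Map a hazardous event frequency (per year) to a Table A.1 probability row."""
    if freq_per_year < 0:
        raise ValueError("frequency must be non-negative")
    for name, lower in FREQUENCY_LOWER_BOUNDS:
        if freq_per_year > lower:
            return name
    return "incredible"


def risk_class(probability: str, consequence: str) -> int:
    """Look up the risk class (1, 2 or 3); note that the class is not a SIL."""
    try:
        return RISK_CLASS_MATRIX[probability][CONSEQUENCES.index(consequence)]
    except (KeyError, ValueError) as exc:
        raise ValueError(f"unknown category: {probability!r}/{consequence!r}") from exc


def alarp_decision(cls: int, measure_cost: float, risk_reduction_benefit: float) -> str:
    """Decide whether a further risk reduction measure is required (A.2.1).

    Class 1 must be reduced (or the hazard eliminated) regardless of cost.
    Class 2 is the ALARP region: the measure is required unless its cost is
    grossly disproportionate to the benefit. Class 3 needs no detailed working.
    """
    if cls == 1:
        return "reduce: intolerable regardless of cost"
    if cls == 2:
        if measure_cost > GROSS_DISPROPORTION_FACTOR * risk_reduction_benefit:
            return "tolerable: further reduction grossly disproportionate"
        return "reduce: reasonably practicable"
    if cls == 3:
        return "no further measures required"
    raise ValueError(f"unknown risk class {cls}")


def assess(freq_per_year: float, consequence: str,
           measure_cost: float, risk_reduction_benefit: float) -> Dict[str, object]:
    """Run one incident through the matrix and the ALARP decision."""
    prob = probability_category(freq_per_year)
    cls = risk_class(prob, consequence)
    return {
        "probability": prob,
        "risk_class": cls,
        "interpretation": INTERPRETATION[cls],
        "decision": alarp_decision(cls, measure_cost, risk_reduction_benefit),
    }


if __name__ == "__main__":
    # Constructed case: an event at 0.05 per year with a critical consequence,
    # where the proposed measure costs 4 units against a quantified benefit of 1.
    print(assess(0.05, "critical", measure_cost=4.0, risk_reduction_benefit=1.0))
```

The point the code makes explicit is that cost only enters the decision in class II: a class I incident must be reduced whatever the measure costs, and a class III incident needs no detailed ALARP working, which is why the assumptions in the calibration (where the class boundaries fall) matter more than the disproportion factor itself.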
Annex B
(informative)
Semi-quantitative method
B.1 General
This annex outlines how the safety integrity levels can be determined if a semi-quantitative
approach is adopted. A semi-quantitative approach is of particular value when the tolerable
risk is to be specified in a numerical manner (for example that a specified consequence
should not occur with a greater frequency than 1 in 100 years).
This annex is not intended to be a definitive account of the method but is intended to illustrate
the general principles. It is based on a method described in more detail in the following
reference:
CONTINI, S., Benchmark Exercise on Major Hazard Analysis, Commission of European
Communities, 1992.
B.2 Compliance to IEC 61511-1
The overall objective of the annex is to outline a procedure to identify the required safety
instrumented functions and establish their SILs. The basic steps required to comply are the
following:
1) Establish the safety target (tolerable risk) of the process.
2) Perform a hazard and risk analysis to evaluate existing risk.
3) Identify safety function(s) needed.
4) Allocate safety function(s) to prote
...


IEC 61511-3
Edition 1.0 2003-03
INTERNATIONAL
STANDARD
NORME
INTERNATIONALE
Functional safety – Safety instrumented systems for the process industry sector –
Part 3: Guidance for the determination of the required safety integrity levels

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by
any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either IEC or
IEC's member National Committee in the country of the requester.
If you have any questions about IEC copyright or have an enquiry about obtaining additional rights to this publication,
please contact the address below or your local IEC member National Committee for further information.


IEC Central Office
3, rue de Varembé
CH-1211 Geneva 20
Switzerland
Email: inmail@iec.ch
Web: www.iec.ch
About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes
International Standards for all electrical, electronic and related technologies.

About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the
latest edition, a corrigenda or an amendment might have been published.
– Catalogue of IEC publications: www.iec.ch/searchpub
The IEC on-line Catalogue enables you to search by a variety of criteria (reference number, text, technical committee,…).
It also gives information on projects, withdrawn and replaced publications.
– IEC Just Published: www.iec.ch/online_news/justpub
Stay up to date on all new IEC publications. Just Published details twice a month all new publications released. Available
on-line and also by email.
– Electropedia: www.electropedia.org
The world's leading online dictionary of electronic and electrical terms containing more than 20 000 terms and definitions
in English and French, with equivalent terms in additional languages. Also known as the International Electrotechnical
Vocabulary online.
– Customer Service Centre: www.iec.ch/webstore/custserv
If you wish to give us your feedback on this publication or need further assistance, please visit the Customer Service
Centre FAQ or contact us:
Email: csc@iec.ch
Tel.: +41 22 919 02 11
Fax: +41 22 919 03 00
INTERNATIONAL ELECTROTECHNICAL COMMISSION
PRICE CODE XA
ICS 25.040.01 ISBN 2-8318-7683-4
CONTENTS
FOREWORD .... 4
INTRODUCTION .... 6
1 Scope .... 9
2 Terms, definitions and abbreviations .... 10
3 Risk and safety integrity – general guidance .... 10
3.1 General .... 10
3.2 Necessary risk reduction .... 11
3.3 Role of safety instrumented systems .... 11
3.4 Safety integrity .... 12
3.5 Risk and safety integrity .... 13
3.6 Allocation of safety requirements .... 14
3.7 Safety integrity levels .... 14
3.8 Selection of the method for determining the required safety integrity level .... 15

Annex A (informative) As Low As Reasonably Practicable (ALARP) and tolerable risk concepts .... 16
Annex B (informative) Semi-quantitative method .... 20
Annex C (informative) The safety layer matrix method .... 28
Annex D (informative) Determination of the required safety integrity levels – a semi-qualitative method: calibrated risk graph .... 34
Annex E (informative) Determination of the required safety integrity levels – a qualitative method: risk graph .... 43
Annex F (informative) Layer of protection analysis (LOPA) .... 49

Figure 1 – Overall framework of this standard .... 8
Figure 2 – Typical risk reduction methods found in process plants .... 10
Figure 3 – Risk reduction: general concepts .... 13
Figure 4 – Risk and safety integrity concepts .... 14
Figure 5 – Allocation of safety requirements to the Safety Instrumented Systems, non-SIS prevention/mitigation protection layers and other protection layers .... 15
Figure A.1 – Tolerable risk and ALARP .... 17
Figure B.1 – Pressurized vessel with existing safety systems .... 21
Figure B.2 – Fault tree for overpressure of the vessel .... 24
Figure B.3 – Hazardous events with existing safety systems .... 25
Figure B.4 – Hazardous events with redundant protection layer .... 26
Figure B.5 – Hazardous events with SIL 2 SIS safety function .... 27
Figure C.1 – Protection layers .... 28
Figure C.2 – Example safety layer matrix .... 32
Figure D.1 – Risk graph: general scheme .... 39
Figure D.2 – Risk graph: environmental loss .... 42
Figure E.1 – DIN V 19250 risk graph – personnel protection (see Table E.1) .... 46
Figure E.2 – Relationship between IEC 61511 series, DIN 19250 and VDI/VDE 2180 .... 48
Figure F.1 – Layer of Protection Analysis (LOPA) Report .... 50

Table A.1 – Example of risk classification of incidents .... 19
Table A.2 – Interpretation of risk classes .... 19
Table B.1 – HAZOP study results .... 22
Table C.1 – Frequency of hazardous event likelihood (without considering PLs) .... 31
Table C.2 – Criteria for rating the severity of impact of hazardous events .... 31
Table D.1 – Descriptions of process industry risk graph parameters .... 35
Table D.2 – Example calibration of the general purpose risk graph .... 40
Table D.3 – General environmental consequences .... 41
Table E.1 – Data relating to risk graph (see Figure E.1) .... 47
Table F.1 – HAZOP developed data for LOPA .... 50
Table F.2 – Impact event severity levels .... 51
Table F.3 – Initiation Likelihood .... 51
Table F.4 – Typical protection layer (prevention and mitigation) PFDs .... 52

INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
FUNCTIONAL SAFETY–
SAFETY INSTRUMENTED SYSTEMS
FOR THE PROCESS INDUSTRY SECTOR –

Part 3: Guidance for the determination
of the required safety integrity levels

FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC provides no marking procedure to indicate its approval and cannot be rendered responsible for any
equipment declared to be in conformity with an IEC Publication.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
International Standard IEC 61511-3 has been prepared by subcommittee 65A: System
aspects, of IEC technical committee 65: Industrial-process measurement and control.
This bilingual version, published in 2004-10, corresponds to the English version.
The text of this standard is based on the following documents:
FDIS: 65A/367/FDIS
Report on voting: 65A/370/RVD
Full information on the voting for the approval of this standard can be found in the report on
voting indicated above.

The French version of this standard has not been voted upon.
This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.
IEC 61511 consists of the following parts, under the general title Functional safety – Safety
Instrumented Systems for the process industry sector (see Figure 1):
Part 1: Framework, definitions, system, hardware and software requirements
Part 2: Guidelines for the application of IEC 61511-1
Part 3: Guidance for the determination of the required safety integrity levels
The committee has decided that the contents of this publication will remain unchanged until
the maintenance result date indicated on the IEC web site under "http://webstore.iec.ch" in
the data related to the specific publication. At this date, the publication will be
• reconfirmed;
• withdrawn;
• replaced by a revised edition, or
• amended.
INTRODUCTION
Safety instrumented systems have been used for many years to perform safety instrumented
functions in the process industries. If instrumentation is to be effectively used for safety
instrumented functions, it is essential that this instrumentation achieves certain minimum
standards and performance levels.
This International Standard addresses the application of safety instrumented systems for the
process industries. It also requires a process hazard and risk assessment to be carried out to
enable the specification for safety instrumented systems to be derived. Other safety systems
are only considered so that their contribution can be taken into account when considering the
performance requirements for the safety instrumented systems. The safety instrumented
system includes all components and subsystems necessary to carry out the safety
instrumented function from sensor(s) to final element(s).
This standard has two concepts which are fundamental to its application; safety lifecycle and
safety integrity levels.
This standard addresses safety instrumented systems which are based on the use of
Electrical (E)/Electronic (E)/Programmable Electronic (PE) technology. Where other
technologies are used for logic solvers, the basic principles of this standard should be
applied. This standard also addresses the safety instrumented system sensors and final
elements regardless of the technology used. This standard is process industry specific within
the framework of IEC 61508 (see Annex A of IEC 61511-1).
This standard sets out an approach for safety lifecycle activities to achieve these minimum
standards. This approach has been adopted in order that a rational and consistent technical
policy be used.
In most situations, safety is best achieved by an inherently safe process design. If necessary,
this may be combined with a protective system or systems to address any residual identified
risk. Protective systems can rely on different technologies (chemical, mechanical, hydraulic,
pneumatic, electrical, electronic, programmable electronic). Any safety strategy should
consider each individual safety instrumented system in the context of the other protective
systems. To facilitate this approach, this standard
– requires that a hazard and risk assessment is carried out to identify the overall safety
requirements;
– requires that an allocation of the safety requirements to the safety instrumented system(s)
is carried out;
– works within a framework which is applicable to all instrumented methods of achieving
functional safety;
– details the use of certain activities, such as safety management, which may be applicable
to all methods of achieving functional safety.
This standard on safety instrumented systems for the process industry:
– addresses all safety life cycle phases from initial concept, design, implementation,
operation and maintenance through to decommissioning;
– enables existing or new country specific process industry standards to be harmonized with
this standard.
This standard is intended to lead to a high level of consistency (for example, of underlying
principles, terminology, information) within the process industries. This should have both
safety and economic benefits.
In jurisdictions where the governing authorities (for example national, federal, state, province,
county, city) have established process safety design, process safety management, or other
requirements, these take precedence over the requirements defined in this standard.
This standard deals with guidance in the area of determining the required SIL in hazards and
risk analysis (H & RA). The information herein is intended to provide a broad overview of the
wide range of global methods used to implement H & RA. The information provided is not of
sufficient detail to implement any of these approaches.
Before proceeding, the concept and determination of safety integrity level(s) (SIL) provided in
IEC 61511-1 should be reviewed. The annexes in this standard address the following:
Annex A provides an overview of the concepts of tolerable risk and ALARP.
Annex B provides an overview of a semi-quantitative method used to determine the
required SIL.
Annex C provides an overview of a safety matrix method to determine the required SIL.
Annex D provides an overview of a method using a semi-qualitative risk graph approach
to determine the required SIL.
Annex E provides an overview of a method using a qualitative risk graph approach to
determine the required SIL.
Annex F provides an overview of a method using a layer of protection analysis (LOPA)
approach to select the required SIL.

[Figure 1 (IEC 3008/02) is a block diagram of the clauses of IEC 61511-1, grouped into "Technical requirements" and "Support parts", with IEC 61511-2 and IEC 61511-3 placed alongside as supporting parts. Recovered box contents:]
Technical requirements (all PART 1):
– Development of the overall safety requirements (concept, scope definition, hazard and risk
assessment) – Clause 8
– Allocation of the safety requirements to the safety instrumented functions and development
of safety requirements specification – Clauses 9 and 10
– Design phase for safety instrumented systems – Clause 11; design phase for safety
instrumented system software – Clause 12
– Factory acceptance testing, installation and commissioning and safety validation of safety
instrumented systems – Clauses 13, 14, and 15
– Operation and maintenance, modification and retrofit, decommissioning or disposal of
safety instrumented systems – Clauses 16, 17, and 18
Support parts:
– References – PART 1, Clause 2
– Definitions and abbreviations – PART 1, Clause 3
– Conformance – PART 1, Clause 4
– Management of functional safety – PART 1, Clause 5
– Safety lifecycle requirements – PART 1, Clause 6
– Verification – PART 1, Clause 7
– Information requirements – PART 1, Clause 19
– Differences – PART 1, Annex A
– Guidelines for the application of part 1 – PART 2, Clause 2
– Guidance for the determination of the required safety integrity levels – PART 3
Figure 1 – Overall framework of this standard

FUNCTIONAL SAFETY –
SAFETY INSTRUMENTED SYSTEMS
FOR THE PROCESS INDUSTRY SECTOR –

Part 3: Guidance for the determination
of the required safety integrity levels

1 Scope
This part of IEC 61511 provides information on
– the underlying concepts of risk, the relationship of risk to safety integrity, see Clause 3;
– the determination of tolerable risk, see Annex A;
– a number of different methods that enable the safety integrity levels for the safety
instrumented functions to be determined, see Annexes B, C, D, E, and F.
In particular, this part
a) applies when functional safety is achieved using one or more safety instrumented
functions for the protection of either personnel, the general public, or the environment;
b) may be applied in non-safety applications such as asset protection;
c) illustrates typical hazard and risk assessment methods that may be carried out to define
the safety functional requirements and safety integrity levels of each safety instrumented
function;
d) illustrates techniques/measures available for determining the required safety integrity
levels;
e) provides a framework for establishing safety integrity levels but does not specify the safety
integrity levels required for specific applications;
f) does not give examples of determining the requirements for other methods of risk
reduction.
Annexes B, C, D, E, and F illustrate quantitative and qualitative approaches and have been
simplified in order to illustrate the underlying principles. These annexes have been included to
illustrate the general principles of a number of methods but do not provide a definitive
account.
NOTE Those intending to apply the methods indicated in these annexes should consult the source material
referenced in each annex.
Figure 1 shows the overall framework for IEC 61511-1, IEC 61511-2 and IEC 61511-3 and
indicates the role that this standard plays in the achievement of functional safety for safety
instrumented systems.
Figure 2 gives an overview of risk reduction methods.

[Figure 2 (IEC 3009/02) is a protection layer model drawn as nested layers around the process. Recovered layer contents, from the process outwards:]
– PROCESS
– CONTROL and MONITORING: basic process control systems; monitoring systems (process alarms);
operator supervision
– PREVENTION: mechanical protection system; process alarms with operator corrective action;
safety instrumented control systems; safety instrumented prevention systems
– MITIGATION: mechanical mitigation systems; safety instrumented control systems; safety
instrumented mitigation systems; operator supervision
– PLANT EMERGENCY RESPONSE: evacuation procedures
– COMMUNITY EMERGENCY RESPONSE: emergency broadcasting
Figure 2 – Typical risk reduction methods found in process plants
(for example, protection layer model)

2 Terms, definitions and abbreviations
For the purposes of this document, the definitions and abbreviations given in Clause 3 of
IEC 61511-1 apply.
3 Risk and safety integrity – general guidance
3.1 General
This clause provides information on the underlying concepts of risk and the relationship of risk
to safety integrity. This information is common to each of the diverse hazard and risk analysis
(H & RA) methods shown herein.

3.2 Necessary risk reduction
The necessary risk reduction (which may be stated either qualitatively or quantitatively¹ ²) is
the reduction in risk that has to be achieved to meet the tolerable risk (process safety target
level) for a specific situation. The concept of necessary risk reduction is of fundamental
importance in the development of the safety requirements specification for the Safety
Instrumented Function (SIF) (in particular, the safety integrity requirements part of the safety
requirements specification). The purpose of determining the tolerable risk (process safety
target level) for a specific hazardous event is to state what is deemed reasonable with respect
to both the frequency of the hazardous event and its specific consequences. Protection layers
(see Figure 3) are designed to reduce the frequency of the hazardous event and/or the
consequences of the hazardous event.
Important factors in assessing tolerable risk include the perception and views of those
exposed to the hazardous event. In arriving at what constitutes a tolerable risk for a specific
application, a number of inputs can be considered. These may include:
– guidelines from the appropriate regulatory authorities;
– discussions and agreements with the different parties involved in the application;
– industry standards and guidelines;
– industry, expert and scientific advice;
– legal and regulatory requirements – both general and those directly relevant to the specific
application.
3.3 Role of safety instrumented systems
A safety instrumented system implements the safety instrumented functions required to
achieve or to maintain a safe state of the process and, as such, contributes towards the
necessary risk reduction to meet the tolerable risk. For example, the safety functions
requirements specification may state that when the temperature reaches a value of x, valve y
opens to allow water to enter the vessel.
The necessary risk reduction may be achieved by either one or a combination of Safety
Instrumented Systems (SIS) or other protection layers.
A person could be an integral part of a safety function. For example, a person could receive
information on the state of the process, and perform a safety action based on this information.
If a person is part of a safety function, then all human factors should be considered.
Safety instrumented functions can operate in a demand mode of operation or a continuous
mode of operation.
———————
¹ In determining the necessary risk reduction, the tolerable risk needs to be established. Annexes D and E of
IEC 61508-5 outline qualitative methods, although in the examples quoted the necessary risk reduction is
incorporated implicitly rather than stated explicitly.
² For example, a hazardous event, leading to a specific consequence, would typically be expressed as
a maximum frequency of occurrence per year.

3.4 Safety integrity
Safety integrity is considered to be composed of the following two elements.
a) Hardware safety integrity – that part of safety integrity relating to random hardware
failures in a dangerous mode of failure. The achievement of the specified level of
hardware safety integrity can be estimated to a reasonable level of accuracy, and the
requirements can therefore be apportioned between subsystems using the established
rules for the combination of probabilities and considering common cause failures. It may
be necessary to use redundant architectures to achieve the required hardware safety
integrity.
b) Systematic safety integrity – that part of safety integrity relating to systematic failures in
a dangerous mode of failure. Although the contribution due to some systematic failures
may be estimated, the failure data obtained from design faults and common cause
failures means that the distribution of failures can be hard to predict. This has the effect
of increasing the uncertainty in the failure probability calculations for a specific situation
(for example the probability of failure of a SIS). Therefore a judgement has to be made on
the selection of the best techniques to minimize this uncertainty. Note that taking
measures to reduce the probability of random hardware failures may not necessarily
reduce the probability of systematic failure. Techniques such as redundant channels of
identical hardware, which are very effective at controlling random hardware failures, are of
little use in reducing systematic failures.
The total risk reduction provided by the safety instrumented function(s) together with any
other protection layers has to be such as to ensure that:
– the failure frequency of the safety functions is sufficiently low to prevent the hazardous
event frequency from exceeding that required to meet the tolerable risk; and/or
– the safety functions modify the consequences of failure to the extent required to meet the
tolerable risk.
Figure 3 illustrates the general concepts of risk reduction. The general model assumes that:
– there is a process and an associated basic process control system (BPCS);
– there are associated human factor issues;
– the safety protection layer features comprise:
1) mechanical protection system;
2) safety instrumented systems;
3) mechanical mitigation system.
NOTE Figure 3 is a generalized risk model to illustrate the general principles. The risk model for a specific
application needs to be developed taking into account the specific manner in which the necessary risk reduction is
actually being achieved by the safety instrumented systems and/or other protection layers. The resulting risk model
may therefore differ from that shown in Figure 3.
The various risks indicated in Figures 3 and 4 are as follows:
– Process risk – the risk existing for the specified hazardous events for the process, the
basic process control system and associated human factor issues – no designated safety
protective features are considered in the determination of this risk;
– Tolerable risk (process safety target level) – the risk which is accepted in a given context
based on the current values of society;

– Residual risk – in the context of this standard, the residual risk is the risk of hazardous
events occurring after the addition of protection layers.
The process risk is a function of the risk associated with the process itself but it takes into
account the risk reduction brought about by the process control system. To prevent
unreasonable claims for the safety integrity of the basic process control system, this standard
places constraints on the claims that can be made.
The necessary risk reduction is the minimum level of risk reduction that has to be achieved to
meet the tolerable risk. It may be achieved by one or a combination of risk reduction
techniques. The necessary risk reduction to achieve the specified tolerable risk, from
a starting point of the process risk, is shown in Figure 3.
[Figure 3 (IEC 3010/02) is a bar diagram on an axis of increasing risk with three marks, from
left to right: residual risk, tolerable risk, process risk. The span from the process risk down
to the tolerable risk is labelled "Necessary risk reduction"; the span from the process risk
down to the residual risk is labelled "Actual risk reduction" and "Risk reduction achieved by
all protection layers", subdivided into: partial risk covered by other non-SIS
prevention/mitigation protection layers; partial risk covered by SIS; partial risk covered by
other protection layers.]
Figure 3 – Risk reduction: general concepts
3.5 Risk and safety integrity
It is important that the distinction between risk and safety integrity is fully appreciated. Risk is
a measure of the frequency and consequence of a specified hazardous event occurring.
This can be evaluated for different situations (process risk, tolerable risk, residual risk – see
Figure 3). The tolerable risk involves consideration of societal and political factors. Safety
integrity is a measure of the likelihood that the SIF and other protection layers will achieve the
specified safety functions. Once the tolerable risk has been set, and the necessary risk
reduction estimated, the safety integrity requirements for the SIS can be allocated.
NOTE The allocation may be iterative in order to optimise the design to meet the various requirements.
The role that safety functions play in achieving the necessary risk reduction is illustrated in
Figures 3 and 4.
[Figure 4 (IEC 3011/02) plots the consequence of the hazardous event against the frequency of
the hazardous event. The process risk (process and the basic process control system) is brought
down to the tolerable risk target by the necessary risk reduction, shown as successive
contributions of the non-SIS prevention/mitigation protection layers, the SIS and the other
protection layers. The safety integrity of the non-SIS prevention/mitigation protection layers,
other protection layers, and SIS is matched to the necessary risk reduction.]
Figure 4 – Risk and safety integrity concepts
3.6 Allocation of safety requirements
The allocation of safety requirements (both the safety functions and the safety integrity
requirements) to the safety instrumented systems and other protection layers is shown in
Figure 5. The requirements for the safety requirements allocation phase are given in Clause 9
of IEC 61511-1.
The methods used to allocate the safety integrity requirements to the safety instrumented
systems, other technology safety-related systems and external risk reduction facilities
depend, primarily, upon whether the necessary risk reduction is specified explicitly in a
numerical manner or in a qualitative manner. These approaches are termed semi-quantitative,
semi-qualitative, and qualitative methods respectively (see Annexes B, C, D, E, and F).
3.7 Safety integrity levels
In this standard, four safety integrity levels are specified, with safety integrity level 4 being the
highest level and safety integrity level 1 being the lowest.
The safety integrity level target failure measures for the four safety integrity levels are
specified in Tables 3 and 4 of IEC 61511-1. Two parameters are specified, one for SIS operating in
a demand mode of operation and one for SIS operating in a continuous mode of operation.
NOTE For SIS operating in a demand mode of operation, the safety integrity measure of interest is the average
probability of failure to perform its designed function on demand. For SIS operating in a continuous mode of
operation, the safety integrity measure of interest is the frequency of a dangerous failure per hour, see 3.2.43
of IEC 61511-1.
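The relationships described in 3.2, 3.4, 3.5 and 3.7 (necessary risk reduction from process risk to tolerable risk, credit for independent protection layers, and the mapping of the resulting target failure measure to a SIL) can be carried through numerically. The following Python is an added worked example, not text or tooling from this standard. The SIL bands are those of IEC 61511-1 Table 3 (demand mode, average PFD) and Table 4 (continuous mode, dangerous failures per hour); the hazardous event frequencies, layer PFD values and function names are constructed for the example.

```python
"""Worked example: necessary risk reduction and SIL selection.

Added illustration, not part of IEC 61511-3. SIL bands are those of
IEC 61511-1 Tables 3 and 4; all event frequencies and layer PFD values
are constructed for the example.
"""

# IEC 61511-1 Table 3: demand mode, average probability of failure on demand.
# Each entry is (SIL, lower bound inclusive, upper bound exclusive).
DEMAND_MODE_BANDS = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]

# IEC 61511-1 Table 4: continuous mode, frequency of dangerous failures per hour.
CONTINUOUS_MODE_BANDS = [
    (4, 1e-9, 1e-8),
    (3, 1e-8, 1e-7),
    (2, 1e-7, 1e-6),
    (1, 1e-6, 1e-5),
]


def necessary_risk_reduction(process_risk_freq, tolerable_freq):
    """Risk reduction factor needed to bring the process risk (hazardous
    event frequency per year, with the BPCS credit already taken, as in 3.4)
    down to the tolerable frequency. A factor <= 1 means none is needed."""
    if process_risk_freq <= 0 or tolerable_freq <= 0:
        raise ValueError("frequencies must be positive")
    return process_risk_freq / tolerable_freq


def residual_risk(process_risk_freq, layer_pfds):
    """Frequency of the hazardous event after the given protection layers
    (the 'residual risk' of Figure 3). Layers are assumed independent, so
    their PFDs multiply; common cause failure is ignored in this example."""
    freq = process_risk_freq
    for pfd in layer_pfds:
        freq *= pfd
    return freq


def required_sif_pfd(process_risk_freq, tolerable_freq, other_layer_pfds):
    """Largest average PFD the SIF may have once the independent non-SIS
    layers have been credited. Returns None when those layers alone already
    meet the tolerable frequency."""
    after_other_layers = residual_risk(process_risk_freq, other_layer_pfds)
    if after_other_layers <= tolerable_freq:
        return None
    return tolerable_freq / after_other_layers


def sil_for_measure(value, bands):
    """Map a target failure measure to the SIL whose band contains it.
    Returns 0 when the measure is laxer than SIL 1 requires, and raises
    when it is stricter than SIL 4 (the standard defines no such level)."""
    for sil, low, high in bands:
        if low <= value < high:
            return sil
    if value >= bands[-1][2]:
        return 0
    raise ValueError("required measure stricter than SIL 4; redesign needed")


def sil_for_demand_mode(pfd_avg):
    return sil_for_measure(pfd_avg, DEMAND_MODE_BANDS)


def sil_for_continuous_mode(dangerous_failures_per_hour):
    return sil_for_measure(dangerous_failures_per_hour, CONTINUOUS_MODE_BANDS)


if __name__ == "__main__":
    # Constructed figures: a demand of 1/yr from the process and BPCS, a
    # tolerable frequency of 2e-4/yr, a relief valve credited at PFD 0.1 and
    # an alarm with operator action credited at PFD 0.5.
    process, tolerable, other = 1.0, 2e-4, [0.1, 0.5]
    print("necessary risk reduction factor:", necessary_risk_reduction(process, tolerable))
    pfd = required_sif_pfd(process, tolerable, other)
    print("SIF must achieve PFDavg <=", pfd, "-> SIL", sil_for_demand_mode(pfd))
    print("residual risk with the SIS at that PFD:", residual_risk(process, other + [pfd]))
```

The multiplication of layer PFDs is the simplest form of the "established rules for the combination of probabilities" mentioned in 3.4 a); a real allocation must also account for common cause failures between layers and for the constraints the standard places on credit claimed for the basic process control system.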
[Figure 5 (IEC 3012/02) is a table with the columns "Method of specifying safety requirements"
and "Allocation of each safety function and its associated safety integrity requirement". The
allocation column is split into non-SIS prevention/mitigation protection layers, SIF #1, SIF #2
and other protection layers (appropriate national or international standards). Three rows are
shown: a) necessary risk reduction to all; b) necessary risk reduction to specific SIF;
c) safety integrity levels. For SIS design requirements see IEC 61511-1.]
NOTE Safety integrity requirements are associated with each safety instrumented function before allocation
(see IEC 61511-1, Clause 9).
Figure 5 – Allocation of safety requirements to the safety instrumented systems,
non-SIS prevention/mitigation protection layers and other protection layers
3.8 Selection of the method for determining the required safety integrity level
There are a number of ways of establishing the required safety integrity level for a specific
application. Annexes B to F present information on a number of methods that have been
used. The method selected for a specific application will depend on many factors, including:
– the complexity of the application;
– the guidelines from regulatory authorities;
– the nature of the risk and the required risk reduction;
– the experience and skills of the persons available to undertake the work;
– the information available on the parameters relevant to the risk.
In some applications more than one method may be used. A qualitative method may be used
as a first pass to determine the required SIL of all SIFs. Those which are assigned a SIL 3
or 4 by this method should then be considered in greater detail using a quantitative method to
gain a more rigorous understanding of their required safety integrity.

Annex A
(informative)
As Low As Reasonably Practicable (ALARP)
and tolerable risk concepts
A.1 General
This annex considers one particular principle (ALARP) which can be applied during the
determination of tolerable risk and safety integrity levels. ALARP is a concept which can be
applied during the determination of safety integrity levels. It is not, in itself, a method for
determining safety integrity levels. Those intending to apply the principles indicated in this
annex should consult the following references:
Reducing Risks, Protecting People, HSE, London, 2001 (ISBN 0 7176 2151 0)
Assessment principles for offshore safety cases, HSE London, 1998 (ref. HSG 181) (ISBN 0
7176 1238 4)
Safety assessment principles for nuclear plants, HSE London, 1992  (ISBN 0 11 882043 5)
Tolerability of risks from nuclear power stations, HMSO, London, 1992 (ISBN 0 11 886368 1)
The use of computers in safety-critical applications, Health and Safety Commission, London,
1998 (ISBN 0 7176 1620 7)
A.2 ALARP model
A.2.1 Introduction
Subclause 3.2 outlines the main criteria that are applied in regulating industrial risks and
indicates that the activities involve determining whether:
a) the risk is so great that it is refused altogether; or
b) the risk is, or has been made, so small as to be insignificant; or
c) the risk falls between the two states specified in items a) and b) above and has been
reduced to the lowest practicable level, bearing in mind the benefits resulting from its
acceptance and taking into account the costs of any further reduction.

With respect to item c), the ALARP principle recommends that risks be reduced “so far as is
reasonably practicable,” or to a level which is “As Low As Reasonably Practicable” (ALARP).
If a risk falls between the two extremes (that is, the unacceptable region and broadly
acceptable region) and the ALARP principle has been applied, then the resulting risk is the
tolerable risk for that specific application. According to this approach, a risk is considered to
fall into one of 3 regions classified as “unacceptable”, “tolerable” or “broadly acceptable” (see
Figure A.1).
Above a certain level, a risk is regarded as unacceptable. Such a risk cannot be justified in
any ordinary circumstances. If such a risk exists it should be reduced so that it falls in either
the “tolerable” or “broadly acceptable” regions, or the associated hazard has to be eliminated.
Below that level, a risk is considered to be “tolerable” provided that it has been reduced to the
point where the benefit gained from further risk reduction is outweighed by the cost of
achieving that risk reduction, and provided that generally accepted standards have been
applied towards the control of the risk. The higher the risk, the more would be expected to be
spent to reduce it. A risk which has been reduced in this way is considered to have been
reduced to a level which is as “low as is reasonably practicable” (ALARP).
Below the tolerable region, the levels of risk are regarded as so insignificant that the regulator
need not ask for further improvements. This is the broadly acceptable region where the risks
are small in comparison with the everyday risks we all experience. While in the broadly
acceptable region, there is no need for a detailed working to demonstrate ALARP; however, it
is necessary to remain vigilant to ensure that the risk remains at this level.
[Figure A.1 (IEC 3013/02) shows three regions on a vertical axis of increasing individual risks
and societal concerns, each with its risk class (see Tables A.1 and A.2):]
– Unacceptable region (risk class I): risk cannot be justified except in extraordinary
circumstances.
– Tolerable region (risk class II): risk is tolerable only if a) further risk reduction is
impracticable or if its cost is grossly disproportionate to the improvement gained and
b) society desires the benefit of the activity given the associated risk.
– Broadly acceptable region (risk class III): level of residual risk regarded as negligible and
further measures to reduce risk not usually required. No need for detailed working to
demonstrate ALARP.
– Negligible risk lies below the broadly acceptable region.
Figure A.1 – Tolerable risk and ALARP

The concept of ALARP can be used when qualitative or quantitative risk targets are adopted.
Subclause A.2.2 outlines a method for quantitative risk targets. (Annex C outlines a
semi-quantitative method and Annexes D and E outline qualitative methods for the determination of
the necessary risk reduction for a specific hazard. The methods indicated could incorporate
the concept of ALARP in the decision making.)
When using the ALARP principle, care should be taken to ensure that all assumptions are
justified and documented.
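The three-region model of A.2.1 and Figure A.1 reduces to two agreed boundaries on the frequency of a given consequence plus, in the tolerable region, the "grossly disproportionate" test. The following Python is an added worked example, not text or tooling from this standard. The boundary frequencies, the monetary figures and the disproportion factor (the multiple of the risk benefit above which the cost of a measure is treated as grossly disproportionate) are assumptions chosen for the example; in practice, as A.2.2 states, the regions are defined by agreement between the interested parties.

```python
"""Worked example: placing a risk in the ALARP regions of Figure A.1 and
applying the tolerable region's "grossly disproportionate" test.

Added illustration, not part of IEC 61511-3. The boundary frequencies and
the disproportion factor are assumptions made for this example.
"""

UNACCEPTABLE = "unacceptable"                # region I of Figure A.1
TOLERABLE = "tolerable"                      # region II
BROADLY_ACCEPTABLE = "broadly acceptable"    # region III


def alarp_region(frequency_per_year, upper_limit, lower_limit):
    """Classify a residual risk (frequency per year of a given consequence)
    against the two agreed boundaries: at or above upper_limit the risk is
    unacceptable; below lower_limit it is broadly acceptable; in between it
    is tolerable only if it is shown to be ALARP."""
    if upper_limit <= lower_limit:
        raise ValueError("upper_limit must exceed lower_limit")
    if frequency_per_year >= upper_limit:
        return UNACCEPTABLE
    if frequency_per_year < lower_limit:
        return BROADLY_ACCEPTABLE
    return TOLERABLE


def further_reduction_required(region, measure_cost, risk_benefit,
                               disproportion_factor):
    """ALARP decision for one proposed additional risk reduction measure.

    measure_cost and risk_benefit are in the same monetary units, the benefit
    being the value of the risk reduction over the life of the measure.
    In the tolerable region the measure is required unless its cost is
    grossly disproportionate to the benefit, modelled here (an assumption)
    as cost > disproportion_factor * benefit. In the unacceptable region
    reduction is always required (the risk must be brought down or the hazard
    eliminated); in the broadly acceptable region it is not required.
    """
    if region == UNACCEPTABLE:
        return True
    if region == BROADLY_ACCEPTABLE:
        return False
    return measure_cost <= disproportion_factor * risk_benefit


def alarp_assessment(frequency_per_year, upper_limit, lower_limit,
                     measure_cost, risk_benefit, disproportion_factor):
    """Return (region, measure_required) for a risk and a candidate measure."""
    region = alarp_region(frequency_per_year, upper_limit, lower_limit)
    required = further_reduction_required(region, measure_cost, risk_benefit,
                                          disproportion_factor)
    return region, required


if __name__ == "__main__":
    # Constructed boundaries for one consequence: 1e-3/yr upper limit,
    # 1e-6/yr lower limit, disproportion factor 3; the candidate measure
    # costs 120 000 against a valued risk benefit of 50 000.
    for freq in (2e-3, 5e-5, 1e-7):
        region, required = alarp_assessment(freq, 1e-3, 1e-6,
                                            measure_cost=120_000,
                                            risk_benefit=50_000,
                                            disproportion_factor=3)
        print(f"{freq:.0e}/yr -> {region}; further measure required: {required}")
```

Whatever numbers are agreed, the assumptions behind them (the boundary frequencies, the valuation of the benefit, the factor used for "grossly disproportionate") are exactly what A.2.1 asks to be justified and documented.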
A.2.2 Tolerable risk target
In order to apply the ALARP principle, it is necessary to define the 3 regions of Figure A.1 in
terms of the probability and consequence of an incident. This definition would take place by
discussion and agreement between the interested parties (for example safety regulatory
authorities, those producing the risks and those exposed to the risks).
To take into account ALARP concepts, the matching of a consequence with a tolerable
frequency can be done through risk classes. Table A.1 is an example showing three risk
classes (I, II, III) for a number of consequences and frequencies. Table A.2 interprets each of
the risk classes using the concept of ALARP. That is, the descriptions for each of the four risk
classes are based on Figure A.1. The risks within these risk class definitions are the risks that
are present when risk reduction measures have been put in place. With respect to Figure A.1,
the risk classes are as follows:
– risk class I is in the unacceptable region;
– risk
...
