Integrity levels

Historically, little industry guidance has been available for qualifying or quantifying the safety integrity levels needed to achieve a requisite risk reduction.

Guidance related to determination of suitable integrity of programmable electronic systems in terms of configuration, reliability (quantitative and qualitative), and quality has been available in the HSE document Programmable Electronic Systems in safety related applications (PES 1 and 2) since 1987.

Additional guidance has also been available in EEMUA 160 Safety related instrument systems for the process industries.

However, most major companies will have developed internal standards which relate safety related system integrity to required risk reduction. These standards are likely to address the design process, system configuration, and demonstration that the required risk reduction has been achieved by qualitative or quantitative analysis of the failure rate of the design. They will also have procedures to ensure that the integrity is maintained during commissioning, operation, maintenance, and modification.

The latest applicable standard is BS IEC 61508 ‘Functional safety of electrical/electronic/programmable electronic safety-related systems’ which is in 7 parts. Parts 1, 3 and 4 are published as British Standards, Part 5 is issued as an international IEC standard, and Parts 2, 6 and 7 remain in draft form.

Underlying philosophy

Integrity levels for safety related systems may be determined from the hazard and risk analysis of the equipment under control. A number of different methodologies are available, but the process includes identification of hazards and the mechanisms which can initiate them, risk estimation (likelihood of occurrence), and risk evaluation (overall risk based on likelihood and consequences). The risk estimation provides a measure of the risk reduction required to reduce the risk to a tolerable level.

Hazard identification results in the identification of safety functions which are required to control the risk.

The safety functions may then be allocated to a number of different systems including E/E/PES, other technology and external measures.

For each system providing a safety function, a failure rate measure can be assigned which in turn determines the integrity required of the system. Alternatively, a qualitative approach (based on the likelihood and consequence of the hazard, and the frequency and level of exposure and avoidability) may be used to define the required integrity.
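The following worked example is added here to make the two routes just described concrete; it is not part of the original guidance and is not code from HSE or IEC. The quantitative route takes the unmitigated hazard frequency and the tolerable frequency from the risk estimation, derives the required risk reduction factor, allocates part of it to non-E/E/PES layers (other technology, external measures) and maps the remainder to a SIL using the IEC 61508-1 low demand mode PFDavg bands. The qualitative route is a risk graph over consequence, exposure, avoidability and demand rate in the style of IEC 61508-5; its calibration (the C/F/P/W classes and the output table) is an assumption for illustration, not a quotation of the standard, and a company would set its own. The input frequencies and layer PFDs in the demonstration are constructed values.

```python
"""Worked example (added, not from the original page): deriving a required
SIL from the hazard and risk analysis, quantitatively and qualitatively."""

# IEC 61508-1 target PFDavg bands, low demand mode:
# (SIL, lower bound inclusive, upper bound exclusive)
SIL_PFD_BANDS = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]


def required_risk_reduction(unmitigated_freq, tolerable_freq):
    """Risk reduction factor needed to bring the hazard frequency down to the
    tolerable frequency (both in events per year)."""
    if unmitigated_freq <= 0 or tolerable_freq <= 0:
        raise ValueError("frequencies must be positive")
    return unmitigated_freq / tolerable_freq


def sil_for_pfd(target_pfd):
    """Map a required PFDavg to a SIL. Returns 0 when the target is 0.1 or
    worse (no SIL can be claimed for the function) and raises when the target
    is tighter than SIL 4, which a single E/E/PES safety function cannot claim."""
    if target_pfd >= 1e-1:
        return 0
    for sil, lo, hi in SIL_PFD_BANDS:
        if lo <= target_pfd < hi:
            return sil
    raise ValueError("required PFD %g is beyond SIL 4: add independent "
                     "layers or redesign the equipment under control" % target_pfd)


def sil_for_risk_reduction(unmitigated_freq, tolerable_freq, other_layer_pfds=()):
    """Allocate the risk reduction across layers. Each independent non-E/E/PES
    layer (relief valve, procedure, ...) passes on a fraction `pfd` of demands,
    so the E/E/PES function only has to cover what remains.
    Returns (risk reduction factor, required PFD of the E/E/PES function, SIL)."""
    rrf = required_risk_reduction(unmitigated_freq, tolerable_freq)
    residual = 1.0
    for pfd in other_layer_pfds:
        if not 0 < pfd <= 1:
            raise ValueError("layer PFD must be in (0, 1]")
        residual *= pfd
    sis_pfd = 1.0 / (rrf * residual)   # F_t / (F_unmitigated * product of other PFDs)
    return rrf, sis_pfd, sil_for_pfd(sis_pfd)


# Qualitative route. ASSUMED calibration in the style of a risk graph:
#   C consequence:  Ca minor injury | Cb serious injury or one death
#                   | Cc several deaths | Cd many deaths
#   F exposure:     Fa rare to occasional | Fb frequent to continuous
#   P avoidability: Pa avoidable under certain conditions | Pb almost impossible
#   W demand rate:  W1 very slight | W2 slight | W3 relatively high
# Output: "-" no safety requirement, "a" no special requirement,
#         1..4 the SIL, "b" a single E/E/PES function is not sufficient.
_RISK_GRAPH_COLUMNS = {"W3": 0, "W2": 1, "W1": 2}
_RISK_GRAPH = {
    1: ("a", "-", "-"),
    2: (1, "a", "-"),
    3: (2, 1, "a"),
    4: (3, 2, 1),
    5: (4, 3, 2),
    6: ("b", 4, 3),
}


def _risk_graph_row(c, f, p):
    """Worse consequence, more exposure and less avoidability each move the
    hazard one row down the graph (assumed structure)."""
    if c == "Ca":
        return 1
    base = {"Cb": 2, "Cc": 3, "Cd": 4}[c]
    return base + int(f == "Fb") + int(p == "Pb")


def risk_graph_sil(c, f, p, w):
    """Look up the qualitative integrity requirement for one hazard."""
    if c not in ("Ca", "Cb", "Cc", "Cd") or f not in ("Fa", "Fb") \
            or p not in ("Pa", "Pb") or w not in _RISK_GRAPH_COLUMNS:
        raise ValueError("unknown risk graph parameter")
    return _RISK_GRAPH[_risk_graph_row(c, f, p)][_RISK_GRAPH_COLUMNS[w]]


if __name__ == "__main__":
    # Constructed figures: a release with no protection expected at 0.05/yr,
    # tolerable at 1e-4/yr, with a relief valve (other technology) at PFD 0.1.
    print(sil_for_risk_reduction(0.05, 1e-4))            # E/E/PES takes it all: SIL 2
    print(sil_for_risk_reduction(0.05, 1e-4, (0.1,)))    # relief valve shares it: SIL 1
    print(risk_graph_sil("Cc", "Fb", "Pb", "W2"))        # qualitative route: 3
```

The allocation step is where the design decision sits: the same hazard needs a SIL 2 function if the E/E/PES carries the whole risk reduction, but only SIL 1 once an independent relief valve is credited, which is exactly the trade-off the allocation of safety functions to E/E/PES, other technology and external measures is meant to expose. Credit for a layer is only legitimate if it is genuinely independent of the E/E/PES and its claimed PFD can be demonstrated.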