Dependency issues during SIL determination

The IEC 61508 and IEC 61511 requires common cause to be considered during safety system design. Common cause between redundant elements within the safety system can be the most significant factor when calculating the probability of failure on demand. The standards provide guidance on how common cause should be taken into account during system design and there is good recognition among those applying the standard that common cause should be taken into account. The standard also requires safety systems to be independent of other safety measures and independent from causes of demand unless the lack of independence is taken into account. There is however very little advice within the standards on how to take into account dependency issues between the safety systems and causes of demand or between safety systems and other risk reduction measures. This can be a dominant issue when determining SIL particularly in cases where SIL requirements are high or when demand rates are low. This is not well recognised by those who are applying the standard. Examples of where dependency may be significant during SIL determination will be considered together with ways to evaluate the effects.