Journal of Loss Prevention in the Process Industries 19 (2006) 298–305

www.elsevier.com/locate/jlp

Functional safety concept for hazardous systems and new challenges


Kazimierz T. Kosmowski*
Gdansk University of Technology, Narutowicza 11/12, 80-952 Gdansk, Poland
Received 6 March 2005; received in revised form 6 June 2005; accepted 6 June 2005

Abstract
Selected issues associated with the functional safety analysis according to the international standards IEC 61508 and IEC 61511 are presented. Determining the safety integrity level (SIL) of electric/electronic/programmable electronic (E/E/PE) safety-related systems is outlined. The importance of quantitative probabilistic modeling of these systems in verifying the SIL is emphasized. Some aspects concerning the functional safety analysis of systems for detecting combustible or toxic gases in relation to the CENELEC draft standard prEN 50402 are briefly discussed. Basic principles of the methodology for the functional safety assessment of protective systems for potentially explosive atmospheres proposed in the CEN draft standard prEN 15233 are addressed.
© 2005 Elsevier Ltd. All rights reserved.

Keywords: Safety-related systems; Functional safety; Safety integrity; System-oriented analysis; Risk analysis; Risk-based decision making

1. Introduction

The European Commission initiated the international discussion and a review of the sector safety-oriented topics during the workshop (Kirchsteiger & Cojazzi, 2000), aimed at recognising the state of the art of the risk analysis methodologies and identifying the need for standardisation and development of 'top-level' risk assessment standards across different technologies. The internationally recognised experts covering various industrial sectors (the chemical process industry, nuclear power, civil structures, transport, food industry, health care, etc.) deliberated on the benefits and difficulties of standardisation for supporting the risk-informed decision making processes.

The aim of this paper is to discuss selected problems of the safety analysis of technical systems and new challenges, concentrating attention on the functional safety aspects (IEC 61508, 1998; IEC 61511, 2000; SIPI, 2003). The fundamental aspects of the functional safety analysis according to the international standards IEC 61508 and IEC 61511 are examined. Determining the safety integrity level (SIL) of electric/electronic/programmable electronic (E/E/PE) safety-related systems is outlined. The importance of quantitative probabilistic modeling of the E/E/PE systems in verifying this level is emphasized. Some aspects concerning the functional safety analysis of systems for detecting combustible or toxic gases in relation to the CENELEC draft standard prEN 50402 (2002) are discussed. Basic principles of the methodology for the functional safety assessment of protective systems for potentially explosive atmospheres proposed in the CEN draft standard prEN 15233 (2005) are also addressed.

2. Risk analysis of technical systems

2.1. System oriented approach for the risk analysis

Practitioners dealing with risk analysis, and the insurance companies, have recognized that the safety of hazardous systems depends on various influencing factors and that 'soft' factors play an important role. However, only in a few methodologies for predictive risk assessment are the influencing factors characterising a given technical system treated with marked attention. These factors should be properly identified in the system under consideration and included in the qualitative or quantitative risk models to enable correct risk assessment and adequate system-specific safety-related decision-making (Kosmowski, 2002; Rasmussen & Svedung, 2000). An important issue is to properly include the human and organisational factors (Embrey, 1992; Kosmowski, 2001; Kosmowski & Kwiesielewicz, 2002).

* Tel.: +48 58 3472439; fax: +48 58 3472487.
E-mail address: kazimierz.kosmowski@ely.pg.gda.pl.
0950-4230/$ - see front matter © 2005 Elsevier Ltd. All rights reserved.
doi:10.1016/j.jlp.2005.06.003
In the system-oriented risk analysis it is assumed that the safety of technical systems is influenced to a certain extent by man/organization, technology/software and environment (M/O-T/S-E). The relations within such a system are shown schematically in Fig. 1. Such a system-oriented approach is also justified for the safety assessment of electric/electronic/programmable electronic (E/E/PE) safety-related systems (IEC 61508, 1998). The methodology for integrated risk analysis (ZAR) was developed by Kosmowski (2002) for systematically incorporating various influencing factors into the qualitative and/or quantitative probabilistic modeling of technical systems and the risk evaluations.

2.2. Qualitative risk assessment

The complexity of modern technical systems and the limited time and financial resources for risk analysis often lead in practice to developing only qualitative risk models. However, such models are valuable mainly at the preliminary stage of risk assessment and safety management. An example of a risk matrix (IEC 61508) as a qualitative risk model is shown in Table 1.

The interpretation of the risk classes specified in Table 1 is as follows:

• risk class I is in the unacceptable region,
• risk class II is in the undesirable region, and is tolerable only if risk reduction is impracticable or if the costs are grossly disproportionate to the improvement gained,
• risk class III is in the region where the risk is tolerable if the cost of risk reduction would exceed the improvement gained,
• risk class IV represents a negligible risk, situated in the broadly acceptable region.

Risk classes II and III are in the ALARP (as low as reasonably practicable) region. The ALARP principle requires that any risk should be reduced to a level that is 'as low as reasonably practicable', taking into account the technical and economic aspects (IEC 61508).

Fig. 1. Relations within the M/O-T/S-E system.

Table 1
An example of the matrix for categorizing the risk of potential accidents

Frequency     Consequence
              Catastrophic   Critical   Marginal   Negligible
Frequent      I              I          I          II
Probable      I              I          II         III
Occasional    I              II         III        III
Remote        II             III        III        IV
Improbable    III            III        IV         IV
Incredible    IV             IV         IV         IV

The statements included in Table 1 for the frequency and consequences require defining and calibrating on quantitative scales, usually logarithmic. Otherwise the risk analyses will be essentially subjective, with substantial limitations for risk assessment and safety-related decision making.

2.3. Quantitative risk measures of societal risk

The societal risk associated with the operation of a given complex technical system is evaluated on the basis of a set of the following triples (Kosmowski, 2002)

R = \{\langle S_k, F_k, N_k \rangle\}    (1)

where: S_k is the k-th accident scenario (usually representing an accident category) defined in the deterministic modelling process, F_k is the frequency of this scenario (evaluated as probability per time unit, usually one year), and N_k denotes the consequences of the k-th scenario, i.e. potential losses (the number of injuries and fatalities) or financial losses.

On the basis of (1) the F–N curve (CCDF: complementary cumulative distribution function) is to be drawn.

Fig. 2. Examples of the F–N curve and criteria functions for societal risk.
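As an added worked example (not code from the paper), the following Python builds the F–N curve (CCDF) from a constructed set of triples as in (1), evaluates the average rate of death of formula (2) given on the next page, and applies the three-way comparison with the criterion lines D and G that the paper describes next; the straight-line shape F = c·N^-1 of the criterion lines and their constants are assumptions, since the paper gives no formula for D and G.

```python
"""Societal risk from scenario triples R = {<S_k, F_k, N_k>} (formula (1)):
F-N curve (CCDF), average rate of death (formula (2)) and the acceptance
test against criterion lines D (lower) and G (upper) described in the paper.

Added worked example: the scenario data and the criterion-line shapes are
constructed here and are not taken from the paper."""
from typing import Dict, List, Tuple

# Constructed scenario set: (S_k, F_k [1/a], N_k [fatalities]).
SCENARIOS: List[Tuple[str, float, int]] = [
    ("S1 small release, local fire", 1.0e-2, 1),
    ("S2 tank rupture, flash fire", 2.0e-4, 5),
    ("S3 vapour cloud explosion", 5.0e-5, 30),
    ("S4 toxic release, off-site", 1.0e-6, 120),
]


def fn_curve(scenarios: List[Tuple[str, float, int]]) -> Dict[int, float]:
    """CCDF: F(N) = sum of F_k over scenarios with N_k >= N, evaluated at each
    distinct N occurring in the data (the steps of the F-N curve)."""
    levels = sorted({n for _, _, n in scenarios})
    return {n: sum(f for _, f, nk in scenarios if nk >= n) for n in levels}


def average_rate_of_death(scenarios: List[Tuple[str, float, int]]) -> float:
    """Formula (2): R = sum_k F_k * N_k  [fatalities/a]."""
    return sum(f * n for _, f, n in scenarios)


# Constructed criterion lines of the form F = c * N^-1, i.e. straight lines in
# the double-logarithmic F-N plot. The paper names them D and G but gives no
# formula; the constants below are assumptions for this example only.
def criterion_D(n: int) -> float:
    """Lower line: below it for all N the societal risk is accepted."""
    return 1.0e-3 * n ** -1.0


def criterion_G(n: int) -> float:
    """Upper line: above it for any N the risk is intolerable."""
    return 1.0e-1 * n ** -1.0


def classify(curve: Dict[int, float]) -> str:
    """'accepted' if F(N) < D(N) for all N; 'intolerable' if F(N) > G(N) for
    any N (re-design required); otherwise 'ALARP' (between the lines)."""
    if any(f > criterion_G(n) for n, f in curve.items()):
        return "intolerable"
    if all(f < criterion_D(n) for n, f in curve.items()):
        return "accepted"
    return "ALARP"


if __name__ == "__main__":
    curve = fn_curve(SCENARIOS)
    for n, f in curve.items():
        print(f"N >= {n:4d}: F = {f:.2e} 1/a   D = {criterion_D(n):.1e}"
              f"   G = {criterion_G(n):.1e}")
    print("average rate of death R =", average_rate_of_death(SCENARIOS))
    print("societal risk class:", classify(curve))
```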
Fig. 2 illustrates an example of such a curve in double logarithmic co-ordinates, to be compared with the criteria lines D (lower line) and G (upper line). The societal risk for a given technical system is accepted when the F–N curve lies below the criterion line D (a defined function reflecting societal preferences) for all N. If the F–N curve is situated between the criteria lines D and G, then the ALARP principle should be applied to indicate ways to reduce the risk. If for any N the F–N curve is above the upper criterion line G, the risk is intolerable and the system must be re-designed (e.g. functionally and structurally modified) to reduce the risk as required.

A measure of societal risk can be the average rate of death evaluated according to the formula

R = \sum_k F_k N_k    (2)

where: F_k is the frequency of the k-th accident scenario [a^{-1}] and N_k is the number of fatalities resulting from the k-th scenario.

3. Functional safety analysis and risk-based decision making

3.1. Functional safety concept and determining the safety integrity level

Known standards that support the design of E/E/PE safety-related systems, taking into account the functional safety concept of programmable systems (as regards hardware and software), are IEC 61508 and IEC 61511. The standard IEC 61508 is a generic one. It is devoted to some fundamental aspects of functional safety, both for control and protection systems consisting of programmable units. An example of a programmable electronic system and its interfaces is shown in Fig. 3.

An important term in IEC 61508 is safety integrity, understood as the probability that a safety-related system will satisfactorily perform the required safety functions under all stated conditions within a given period of time. The safety integrity level (SIL) is a discrete level (one of four possible) for specifying the safety integrity requirements of a given safety function to be allocated to the E/E/PE safety-related system. Safety integrity level 4 (SIL4) is the highest level and safety integrity level 1 (SIL1) is the lowest one. The standard IEC 61508 proposes the risk graph method for qualitatively determining the SIL for a given safety-related system (Fig. 4).

Fig. 3. Programmable electronic system (IEC 61508).

Fig. 4. General scheme of the risk graph.

Fig. 4 illustrates an example of the risk graph given in the standard IEC 61508. The SIL indicated as a result of the simplified qualitative analysis depends on four parameters: the consequence risk parameter (C_i), the frequency and exposure time (F_j), the possibility of failing to avoid the hazard (P_k), and the probability of unwanted occurrence (W_l) of potential events that demand the operation of the given E/E/PE safety-related system. These parameters are defined qualitatively for the system under consideration in the form of a table. Examples of such tables are given in IEC 61508 and IEC 61511, respectively for a generic safety-related system and for a typical case of risk analysis in the process industry.

3.2. Safety integrity levels and probabilistic criteria

For each SIL two probabilistic criteria are defined in IEC 61508, namely:

• the average probability of failure to perform the design function on demand, for a system operating in the low demand mode of operation,
• the probability of a dangerous failure per hour (the frequency), for a system operating in the high demand or continuous mode of operation.

These numeric probabilistic criteria are presented in Table 2.
Table 2
Safety integrity levels and probabilistic criteria for a safety function to be allocated according to IEC 61508 to the E/E/PE safety-related systems

Safety integrity   Average probability of failure to perform its    Probability of a dangerous failure per hour for the
level (SIL)        design function on demand, for the system        system operating in high demand or continuous mode
                   operating in low demand mode of operation        of operation
SIL4               [10^-5, 10^-4)                                   [10^-9, 10^-8)
SIL3               [10^-4, 10^-3)                                   [10^-8, 10^-7)
SIL2               [10^-3, 10^-2)                                   [10^-7, 10^-6)
SIL1               [10^-2, 10^-1)                                   [10^-6, 10^-5)

In the standard IEC 61508 two types of elements/subsystems are distinguished, namely A and B. A subsystem is classified as type A if, in performing a given safety-related function, it is characterised as follows:

(a) the failure modes of all constituent components are well defined,
(b) the behaviour of the subsystem under fault conditions can be completely determined, and
(c) sufficient failure records are available from field experience showing that the claimed rates for detected and undetected dangerous failures can be assessed.

If a subsystem does not satisfy these requirements, then it must be regarded as type B, for which the failure rates have to be assessed by experts using relevant sources of information. The highest safety integrity levels (SILs) that can be claimed for safety-related subsystems of type A and (B) are specified in Table 3. The safe failure fraction of the subsystem is defined in IEC 61508 as follows

S_{ff} = \frac{\sum \lambda_S + \sum \lambda_{DD}}{\sum \lambda_S + \sum \lambda_D}    (3)

where: λ_S, the probability of safe failure (per time unit); λ_D, the probability of dangerous failure (per time unit); λ_DD, the probability of dangerous failure per time unit which is detected by the diagnostic tests.

Verifying the SIL of a designed safety-related system is often a challenging task due to the lack of numerical data to be used in probabilistic models. In such cases the standard IEC 61508 proposes a qualitative evaluation method based on some rules applied to a defined reliability block diagram. An example of such an evaluation is shown in Fig. 5. The use of these rules has been verified in several cases with the quantitative method for the relevant reliability block diagram, with the blocks defined quantitatively (evaluated values of PFD, the probability of failure on demand, for the consecutive subsystems represented by blocks).

Table 3
The highest SILs that can be claimed for safety-related subsystems of type A and (B, values in parentheses)

Safe failure      Hardware fault tolerance N
fraction S_ff     0                    1                    2
< 60%             SIL1 (not allowed)   SIL2 (SIL1)          SIL3 (SIL2)
60% to < 90%      SIL2 (SIL1)          SIL3 (SIL2)          SIL4 (SIL3)
90% to < 99%      SIL3 (SIL2)          SIL4 (SIL3)          SIL4 (SIL4)
≥ 99%             SIL3 (SIL3)          SIL4 (SIL4)          SIL4 (SIL4)

A hardware fault tolerance of N means that N+1 faults could cause a loss of the safety function.

3.3. Quantitative method for determining SIL

A general quantitative method for determining SIL proposed in IEC 61508 is as follows:

– determine the tolerable risk, e.g. from a defined risk matrix (similar to that in Table 1);
– determine the EUC (equipment under control) risk;
– determine the necessary risk reduction to meet the tolerable risk level;
– allocate the necessary risk reduction to the E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities.

The concept of risk reduction to a tolerable level is illustrated in Fig. 6. The relative risk reduction (for the consequence N = const) is evaluated from the formula

r_F = R_t / R_{np} = F_t / F_{np} = PFD_{avg}    (4)

where: F_t, a numerical frequency target (specified for a tolerable risk level); F_np, the frequency at which a hazardous event could occur without the protective system present; PFD_avg, the average probability of failure on demand (the criteria range values for consecutive SILs are presented in the second column of Table 2).

Fig. 5. Qualitative evaluation of the safety integrity level for an E/E/PE system for a multiple-channel safety function.
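The following Python, added here as a worked example (not code from the paper or from IEC 61508), carries the risk-reduction target r_F of formula (4) to the SIL band of Table 2, computes the safe failure fraction of formula (3) and looks up Table 3 for the highest SIL a subsystem may claim; the failure rates and frequencies are constructed values.

```python
"""SIL allocation and the architectural constraint for an E/E/PE safety-related
system, following the paper's formulas (3)-(5) and Tables 2 and 3:
  - r_F = F_t / F_np is the PFD_avg the protection system must achieve; the
    SIL is the Table 2 band that contains it (the PFH column is handled too),
  - S_ff from formula (3); the highest SIL claimable for the subsystem then
    comes from Table 3 for its type (A/B) and hardware fault tolerance.
Added worked example: the failure rates and frequencies are constructed and
the functions are not code from the paper or from IEC 61508."""
from typing import Dict, List, Optional, Tuple

# Table 2: SIL -> [lower, upper) band of PFD_avg (low demand) or PFH (1/h).
PFD_BANDS: Dict[int, Tuple[float, float]] = {
    4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}
PFH_BANDS: Dict[int, Tuple[float, float]] = {
    4: (1e-9, 1e-8), 3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)}

# Table 3: (lower S_ff bound, cells for HFT N = 0, 1, 2); each cell is
# (SIL for type A, SIL for type B), None meaning "not allowed".
TABLE3: List[Tuple[float, List[Tuple[Optional[int], Optional[int]]]]] = [
    (0.00, [(1, None), (2, 1), (3, 2)]),   # S_ff < 60%
    (0.60, [(2, 1), (3, 2), (4, 3)]),      # 60% <= S_ff < 90%
    (0.90, [(3, 2), (4, 3), (4, 4)]),      # 90% <= S_ff < 99%
    (0.99, [(3, 3), (4, 4), (4, 4)]),      # S_ff >= 99%
]


def sil_from_band(value: float, bands: Dict[int, Tuple[float, float]]) -> Optional[int]:
    """SIL whose [lower, upper) band contains value; None outside all bands
    (Table 2 defines no level below the SIL4 band or above the SIL1 band)."""
    for sil, (lo, hi) in bands.items():
        if lo <= value < hi:
            return sil
    return None


def required_sil_low_demand(f_np: float, f_t: float) -> Tuple[float, Optional[int]]:
    """Formulas (4)/(5): PFD_avg <= r_F = F_t / F_np; the SIL for that PFD is
    read from Table 2, second column. Exactly on a band edge the band lookup
    gives the lower SIL; a conservative analyst would take the next higher one."""
    r_f = f_t / f_np
    return r_f, sil_from_band(r_f, PFD_BANDS)


def safe_failure_fraction(lam_s: float, lam_dd: float, lam_du: float) -> float:
    """Formula (3): S_ff = (lambda_S + lambda_DD) / (lambda_S + lambda_D), with the
    dangerous rate lambda_D split into detected (DD) and undetected (DU) parts."""
    return (lam_s + lam_dd) / (lam_s + lam_dd + lam_du)


def max_claimable_sil(sff: float, hft: int, subsystem_type: str) -> Optional[int]:
    """Table 3: highest SIL claimable for safe failure fraction sff, hardware
    fault tolerance hft (0..2) and subsystem type 'A' or 'B'."""
    if hft not in (0, 1, 2) or subsystem_type not in ("A", "B"):
        raise ValueError("hft must be 0, 1 or 2 and subsystem_type 'A' or 'B'")
    cells = TABLE3[0][1]
    for lower, row in TABLE3:          # rows ascend; keep the last matching row
        if sff >= lower:
            cells = row
    sil_a, sil_b = cells[hft]
    return sil_a if subsystem_type == "A" else sil_b


def allocation_ok(f_np: float, f_t: float, sff: float, hft: int,
                  subsystem_type: str) -> Tuple[Optional[int], Optional[int], bool]:
    """(required SIL, claimable SIL, whether the architecture may be allocated
    the required SIL). The probabilistic verification of PFD_avg for the chosen
    architecture (Section 3.4 of the paper) is a separate step not done here."""
    _, required = required_sil_low_demand(f_np, f_t)
    claimable = max_claimable_sil(sff, hft, subsystem_type)
    ok = required is not None and claimable is not None and claimable >= required
    return required, claimable, ok


if __name__ == "__main__":
    # Constructed case: hazardous event 0.2/a without protection, target 1e-4/a.
    r_f, sil = required_sil_low_demand(f_np=0.2, f_t=1e-4)
    print(f"r_F = PFD_avg target = {r_f:.1e}  ->  required SIL{sil}")
    # Constructed subsystem rates per hour: safe, dangerous detected, undetected.
    sff = safe_failure_fraction(lam_s=2.0e-6, lam_dd=1.2e-6, lam_du=0.3e-6)
    print(f"S_ff = {sff:.1%}")
    for hft in (0, 1):
        print(f"type B, HFT {hft}:", allocation_ok(0.2, 1e-4, sff, hft, "B"))
    print("high demand, PFH 3e-8 /h ->", sil_from_band(3e-8, PFH_BANDS))
```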
Fig. 6. General concept of the risk reduction according to IEC 61508.

Taking into account (4) the relation can be written:

PFD_{avg} \le F_t / F_{np} = r_F    (5)

The necessary steps for obtaining the safety integrity level are as follows:

– determine the frequency F_np (from the EUC risk without the addition of any protective features);
– determine the consequence (N) without the addition of any protective features;
– determine, by use of the risk matrix (e.g. as in Table 1), whether for the frequency (F_np) and the consequence (N) a tolerable risk level is achieved; if this leads to risk class I, then further risk reduction is required; risk class IV would be the tolerable risk; risk classes II and III would require further investigation (using the ALARP principle);
– determine the probability of failure on demand (PFD_avg) for the safety-related protection system to meet the necessary relative risk reduction (r_F); for the given consequence of the situation considered, PFD_avg = F_t / F_np = r_F;
– for the evaluated PFD_avg, the safety integrity level can be determined from Table 2 (second column, for the low demand mode); for example, if PFD_avg ∈ [10^-3, 10^-2) then the safety integrity level is SIL2.

3.4. Safety validation and SIL verification

According to IEC 61508 the safety validation should be performed in terms of the overall safety function requirements and the overall safety integrity requirements, taking into account the safety requirements allocation for the E/E/PE safety-related system in the design. In particular the PFD value must be verified in the probabilistic modelling process for the architectures considered of the given E/E/PE safety-related system, taking into account the probabilistic criteria given in Table 2 for the selected SIL.

3.5. Assessment of the protection system as the risk control option

Some risk assessment problems have been encountered when the safety integrity level of the E/E/PE safety-related system, in particular the safety instrumented system (SIS) (see IEC 61511), was determined during the design as SIL3 or SIL4. In such cases, to support the ALARP analysis and the assessment of the E/E/PE architectures considered, a cost-benefit analysis of the risk control options (RCOs) is useful (Kosmowski, 2002). A risk control option considered during the design or operation phase can include a different technical and/or organisational solution in comparison to a basis solution.

The implementation of a given RCO results in a risk reduction, evaluated for the period of one year (Kosmowski, 2002), as follows

\Delta R^{x,RCO} = \sum_k F_k^B N_k^{x,B} \left(1 - r_k^{F,RCO} r_k^{N,RCO}\right)    (6)

where: F_k^B, N_k^{x,B}, the frequency [a^{-1}] and the consequence [units of consequence] of the k-th accident scenario (or accident category) for the basis solution B; r_k^{F,RCO}, the relative reduction of the frequency of the k-th accident scenario after implementing the given RCO (r_k^{F,RCO} = F_k^{RCO} / F_k^B); r_k^{N,RCO}, the relative reduction of the consequence x of the k-th accident scenario after implementing the given RCO (r_k^{N,RCO} = N_k^{x,RCO} / N_k^{x,B}).
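The cost-benefit ranking of risk control options from this section, carried through formulas (6)–(9) (the cost per unit risk reduction of (7)–(9) is defined in the continuation of the section below), as an added worked example that is not code from the paper; the scenarios, reduction factors, costs, discount rate and period are all constructed values.

```python
"""Cost-benefit ranking of risk control options (RCOs) as in Section 3.5 of
the paper: formula (6) for the annual risk reduction dR^{x,RCO}, (9) for the
capital cost coefficient r_d^L, (8) for the annual cost increment dK^RCO and
(7) for the cost per unit risk reduction (CURR), then ranking RCOs by CURR.
Added worked example: the scenario, reduction and cost values are constructed
and none of this is code from the paper."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Scenario:
    """k-th accident scenario of the basis solution B."""
    name: str
    f_basis: float      # F_k^B      [1/a]
    n_basis: float      # N_k^{x,B}  [units of consequence x, here fatalities]


@dataclass
class RCO:
    """Risk control option: relative reductions per scenario (1.0 = unchanged)
    and the cost terms of formula (8)."""
    name: str
    invest: float                                         # dK_In^RCO [$]
    operation: float                                      # dK_Ek^RCO [$/a]
    benefits: float                                       # dK_Ko^RCO [$/a]
    r_f: Dict[str, float] = field(default_factory=dict)   # F_k^RCO / F_k^B
    r_n: Dict[str, float] = field(default_factory=dict)   # N_k^{x,RCO} / N_k^{x,B}


def capital_cost_coefficient(d: float, years: int) -> float:
    """Formula (9): r_d^L = d (1+d)^L / ((1+d)^L - 1)  [1/a]."""
    growth = (1.0 + d) ** years
    return d * growth / (growth - 1.0)


def risk_reduction(scenarios: List[Scenario], rco: RCO) -> float:
    """Formula (6): dR^{x,RCO} = sum_k F_k^B N_k^{x,B} (1 - r_k^{F,RCO} r_k^{N,RCO})."""
    return sum(
        s.f_basis * s.n_basis * (1.0 - rco.r_f.get(s.name, 1.0) * rco.r_n.get(s.name, 1.0))
        for s in scenarios)


def annual_cost_increment(rco: RCO, d: float, years: int) -> float:
    """Formula (8): dK^RCO = r_d^L dK_In^RCO + dK_Ek^RCO - dK_Ko^RCO  [$/a]."""
    return capital_cost_coefficient(d, years) * rco.invest + rco.operation - rco.benefits


def curr(scenarios: List[Scenario], rco: RCO, d: float, years: int) -> float:
    """Formula (7): CURR = dK^RCO / dR^{x,RCO}  [$ per unit of consequence avoided]."""
    dr = risk_reduction(scenarios, rco)
    if dr <= 0.0:
        raise ValueError(f"{rco.name}: no risk reduction, CURR is undefined")
    return annual_cost_increment(rco, d, years) / dr


def rank_rcos(scenarios: List[Scenario], rcos: List[RCO],
              d: float, years: int) -> List[Tuple[str, float]]:
    """RCOs ordered by increasing CURR; the lowest values are the candidates."""
    return sorted(((r.name, curr(scenarios, r, d, years)) for r in rcos), key=lambda t: t[1])


# Constructed basis-solution scenario set (not from the paper).
SCENARIOS = [
    Scenario("S1 local fire", 1.0e-2, 1.0),
    Scenario("S2 flash fire", 2.0e-4, 5.0),
    Scenario("S3 vapour cloud explosion", 5.0e-5, 30.0),
]

# Constructed options: an SIS upgrade cuts every scenario frequency tenfold,
# training halves S1 and trims S2, a mitigation barrier halves the S3 consequence.
OPTIONS = [
    RCO("RCO1 SIS upgrade", 300_000, 15_000, 5_000,
        r_f={"S1 local fire": 0.1, "S2 flash fire": 0.1, "S3 vapour cloud explosion": 0.1}),
    RCO("RCO2 operator training", 0, 20_000, 0,
        r_f={"S1 local fire": 0.5, "S2 flash fire": 0.7}),
    RCO("RCO3 mitigation barrier", 100_000, 2_000, 1_000,
        r_n={"S3 vapour cloud explosion": 0.5}),
]
DISCOUNT_RATE, PERIOD_YEARS = 0.08, 10   # d and L of formula (9), assumed values

if __name__ == "__main__":
    for name, value in rank_rcos(SCENARIOS, OPTIONS, DISCOUNT_RATE, PERIOD_YEARS):
        print(f"{name:26s} CURR = {value:,.0f} $ per fatality avoided per year")
```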
The cost-benefit analysis of an RCO considered for a given hazardous system (in design or operation) is carried out for the period of one year. The cost per unit risk reduction (CURR) is evaluated according to the following formula

k_{\Delta R_x}^{RCO} = \frac{\Delta K^{RCO}}{\Delta R^{x,RCO}}    (7)

where: ΔK^{RCO}, the increment of annual costs to be covered when implementing the given RCO, $/a; ΔR^{x,RCO}, the risk reduction due to implementing the RCO, units of consequence/a, evaluated according to (6).

The increment of annual costs ΔK^{RCO} is determined as follows

\Delta K^{RCO} = r_d^L \Delta K_{In}^{RCO} + \Delta K_{Ek}^{RCO} - \Delta K_{Ko}^{RCO}    (8)

where: ΔK_{In}^{RCO}, additional investment costs for the given RCO, $; ΔK_{Ek}^{RCO}, the increment of operation costs (expected increase), $/a; ΔK_{Ko}^{RCO}, the increment of financial benefits after implementing the RCO (e.g. a lower insurance premium or reduced preventive maintenance costs), $/a; r_d^L, the coefficient of annual capital costs, a^{-1}, calculated for the period L [a] and the discounting rate d according to the formula

r_d^L = \frac{d (1 + d)^L}{(1 + d)^L - 1}    (9)

For the RCOs considered [1, 2, ...] the set of CURR indices {k^1_{ΔR_x}, k^2_{ΔR_x}, k^3_{ΔR_x}, ...} is evaluated, and the RCOs with lower values of CURR are candidates for implementation in the given hazardous installation/plant to reduce risk. The most effective risk control option, as regards the results of the cost-benefit analysis, can be the E/E/PE safety-related system (or SIS) designed for the determined SIL. The analysis and design of SISs of the higher SILs (SIL3 and SIL4) in a process industry plant should be performed in the context of the assessment of the protection layers (IEC 61511).

It can be noticed that the method of risk-related analysis outlined above is an extension of the approach described in the international standard IEC 61508. It is worth mentioning that this standard not only deals with E/E/PE systems but also emphasizes that risk reduction can also be obtained by other technology safety-related systems and external risk reduction facilities (see Fig. 6). Including the human and organizational factors in the safety-related analysis seems to be an important issue, due to the known observation that human errors are significant root causes of accidents, in as many as 70–90% of cases depending on the industrial sector.

4. Functional safety and examples of the sector standards

4.1. Functional safety standard for the process industry

IEC 61511 is a sector standard that concerns the functional safety concept for the process industry. It consists of 3 parts. The general relationship between IEC 61511 and IEC 61508 is illustrated in Fig. 7. The relationship between these standards for hardware and software is shown in Fig. 8.

Fig. 7. General relationship between IEC 61511 and IEC 61508.

In the standard IEC 61511 the devices/subsystems within SISs are not distinguished as class A and class B. However, conditions are defined that a given device (subsystem) must fulfil to be implemented in protective systems. Conditions are described to classify devices as proven-in-use. Devices containing microprocessors, such as smart positioning adjusters, can be considered as proven-in-use after fulfilling several conditions. This became possible due to distinguishing three classes of software used in designing SISs:

• high variability (C++, Fortran, Pascal),
• limited variability (FBI, LLD according to IEC 61511-3),
• regular structure, requiring only the introduction of parameters.

Digital devices using languages of regular structure were in fact considered as non-programmed. If a device is to be classified as proven-in-use, it is necessary to show a detailed assessment of its ability to realize the assumed functions and to specify the hazards associated with its use. For this purpose it is necessary to take into account, according to IEC 61511:

• the technical credibility of the producer and its quality management program;
• previous applications of identical devices in similar conditions.

The devices should be equipped with relevant documentation to make possible their appropriate use during all stages of operation, with a description of the failure modes and the principles of safe maintenance. Statistical data on failures should also be gathered for updating the reliability database of the devices. The total operation time of the installed devices should allow estimating their reliability parameters at a confidence level of no less than 70% (see IEC 61508 and IEC 61511 for details).
Fig. 8. Relationship between IEC 61511 and IEC 61508 for hardware and software.

4.2. Issues of functional safety of fixed gas detection systems

The standard prEN 50402 (draft) describes the requirements on the functional safety of fixed gas detection systems. It recalls in many places the generic standard IEC 61508 and the sector standard IEC 61511. This draft standard introduces TYPE instead of SIL. A TYPE number (from 1 to 4) can be ascribed to individual modules or to the entire gas detection system. The TYPE numbers correspond to the SILs in IEC 61508, and TYPE4 concerns the highest safety integrity level. The standard prEN 50402 also contains requirements concerning the individual modules of the gas detection system. It proposes a rather complicated method for transforming the reliability block diagrams for the final qualitative assessment of the safety-related system. It seems that verification of this method will be required with regard to a selected method of quantitative reliability modeling, e.g. the reliability block diagram (RBD) method.

4.3. Issues of functional safety assessment of protective systems for potentially explosive atmospheres

The standard prEN 15233 (draft) describes the methodology for the functional safety assessment of protective systems for potentially explosive atmospheres. This standard gives guidance on the procedure and information required to allow the functional safety assessment to be carried out for the design of protective systems by the manufacturer. A sufficient level of functional safety is characterized by the objectives: (1) the system can stop an explosion at a very early stage or reduce the impact of an explosion to an acceptable level, and (2) in the event of faults, failures and/or interference (external disturbances) the capacity of the system to function remains effective by the use of, e.g., fail-safe techniques or redundancy.

This European Standard does not cover the identification of possible ignition sources, which is covered by prEN 15198. It provides advice for the decisions to be undertaken for all types of protective systems referred to in the 94/9/EC Directive (1994), but does not provide means to prove the conformity of a given type of protective system.

The definition of functional safety according to this standard is as follows: part of the overall safety relating to the reliable functioning of the protective system including any safety related control systems. This definition deviates from the definition in the European standard EN 61508-4 (identical to IEC 61508-4) to reflect differences in explosion safety terminology.

The assessment includes the following four steps: (a) description of the protective system, (b) identification of failures, (c) functional safety estimation as regards functionality and reliability, and (d) functional safety evaluation. If prior use of the protective system cannot be documented, or for novel or more complex systems, including safety related control systems and devices, a more comprehensive approach using appropriate methods for reliability calculations has to be used (e.g. in accordance with EN 61508, EN 954-1 and prEN 62061).

5. Conclusions

The international generic standard IEC 61508 was adopted without changes as the European standard EN 61508. It has significant practical meaning in the design and operation of E/E/PE safety-related systems in technical systems and hazardous installations. The paper outlines
selected issues of using this standard for determining the safety integrity level (SIL) and its verification in the process of probabilistic modeling of the E/E/PE safety-related system. The significance of quantitative probabilistic modeling and risk evaluations was emphasized, especially when the higher levels of SIL (SIL3 or SIL4) are justified according to the qualitative methodology proposed in IEC 61508. The cost-benefit analysis method of the risk control options was outlined, which supports selecting the most effective options, e.g. the E/E/PE system (or SIS according to IEC 61511) of safety integrity level SIL3 or SIL4. It was emphasized that the concept of risk control options enables including in the risk evaluations not only the technical aspects/factors but also the human factors (related to organizational factors) that are, according to experience, the main contributors to accidents in technical systems. Thus, it is a new challenge in the functional safety analysis.

On the basis of the generic standard IEC 61508 several sector standards have been developed. An example of such a standard is IEC 61511, worked out for the process industry. The relations between these standards have been examined. Some aspects concerning the functional safety analysis of systems for detecting combustible or toxic gases in relation to the CENELEC draft standard prEN 50402 have been briefly discussed. Basic principles of the methodology for the functional safety assessment of protective systems for potentially explosive atmospheres proposed in the CEN draft standard prEN 15233 are also addressed. These draft standards cover some safety-related issues included in the ATEX Directive (1994).

There are significant challenges in using these standards in industrial practice due to the complexity of IEC 61508 and its omission of some topics (human/organizational factors). There are also difficulties in determining the SILs of SISs according to IEC 61511 (the process industry sector), especially when the analyses should include the protection layers. The proposed new functional safety standards, such as prEN 50402 and prEN 15233, give some sector-specific indications for the design and operation process of safety-related systems with regard to the relevant European Directives (e.g. the ATEX Directive) on the one hand, but on the other hand some simplifications and interpreting difficulties are noticed. Thus, there are still legal and methodological challenges to be undertaken in successfully introducing the functional safety concept into the design analysis process and industrial practice.

References

Directive (1994). Directive 94/9/EC of the European Parliament and of the Council of 23 March 1994 on the approximation of the laws of the Member States concerning equipment and protective systems intended for use in potentially explosive atmospheres (ATEX). OJ L100 of 19/04/94.
Embrey, D. E. (1992). Incorporating management and organisational factors into probabilistic safety assessment. Reliability Engineering and System Safety, 38.
IEC 61508 (1998). Functional safety of electrical/electronic/programmable electronic (E/E/PE) safety related systems. Parts 1–7. International Electrotechnical Commission (IEC).
IEC 61511 (2000). Functional safety: Safety instrumented systems for the process industry sector. Parts 1–3. International Electrotechnical Commission.
Kirchsteiger, Ch., & Cojazzi, G. (Eds.). (2000). Promotion of technical harmonization on risk-based decision-making. Proceedings of a workshop (22–24 May 2000, Stresa, Italy). Parts 1 & 2. Ispra: European Commission, DG JRC.
Kosmowski, K. T. (2001). An approach for assessment of influence factors and risk control strategies in safety management of industrial systems. In I. Svedung, & G. M. Cojazzi, Risk management and human reliability in social context. ESReDA. Luxembourg: Office for Official Publications of the European Communities.
Kosmowski, K. T. (2002). Methodology for the risk analysis in reliability and safety management of nuclear power plants (in Polish). Gdansk: Gdansk University of Technology.
Kosmowski, K. T., & Kwiesielewicz, M. (2002). Hierarchical influence diagrams for incorporating human and organisational factors in risk assessment of hazardous industrial systems. Risk Decision and Policy. Cambridge: Cambridge University Press.
prEN 50402 (2002). Electrical apparatus for the detection and measurement of combustible or toxic gases or vapours or of oxygen—requirements on the functional safety of fixed gas detection systems. CENELEC (European Committee for Electrotechnical Standardization).
prEN 15233 (2005). Methodology for functional safety assessment of protective systems for potentially explosive atmospheres. CEN (European Committee for Standardization).
Rasmussen, J., & Svedung, I. (2000). Proactive risk management in a dynamic society. Karlstad: Swedish Rescue Services Agency.
SIPI (2003). In M. Dzwiarek, K. T. Kosmowski, & T. Missala (Eds.), Proceedings of SIPI (safety in the process industries) international workshops, Gdynia, 28–29 May 2003. Warsaw: Central Institute for Labor Protection.