Safety integrity level explained

In functional safety, safety integrity level (SIL) is defined as the relative level of risk-reduction provided by a safety instrumented function (SIF), i.e. the measurement of the performance required of the SIF.[1]

In the functional safety standards based on the IEC 61508 standard, four SILs are defined, with SIL4 being the most dependable and SIL1 the least. The applicable SIL is determined based on a number of quantitative factors in combination with qualitative factors, such as risk assessments and safety lifecycle management. Other standards, however, may have different SIL number definitions.[2]

SIL allocation

Assignment, or allocation of SIL is an exercise in risk analysis where the risk associated with a specific hazard, which is intended to be protected against by a SIF, is calculated without the beneficial risk reduction effect of the SIF. That unmitigated risk is then compared against a tolerable risk target. The difference between the unmitigated risk and the tolerable risk, if the unmitigated risk is higher than tolerable, must be addressed through risk reduction of provided by the SIF. This amount of required risk reduction is correlated with the SIL target. In essence, each order of magnitude of risk reduction that is required correlates with an increase in SIL, up to a maximum of SIL4. Should the risk assessment establish that the required SIL cannot be achieved by a SIL4 SIF, then alternative arrangements must be designed, such as non-instrumented safeguards (e.g, a pressure relief valve).

There are several methods used to assign a SIL. These are normally used in combination, and may include:

Of the methods presented above, LOPA is by far the most commonly used in large industrial facilities, such as for example chemical process plants.

The assignment may be tested using both pragmatic and controllability approaches, applying industry guidance such as the one published by the UK HSE.[3] SIL assignment processes that use the HSE guidance to ratify assignments developed from Risk Matrices have been certified to meet IEC 61508.

Problems

There are several problems inherent in the use of safety integrity levels. These can be summarized as follows:

These lead to such erroneous statements as the tautology "This system is a SIL N system because the process adopted during its development was the standard process for the development of a SIL N system", or use of the SIL concept out of context such as "This is a SIL 3 heat exchanger" or "This software is SIL 2". According to IEC 61508, the SIL concept must be related to the dangerous failure rate of a system, not just its failure rate or the failure rate of a component part, such as the software. Definition of the dangerous failure modes by safety analysis is intrinsic to the proper determination of the failure rate.

SIL types and certification

The International Electrotechnical Commission's (IEC) standard IEC 61508 defines SIL using requirements grouped into two broad categories: hardware safety integrity and systematic safety integrity. A device or system must meet the requirements for both categories to achieve a given SIL.

The SIL requirements for hardware safety integrity are based on a probabilistic analysis of the device. In order to achieve a given SIL, the device must meet targets for the maximum probability of dangerous failure and a minimum safe failure fraction. The concept of 'dangerous failure' must be rigorously defined for the system in question, normally in the form of requirement constraints whose integrity is verified throughout system development. The actual targets required vary depending on the likelihood of a demand, the complexity of the device(s), and types of redundancy used.

PFD (probability of dangerous failure on demand) and RRF (risk reduction factor) of low demand operation for different SILs as defined in IEC EN 61508 are as follows:

SILPFDPFD (power)RRF
10.1–0.0110−1 – 10−210–100
20.01–0.00110−2 – 10−3100–1000
30.001–0.000110−3 – 10−41000–10,000
40.0001–0.0000110−4 – 10−510,000–100,000
For continuous operation, these change to the following, where PFH is probability of dangerous failure per hour.
SILPFHPFH (power)RRF
10.00001-0.00000110−5 – 10−6100,000–1,000,000
20.000001-0.000000110−6 – 10−71,000,000–10,000,000
30.0000001-0.0000000110−7 – 10−810,000,000–100,000,000
40.00000001-0.00000000110−8 – 10−9100,000,000–1,000,000,000

Hazards of a control system must be identified then analysed through risk analysis. Mitigation of these risks continues until their overall contribution to the hazard are considered acceptable. The tolerable level of these risks is specified as a safety requirement in the form of a target 'probability of a dangerous failure' in a given period of time, stated as a discrete SIL.

Certification schemes, such as the CASS Scheme (Conformity Assessment of Safety-related Systems) are used to establish whether a device meets a particular SIL.[4] Third parties that can provide certification are CSA Group Testing (previously known as SIRA), TüV, and Exida among others. Self-certification is also possible. The requirements of these schemes can be met either by establishing a rigorous development process, or by establishing that the device has sufficient operating history to argue that it has been proven in use. Certification is achieved by proving the functional safety capability (FSC) of the organization, usually by assessment of its functional safety management (FSM) program, and the assessment of the design and life-cycle activities of the product to be certified, which is conducted based on specifications, design documents, test specifications and results, failure rate predictions, FMEAs, etc.

Electric and electronic devices can be certified for use in functional safety applications according to IEC 61508. There are a number of application-specific standards based on or adapted from IEC 61508, such as IEC 61511 for the process industry sector. This standard is used in the petrochemical and hazardous chemical industries, among others.[5]

Standards

The following standards use SIL as a measure of reliability and/or risk reduction.

See also

References

  1. Book: Marszal, Edward M. . Safety Integrity Level Selection: Systematic Methods Including Layer of Protection Analysis . Scharpf . Eric W. . . 2002 . 1-55617-777-1 . Research Triangle Park, N.C. . en.
  2. Web site: Redmill . Felix . 2000 . Understanding the Use, Misuse, and Abuse of Safety Integrity Levels . 2023-07-07.
  3. Book: Charlwood, Mark . A Methodology for the Assignment of Safety Integrity Levels (SILs) to Safety-related Control Functions Implemented by Safety-related Electrical, Electronic and Programmable Electronic Control Systems of Machines . Turner . Shane . Worsell . Nicola . . 2004 . 0-7176-2832-9 . Research Report 216 . Sudbury . en.
  4. Book: Jones, C. . Methods for Assessing the Safety Integrity of Safety-related Software of Uncertain Pedigree (SOUP) . Bloomfield . R.E. . Froome . P.K.D. . Bishop . P.G. . . 2001 . 0-7176-2011-5 . Research Report 337/2001 . Sudbury . 6 . en.
  5. Book: Smith, David J. . The Safety Critical Systems Handbook . Simpson . Kenneth G.L. . . 2016 . 978-0-12-805121-4 . 4th . Kidlington and Cambridge, Mass. . en.

Further reading

External links