System Integration & Control Systems Design

Safety instrumented systems: shedding light on SIL

May 2008 System Integration & Control Systems Design

Safety engineering principles have evolved over the past decade or so from employing a relatively formulaic and prescriptive philosophy to one which involves risk assessment and risk reduction. This risk-based approach places far more responsibility on control system engineers. They cannot simply refer to a handbook or catalogue to select a solution.

Safety engineering is non-trivial

The need to perform risk analysis and risk assessment as part of systems engineering means that there needs to be more interaction with team members from other disciplines.

Present standards such as IEC 62061 also require that design takes into account the full system lifecycle from design strategy and initial requirements analysis through commissioning, change management and maintenance to final decommissioning.

In simple electro-mechanical or electro-pneumatic systems it was relatively easy to assess failure modes. As systems have become more complex with the pervasive application of electronic devices employing complex components, ICs and programmability, and the incorporation of wired and wireless networks it has become practically impossible for a control systems engineer to fully determine and evaluate every possible failure mode.

Evolution of standards

Between 1998 and 2000 the IEC introduced parts 1 through 7 of IEC 61508, Functional safety of electrical/electronic/programmable electronic safety-related systems. As a result of feedback from the process industries certain sections of IEC 61508 were extracted and reworded, to allow the process industries more flexibility in how they implement safety related systems, whilst still ensuring overall compliance with IEC 61508. This process industry standard is IEC 61511, Functional safety – Safety instrumented systems for the process industry sector was introduced in 2003.

The result of this development is that within the process industries there are certain engineering tasks that fall under IEC 61508 and others which fall under the ambit of IEC 61511. For instance IEC 61508 is applicable when developing embedded software for process industries, whereas IEC 61511 is the applicable standard when developing application software using limited variability languages or fixed programs.

IEC 62061, Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems applies to the use of safety-related electrical, electronic and programmable control systems (SRECS) for non-portable machinery. It is a sector-specific standard that falls within the scope of IEC 61508 for the application area of machines and specifies the safety-related performance of safety-related electrical control systems that are required for risk reduction.

From safety to safety integrity

The IEC defines safety as the freedom from unacceptable risk of physical injury or of damage to the health of people, either directly or indirectly as a result of damage to property or to the environment. It defines functional safety as that part of the overall safety that depends on a system or equipment operating correctly in response to its inputs.

It is important to differentiate between safety and functional safety. An electric motor can be made safer by using winding insulation that can withstand higher temperatures. Worded differently, it can be said that the risk of the motor igniting under extreme overload conditions can be reduced by using insulation that has a higher ignition point. However, this is not functional safety since there is no system involved which responds to inputs. A system comprising a thermal sensor in a circuit that disconnects the motor on high winding temperature would represent an instance of functional safety.

A safety related system is one which is required to perform safety functions – ie, functions which mitigate risk. And so we arrive at the concept of safety integrity, which is the likelihood of the safety function being performed satisfactorily when called upon to do so.

From risk to target SIL

Before a target safety integrity level (SIL) can be determined, the level of risk before application of an SIS or safety function needs to be determined.

Hazard analysis determines any required safety functions. Risk assessment then evaluates the performance requirements for each required safety function. Aspects covered during risk assessment include the seriousness of the possible harm or injury, the frequency and duration of such exposure, the probability of the occurrence of the hazardous incident and the possibility of preventing or limiting the harm.

Based on the outcome of the risk assessment the target SIL, which represents a required level of risk reduction, can be determined using quantitative or qualitative methods. Different standards offer different methodologies for this SIL determination. These methodologies include safety layer matrices, calibrated risk graphs, risk graphs and layer of protection analysis (LOPA).

Determining a target SIL means making decisions about reducing risk to an acceptable level, and deciding, inter alia, on acceptable levels of probability for injury or death.

In IEC 61508 SIL values range from 1 to 4, where SIL 1 represents a lower level of risk reduction and SIL 4 the highest level of risk reduction.

SIL and failure on demand

If a safety related system fails to perform when called upon, the consequences can be extreme. Some of the greatest process plant disasters of the last 20 years have been traced back to such failures. In both the BP Texas City, USA disaster and the Buncefield, UK disaster independent safety related instrument systems failed on demand, leading to loss of containment and subsequent ignition of petrochemicals.

Table 1 shows the correlation between SIL and the probability that a safety related system will fail to operate when required. This latter is also known as probability of failure on demand (PFD).

Test frequency impacts SIL

Safety instrumented systems to meet high target SILs can become extremely complex and costly. One of the ways of reducing the target SIL is to increase the frequency of testing of safety functions that have low demand rates – ie, those that are rarely called upon to operate, like the loops that failed at Texas City and Buncefield.

For functions with a low demand rate, the accident rate is a combination of the frequency of demands, and the probability that the function fails on demand (PFD). Provided the function is proof-tested at a frequency which is greater than the demand rate, the PFD is calculated as:

PFD = T/(2 X MTTF)


T = Proof test interval

MTTF = Mean time to failure

From this equation it can be seen that for a constant MTTF the probability of failure of a loop reduces as the proof test interval decreases (ie, as the frequency of testing increases). This is the rationale behind practices such as partial valve stroking of valves in safety instrumented systems.

To significantly reduce the accident rate in low demand safety functions the test frequency should be at least two and preferably five or more times the demand frequency. However, there may be other considerations that require more frequent operation. For instance an ESD valve with a Teflon seat may need stroking more frequently to prevent jamming.

SIL is not for sale

Having determined the target SIL for a system, system designers then need to design systems to meet the target SIL. Devices of themselves cannot be described as having a particular SIL. For instance, applying the term 'Rated to SIL 3' to a level transmitter is meaningless. Only the safety instrumented system or sub-system (the loop) can be described as meeting a particular SIL. So while the PFDs of each loop element (including power supplies) ultimately determine the SIL of the loop, no single piece of equipment can lay claim to its own SIL.

About the author

Andrew Ashton has electrical, mechanical and business qualifications and has been active in automation and process control since the early 1980s. Since 1991 he has headed up a company that has developed formulation management systems for the food, pharmaceutical and chemical manufacturing industries and manufacturing solutions involving the integration of various communication technologies and databases. Developed systems address issues around traceability, systems integration, manufacturing efficiency and effectiveness. Andrew is features editor for S A Instrumentation and Control and editor of Motion Control in Southern Africa.


Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

From the editor's desk: IT-OT integration becoming a must, but there are challenges
October 2019, Technews Publishing (SA Instrumentation & Control) , News
We’re seeing the insecurity around digital transformation start to fade as the history of case studies builds to show how enlightened manufacturing companies have applied the ideas to rationalise their ...

The complexity of water management in mines
October 2019, Endress+Hauser , System Integration & Control Systems Design
Industries across the globe are encouraged to reuse water as much as possible, and therefore a 'zero liquid discharge' policy has already been implemented by various companies in different sectors.

PC-based control platform optimises water treatment product dosing
October 2019, Beckhoff Automation , System Integration & Control Systems Design
Clean water is vital in both consumer and commercial areas, including numerous industrial applications, such as mining, petroleum refining and groundwater remediation, in addition to residential applications

Rockwell Automation walks the Connected Enterprise talk
October 2019, Rockwell Automation , System Integration & Control Systems Design
The Connected Enterprise is Rockwell Automation's vision for seamless integration across all divisions of the organisation to enable more efficient decision making through access to the power of information based on real-time data.

Omniflex eases mine water compliance
October 2019, Omniflex Remote Monitoring Specialists , System Integration & Control Systems Design
Water licences carry a ‘Burdon of Proof’ that the licence holder will not harm the environment or the water system through its activities. This covers the use of water from the system and the responsible ...

Smart Press Kit from Bosch Rexroth
October 2019, Tectra Automation , System Integration & Control Systems Design
Bosch Rexroth is setting new standards for fast and efficient pressing and joining applications with its innovative new modular Smart Press Kit. Designed to meet future industrial requirements by providing ...

Emerson expands asset management coverage
October 2019, Emerson Automation Solutions , System Integration & Control Systems Design
Emerson has expanded AMS Device Manager with HART-IP support, making it easier to connect with devices and control systems and potentially eliminate hundreds of thousands of dollars in project hardware ...

Johnson Controls introduces Verasys
October 2019 , System Integration & Control Systems Design
Johnson Controls recently introduced Verasys, a plug-and-play controls system that integrates heating, ventilation, air-conditioning and refrigeration (HVACR) equipment and controls. Verasys offers customers ...

From the editor's desk: Automation professionals need communication strategy too
September 2019, Technews Publishing (SA Instrumentation & Control) , News
Catching the eye of a potential customer has become more difficult than ever thanks to the ethos of information promiscuity that defines the 21st century. It’s never been easy to stand out in a crowded ...

CSS digitises energy consumption at Hulamin for global information accessibility
September 2019, Control Software Solutions , System Integration & Control Systems Design
Energy Cybernetics was contracted by the NCPC-SA as part of the IEE programme to undertake a compressed air system optimisation (CASO) assessment to recommend compressed air system energy efficiency opportunities ...