Safety instrumented systems: shedding light on SIL
May 2008, System Integration & Control Systems Design
Safety engineering principles have evolved over the past decade or so from employing a relatively formulaic and prescriptive philosophy to one which involves risk assessment and risk reduction. This risk-based approach places far more responsibility on control system engineers. They cannot simply refer to a handbook or catalogue to select a solution.
Safety engineering is non-trivial
The need to perform risk analysis and risk assessment as part of systems engineering means that there needs to be more interaction with team members from other disciplines.
Present standards such as IEC 62061 also require that design takes into account the full system lifecycle from design strategy and initial requirements analysis through commissioning, change management and maintenance to final decommissioning.
In simple electro-mechanical or electro-pneumatic systems it was relatively easy to assess failure modes. As systems have become more complex with the pervasive application of electronic devices employing complex components, ICs and programmability, and the incorporation of wired and wireless networks it has become practically impossible for a control systems engineer to fully determine and evaluate every possible failure mode.
Evolution of standards
Between 1998 and 2000 the IEC introduced parts 1 through 7 of IEC 61508, Functional safety of electrical/electronic/programmable electronic safety-related systems. As a result of feedback from the process industries certain sections of IEC 61508 were extracted and reworded, to allow the process industries more flexibility in how they implement safety related systems, whilst still ensuring overall compliance with IEC 61508. This process industry standard is IEC 61511, Functional safety – Safety instrumented systems for the process industry sector was introduced in 2003.
The result of this development is that within the process industries there are certain engineering tasks that fall under IEC 61508 and others which fall under the ambit of IEC 61511. For instance IEC 61508 is applicable when developing embedded software for process industries, whereas IEC 61511 is the applicable standard when developing application software using limited variability languages or fixed programs.
IEC 62061, Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems applies to the use of safety-related electrical, electronic and programmable control systems (SRECS) for non-portable machinery. It is a sector-specific standard that falls within the scope of IEC 61508 for the application area of machines and specifies the safety-related performance of safety-related electrical control systems that are required for risk reduction.
From safety to safety integrity
The IEC defines safety as the freedom from unacceptable risk of physical injury or of damage to the health of people, either directly or indirectly as a result of damage to property or to the environment. It defines functional safety as that part of the overall safety that depends on a system or equipment operating correctly in response to its inputs.
It is important to differentiate between safety and functional safety. An electric motor can be made safer by using winding insulation that can withstand higher temperatures. Worded differently, it can be said that the risk of the motor igniting under extreme overload conditions can be reduced by using insulation that has a higher ignition point. However, this is not functional safety since there is no system involved which responds to inputs. A system comprising a thermal sensor in a circuit that disconnects the motor on high winding temperature would represent an instance of functional safety.
A safety related system is one which is required to perform safety functions – ie, functions which mitigate risk. And so we arrive at the concept of safety integrity, which is the likelihood of the safety function being performed satisfactorily when called upon to do so.
From risk to target SIL
Before a target safety integrity level (SIL) can be determined, the level of risk before application of an SIS or safety function needs to be determined.
Hazard analysis determines any required safety functions. Risk assessment then evaluates the performance requirements for each required safety function. Aspects covered during risk assessment include the seriousness of the possible harm or injury, the frequency and duration of such exposure, the probability of the occurrence of the hazardous incident and the possibility of preventing or limiting the harm.
Based on the outcome of the risk assessment the target SIL, which represents a required level of risk reduction, can be determined using quantitative or qualitative methods. Different standards offer different methodologies for this SIL determination. These methodologies include safety layer matrices, calibrated risk graphs, risk graphs and layer of protection analysis (LOPA).
Determining a target SIL means making decisions about reducing risk to an acceptable level, and deciding, inter alia, on acceptable levels of probability for injury or death.
In IEC 61508 SIL values range from 1 to 4, where SIL 1 represents a lower level of risk reduction and SIL 4 the highest level of risk reduction.
SIL and failure on demand
If a safety related system fails to perform when called upon, the consequences can be extreme. Some of the greatest process plant disasters of the last 20 years have been traced back to such failures. In both the BP Texas City, USA disaster and the Buncefield, UK disaster independent safety related instrument systems failed on demand, leading to loss of containment and subsequent ignition of petrochemicals.
Table 1 shows the correlation between SIL and the probability that a safety related system will fail to operate when required. This latter is also known as probability of failure on demand (PFD).
Test frequency impacts SIL
Safety instrumented systems to meet high target SILs can become extremely complex and costly. One of the ways of reducing the target SIL is to increase the frequency of testing of safety functions that have low demand rates – ie, those that are rarely called upon to operate, like the loops that failed at Texas City and Buncefield.
For functions with a low demand rate, the accident rate is a combination of the frequency of demands, and the probability that the function fails on demand (PFD). Provided the function is proof-tested at a frequency which is greater than the demand rate, the PFD is calculated as:
PFD = T/(2 X MTTF)
T = Proof test interval
MTTF = Mean time to failure
From this equation it can be seen that for a constant MTTF the probability of failure of a loop reduces as the proof test interval decreases (ie, as the frequency of testing increases). This is the rationale behind practices such as partial valve stroking of valves in safety instrumented systems.
To significantly reduce the accident rate in low demand safety functions the test frequency should be at least two and preferably five or more times the demand frequency. However, there may be other considerations that require more frequent operation. For instance an ESD valve with a Teflon seat may need stroking more frequently to prevent jamming.
SIL is not for sale
Having determined the target SIL for a system, system designers then need to design systems to meet the target SIL. Devices of themselves cannot be described as having a particular SIL. For instance, applying the term 'Rated to SIL 3' to a level transmitter is meaningless. Only the safety instrumented system or sub-system (the loop) can be described as meeting a particular SIL. So while the PFDs of each loop element (including power supplies) ultimately determine the SIL of the loop, no single piece of equipment can lay claim to its own SIL.
About the author
Andrew Ashton has electrical, mechanical and business qualifications and has been active in automation and process control since the early 1980s. Since 1991 he has headed up a company that has developed formulation management systems for the food, pharmaceutical and chemical manufacturing industries and manufacturing solutions involving the integration of various communication technologies and databases. Developed systems address issues around traceability, systems integration, manufacturing efficiency and effectiveness. Andrew is features editor for S A Instrumentation and Control and editor of Motion Control in Southern Africa.