IS & Ex


The importance of understanding SIL ratings

September 2023 IS & Ex

Major industrial accidents around the world like the Bhopal chemical plant disaster have occurred due to insufficient and poorly designed safety systems. Safety Integrity Level (SIL) ratings were introduced as part of IEC 61508 in 1998, and seek to quantify the probability of dangerous system failure. Gary Bradshaw, director of alarm and safety system specialist Omniflex, explains how SIL ratings work, and the dangers of the misconceptions that exist around them.

Functional safety, as defined by IEC 61508, is the safety that control systems provide to an industrial process or plant. Its purpose is to prevent both direct and indirect risk to human life that could result from those industrial processes, including risk caused by damage to equipment, property or the environment. Functional safety is a focus across the industrial spectrum, from petrochemicals and tank farms to oil and gas, and nuclear safety.

The concept of functional safety was developed in response to the growing global need for improved confidence in safety systems. Major accidents in the late 20th century, like the Chernobyl reactor explosion and the Bhopal tragedy, and the advent of electrical and programmable electronic systems to carry out safety functions, have prompted a desire to engineer safety systems to ‘fail safely’ or control dangerous failures when they arise. One metric used to assess the risk of unsafe failure in industrial settings is SIL ratings, which correspond to the frequency and severity of hazards. They describe the probability of failure on demand (PFD) and the performance required for a safety instrumented function (SIF) to maintain safety.

The ratings go from SIL-1 up to SIL-4, and the higher the level, the higher the associated safety and the lower the probability that the system will fail to perform. However, the installation and maintenance costs, and the system complexity, typically increase along with the SIL rating. The levels are distinguished by their acceptable rate of failure, which increases each time by factors of ten: i.e., SIL-1 systems accept one failure in every ten demands; SIL-2 systems accept one failure in every 100 demands, and so on.

Bigger is better − right?

One misconception is that higher SIL ratings are always superior for every application. Although SIL-4 does indeed offer the most reliability, the complexity involved with redundant back-up systems, more regular performance testing, and hierarchical voting arrangements can be unwieldy and over-expensive if not necessary.

The correct SIL rating is application-dependent; for example, if you can rely on a human operator to take action on an abnormal condition, such as for an alarm going off, then a SIL-1 system will suffice. Indeed, a safety loop involving a human cannot be rated above SIL-1, as systems are required to operate independently of operators for SIL-2 and upwards.

While the most critical applications, such as aircraft flight systems or nuclear reactor protection, require SIL-4 protection, correct safety analysis during the design stage is vital to determine the minimum acceptable SIL rating. Adhering to this recommendation will provide an adequate level of functional safety while containing costs effectively.

How are SIL ratings assigned?

SIL certification is a tool to measure the risk reduction provided by a SIF. To determine the safety integrity level of a SIF, the overall PFD must be calculated. This involves combining the failure rate data for each individual component within a SIF, such as sensors, programmable logic controllers and control elements, whether automated or human. The calculation must also account for the test frequency, redundancy and voting arrangements.
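The calculation described above can be sketched as follows. This is an added example, not taken from the article or from Omniflex. It assumes low-demand operation, the commonly used simplified approximations (λ_DU × TI / 2 for a single channel, a beta-factor model for a 1oo2 pair), and constructed failure rates and test intervals.

```python
# Added illustration: simplified low-demand PFDavg estimate for a SIF.
# Failure rates, beta and test intervals below are constructed sample values.

# Upper PFDavg limit of each SIL band; each band is one decade wide.
SIL_UPPER_BOUND = {1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4}

def pfd_1oo1(lambda_du, ti_hours):
    """Single channel: dangerous undetected failures build up until the next proof test."""
    return lambda_du * ti_hours / 2

def pfd_1oo2(lambda_du, ti_hours, beta):
    """Redundant pair (either channel can trip). beta is the assumed share of
    failures with a common cause that disables both channels at once."""
    independent = ((1 - beta) * lambda_du * ti_hours) ** 2 / 3
    common_cause = beta * lambda_du * ti_hours / 2
    return independent + common_cause

def sif_pfd(subsystems, ti_hours):
    """Sum the PFDavg of the subsystems in series (sensor, logic solver, final element)."""
    total = 0.0
    for sub in subsystems:
        if sub["voting"] == "1oo1":
            total += pfd_1oo1(sub["lambda_du"], ti_hours)
        elif sub["voting"] == "1oo2":
            total += pfd_1oo2(sub["lambda_du"], ti_hours, sub["beta"])
        else:
            raise ValueError(f"unsupported voting arrangement: {sub['voting']}")
    return total

def sil_for(pfd_avg):
    """Highest SIL band whose upper limit pfd_avg falls below; 0 if none."""
    return max((sil for sil, limit in SIL_UPPER_BOUND.items() if pfd_avg < limit), default=0)

# Constructed loop: rates are dangerous undetected failures per hour.
SENSOR = {"name": "pressure transmitter", "lambda_du": 2e-6, "voting": "1oo1"}
LOGIC = {"name": "logic solver", "lambda_du": 1e-7, "voting": "1oo1"}
VALVE_SINGLE = {"name": "shutdown valve", "lambda_du": 4e-6, "voting": "1oo1"}
VALVE_PAIR = {"name": "shutdown valves", "lambda_du": 4e-6, "voting": "1oo2", "beta": 0.1}

if __name__ == "__main__":
    for label, loop, ti in [
        ("single valve, yearly test", [SENSOR, LOGIC, VALVE_SINGLE], 8760),
        ("valve pair, yearly test", [SENSOR, LOGIC, VALVE_PAIR], 8760),
        ("valve pair, six-monthly test", [SENSOR, LOGIC, VALVE_PAIR], 4380),
    ]:
        pfd = sif_pfd(loop, ti)
        print(f"{label}: PFDavg = {pfd:.2e} -> SIL-{sil_for(pfd)}")
```

With these sample values, duplicating the valve alone leaves the loop in the SIL-1 band because the single sensor and the common-cause term dominate. Only the combination of redundancy and a shorter proof-test interval moves the result into the SIL-2 band.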

Companies such as TÜV Nord carry out independent assessments, although internal ratings can be done for systems up to SIL-1. Another common misunderstanding is that although individual modules can be SIL rated, it is only the overall systems that are assessed this way.

While regulatory processes would prevent installation of any insufficiently rated safety systems, it is not unheard of for industrial facilities to purchase higher rated systems than they need. The consequences here are mostly financial: not only will the components add unnecessary expense, but the installation process will be more complex, and therefore more disruptive to the facility’s daily production.

For these reasons, it is essential to engage a company with safety system expertise that understands the SIL hierarchy and different levels’ suitability for different applications.

Evaluating instrumentation

Independent validation of safety instruments is an important factor for customer confidence in every industrial sector. Evaluation International (EI), a member-owned, not-for-profit organisation, offers consultation and evaluation services for electrical, control and instrumentation matters.

EI members operate across the industrial spectrum, from ExxonMobil USA in oil and gas exploration and refinement, and INEOS in energy production, to Intertek Polychemlab in chemical industry inspection and certification, and Suez Environment in environmental services and waste management.

In March 2007, EI evaluated Omniflex’s alarm annunciator unit, the Omni16C, and found that it passed the various functionality tests, and that the results were in accordance with Omniflex’s specifications. Reports like the one written about the Omni16C are useful for facility planners and functional safety managers, as they provide reliable information about validated and qualified instrumentation.

The difficulty of rating software

The normalisation of software-based or SMART components, as in those with embedded microprocessors, presented a new challenge in the early 21st century. While hardware assessments were straightforward, software verification in terms of safety function was less sure territory and led to reluctance in some industries to take advantage of technological developments.

The nuclear industry was no exception. Initially, each major UK nuclear operator launched separate verification programmes to show compliance with the Nuclear Installation Inspectorate’s safety certification. To help nuclear site inspectors, while eliminating redundancy and duplication of individual work, the EMPHASIS tool was developed.

EMPHASIS’ purpose is to achieve a common level of substantiation and assess SMART instruments for the nuclear industry against IEC 61508. Launched in 2005, it has been adopted by the Nuclear Industry SMART Instruments Working Group, made up of the significant entities in the UK’s nuclear industry.

Alarm annunciator systems are a vital layer of protection in plant safety strategy. They provide operators with early warnings of an abnormal condition, helping to facilitate action before hazards take effect and to enable human logic-driven intervention. The importance of these SMART safety tools meant that substantiation by EMPHASIS was essential for UK nuclear safety.

Sellafield, which manages the Sellafield nuclear site, approached Omniflex in 2008 to apply the EMPHASIS tool to its Omni16C range of alarm annunciators. After a thorough review of the design and production methods, the hardware and software were both evaluated to IEC 61508 SIL-1. This was the first, and remains the only, alarm annunciator product to be substantiated in this way.

SIL ratings have been an important metric for industrial functional safety for 25 years, but misinterpretations about their application linger on. To avoid incurring unnecessary cost and complexity, it is important for facility planners and managers to work with safety system suppliers who truly understand safety integrity levels.

