Major industrial accidents around the world like the Bhopal chemical plant disaster have occurred due to insufficient and poorly designed safety systems. Safety Integrity Level (SIL) ratings were introduced as part of IEC 61508 in 1998, and seek to quantify the probability of dangerous system failure. Gary Bradshaw, director of alarm and safety system specialist Omniflex, explains how SIL ratings work, and the dangers of the misconceptions that exist around them.
Functional safety, as defined by IEC 61508, is the safety that control systems provide to an industrial process or plant. Its purpose is to prevent both direct and indirect risk to human life that could result from those industrial processes, including risk caused by damage to equipment, property or the environment. Functional safety is a focus across the industrial spectrum, from petrochemicals and tank farms to oil and gas, and nuclear safety.
The concept of functional safety was developed in response to the growing global need for improved confidence in safety systems. Major accidents in the late 20th century, like the Chernobyl reactor explosion and the Bhopal tragedy, and the advent of electrical and programmable electronic systems to carry out safety functions, have prompted a desire to engineer safety systems to ‘fail safely’ or control dangerous failures when they arise. One metric used to assess the risk of unsafe failure in industrial settings is SIL ratings, which correspond to the frequency and severity of hazards. They describe the probability of failure on demand (PFD) and the performance required for a safety instrumented function (SIF) to maintain safety.
The ratings go from SIL-1 up to SIL-4, and the higher the level, the higher the associated safety and the lower the probability that the system will fail to perform. However, the installation and maintenance costs, and the system complexity, typically increase along with the SIL rating. The levels are distinguished by their acceptable rate of failure, which increases each time by factors of ten: i.e., SIL-1 systems accept one failure in every ten demands; SIL-2 systems accept one failure in every 100 demands, and so on.
Bigger is better − right?
One misconception is that higher SIL ratings are always superior for every application. Although SIL-4 does indeed offer the most reliability, the complexity involved with redundant back-up systems, more regular performance testing, and hierarchical voting arrangements can be unwieldy and over-expensive if not necessary.
The correct SIL rating is application-dependent; for example, if you can rely on a human operator to take action on an abnormal condition, such as for an alarm going off, then a SIL-1 system will suffice. Indeed, a safety loop involving a human cannot be rated above SIL-1, as systems are required to operate independently of operators for SIL-2 and upwards.
While the most critical applications, such as aircraft flight systems or nuclear reactor protection, require SIL-4 protection, correct safety analysis during the design stage is vital to determine the minimum acceptable SIL rating. Adhering to this recommendation will provide an adequate level of functional safety while containing costs effectivity.
How are SIL ratings assigned?
SIL certification is a tool to measure the risk reduction provided by a SIF. To determine the safety integrity level of a SIF, the overall PFD must be calculated. This involves combining the failure rate data for each individual component within a SIF, such as sensors, programmable logic controllers and control elements, whether automated or human. The calculation must also account for the test frequency, redundancy and voting arrangements.
Companies such as TÜV Nord carry out independent assessments, although internal ratings can be done for systems up to SIL-1. Another common misunderstanding is that although individual modules can be SIL rated, it is only the overall systems that are assessed this way.
While regulatory processes would prevent installation of any insufficiently rated safety systems, it is not unheard of for industrial facilities to purchase higher rated systems than they need. The consequences here are mostly financial: not only will the components add unnecessary expense, but the installation process will be more complex, and therefore more disruptive to the facility’s daily production.
For these reasons, it is essential to engage a company with safety system expertise that understands the SIL hierarchy and different levels’ suitability for different applications.
Evaluating instrumentation
Independent validation of safety instruments is an important factor for customer confidence in every industrial sector. Evaluation International (EI), a member owned, not-for-profit organisation, offers consultation and evaluation services for electrical, control and instrumentation matters.
EI members operate across the industrial spectrum, from ExxonMobil USA in oil and gas exploration and refinement, and INEOS in energy production, to Intertek Polychemlab in chemical industry inspection and certification, and Suez Environment in environmental services and waste management.
In March 2007, EI evaluated Omniflex’s alarm annunciator unit, the Omni16C, and found that it passed the various functionality tests, and that the results were in accordance with Omniflex’s specifications. Reports like the one written about the Omni16C are useful for facility planners and functional safety managers, as they provide reliable information about validated and qualified instrumentation.
The difficulty of rating software
The normalisation of software-based or SMART components, as in those with embedded microprocessors, presented a new challenge in the early 21st century. While hardware assessments were straightforward, software verification in terms of safety function was less sure territory and led to reluctance in some industries to take advantage of technological developments.
The nuclear industry was no exception. Initially, each major UK nuclear operator launched separate verification programmes to show compliance with the Nuclear Installation Inspectorate’s safety certification. To help nuclear site inspectors, while eliminating redundancy and duplication of individual work, the EMPHASIS tool was developed.
EMPHASIS’ purpose is to achieve a common level of substantiation and assess SMART instruments for the nuclear industry against IEC 61508. Launched in 2005, it has been adopted by the Nuclear Industry SMART Instruments Working Group, made up of the significant entities in the UK’s nuclear industry.
Alarm annunciator systems are a vital layer of protection in plant safety strategy. They provide operators with early warnings of an abnormal condition, helping to facilitate action before hazards take effect and to enable human logic-driven intervention. The importance of these SMART safety tools meant that substantiation by EMPHASIS was essential for UK nuclear safety.
Sellafield, which manages the Sellafield nuclear site, approached Omniflex in 2008 to apply the EMPHASIS tool to its Omni16C range of alarm annunciators. After a thorough review of the design and production methods, the hardware and software were both evaluated to IEC 61508 SIL-1. This was the first, and remains the only, alarm annunciator product to be substantiated in this way.
SIL ratings have been an important metric for industrial functional safety for 25 years, but misinterpretations about their application linger on. To avoid incurring unnecessary cost and complexity, it is important for facility planners and managers to work with safety system suppliers who truly understand safety integrity levels.
| Tel: | +27 31 207 7466 |
| Fax: | +27 31 208 2058 |
| Email: | [email protected] |
| www: | www.omniflex.com |
| Articles: | More information and articles about Omniflex Remote Monitoring Specialists |
© Technews Publishing (Pty) Ltd | All Rights Reserved
printer friendly version