Our blogs Blogs home
Software

Software

Plant

Terminology Explained: What is Safety Integrity Level (SIL)?

Another Terminology Explained: What is Safety Integrity Level (SIL)? This post aims at providing a brief introduction to the concept of Safety Integrity Level (SIL) and how this is interpreted in Synergi Plant. Big thank you to Felipe Sodré and Crystal James for their contribution.

The oil and industry has experienced a substantial increase in machine automation and utilisation of process safety systems over the past few years. This trend will continue and rapidly grow as the industry evolves through its next revolution, Industry 4.0. Industry 4.0 will increase automation and process safety data exchange through the industrial Internet of Things (IoT), big data and data analytics.

This new reality brings new challenges. Safety will now depend on the correct function of electronic components or systems.

What are the main standards?

The IEC 61508 was the first international standard to quantify the safety performance of an electrical control system and introduce the concept of lifecycle. The main goal of this standard was to minimize the failures in all electrical/electronic/programmable electronic (typically shortened to E/E/PE) safety-related systems, irrespective of where and how they are used.

The standard is broken down in 7 different parts providing full support for the implementation of SIL analysis:

  1. Part 1 “General requirements”,
  2. Part 2 “Requirements for E/E/PE safety-related systems”,
  3. Part 3 “Software requirements”,
  4. Part 4 “Definitions & abbreviations”,
  5. Part 5 “Examples of methods for the determination of safety integrity levels”,
  6. Part 6 “Guidelines on the application of parts 2 and 3”
  7. Part 7 “Overview of techniques & measures”

Equally important the IEC 61511 gives requirements for the specification, design, installation, operation and maintenance of the safety instrumented system. This standard was developed as a process sector implementation of IEC 61508.

There are some other standards available which might worth reading through but the former is the most popular one:

  • ISO 14118 “Safety of Machinery – Prevention of Unexpected Start-Up”
  • IEC 60204-1: “Safety of Machinery, Electrical Equipment of Machines”
  • IEC 62061 “Safety of machinery – functional safety of electrical, electronic and programmable control systems for machinery”
  • ISO 14118 (EN 1037:1996) Safety of machinery – prevention of unexpected start-up
  • IEC 60204-1:1997 Safety of machinery. Electrical equipment of machines. General requirements
  • ANSI/ISA S84.01 Safety Instrumented Systems for the Process Industry Sector (Parts 1, 2 and 3)

What are the main definitions?

IEC 61508 defines functional safety as the discipline that studies the concept of safety that depends on correct function of components or systems. There are a lot definitions so bear with me and it will come together.

Let’s start with Safety Integrity:

Safety Integrity

  • Safety Integrity is defined as “The probability of a Safety Instrumented Function (SIF) satisfactorily performing the required safety functions under all stated conditions within a stated period of time”.

Putting simple: what is the probability of the safety function work correctly when needed ?

Example: Consider your car – the correct functioning of temperature meter works to protect your car from overheating which might harm you (e.g. initiate fire etc.).

Safety Instrumented Function

  • Safety Instrumented Function is typically defined as function to be implemented “which is intended to achieve or maintain a safe state for the Equipment under Control (EUC), in respect of a specific hazardous event”

Putting simple: during a hazard analysis, several hazardous events are identified and the risk assessment is performed for each event / accidental scenario. Let`s say that you already used several safety barriers to reduce the risk but it is not acceptable yet, so what safety functions could be defined to reduce the risk to an acceptable level? This is normally achieved by implementing initiators (e.g., sensors), logic units (e.g. PLC) and actuators (e.g., valves) to prevent the hazardous scenario from developing – these are normally called Safety Instrumented System (SIS).

Example: back to the example of your car, every time the temperature goes beyond a certain level, measured by the temperature meter, the car pumps more water from the radiator to cool the engine. This is an example of safety function where the system is returned to a safety operational state (i.e. normal operating temperature).

Safety Integrity Level

  • Safety Integrity Level: it is a discrete level (one out of a possible four) for specifying the safety integrity requirements of the safety functions to be allocated to the E/E/PE safety-related systems

Putting simple: safety Integrity level is a measure of performance required from a safety instrumented system to maintain or achieve the safety state

There are two basic elements associated with this measure:

  • Hardware safety integrity: which is typically based upon random hardware failures can normally be estimated to a reasonable level of accuracy via probability of failure on demand (PFD).
  • Systematic safety integrity: systematic integrity tends to be harder to quantify. This is due to the diversity of causes of failures; systematic failures may be introduced during the specification, design, implementation, operational and modification phase and may affect hardware as well as software

To conclude we have:

“Safety Integrity is measure by the correct performance of safety function which are used to return the system to a safety state. This state can be quantified using Safety Integrity Levels”

Let’s now move to how one would measure SIL. There are several methods available – Synergi Plant currently uses Risk Matrix to measure the SIL. Risk graph and Layer of Protection Analysis (LOPA) are other methods available in the industry.

How the terminology compares between IEC 61508 & IEC 61511?

IEC 61508 IEC 61511 Comment
E/E/PE safety related system SIS IEC 61508 refers ti E/E/PE safety related systems while IEC 61511 refers ti safety instrumented systems
PES SIS IEC 61508 “PES” includes sensors and final control elements, while IEC 61511 uses the term SIS
Process control system Basic process control system Basic process control system is a global term for the process sector
EUC Process IEC 61508 refers to EUC (equipment under control) while IEC 61511 refers to process
Safety function Safety instrumented function (SIF) IEC 61508 safety function implemented by E/E/PES, other technology safety related system, or external risk reduction facilities. IEC 61511 SIF is implemented solely by SIS.

Risk Matrix in Synergi Plant – SIL module

In Synergi Plant, the analysis starts by either:

  • Selecting an existing scenario or;

SIL Assessment List

  • Creating a new scenario; the definition considers all elements defined for a specific level of the Asset Tree to describe a scenario

SIL Scenario definition

SIL New Scenario

When describing a scenario at a certain level of the tree, Synergi Plant will use the information defined at the hierarchy to understand what components and data are available for the SIL analysis.

For instance, opening at the “Pressure Sensor”, which is part of the PSV-1001 shown in the picture above, shows the observed data for this item:

SIL Observation data

Anyways, the process of calculating SIL is broken down in two steps:

  • SIL Classification or Allocation (required SIL)
  • SIL Verification or Realization (calculated SIL)

The next section discusses the classification process.

SIL Classification analysis

As mentioned before, the main idea of the “SIL classification analysis” is to specify a required SIL for each Safety Instrumented Function (SIF).

A discrete level (one out of a possible four) for specifying the safety requirements of the safety functions which must be allocated to the system.  This is the main benefit of SIL as it allows a high-level understanding of each level is typically all that is necessary to convey SIL at management levels.

Safety Integrity level Probability of Failure on Demand Risk Reduction Factor
SIL 4 10-5≥ PofD <10-4 100,000 to 10,000
SIL 3 10-4≥ PofD <10-3 10,000 to 1,000
SIL 2 10-3≥ PofD < 10-2 1,000 to 100
SIL 1 10-2≥ PofD < 10-1 100 to 10

 

This saves management from having to understand the technical aspects of SIL, while allowing them to discuss their concerns.

The higher the level of safety integrity, the lower the probability that the safety-related system will fail to carry out the required safety functions.

For the Risk Matrix method, several parameters are qualitatively assessed. Analysts must define risk associated with the Environment, HSE and Economic in addition to the demand rate.

SIL Classification – Step 1

Upon completing this process, an “Assessed SIL” is defined for the scenario:

SIL Classification – Step 2

One of the nicest features that this module has is the ability to add comments and to validate why a certain frequency has been assigned.

The SIL assignment can be configured to follow your company’s rule/standard. In this case, the combination of a SIL 3 for environment and HSE and a SIL 2 economic gives a SIL 3 for the Assessed SIL:

Risk Matrix

Note that once the SIL classification process is finished, the Target SIL will be equal to the Assessed SIL. That’s because a fundamental part of the SIL classification process is missing – an Independent Layer of Protection. The next step before moving to the Verification process is defining an Independent Layer of Protection or IPL. AICHE defines IPL as:

“A device, system, or action that is capable of preventing a scenario from proceeding to the undesired consequence without being adversely affected by the initiating event or the action of any other protection layer associated with the scenario.”

Thus, the IPL will serve as a risk reduction factor. In Synergi Plant, the IPL can be defined for each scenario, as shown below:

IPL – Selection

Adding the Independent Protection Layer (IPL) will update the target SIL, as shown below. Now, the target SIL shows a SIL 1 level:

Adjusted SIL by IPL

This completes the SIL Classification process and allows us to move to the next step, the verification analysis.

SIL Verification analysis

After finishing the classification process, the analyst needs to verify the SIL. As the name suggests, this process is used to verify, quantitatively, if the Safety Integrity Function, which has been identified as part of the classification process, meet their target SIL.

There are several options to perform calculation to verify SIL. Synergi Plant, for example, offer a calculator which allows analyst to define any mathematical approach to the estimation process.

This calculation is based on several parameters which are defined in three categories:

  • Sensors
  • Logic units
  • Final elements

SIL Verification – Step 1

These elements are described in four sub-categories which carry a set of data:

SIL Verification – Step 2

An example of data required to run the calculation in Synergi Plant – SIL is failure database. By default, Synergi Plant looks at two databases of failure rate – Exida and PDS. This calculation requires a post by itself which will come over the next couple of weeks!

Upon completion of the Verification process, a SIL level is assigned to each component described in the list. This will then be used to calculate the “Current SIL”:

Finally, the results for all the scenarios are displayed at the dashboard area:

Dashboard

2 Comments Add your comment
Saikat says:

A nice description.Very informative.More specific example of conclusion on SIL level is required.

Victor Borges Victor Borges says:

Thanks Saikat. We will work on a better description of SIL level on the following posts.

Reply with your comment

Your email address will not be published. Required fields are marked *