Safety Integrity Level
Safety Integrity Level (SIL) is defined as a relative level of risk reduction provided by a safety function, or as a target level of risk reduction. In simple terms, SIL is a measurement of the performance required of a Safety Instrumented Function (SIF).
The requirements for a given SIL are not consistent among all of the functional safety standards. In the European functional safety standards based on IEC 61508, four SILs are defined, with SIL 4 being the most dependable and SIL 1 being the least. A SIL is determined based on a number of quantitative factors in combination with qualitative factors such as the development process and safety life cycle management.
SIL Assignment
There are several methods used to assign a SIL. These are normally used in combination, and may include:
- Risk Matrices
- Risk Graphs
- Layers Of Protection Analysis (LOPA)
The assignment may be tested using both pragmatic and controllability approaches, applying guidance on SIL assignment published by the UK HSE. SIL assignment processes that use the HSE guidance to ratify assignments developed from Risk Matrices have been certified to meet IEC EN 61508.
Problems with the use of SIL
There are several problems inherent in the use of Safety Integrity Levels. These can be summarized as follows:
- Poor harmonization of definition across the different standards bodies which utilize SIL
- Process-oriented metrics for derivation of SIL
- Estimation of SIL based on reliability estimates
- System complexity, particularly in software systems, making SIL estimation difficult to impossible
These lead to such erroneous statements as, "This system is a SIL N system because the process adopted during its development was the standard process for the development of a SIL N system", or use of the SIL concept out of context such as, "This is a SIL 3 heat exchanger" or "This software is SIL 2". According to IEC 61508, the SIL concept must be related to the dangerous failure rate of a system, not just its failure rate or the failure rate of a component part, such as the software. Definition of the dangerous failure modes by safety analysis is intrinsic to the proper determination of the failure rate.
Advantages for Managers
Because SIL has only three simple numbers to remember, 1 to 4, with 4 being impossible for anything but the likes of the nuclear industry, low IQ managers and salesmen can save face, not have to learn difficult maths and stats and look important.
Certification to a Safety Integrity Level
The International Electrotechnical Commission's (IEC) standard IEC 61508, now IEC EN 61508, defines SIL using requirements grouped into two broad categories: hardware safety integrity and systematic safety integrity. A device or system must meet the requirements for both categories to achieve a given SIL.
The SIL requirements for hardware safety integrity are based on a probabilistic analysis of the device. To achieve a given SIL, the device must meet targets for the maximum probability of dangerous failure and a minimum Safe Failure Fraction. The concept of 'dangerous failure' must be rigorously defined for the system in question, normally in the form of requirement constraints whose integrity is verified throughout system development. The actual targets required vary depending on the likelihood of a demand, the complexity of the device(s), and types of redundancy used.
PFD (Probability of Failure on Demand) and RRF (Risk Reduction Factor) for low-demand operation at the different SILs, as defined in IEC EN 61508, are as follows:
| SIL | PFD | PFD (powers of ten) | RRF |
|---|---|---|---|
| 1 | 0.1 - 0.01 | 10^-1 - 10^-2 | 10 - 100 |
| 2 | 0.01 - 0.001 | 10^-2 - 10^-3 | 100 - 1,000 |
| 3 | 0.001 - 0.0001 | 10^-3 - 10^-4 | 1,000 - 10,000 |
| 4 | 0.0001 - 0.00001 | 10^-4 - 10^-5 | 10,000 - 100,000 |
For continuous operation, these change to the following:
| SIL | PFD | PFD (powers of ten) | RRF |
|---|---|---|---|
| 1 | 0.00001 - 0.000001 | 10^-5 - 10^-6 | 100,000 - 1,000,000 |
| 2 | 0.000001 - 0.0000001 | 10^-6 - 10^-7 | 1,000,000 - 10,000,000 |
| 3 | 0.0000001 - 0.00000001 | 10^-7 - 10^-8 | 10,000,000 - 100,000,000 |
| 4 | 0.00000001 - 0.000000001 | 10^-8 - 10^-9 | 100,000,000 - 1,000,000,000 |
Hazards of a control system must be identified and then analysed through risk analysis. Mitigation of these risks continues until their overall contribution to the hazard is considered acceptable. The tolerable level of these risks is specified as a safety requirement in the form of a target 'probability of a dangerous failure' in a given period of time, stated as a discrete SIL level.
Certification schemes are used to establish whether a device meets a particular SIL. The requirements of these schemes can be met either by establishing a rigorous development process, or by establishing that the device has sufficient operating history to argue that it has been proven in use.
Electric and electronic devices can be certified for use in Functional Safety applications according to IEC 61508, providing application developers the evidence required to demonstrate that the application including the device is also compliant. IEC 61511 is an application-specific adaptation of IEC 61508 for the Process Industry sector. This standard is used in the petrochemical and hazardous chemical industries, among others.
SIL in Safety Standards
The following standards use SIL as a measure of reliability and/or risk reduction.
- ANSI/ISA S84 (Functional safety of safety instrumented systems for the process industry sector)
- IEC EN 61508 (Functional safety of electrical/electronic/programmable electronic safety related systems)
- IEC 61511 (Safety instrumented systems for the process industry sector)
- IEC 62061 (Safety of machinery)
- EN 50128 (Railway applications - Software for railway control and protection)
- EN 50129 (Railway applications - Safety related electronic systems for signalling)
- EN 50402 (Fixed gas detection systems)
- MISRA, various (Guidelines for safety analysis, modelling, and programming in automotive applications)
- Defence Standard 00-56 Issue 2 - accident consequence
The use of a SIL in specific safety standards may apply different number sequences or definitions to those in IEC EN 61508.
See also
- ALARP
- Spurious trip level
- HIPPS
All the major components of a HIPPS system shall be SIL 3 approved.
There is a whole family of C-level standards based more or less on IEC 61508 that also use SIL, e.g., IEC 62061 and ISO 26262.
Textbooks
- D. Smith, K. Simpson, "Safety Critical Systems Handbook - A Straightforward Guide to Functional Safety, IEC 61508 (2010 Edition) and Related Standards" (3rd Edition, ISBN 978-0-08-096781-3, 270 pages).
- M. Punch, "Functional Safety for the Mining Industry – An Integrated Approach Using AS(IEC)61508, AS(IEC)62061 and AS4024.1" (1st Edition, ISBN 978-0-9807660-0-4, A4 paperback, 150 pages). www.marcuspunch.com
External links
- Safety Users Group Functional Safety-Information Resources
- Inside Functional Safety Technical magazine focusing on functional safety
- 61508.org The 61508 Association
- IEC Safety Zone The IEC Functional safety zone
- Functional Safety, A Basic Guide Functional Safety and IEC 61508: A basic guide
- Overview of 61508 Overview of IEC 61508
- SIL Made Simple - White Paper presented at Valve World 2010