Over the years, the global importance of SIL (Safety Integrity Levels) has grown substantially in the process industries. Yet SIL remains a somewhat ambiguous concept that is often misinterpreted and incorrectly implemented by many systems integrators, end users, and product vendors.
To fully understand SIL and its implications, it is crucial to first understand the overarching concept known as Functional Safety and how it applies to Safety Instrumented Systems (SIS) within the process industries.
What is Functional Safety?
As defined in IEC 61508, Functional Safety is the part of the overall safety of a plant or process that depends on the correct functioning of its safety-related control systems in response to their inputs. The concept was developed in response to the growing requirement for improved confidence in safety systems.
Major accidents worldwide, together with the increasing use of electrical, electronic, or programmable electronic systems to perform safety functions, have raised awareness and created the desire to design safety systems so that dangerous failures are prevented, or controlled when they do happen.
Through the development of standards IEC 61508, IEC 61511, and ANSI/ISA 84, industry experts started to address functional safety and formalize a method for decreasing risk in the process plant environment.
Generally, previous safety standards were prescriptive rather than performance-based. The focus on life-cycle considerations, quantitative risk reduction, and general practices is what sets these standards apart from their predecessors.
Functional Safety describes a safety system whose protection depends on the correct functioning of its sensors, logic solver, and final elements to attain a desired level of risk reduction. Functional Safety is achieved when every safety function is performed successfully and the process risk is reduced to the desired level.
What is a Safety Instrumented System (SIS)?
A Safety Instrumented System is designed to prevent or mitigate hazardous events by taking a process to a safe state when predetermined conditions are violated. Other common terms for the same thing are emergency shutdown system (ESD), safety interlock system, and safety shutdown system (SSD).
Each SIS has one or more Safety Instrumented Functions (SIF). A SIF loop combines sensor(s), logic solver(s), and final element(s) to carry out its function. Every SIF within an SIS has its own SIL.
Depending on the hazard each SIF addresses, these SILs may be the same or different. It is a common misconception that every safety function in a system must have the same SIL.
The Meaning of Safety Integrity Level (SIL)
SIL stands for Safety Integrity Level. A SIL is a measure of safety system performance, expressed as the average probability of failure on demand (PFDavg). The convention of quoting the probability of failure rather than the probability of correct performance was chosen because the numbers are easier to express (e.g., 1 in 100,000 rather than 99,999 in 100,000).
There are four discrete integrity levels associated with SIL. For low-demand operation under IEC 61508 / IEC 61511, each level corresponds to an order-of-magnitude band of PFDavg and, equivalently, of risk reduction factor (RRF = 1 / PFDavg):
SIL 1: PFDavg from 10^-2 to below 10^-1 (RRF 10 to 100)
SIL 2: PFDavg from 10^-3 to below 10^-2 (RRF 100 to 1,000)
SIL 3: PFDavg from 10^-4 to below 10^-3 (RRF 1,000 to 10,000)
SIL 4: PFDavg from 10^-5 to below 10^-4 (RRF 10,000 to 100,000)
The higher the SIL, the lower the probability that the safety function fails to work when demanded, and the greater the risk reduction it provides. Installation and maintenance costs and system complexity usually increase as the SIL increases.
In the process industries specifically, SIL 4 systems are so costly and complex that they are rarely economically justified. Moreover, a process that carries so much risk that a SIL 4 system is needed to bring it to a safe state has a fundamental design problem, which should be addressed by a process change or another non-instrumented measure.
It is a very common misconception that individual components or products have SIL ratings. Components and products are assessed as suitable for use in a given SIL environment, but the SIL itself applies to safety functions and safety systems (SIFs and SISs), not to the individual parts.
Only the end user can ensure that the safety system as a whole is implemented correctly; the logic solvers, sensors, and final elements on their own are merely suitable for use in specific SIL environments.
To obtain the desired risk reduction, the equipment or system must be used in the way it was intended. Purchasing SIL 2- or SIL 3-suitable components does not by itself produce a SIL 2 or SIL 3 system; the SIL is only established when the complete SIF loop is designed, installed, verified and maintained to that level.
Risk Management and Selecting an SIS or SIL Level
Identifying the tolerable risk is site-specific and subjective. The owner/operator must establish the acceptable level of risk to personnel and capital assets based on insurance requirements, company philosophy, budgets, and numerous other factors. A risk level that one owner considers tolerable may be unacceptable to another.
The first step in deciding whether a SIL 1, SIL 2, or SIL 3 system is required is to conduct a Process Hazard Analysis (PHA) to establish the functional safety requirements and identify the tolerable risk level.
The user then compares the residual risk against their risk tolerance, after the risk reduction and mitigation provided by the Basic Process Control System (BPCS) and the other layers of protection have been credited.
If the residual risk is still unacceptably high, the required risk reduction factor (RRF) is determined and the SIS/SIL need is derived from it. The RRF is the inverse of the average Probability of Failure on Demand (PFDavg) of the SIF/SIS, as seen in the table.
The appropriate SIL must be considered carefully before one is selected, because costs rise considerably with each higher SIS/SIL level. In the process industry, companies usually accept SIS designs up to SIL 2. If a Process Hazard Analysis shows a need for a SIL 3 SIS, owners will normally ask the engineering company to redesign the process to lower the intrinsic process risk instead.
Example of How to Determine SIS/SIF/SIL
A simple example will help to demonstrate the concepts of SIF, SIS and SIL. Consider a pressure vessel containing flammable liquid that is maintained at its design operating pressure by the BPCS.
If the process control system fails, the vessel will be subjected to an overpressure condition that could result in vessel failure, release of the flammable contents, and even a fire or explosion.
If the facility owner judges the risk in this scenario to be intolerable, an SIS will be implemented to reduce it further, to a tolerable level. The SIS will be independent of the BPCS and will act to prevent or mitigate the hazardous condition resulting from vessel overpressure.
The SIS will have a SIF, which could consist of a pressure transmitter that senses when an intolerable pressure has been reached, a logic solver that executes the trip logic, and a solenoid-operated valve that vents the contents of the vessel to a safe location (atmosphere, flare stack, storage tank, etc.), thus bringing the vessel to a safe state.
If the Process Hazard Analysis calls for a risk reduction factor of 100, the SIF must perform at SIL 2. Calculations covering every element of the SIF loop (sensor, logic solver and final element together) are then performed to verify that the PFDavg of the safety function is no greater than 10^-2, i.e., that the SIF achieves SIL 2 and reduces the hazard by at least a factor of 100.
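As an added worked example (not MSA's code, and not a substitute for a full IEC 61508-6 calculation), the Python below carries the two calculations described above through for the overpressure SIF: deriving the required RRF and target SIL from the residual and tolerable hazard frequencies, then verifying the loop PFDavg from element failure data. The failure rates, proof-test intervals and hazard frequencies are constructed for illustration, and the PFDavg formulas are the simplified 1oo1 and 1oo2 approximations (100 % proof-test coverage, no common-cause term, repair time ignored). It also demonstrates the earlier point that three elements which each sit in the SIL 2 band can still combine into a SIL 1 loop, until the final element is proof-tested more often or made redundant.

```python
"""Simplified SIL determination and SIF-loop PFDavg verification.

Added example, not MSA's code. Assumptions (hypothetical, for illustration):
  * low-demand mode, so SIL is judged on PFDavg;
  * simplified IEC 61508-6 approximations, 100 % proof-test coverage,
    no common-cause (beta) term, repair time ignored:
        1oo1: PFDavg ~= lambda_DU * Ti / 2
        1oo2: PFDavg ~= (lambda_DU * Ti)**2 / 3
  * failure rates below are constructed, not taken from any vendor's FMEDA.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0

# IEC 61508 low-demand bands: (PFDavg lower bound incl., upper bound excl., SIL)
SIL_BANDS = ((1e-5, 1e-4, 4), (1e-4, 1e-3, 3), (1e-3, 1e-2, 2), (1e-2, 1e-1, 1))


def required_rrf(residual_freq_per_year: float, tolerable_freq_per_year: float) -> float:
    """RRF the SIF must deliver: residual hazard frequency (after BPCS and
    other protection layers are credited) divided by the tolerable frequency."""
    return residual_freq_per_year / tolerable_freq_per_year


def required_sil(rrf: float) -> int:
    """Target SIL for a required RRF, using the article's convention
    (RRF 100 -> SIL 2). 0 means no SIS credit is needed; an RRF above
    10^5 is off the table and is treated as SIL 4 here."""
    for sil, lower in ((4, 1e4), (3, 1e3), (2, 1e2), (1, 1e1)):
        if rrf >= lower:
            return sil
    return 0


@dataclass(frozen=True)
class Element:
    name: str
    lambda_du: float          # dangerous undetected failures per hour
    proof_test_hours: float   # proof-test interval Ti in hours
    voting: str = "1oo1"      # "1oo1" single channel or "1oo2" redundant pair

    def pfd_avg(self) -> float:
        x = self.lambda_du * self.proof_test_hours
        if self.voting == "1oo1":
            return x / 2.0
        if self.voting == "1oo2":
            return x * x / 3.0
        raise ValueError(f"unsupported voting architecture: {self.voting}")


def achieved_sil(pfd: float) -> int:
    """SIL band a PFDavg falls into; 0 if PFDavg >= 0.1 (no SIL credit).
    Values below 1e-5 are off the table and treated as SIL 4 here."""
    for lo, hi, sil in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 0 if pfd >= 1e-1 else 4


def verify_sif(elements, rrf_needed: float) -> dict:
    """Sensor, logic solver and final element act in series, so for small
    values the loop PFDavg is the sum of the element PFDavgs."""
    loop_pfd = sum(e.pfd_avg() for e in elements)
    return {
        "pfd_avg": loop_pfd,
        "rrf": 1.0 / loop_pfd,
        "sil": achieved_sil(loop_pfd),
        "meets_target": 1.0 / loop_pfd >= rrf_needed,
        "element_sil": {e.name: achieved_sil(e.pfd_avg()) for e in elements},
    }


# Constructed overpressure SIF from the article's example, annual proof test.
# Each element on its own lands in the SIL 2 band or better ("SIL 2 suitable").
AS_BOUGHT = (
    Element("pressure transmitter", 5e-7, HOURS_PER_YEAR),
    Element("logic solver", 1e-7, HOURS_PER_YEAR),
    Element("solenoid + vent valve", 2e-6, HOURS_PER_YEAR),
)
# Same hardware, final element proof-tested every six months instead.
SEMIANNUAL_VALVE_TEST = AS_BOUGHT[:2] + (
    Element("solenoid + vent valve", 2e-6, HOURS_PER_YEAR / 2),
)
# Same hardware, two vent valves in 1oo2 (either one opening is enough).
REDUNDANT_VALVES = AS_BOUGHT[:2] + (
    Element("solenoid + vent valve (1oo2)", 2e-6, HOURS_PER_YEAR, "1oo2"),
)

if __name__ == "__main__":
    # PHA outcome (constructed): 1e-2 overpressure events/year after BPCS
    # credit, against a tolerable 1e-4/year -> RRF 100 -> SIL 2.
    rrf = required_rrf(1e-2, 1e-4)
    print(f"required RRF {rrf:.0f} -> SIL {required_sil(rrf)}")
    for label, loop in (("as bought", AS_BOUGHT),
                        ("semiannual valve test", SEMIANNUAL_VALVE_TEST),
                        ("1oo2 valves", REDUNDANT_VALVES)):
        r = verify_sif(loop, rrf)
        print(f"{label:22s} PFDavg {r['pfd_avg']:.2e} RRF {r['rrf']:.0f} "
              f"SIL {r['sil']} meets target: {r['meets_target']} "
              f"(elements: {r['element_sil']})")
```

Run as a script, the "as bought" loop comes out at roughly PFDavg 1.1e-2 (RRF about 88, SIL 1) even though every element is individually in the SIL 2 band, because the valve dominates the sum; halving the valve's proof-test interval or voting two valves 1oo2 brings the loop into the SIL 2 band. In a real assessment the element failure rates come from the vendor's FMEDA or certified safety data, and proof-test coverage and common-cause factors must be included.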
This one SIF may constitute the whole SIS, or the SIS may be made up of multiple SIFs addressing a number of other unacceptable process risks in the facility.
This information has been sourced, reviewed and adapted from materials provided by MSA - The Safety Company.