The language of functional safety

Sept. 20, 2021
Safety integrity levels provide an effective framework for mitigating the risks inherent in industrial processes

With increased realization of the risk posed by hydrocarbons and other toxic hazards, and the resultant focus on safety and environment protection across industries, it's necessary and mandatory to implement trusted methods that result in reliable, robust and safe industrial processes, while also taking into account the overall costs of such measures.

Well-designed instrumented systems used for safety or critical control applications seek a balance of safety and reliability by considering appropriate voting schemes and high self-diagnostic coverage among field sensors, logic solvers and final elements.

In this article, we'll discuss the definitions and concepts behind functional safety and safety integrity level (SIL) requirements, how they can help systematically optimize process safety, and provide guidance during the design process.

Safety terms defined

The need for independent safety systems in the process industry derives from a range of potential hazards such as high temperatures and pressures, explosive atmospheres and exposure to radiation. And, while the basic process control system (BCPS) is used for controlling process variables within specified limits (and raising alarms when they're not), it's typically not sufficient for ensuring safety.

A safety instrumented function (SIF) is a safety function with a specified SIL necessary to achieve functional safety. It can be either a safety instrumented protection function or a safety instrumented control function. A function comprises of one or more initiators, a logic solver and one or more final elements. A SIF’s sensors, logic solver and final control elements act in concert to detect a hazard, and bring the process to a safe state. What devices are used in the SIF are based on the level of protection required.

A safety instrumented system (SIS) is an instrumented system used to implement one or more SIFs. A SIS is composed of any combination of sensors, logic solvers and final elements. This definition is used in ANSI/ISA 84.0S1 and IEC 61511 standards, and is equivalent to the IEC 61508, “E/E/PE safety related system” standard.

Safety integrity is the average probability of a SIS satisfactorily performing its required safety functions under all the stated conditions within a given period of time.

SIL is a measure of safety system performance or probability of failure on demand (PFD) for a SIF or SIS. There are four discrete integrity levels associated with SIL (Figure 1). The higher the SIL level, the lower the PFD for the safety system and the better the system performance. It's important to also note that as the SIL level increases, typically so do cost and complexity. In general, SIL applies to an entire system and not to Individual products or components.

Safety Integrity Level Probability of failure on demand per year (or low demand) Risk reduction factor Probability of dangerous failure per hour (continuous mode or high demand) 
SIL 4 > = 10-5 to < 10-4 from 100,000 to 10,000  > = 10-9 to < 10-8
SIL 3 > = 10-4 to <10-3 from 10,000 to 1,000  > = 10-8 to < 10-7
SIL 2 > = 10-3 to < 10-2 from 1,000 to 100  > = 10-7 to < 10-6
SIL 1 > = 10-2 to < 10-1 from 100 to 10  > = 10-6 to < 10-5

Figure 1: Safety integrity levels 1 to 4 describe safety instrumented systems that can reduce risk by a factor ranging from 10 to a million.

Discrete SILs (from one to four) specify the safety integrity requirements of the SIFs to be allocated to a SIS. SIL 4 is the highest level of safety integrity, and SIL 1 the lowest. And each increment indicates an order of magnitude change in risk reduction. These SILs are also a way to indicate the tolerable failure rate of a particular safety function.

PFD is the probability that a device will fail to perform its required function when called upon to do so. The average PFD of all elements within a SIF is used for SIL evaluation.
Safe failure fraction (SFF) is a number that shows the percentage of possible failures that are self-identified by the device or are safe and have no effect. The key number in this calculation are the presence of dangerous undetected failures—those that are not identified but still have an effect. SIL and SFF are two of the key values that system designers can use as an objective comparison of instrument reliability from various device suppliers.

SIL levels are used when implementing a SIF that must reduce an existing intolerable process risk level to a tolerable risk range which is also called as low as reasonably possible (ALARP).

The acceptance of a SIL 1 SIS means that the level of hazard or economic risk is sufficiently low, and that a SIS with an availability of 90% (or 10% chance of failure) is acceptable.

For example, consider the installation of a SIL 1 SIS for a high-level trip in a liquid tank. The availability of 90% would mean that, out of every 10 times that the level reached the high-level trip point, there would be one predicted failure of the SIS and subsequent overflow of the tank. This might be an acceptable risk for some applications, hence it doesn't require any additional complexity. However, it should also be understood that SIL and availability are simply statistical representations of the integrity of the SIS when a process demand occurs.

Safety is in the details

Designing a system that can take action to ensure safety requires that we first understand the danger, including its probability and the consequences involved. Analysis of that data is required to determine the conditions that maintain safety. These analysis tools include risk graphs, risk matrices, layered risk matrices, layers of protection and fault trees. The need for protective layers is determined by first conducting an analysis of a process’s hazards and risks known as a process hazards analysis (PHA). Depending on the complexity of the process operations and the severity of its inherent risks, such an analyses may range from a simplified screening to a rigorous hazard and operability (HAZOP) engineering study, including reviews of process, electrical, mechanical, safety, instrumentation and managerial factors.

Once risks and hazards have been assessed, it can be determined whether they're at acceptable levels. If the study concludes that existing protection is insufficient, then a SIS will be required. The philosophy of the relevant standards suggests that a SIS or SIF should be implemented only if there is no other non-instrumented way of adequately eliminating or mitigating process risk.

Specifically, IEC 61511 Mod recommends that when a hazardous event can't be prevented or mitigated with something other than instrumentation, then a multidisciplinary team should conduct a PHA, design a variety of layers of protection, and finally implement an appropriate SIS.

Safety can be profitable, too

Business benefits can also be obtained using SIL assessments. In addition to developing safer processes, they can improve overall efficiency, reducing operating costs and boost profitability. They can reduce the number of false and unnecessary alarms and nuisance trips, and can allow the declassification of some trips and the lengthening of test intervals for others, which in turn reduces the costs associated with trip testing. Also, SIL assessments help demonstrate compliance with regulations, protect your license to operate, and raise confidence among stakeholders and the general public.

Behind the byline

Rasikendra Singh Chauhan is an associate chief engineer for instrumentation and controls at Technip Energies in Mumbai, India. He can be reached at [email protected]