The occurrence of catastrophic overfill incidents in recent years has made improving safety a mission-critical requirement for all process industries. To do this, one needs to first understand the hazards that these types of processes pose, and what can be done to mitigate them.
In prior posts, this blog has discussed how assessing the hazards and risks within your processes can determine the need for a Safety Instrumented System (SIS). This week, we’ll explain Safety Integrity Level (SIL) – and how assigning a target SIL can help you measure the safety risk of a given process.
Four Levels of Integrity
Historically, safety thinking categorized a process as being either safe or unsafe. However, in the standards that have been developed over the past several years, safety isn’t considered a binary attribute. Instead, the ISA SP84 committee stratified it into four discrete levels of safety. Each level represents an order of magnitude of risk reduction. The higher the SIL, the greater the consequences of a failure for the surrounding area, and the lower the failure rate that is acceptable.
SIL is a way to indicate the tolerable failure rate of a safety function. Standards require the assignment of a target SIL for any new or retrofitted Safety Instrumented Function (SIF) within a SIS. Assigning the target SIL is a decision that extends the Hazards Analysis, which analyzes the hazards and risks within a process. The SIL assignment is based on the amount of risk reduction that is necessary to keep the risk at an acceptable level. All of the SIS design, operation, and maintenance choices must then be verified against the target SIL. This ensures that the SIS can mitigate the assigned process risk.
Hardware Fault Tolerance
IEC61508-4 defines “fault tolerance” as the “ability of a functional unit to continue to perform a required function in the presence of faults or errors.” Therefore, hardware fault tolerance is the ability of the hardware (complete hardware and software of the transmitter) to continue to perform a required function in the presence of faults or errors.
A hardware fault tolerance of 0 means that a single fault leaves the transmitter unable to perform its function (for example, measure level). A hardware fault tolerance of N means that the device tolerates N faults, and N+1 faults could cause a loss of the safety function. When a Failure Modes, Effects and Diagnostic Analysis (FMEDA) is performed on a device, the resultant Safe Failure Fraction (SFF) has an associated hardware fault tolerance of 0.
Determining SIL Levels – Process
When a Process Hazards Analysis determines that a SIS is needed, the level of risk reduction afforded by the SIS and the target SIL have to be assigned. The effectiveness of a SIS is described in terms of “the probability it will fail to perform its required function when it is called upon to do so,” which is its Probability of Failure on Demand (PFD). The average PFD (PFDavg) is used for SIL evaluation. The chart below shows the relationship between PFDavg, availability of the safety system, risk reduction and SIL level.
Various methodologies are used to assign target SILs, including (but not limited to) Simplified Calculations, Fault Tree Analysis, Layer of Protection Analysis and Markov Analysis. The determination must also involve people who possess the relevant expertise and experience.
Determining SIL Levels – Instrumentation
SIL levels for field instruments are established by one of two methods:
- FMEDA is best when reviewed or certified by a third party, such as exida or TUV, but manufacturers can make self-declarations. A systematic analysis technique is necessary to determine failure rates, failure modes and the diagnostic capability as defined by IEC 61508/61511.
- Proven in Use (also called Prior Use) is typically used for mature instruments in known processes. This approach requires sufficient product operating hours, revision history, fault reporting systems and field failure data to determine whether there is evidence of systematic design faults in a product. IEC 61508 specifies the operating history required for each SIL. Prior-use evidence is generally considered more valuable when gathered by users in their own facility, comparing like data, and less reliable when compiled by a device manufacturer, whose data may be less relevant to the end user’s application.
If a manufacturer’s prior-use data must be relied on because a product does not reach the required level under the standard FMEDA analysis, significant requirements are imposed. For example, a mature product must generally be used (to have the required field experience), and the design and assembly must be “frozen in time” so that no upgrades, modifications or even configuration changes are allowed that may render the “Proven in Use” data useless. A key result of the analysis is establishing a Safe Failure Fraction (SFF) for a product. The following chart shows the relationship of SFF values, SIL ratings and the effects of redundancy.
While two SIL 1 devices can be used to achieve SIL 2 and two SIL 2 devices may be used to achieve SIL 3, it is not automatic. Using redundancy to attain a higher SIL rating has an additional requirement of systematic safety, which includes software integrity. It is important to note that the most conservative approach to redundancy is to use dissimilar technologies. This reduces failures due to application issues. Within the SFF determination is an understanding of types of failures and the ability of the instrument to diagnose them.
The most critical category of failures is called Dangerous Undetected (DU). For example, the new Eclipse® Model 706 has an SFF of 93.0% with 61 Dangerous Undetected failures, which means that 93.0% of all failures are either detected or safe (nuisance) failures. Conversely, the 61 represents the remaining 7% that are dangerous and undetected. The lower the number of Dangerous Undetected failures, the better. This number is key in a reliability evaluation, even for non-safety-related applications.
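As an added worked example (not from the original post or from Magnetrol), the following Python carries the FMEDA figures quoted above through the relationships the two missing charts describe: PFDavg, risk reduction factor and the SIL band, then the architectural cap that SFF and hardware fault tolerance impose, for one transmitter and for a redundant pair. It assumes the post’s 61 Dangerous Undetected failures are 61 FIT (failures per 10^9 hours, the unit FMEDA reports use), a constructed one-year proof-test interval and 10% beta-factor, and a Type B (complex electronics) device.

```python
# Added example (not from the post or Magnetrol): from the FMEDA figures quoted
# above (SFF 93.0 %, 61 dangerous-undetected failures) to PFDavg, risk reduction
# factor and claimable SIL for one sensor (1oo1) and a redundant pair (1oo2).
# Assumed: 61 DU means 61 FIT; one-year proof test, 10 % beta-factor (constructed).
FIT = 1e-9  # one failure per 1e9 device-hours

# IEC 61508 low-demand PFDavg bands: (SIL, lower bound, upper bound)
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]
# IEC 61508-2 Route 1H architectural constraints for a Type B device (assumed):
# (SFF lower bound, max SIL at HFT 0, 1, 2); 0 means no SIL may be claimed.
ARCH_TYPE_B = [(0.99, (3, 4, 4)), (0.90, (2, 3, 4)), (0.60, (1, 2, 3)), (0.0, (0, 1, 2))]

def total_fit_from_sff(du_fit, sff):
    """Total failure rate implied by the DU rate: DU is the (1 - SFF) share."""
    return du_fit / (1.0 - sff)

def pfd_avg_1oo1(lambda_du, proof_test_hours):
    """Simplified PFDavg for a single device (HFT 0): lambda_DU * TI / 2."""
    return lambda_du * proof_test_hours / 2

def pfd_avg_1oo2(lambda_du, proof_test_hours, beta):
    """Simplified PFDavg for 1oo2 (HFT 1): the independent term plus the
    beta-factor common-cause term, which dominates for identical devices."""
    x = lambda_du * proof_test_hours
    return x ** 2 / 3 + beta * x / 2

def sil_for_pfd(pfd_avg):
    """SIL band containing pfd_avg (0 = worse than SIL 1; 4 if below its band)."""
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd_avg < hi:
            return sil
    return 0 if pfd_avg >= 1e-1 else 4

def architectural_sil(sff, hft):
    """Highest SIL the hardware may claim for its SFF and fault tolerance."""
    for lower, caps in ARCH_TYPE_B:
        if sff >= lower:
            return caps[min(hft, 2)]

def claimable_sil(pfd_avg, sff, hft):
    """The weaker of the PFD-derived SIL and the architectural cap wins."""
    return min(sil_for_pfd(pfd_avg), architectural_sil(sff, hft))

if __name__ == "__main__":
    lam_du, ti, sff = 61 * FIT, 8760, 0.93  # 61 FIT, one-year proof test, SFF 93 %
    for name, pfd, hft in (("1oo1", pfd_avg_1oo1(lam_du, ti), 0),
                           ("1oo2", pfd_avg_1oo2(lam_du, ti, 0.10), 1)):
        print(name, f"PFDavg={pfd:.2e}", f"RRF={1 / pfd:.0f}",
              f"claimable SIL {claimable_sil(pfd, sff, hft)}")
```

Under these assumptions the single transmitter lands in the SIL 3 PFDavg band but is capped at SIL 2 by its 93% SFF at HFT 0, and the 1oo2 pair is capped at SIL 3, which is the "two SIL 2 devices for SIL 3" case described above; the common-cause term is what keeps identical redundant devices from doing better.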
For More Information
To learn more about this topic, please download the Magnetrol® Understanding SIL Technology bulletin.