Safety integrity level

In functional safety, safety integrity level (SIL) is defined as the relative level of risk reduction provided by a safety instrumented function (SIF), i.e. a measure of the performance required of the SIF. [1]

In the functional safety standards based on IEC 61508, four SILs are defined, with SIL4 the most dependable and SIL1 the least. The applicable SIL is determined from a number of quantitative factors in combination with qualitative factors such as risk assessment and safety lifecycle management. Other standards may define their SIL numbers differently. [2]

SIL allocation

Assignment, or allocation, of a SIL is an exercise in risk analysis: the risk associated with a specific hazard that a SIF is intended to protect against is calculated without the beneficial risk reduction of the SIF. That unmitigated risk is then compared against a tolerable risk target. If the unmitigated risk is higher than the tolerable risk, the difference must be closed by the risk reduction provided by the SIF, and this amount of required risk reduction determines the SIL target. In essence, each order of magnitude of required risk reduction corresponds to one step up in SIL, up to a maximum of SIL4. Should the risk assessment establish that the required risk reduction cannot be achieved by a SIL4 SIF, then alternative arrangements must be designed, such as non-instrumented safeguards (e.g., a pressure relief valve). [1]

There are several methods used to assign a SIL. These are normally used in combination, and may include: [1]

Of these methods, layer of protection analysis (LOPA) is by far the most commonly used in large industrial facilities such as chemical process plants.

The assignment may be tested using both pragmatic and controllability approaches, applying industry guidance such as that published by the UK HSE. [3] SIL assignment processes that use the HSE guidance to ratify assignments derived from risk matrices have been certified as meeting IEC 61508.

Problems

There are several problems inherent in the use of safety integrity levels. These can be summarized as follows: [citation needed]

These lead to circular statements such as "This system is a SIL N system because the process adopted during its development was the standard process for the development of a SIL N system", or to use of the SIL concept out of context, such as "This is a SIL 3 heat exchanger" or "This software is SIL 2". According to IEC 61508, a SIL must be related to the dangerous failure rate of the safety function as a whole, not to its overall failure rate and not to the failure rate of one component part, such as the software. Defining the dangerous failure modes through safety analysis is therefore intrinsic to determining the failure rate that matters. [citation needed]

Certification

The International Electrotechnical Commission's (IEC) standard IEC 61508 defines SIL using requirements grouped into two broad categories: hardware safety integrity and systematic safety integrity. A device or system must meet the requirements for both categories to achieve a given SIL.

The SIL requirements for hardware safety integrity are based on a probabilistic analysis of the device. To achieve a given SIL, the device must meet targets for the maximum probability of dangerous failure and for a minimum safe failure fraction (SFF). 'Dangerous failure' must be rigorously defined for the system in question, normally as requirement constraints whose integrity is verified throughout system development. The actual targets vary with the likelihood of a demand (the demand mode), the complexity of the device(s) and the type of redundancy used.

PFD (average probability of dangerous failure on demand) and RRF (risk reduction factor, i.e. 1/PFD) for low demand mode, for each SIL as defined in IEC/EN 61508, are as follows:

SIL   PFD (range)         PFD (powers of ten)   RRF
1     0.1 – 0.01          10^-1 – 10^-2         10 – 100
2     0.01 – 0.001        10^-2 – 10^-3         100 – 1,000
3     0.001 – 0.0001      10^-3 – 10^-4         1,000 – 10,000
4     0.0001 – 0.00001    10^-4 – 10^-5         10,000 – 100,000

For high demand or continuous mode, the targets are instead expressed as PFH, the average frequency (probability) of dangerous failure per hour:

SIL   PFH (per hour)              PFH (powers of ten)   RRF
1     0.00001 – 0.000001          10^-5 – 10^-6         100,000 – 1,000,000
2     0.000001 – 0.0000001        10^-6 – 10^-7         1,000,000 – 10,000,000
3     0.0000001 – 0.00000001      10^-7 – 10^-8         10,000,000 – 100,000,000
4     0.00000001 – 0.000000001    10^-8 – 10^-9         100,000,000 – 1,000,000,000
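The following Python is an added worked example; it is not part of the original article and is not code from IEC 61508 or from any certification body. It carries the SIL allocation section through in numbers (hazard frequency without the SIF, tolerable frequency, required risk reduction, SIL target, and the case where even SIL4 is not enough) and then checks two candidate SIFs against the low demand table above, using the simplified 1oo1 and 1oo2 PFD_avg approximations from the IEC 61508-6 reliability annex and the IEC 61508-2 definition of safe failure fraction. All frequencies, failure rates, the 5% beta factor, the proof-test interval and the function names are assumptions chosen for illustration.

```python
# Added worked example (not from the page or from IEC 61508 itself).
# Frequencies, failure rates and architecture choices below are constructed.
from dataclasses import dataclass
from typing import Optional

# Low-demand PFD bands from the table above: SIL k holds for
# 10**-(k+1) <= PFD_avg < 10**-k.  RRF = 1/PFD uses the same edges.
PFD_LOWER = {1: 1e-2, 2: 1e-3, 3: 1e-4, 4: 1e-5}


def required_rrf(f_unmitigated: float, f_tolerable: float) -> float:
    """Risk reduction factor the SIF must deliver: hazard frequency
    without the SIF divided by the tolerable frequency (events/year)."""
    if f_unmitigated <= 0 or f_tolerable <= 0:
        raise ValueError("frequencies must be positive")
    return f_unmitigated / f_tolerable


def sil_target_from_rrf(rrf: float) -> Optional[int]:
    """Allocate a SIL target from the required RRF.  Returns 0 when
    RRF <= 10 (no SIF needed) and None when RRF exceeds 100,000, i.e. the
    gap is beyond SIL4 and a non-instrumented safeguard has to close it."""
    if rrf <= 10:
        return 0
    for sil in (1, 2, 3, 4):
        if rrf <= 10 ** (sil + 1):
            return sil
    return None


def sil_band_from_pfd(pfd: float) -> int:
    """Low-demand band an achieved PFD_avg falls in (0 = worse than SIL1).
    PFD below 1e-5 has no band of its own; it is reported as SIL4 here."""
    if pfd >= 1e-1:
        return 0
    for sil in (1, 2, 3, 4):
        if pfd >= PFD_LOWER[sil]:
            return sil
    return 4


def pfd_1oo1(lambda_du: float, proof_test_h: float) -> float:
    """Simplified PFD_avg of a single channel: lambda_DU * T / 2.
    lambda_DU in dangerous undetected failures per hour, T = proof-test
    interval in hours.  Only valid while lambda_DU * T << 1."""
    x = lambda_du * proof_test_h
    if x > 0.1:
        raise ValueError("lambda_DU * T too large for the linear approximation")
    return x / 2


def pfd_1oo2(lambda_du: float, proof_test_h: float, beta: float = 0.0) -> float:
    """Simplified PFD_avg of a 1oo2 pair with a beta-factor common-cause term:
    independent part ((1-beta)*lambda_DU*T)^2 / 3 plus beta*lambda_DU*T / 2
    for the fraction of failures that takes both channels out together."""
    x = lambda_du * proof_test_h
    if x > 0.1:
        raise ValueError("lambda_DU * T too large for the approximation")
    return ((1 - beta) * x) ** 2 / 3 + beta * x / 2


def safe_failure_fraction(lambda_s: float, lambda_dd: float, lambda_du: float) -> float:
    """SFF = (lambda_S + lambda_DD) / (lambda_S + lambda_DD + lambda_DU).
    Only the dangerous undetected share counts against the device, which is
    why a bare 'failure rate' says nothing about SIL until dangerous modes
    have been separated out by safety analysis."""
    return (lambda_s + lambda_dd) / (lambda_s + lambda_dd + lambda_du)


@dataclass
class Verdict:
    required_rrf: float
    target_sil: Optional[int]
    achieved_pfd: float
    achieved_band: int
    meets_target: bool


def verify_sif(f_unmitigated: float, f_tolerable: float, achieved_pfd: float) -> Verdict:
    """Compare a candidate SIF against the allocated target.  The band is only
    an order-of-magnitude label; acceptance is 1/PFD >= required RRF."""
    rrf = required_rrf(f_unmitigated, f_tolerable)
    target = sil_target_from_rrf(rrf)
    band = sil_band_from_pfd(achieved_pfd)
    meets = target is not None and 1.0 / achieved_pfd >= rrf
    return Verdict(rrf, target, achieved_pfd, band, meets)


if __name__ == "__main__":
    # Constructed scenario: overpressure demand 0.05/yr without the SIF,
    # tolerable 1e-4/yr -> required RRF 500 -> SIL2 target.
    f_unmit, f_tol = 0.05, 1e-4
    lam_du, t_proof = 2e-6, 8760.0          # per hour; annual proof test
    a = verify_sif(f_unmit, f_tol, pfd_1oo1(lam_du, t_proof))
    b = verify_sif(f_unmit, f_tol, pfd_1oo2(lam_du, t_proof, beta=0.05))
    print(f"target SIL{a.target_sil}, required RRF {a.required_rrf:.0f}")
    print(f"1oo1: PFD {a.achieved_pfd:.2e} band SIL{a.achieved_band} meets={a.meets_target}")
    print(f"1oo2: PFD {b.achieved_pfd:.2e} band SIL{b.achieved_band} meets={b.meets_target}")
    print("beyond SIL4:", sil_target_from_rrf(required_rrf(1.0, 1e-6)))
```

The point the numbers make is the one behind the "Problems" section: the single-channel loop has a PFD of about 8.8e-3, which sits inside the SIL2 band, yet it delivers an RRF of only about 114 against a requirement of 500. Acceptance has to compare the achieved PFD with the required risk reduction, not just match band labels; the 1oo2 arrangement with a 5% common-cause fraction lands at about 5.3e-4 (SIL3 band, RRF about 1,900) and does meet the target.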

Hazards of a control system must be identified and then analysed through risk analysis. Mitigation of these risks continues until their overall contribution to the hazard is considered acceptable. The tolerable level of these risks is specified as a safety requirement in the form of a target 'probability of a dangerous failure' in a given period of time, stated as a discrete SIL.

Certification schemes, such as the CASS Scheme (Conformity Assessment of Safety-related Systems) are used to establish whether a device meets a particular SIL. [4] The requirements of these schemes can be met either by establishing a rigorous development process, or by establishing that the device has sufficient operating history to argue that it has been proven in use.

Electrical and electronic devices can be certified for use in functional safety applications according to IEC 61508, provided the application developers show the evidence required to demonstrate that the application including the device is also compliant. There are a number of application-specific standards based on or adapted from IEC 61508, such as IEC 61511 for the process industry sector. This standard is used in the petrochemical and hazardous chemical industries, among others.

Standards

The following standards use SIL as a measure of reliability and/or risk reduction.

References

  1. Marszal, Edward M.; Scharpf, Eric W. (2002). Safety Integrity Level Selection: Systematic Methods Including Layer of Protection Analysis. Research Triangle Park, N.C.: ISA – The Instrumentation, Systems, and Automation Society. ISBN 1-55617-777-1.
  2. Redmill, Felix (2000). "Understanding the Use, Misuse, and Abuse of Safety Integrity Levels". Retrieved 7 July 2023.
  3. Charlwood, Mark; Turner, Shane; Worsell, Nicola (2004). A Methodology for the Assignment of Safety Integrity Levels (SILs) to Safety-related Control Functions Implemented by Safety-related Electrical, Electronic and Programmable Electronic Control Systems of Machines (PDF). Research Report 216. Sudbury: HSE Books. ISBN 0-7176-2832-9.
  4. Jones, C.; Bloomfield, R.E.; Froome, P.K.D.; Bishop, P.G. (2001). Methods for Assessing the Safety Integrity of Safety-related Software of Uncertain Pedigree (SOUP) (PDF). Research Report 337/2001. Sudbury: HSE Books. p. 6. ISBN 0-7176-2011-5.
