In functional safety, safety integrity level (SIL) is defined as the relative level of risk-reduction provided by a safety instrumented function (SIF), i.e. the measurement of the performance required of the SIF. [1]
In the functional safety standards based on the IEC 61508 standard, four SILs are defined, with SIL4 being the most dependable and SIL1 the least. The applicable SIL is determined based on a number of quantitative factors in combination with qualitative factors, such as risk assessments and safety lifecycle management. Other standards, however, may have different SIL number definitions. [2]
Assignment, or allocation, of SIL is an exercise in risk analysis in which the risk associated with a specific hazard, which a SIF is intended to protect against, is calculated without the beneficial risk-reduction effect of the SIF. That unmitigated risk is then compared against a tolerable risk target. If the unmitigated risk is higher than the tolerable risk, the difference between the two must be addressed through the risk reduction provided by the SIF. This amount of required risk reduction is correlated with the SIL target. In essence, each order of magnitude of required risk reduction correlates with an increase of one SIL, up to a maximum of SIL4. Should the risk assessment establish that the required risk reduction cannot be achieved by a SIL4 SIF, then alternative arrangements must be designed, such as non-instrumented safeguards (e.g., a pressure relief valve). [1]
There are several methods used to assign a SIL. These are normally used in combination, and may include: [1]
Of the methods presented above, LOPA is by far the most commonly used in large industrial facilities, such as for example chemical process plants.
The assignment may be tested using both pragmatic and controllability approaches, applying industry guidance such as the one published by the UK HSE. [3] SIL assignment processes that use the HSE guidance to ratify assignments developed from Risk Matrices have been certified to meet IEC 61508.
There are several problems inherent in the use of safety integrity levels. These can be summarized as follows:
These lead to such erroneous statements as the tautology "This system is a SIL N system because the process adopted during its development was the standard process for the development of a SIL N system", or use of the SIL concept out of context such as "This is a SIL 3 heat exchanger" or "This software is SIL 2". According to IEC 61508, the SIL concept must be related to the dangerous failure rate of a system, not just its failure rate or the failure rate of a component part, such as the software. Definition of the dangerous failure modes by safety analysis is intrinsic to the proper determination of the failure rate.
The International Electrotechnical Commission's (IEC) standard IEC 61508 defines SIL using requirements grouped into two broad categories: hardware safety integrity and systematic safety integrity. A device or system must meet the requirements for both categories to achieve a given SIL.
The SIL requirements for hardware safety integrity are based on a probabilistic analysis of the device. In order to achieve a given SIL, the device must meet targets for the maximum probability of dangerous failure and a minimum safe failure fraction. The concept of 'dangerous failure' must be rigorously defined for the system in question, normally in the form of requirement constraints whose integrity is verified throughout system development. The actual targets required vary depending on the likelihood of a demand, the complexity of the device(s), and types of redundancy used.
PFD (probability of dangerous failure on demand) and RRF (risk reduction factor) of low demand operation for different SILs as defined in IEC EN 61508 are as follows:
SIL | PFD | PFD (power) | RRF |
---|---|---|---|
1 | 0.1–0.01 | 10^−1 – 10^−2 | 10–100 |
2 | 0.01–0.001 | 10^−2 – 10^−3 | 100–1,000 |
3 | 0.001–0.0001 | 10^−3 – 10^−4 | 1,000–10,000 |
4 | 0.0001–0.00001 | 10^−4 – 10^−5 | 10,000–100,000 |
For continuous operation, these change to the following, where PFH is probability of dangerous failure per hour.
SIL | PFH | PFH (power) | RRF |
---|---|---|---|
1 | 0.00001–0.000001 | 10^−5 – 10^−6 | 100,000–1,000,000 |
2 | 0.000001–0.0000001 | 10^−6 – 10^−7 | 1,000,000–10,000,000 |
3 | 0.0000001–0.00000001 | 10^−7 – 10^−8 | 10,000,000–100,000,000 |
4 | 0.00000001–0.000000001 | 10^−8 – 10^−9 | 100,000,000–1,000,000,000 |
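The band tables above and the allocation step described earlier (required risk reduction derived from the gap between unmitigated and tolerable risk, one SIL per order of magnitude, beyond SIL4 meaning a non-instrumented safeguard is needed) can be turned into a small, checkable calculation. The following Python is an added example written for this page, not code from IEC 61508 or from any certification body. The band boundaries follow the usual IEC 61508 convention (lower bound inclusive, upper bound exclusive); the PFDavg estimate for a single channel (λ_DU·T/2) and the safe failure fraction formula are the simplified expressions from IEC 61508-6 and IEC 61508-2 respectively, and all numerical inputs are constructed sample values.

```python
"""Added example: SIL band arithmetic for IEC 61508 low-demand (PFD) and
continuous-mode (PFH) operation, plus the SIL allocation step.
All sample numbers below are constructed, not taken from a real plant or device."""

# IEC 61508 band convention: SIL n holds when 10^-(n+1) <= PFD < 10^-n (low demand)
# and 10^-(n+5) <= PFH < 10^-(n+4) (continuous / high demand).
MODE_EXPONENT_SHIFT = {"low_demand": 0, "continuous": 4}


def sil_band(probability, mode="low_demand"):
    """Return the SIL (1-4) whose band contains `probability` (a PFD or a PFH).
    Returns 0 when the value is too high even for SIL 1 and None when it lies
    below the SIL 4 band (IEC 61508 defines no level above SIL 4)."""
    shift = MODE_EXPONENT_SHIFT[mode]
    if probability >= 10.0 ** -(1 + shift):
        return 0
    for n in (1, 2, 3, 4):
        if probability >= 10.0 ** -(n + 1 + shift):
            return n
    return None


def risk_reduction_factor(pfd):
    """RRF column of the table: the reciprocal of the (average) PFD."""
    return 1.0 / pfd


def target_sil(unmitigated_per_year, tolerable_per_year):
    """Allocation step: required RRF = unmitigated / tolerable hazard frequency,
    so the SIF must achieve PFD <= 1 / RRF.  0 means the gap is below one decade
    (no SIL is demanded of a SIF); None means the required reduction exceeds what
    a SIL 4 SIF can claim, so a non-instrumented safeguard is needed."""
    if unmitigated_per_year <= tolerable_per_year:
        return 0
    required_rrf = unmitigated_per_year / tolerable_per_year
    return sil_band(1.0 / required_rrf, "low_demand")


def pfd_avg_1oo1(lambda_du_per_hour, proof_test_interval_hours):
    """Simplified IEC 61508-6 estimate for a single channel (1oo1) with periodic
    proof testing: PFDavg ~= lambda_DU * T / 2.  Ignores repair time and
    common-cause terms, so it is an optimistic lower bound."""
    return lambda_du_per_hour * proof_test_interval_hours / 2.0


def safe_failure_fraction(lambda_safe, lambda_dd, lambda_du):
    """SFF from IEC 61508-2: share of all failures that are either safe or
    dangerous-but-detected.  Inputs are the failure-rate classes an FMEDA
    produces, in failures per hour."""
    total = lambda_safe + lambda_dd + lambda_du
    return (lambda_safe + lambda_dd) / total


if __name__ == "__main__":
    # Constructed scenario: hazard once per 10 years unmitigated,
    # tolerable target once per 5,000 years -> RRF 500 -> SIL 2.
    print("target SIL for the SIF:", target_sil(0.1, 2e-4))
    # Constructed device data: lambda_DU = 2e-6 /h, annual proof test (8760 h).
    pfd = pfd_avg_1oo1(2e-6, 8760)
    print("PFDavg = %.4g, RRF = %.0f, achieved band = SIL %s"
          % (pfd, risk_reduction_factor(pfd), sil_band(pfd)))
    print("SFF = %.2f" % safe_failure_fraction(3e-6, 5e-6, 2e-6))
```

Note that `target_sil` and `sil_band` answer different questions: the first says what the SIF must deliver, the second says which band a claimed PFD or PFH actually falls in; a `None` from the first means the risk reduction is out of reach for any SIF, while a `None` from the second only means the device is better than the SIL 4 floor and is still capped at SIL 4. The hardware figure alone does not establish the SIL; the systematic-integrity requirements must be met as well.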
Hazards of a control system must be identified and then analysed through risk analysis. Mitigation of these risks continues until their overall contribution to the hazard is considered acceptable. The tolerable level of these risks is specified as a safety requirement in the form of a target 'probability of a dangerous failure' in a given period of time, stated as a discrete SIL.
Certification schemes, such as the CASS Scheme (Conformity Assessment of Safety-related Systems), are used to establish whether a device meets a particular SIL. [4] Third parties that can provide certification are CSA Group Testing (previously known as SIRA), TÜV, and Exida, among others. Self-certification is also possible. The requirements of these schemes can be met either by establishing a rigorous development process, or by establishing that the device has sufficient operating history to argue that it has been proven in use. Certification is achieved by proving the functional safety capability (FSC) of the organization, usually by assessment of its functional safety management (FSM) program, and by assessment of the design and life-cycle activities of the product to be certified, which is conducted based on specifications, design documents, test specifications and results, failure rate predictions, FMEAs, etc. [5]
Electric and electronic devices can be certified for use in functional safety applications according to IEC 61508. There are a number of application-specific standards based on or adapted from IEC 61508, such as IEC 61511 for the process industry sector. This standard is used in the petrochemical and hazardous chemical industries, among others. [5]
The following standards use SIL as a measure of reliability and/or risk reduction.
Safety engineering is an engineering discipline which assures that engineered systems provide acceptable levels of safety. It is strongly related to industrial engineering/systems engineering, and the subset system safety engineering. Safety engineering assures that a life-critical system behaves as needed, even when components fail.
A safety-critical system or life-critical system is a system whose failure or malfunction may result in one of the following outcomes:
Fieldbus Foundation was an organization dedicated to a single international, interoperable fieldbus standard. It was established in September 1994 by a merger of WorldFIP North America and the Interoperable Systems Project (ISP). Fieldbus Foundation was a not-for-profit trade consortium that consisted of more than 350 of the world's suppliers and end users of process control and manufacturing automation products. Working together those companies made contributions to the IEC/ISA/FDI and other fieldbus standards development.
IEC 61508 is an international standard published by the International Electrotechnical Commission (IEC) consisting of methods on how to apply, design, deploy and maintain automatic protection systems called safety-related systems. It is titled Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems.
IEC standard 61511 is a technical standard which sets out practices in the engineering of systems that ensure the safety of an industrial process through the use of instrumentation. Such systems are referred to as Safety Instrumented Systems. The title of the standard is "Functional safety - Safety instrumented systems for the process industry sector".
Software safety is an engineering discipline that aims to ensure that software used in safety-related systems does not contribute to any hazards such a system might pose. There are numerous standards that govern how safety-related software should be developed and assured in various domains. Most of them classify software according to its criticality and propose techniques and measures that should be employed during development and assurance:
In functional safety a safety instrumented system (SIS) is an engineered set of hardware and software controls which provides a protection layer that shuts down a chemical, nuclear, electrical, or mechanical system, or part of it, if a hazardous condition is detected.
Standardization in oil industry seeks to promote a better standardization within the oil and energy industry. It promotes this objective by highlighting areas where standardization has worked well, where it has not, and why. This provokes discussions for better standardization. The overall purpose of the document is to issue a guideline on the application of IEC 61508 and IEC 61511 in the Norwegian Petroleum Industry, and thereby simplify the use of the standards.
A high-integrity pressure protection system (HIPPS) is a type of safety instrumented system (SIS) designed to prevent over-pressurization of a plant, such as a chemical plant or oil refinery. The HIPPS will shut off the source of the high pressure before the design pressure of the system is exceeded, thus preventing loss of containment through rupture (explosion) of a line or vessel. Therefore, a HIPPS is considered as a barrier between a high-pressure and a low-pressure section of an installation.
Spurious trip level (STL) is defined as a discrete level for specifying the spurious trip requirements of safety functions to be allocated to safety systems. An STL of 1 means that the safety function has the highest rate of spurious trips. The higher the STL, the lower the number of spurious trips caused by the safety system. There is no limit to the number of spurious trip levels.
Functional safety is the part of the overall safety of a system or piece of equipment that depends on automatic protection operating correctly in response to its inputs or failure in a predictable manner (fail-safe). The automatic protection system should be designed to properly handle likely systematic errors, hardware failures and operational/environmental stress.
ISO 26262, titled "Road vehicles – Functional safety", is an international standard for functional safety of electrical and/or electronic systems that are installed in serial production road vehicles, defined by the International Organization for Standardization (ISO) in 2011, and revised in 2018.
Parasoft C/C++test is an integrated set of tools for testing C and C++ source code that software developers use to analyze, test, find defects, and measure the quality and security of their applications. It supports software development practices that are part of development testing, including static code analysis, dynamic code analysis, unit test case generation and execution, code coverage analysis, regression testing, runtime error detection, requirements traceability, and code review. It's a commercial tool that supports operation on Linux, Windows, and Solaris platforms as well as support for on-target embedded testing and cross compilers.
ISO 13849 is a safety standard which applies to parts of machinery control systems that are assigned to providing safety functions. The standard is one of a group of sector-specific functional safety standards that were created to tailor the generic system reliability approaches, e.g., IEC 61508, MIL-HDBK-217, MIL-HDBK-338, to the needs of a particular sector. ISO 13849 is simplified for use in the machinery sector.
IEC/EN 62061, "Safety of machinery: Functional safety of electrical, electronic and programmable electronic control systems", is the machinery-specific implementation of IEC/EN 61508. It provides requirements that are applicable to the system-level design of all types of machinery safety-related electrical control systems and also to the design of non-complex subsystems or devices.
Automotive Safety Integrity Level (ASIL) is a risk classification scheme defined by the ISO 26262 - Functional Safety for Road Vehicles standard. It is an adaptation of the Safety Integrity Level (SIL) used in IEC 61508 to the automotive industry. This classification helps define the safety requirements necessary to be in line with the ISO 26262 standard. The ASIL is established by performing a risk analysis of a potential hazard, looking at the Severity, Exposure and Controllability of the vehicle operating scenario. The safety goal for that hazard in turn carries the ASIL requirements.
Cantata++, commonly referred to as Cantata in newer versions, is a commercial computer program designed for dynamic testing, with a focus on unit testing and integration testing, as well as run time code coverage analysis for C and C++ programs. It is developed and marketed by QA Systems, a multinational company with headquarters in Waiblingen, Germany.
IEC 84.00.07 is a technical report developed by the ISA 84 standards panel. It defines the lifecycle and technical requirements for ensuring effective design of fire and gas detection systems for use in the process industries. The technical report provides a lifecycle for performance based design of fire and gas detection systems, listing out the steps involved in a performance based design and establishing requirements to be implemented for each step. The technical report also defines performance metrics for application to fire and gas detection systems. The performance metrics established in this report for fire and gas system effectiveness include coverage and safety availability.
Failure modes, effects, and diagnostic analysis (FMEDA) is a systematic analysis technique to obtain subsystem / device level failure rates, failure modes and diagnostic capability. The FMEDA technique considers:
Lean air is a gas mixture with an oxygen content lower than 20.95%. Lean air is made from a gas mixture of air with nitrogen or of pure oxygen with nitrogen and is used in several production processes where a product covering with pure nitrogen can be dangerous, undesirable or more expensive. In some production processes the oxygen content is necessary for the reaction process or during storage.