Within the chemical process industries (CPI), the need to design safety systems to prevent process failures from occurring, or to control them when they do, is well recognized, as is the importance of having confidence in the safety systems that are put in place. However, when formalized, the specific terminology, definitions and concepts are sometimes misunderstood, misinterpreted or implemented incorrectly. Provided here is a review of terms and definitions related to determining safety integrity levels (SILs).
Functional safety standards
Functional safety refers to the ability of safety-relevant electronic devices to respond reliably and verifiably to signals that they receive. Industry experts have addressed functional safety and formalized an approach for reducing risk in process plants through the development of industry consensus standards. Those most relevant for the CPI include IEC 61508, IEC 61511, and ANSI/ISA 84, developed by the International Electrotechnical Commission (IEC; Geneva, Switzerland; www.iec.ch) and the International Society of Automation (Research Triangle Park, N.C.; www.isa.org). IEC says the aim of functional safety is to reduce safety risks to tolerable levels and reduce the negative impacts of safety failures. The standards mentioned here emphasize quantitative risk reduction, lifecycle considerations and general practices, while acknowledging that a system with zero risk is not possible. Functional safety is measured by assessing how likely it is that a particular adverse safety-risk event will occur and how severe it would be (how much harm it could cause).
SIF, SIS and SIL
A safety instrumented function (SIF) refers to the means by which the risk of a particular safety hazard is reduced automatically by the sensors, logic solvers and final elements (for example, safety relief valve) that are used. A safety instrumented system (SIS) is the safety system used to implement a SIF. The safety integrity level (SIL) is a measure of safety system performance, in terms of the probability of failure on demand (PFD). SIL is intended as a shorthand indicator for quantifying the risk-reduction capacity of a safety system. The SIL category of a system is generated by combining the likelihood of a safety failure with the consequences of a failure. There are four discrete integrity levels associated with SIL: SIL 1, SIL 2, SIL 3 and SIL 4. The higher the SIL level, the higher the associated safety level, and the lower probability that a system will fail to perform properly. As the SIL increases, typically the installation and maintenance costs increase, as does the complexity of the system.
To determine SIL categories, a risk matrix is constructed that matches likelihood of occurrence against the consequences of the event. The likelihood ranges from frequent to incredible, and the consequences range from negligible consequences to catastrophic. The four SIL categories are shown in Tables 1 and 2. For systems that operate intermittently, PFD is used, while probability of failure per hour (PFH) is used for continuously operating systems.
End-user responsibility
A SIL rating applies to SIFs and SISs, and is not assigned to individual products or components. Rather, products and components are said to be suitable for use within a given SIL environment. The end user of the sensors, logic solvers and final elements are responsible for implementing the safety system correctly, so that it achieves the risk reduction that is sought. Having components that are suitable for SIL 3, for example, does not, on its own, ensure that the system will achieve SIL 3.
Risk tolerance is subjective and site-specific. Each owner/operator needs to determine the acceptable level of risk to personnel and capital assets based on company philosophy, insurance requirements, budgets, and a variety of other factors. A risk level that one owner determines is tolerable may be unacceptable to another owner.
When determining which SIL is needed for a given system, the first step is often conducting a process hazard analysis (PHA). This will assist in determining the functional safety need and in identifying the tolerable risk level. The degree of risk reduction and mitigation due to the basic process control system (BPCS) and other layers of protection are taken into account. Then, plant operators compare the residual risk against their risk tolerance. If the risk level remains unacceptably high, a risk-reduction factor (RRF) is determined and a SIS/SIL requirement is calculated (RRF is the inverse of the PFD for the SIF/SIS).
References
1. McIntyre, C. and Hedrick, N., Managing SIS Process Measurement Risk and Cost, Chem. Eng., August 2016, pp. 51–57.
2. Klein, M., The Value of Safety Instrumented Systems, Chem. Eng., March 2019, pp. 50–51.
3. International Electrotechnical Commission (IEC), Functional Safety, IEC Brochure, IEC, Geneva, Switzerland, www.iec.ch, 2015.
4. General Monitors Inc., SIL Information, published at: www.gmigasandflame.com/sil_info_101.html, 2008.
5. Pierce, S., United Electric Controls, Introduction to Safety Instrumented Systems, Webinar Slides, 2014.