SILs explained
01 March 2008

It's clearly important to determine the safety functions that we want an automatic electrical, electronic or programmable electronic safety-related system to perform - but what about the safety integrity level (SIL)? What does it really mean? How is it arrived at? And what are the implications for plant engineers?

First, some background: during the last 25 years, there have been a number of initiatives worldwide aimed at developing standards and guidelines for the safe use of electronic safety-related systems in industrial applications, culminating in the IEC 61508 family of standards. Central to these is the concept of functional safety - essentially the safety actions to be delivered by the system or equipment. For example, over-temperature protection on an electric motor might be provided by a thermal sensor in its windings, which de-energises the motor before it overheats.

Consequences of failure
But that's just part of the story: what we're trying to do is achieve a tolerable risk for the application via that safety function. So we need first to identify fully the nature and consequences of the hazardous events, so we can define what adequate protection looks like. In short, we need a safety requirements spec for the electronic safety-related system.

And that, in turn, requires two key pieces of information: the safety functions to be performed and their safety performance - the extent to which we need to depend on the system working to achieve the tolerable risk. That safety performance is the safety integrity, and the higher the level (SIL), the lower the rate of dangerous failures allowed.

Hence, the safety functions must first be determined from a hazard analysis, but then, to meet the tolerable risk for any specified hazardous events, a SIL commensurate with the risk reduction required has to be determined from a risk assessment. You can't have one without the other.

So far so good, but exploring it a little, we find that IEC 61508 distinguishes two categories of failure: random hardware failures and systematic failures. Random hardware failures arise from degradation mechanisms and - while it's difficult to determine exactly when such an event will occur - it is possible to predict the failure rate. With systematic failures, on the other hand, it is not so easy to model or predict failure rates, particularly for electronic systems that are programmable.

Why? Because we're talking about a range of potential systematic failures, including: errors in the safety specification, errors in the software, failures arising from electromagnetic interference due to inadequate immunity, errors during maintenance, and errors arising from human factors. So packages of generally qualitative measures are used - with increasing rigour, the higher the SIL.

So IEC 61508 sets four SILs: SIL 1 allows the highest dangerous failure rate (for the lowest-risk applications) and SIL 4 the lowest (for the most potentially dangerous). Making that work, each SIL is linked to a target failure band. For a safety function operating in high-demand or continuous mode the measure is the average frequency of dangerous failure per hour, and the SIL 1 band is at least 10^-6 but less than 10^-5 dangerous failures per hour, each higher SIL tightening that by a factor of ten. For a function operating in low-demand mode (called on no more than about once a year) the measure is instead the average probability of dangerous failure on demand, and the SIL 1 band is 10^-2 to 10^-1. Note that a target that lands exactly on the upper limit of a band falls into the next band down, so a calculated target needs some margin.
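The following is an added worked example, not code from the original article or from the IEC standard itself. It encodes the IEC 61508-1 target failure bands for both demand modes, classifies a given failure measure into a SIL, and derives the SIL a single safety function needs from the hazard frequency with no protection and the tolerable frequency from the risk assessment (the risk-reduction step described in the paragraphs above). The function names, the SilTarget record and the plant figures in the demo are assumptions constructed for illustration; the band limits and the demand-mode rule (demands no more than once a year is low-demand mode) are taken from IEC 61508.

```python
"""Added worked example (not from the original article): mapping a target
failure measure to an IEC 61508 SIL band, and deriving the band a safety
function needs from the risk reduction the hazard analysis calls for.

Band limits are the IEC 61508-1 target failure measures: average
probability of dangerous failure on demand (PFDavg) for low-demand mode,
and average frequency of dangerous failure per hour (PFH) for high-demand
or continuous mode. Plant figures used in the demo are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

HOURS_PER_YEAR = 8760

# (SIL, lower bound inclusive, upper bound exclusive). A value that sits
# exactly on an upper bound belongs to the next band down: a target of
# 1e-3 PFDavg is SIL 2, not SIL 3, so a calculated target needs margin.
PFD_BANDS: List[Tuple[int, float, float]] = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]
PFH_BANDS: List[Tuple[int, float, float]] = [
    (4, 1e-9, 1e-8),
    (3, 1e-8, 1e-7),
    (2, 1e-7, 1e-6),
    (1, 1e-6, 1e-5),
]


def _band(value: float, bands: List[Tuple[int, float, float]]) -> Optional[int]:
    """Return the SIL whose band contains value, or None if outside SIL 1-4."""
    if not value > 0:
        raise ValueError("failure measure must be positive")
    for sil, lo, hi in bands:
        if lo <= value < hi:
            return sil
    # Worse than SIL 1 (not a safety function) or better than SIL 4 (out of scope).
    return None


def sil_from_pfd(pfd_avg: float) -> Optional[int]:
    """Low-demand mode: classify an average probability of failure on demand."""
    return _band(pfd_avg, PFD_BANDS)


def sil_from_pfh(pfh: float) -> Optional[int]:
    """High-demand/continuous mode: classify a dangerous failure frequency per hour."""
    return _band(pfh, PFH_BANDS)


@dataclass
class SilTarget:               # hypothetical record type for this example
    mode: str                  # "low demand" or "high demand"
    rrf: float                 # risk reduction factor the function must deliver
    target: float              # PFDavg (low demand) or PFH per hour (high demand)
    sil: Optional[int]


def sil_target(demand_rate_per_year: float,
               tolerable_hazard_rate_per_year: float) -> SilTarget:
    """Derive the SIL one safety function needs, given the frequency of the
    hazardous event with no protection (the demand rate on the function) and
    the tolerable frequency from the risk assessment.

    Mode selection follows IEC 61508: demands no more than once a year is
    low-demand mode; more frequent demands are high-demand mode.
    """
    if demand_rate_per_year <= 0 or tolerable_hazard_rate_per_year <= 0:
        raise ValueError("rates must be positive")
    rrf = demand_rate_per_year / tolerable_hazard_rate_per_year
    if rrf <= 1:
        raise ValueError("risk is already tolerable; no risk reduction needed")
    if demand_rate_per_year <= 1.0:
        # The hazard occurs only when a demand meets a failed function, so the
        # function may fail on no more than 1/RRF of demands.
        pfd = tolerable_hazard_rate_per_year / demand_rate_per_year
        return SilTarget("low demand", rrf, pfd, sil_from_pfd(pfd))
    # With frequent demands a dangerous failure leads to the hazard almost at
    # once, so the function's own dangerous failure rate (per hour) must not
    # exceed the tolerable hazard rate.
    pfh = tolerable_hazard_rate_per_year / HOURS_PER_YEAR
    return SilTarget("high demand", rrf, pfh, sil_from_pfh(pfh))


if __name__ == "__main__":
    # Constructed figures: an overpressure once in two years with no trip,
    # against a tolerable frequency of 1e-4 per year from the risk assessment.
    t = sil_target(0.5, 1e-4)
    print(f"{t.mode}: RRF {t.rrf:.0f}, target PFDavg {t.target:.1e}, SIL {t.sil}")
    # Same tolerable frequency, but a motor overload demanded 20 times a year.
    t = sil_target(20, 1e-4)
    print(f"{t.mode}: RRF {t.rrf:.0f}, target PFH {t.target:.1e}/h, SIL {t.sil}")
```

Both demo cases come out at SIL 3, but by different routes: the low-demand case needs a PFDavg of 2e-4, while the high-demand case needs a dangerous failure rate below about 1.1e-8 per hour. Swapping the demand-rate figures between the two cases would change the mode and the band, which is why the demand rate has to be established before the SIL is fixed.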

So it's the SIL of the safety functions to be carried out that determines the measures needed to make the design of your safety-related system robust enough. In other words, the SIL captures the reliability you need from the safety system to meet your quantified target failure rate, and that SIL in turn drives the system design measures, covering both the hardware failure targets and the measures against systematic failure.

In short, determining the SIL is of fundamental importance to achieving the safety protection level of all electronic safety-related systems.

Points
- Key standards for safety-related systems include: IEC 61508, parts 0-7; IEC 61511, parts 1-3 (process industry sector); IEC 62061 (safety of machinery, functional safety of safety-related electrical, electronic and programmable electronic control systems); and IEC 61800-5-2 (adjustable speed electrical power drive systems, part 5-2: functional safety requirements)
- The IEC website covering functional safety: www.iec.ch/functionalsafety provides information on functional safety and IEC 61508, FAQs on IEC 61508 and a preview of IEC 61508

SOE

This material is protected by MA Business copyright