Safety Integrity Level (SIL) is a discrete level (out of a possible four) used to define the integrity of a specific Safety Instrumented Function (SIF) allocated to an Electric/Electronic/Programmable Electronic (E/E/PE) safety-related system.
The higher the SIL, the higher the integrity of the safety function and vice versa. SIL is one of the integral concepts of the functional safety discipline of engineering.
It is important to note that SIL is not a property of a system, subsystem, element or component. SIL is only applicable to a specific safety function, and when referring to systems, subsystems or components, it is more appropriate to say that they are capable of supporting or being part of a safety function with a SIL up to n.
It is also important to note that SIL only applies to safety functions which include E/E/PE components. SIL is not a term that can be applied to, for example, safety functions that only use purely mechanical components, such as pressure relief devices; for such functions, it would be appropriate to say they provide a risk reduction equivalent to a SIF with SIL up to n.
Since it was first introduced to industry (during the late 1990s) the framework of functional safety and the concept of SIL (or equivalent ones) have become widely applied in different sectors, including the process industries, railways, machinery, etc.
Functional safety, through the concept of Safety Integrity Level, allows defining the design, performance and maintenance requirements of E/E/PE safety functions, as well as providing the framework for managing them during the function's lifecycle. These requirements are related to the hardware reliability of the SIF's components, the potential need for redundancies, and the avoidance of systematic failures during all stages of the lifecycle (design, installation, operation & maintenance, decommissioning, etc.).
There are many concepts that are necessary to understand what SIL really is beyond its specific definition. This insight explains these key terms related to SIL, focusing on applications for the process industry.
Functional safety standards
Functional safety started emerging formally as a discipline during the 1980s and 1990s. It was finally formalised when, in 1998, the first international standard for functional safety was published by the International Electrotechnical Commission (IEC); this was IEC 61508 - Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems (E/E/PE, or E/E/PES), which introduced and clarified key concepts such as the overall safety lifecycle, systematic safety integrity and SIL.
IEC 61508 is a basic standard which is applicable to all industries. Several other standards have been published under the umbrella of IEC 61508 serving as guidelines for the application of functional safety to specific sectors. Some of these are:
IEC 61511: Functional safety - Safety instrumented systems for the process industry sector;
When referring specifically to the process industries, both IEC 61508 and IEC 61511 are relevant, depending on the stage of the safety lifecycle being addressed and the activity of the organization (manufacturer, operator, assembler, etc.).
Safety is defined in IEC 61508 as freedom from unacceptable risk. This can be understood as meaning that, although there is always some risk associated with an activity, there is a quantifiable point at which such risk becomes unacceptable.
Ensuring that the risk associated with a specific activity is within the acceptable level is the role of the overall safety discipline. There are many different types of risk associated with industrial activities, for which different safety sub-disciplines have been developed; these include Occupational Health and Safety, Process Safety, Human Factors or Ergonomics, and also, among others, Functional Safety.
Functional safety is then, according to IEC 61508, the part of overall safety that relates to Equipment Under Control (EUC) and the EUC control system that depends on the correct functioning of the E/E/PE safety-related systems and other risk reduction measures.
The concepts of SIL and SIF exist within the framework of functional safety defined in IEC 61508 and its family of standards.
Safety Instrumented Function (SIF)
A SIF is a function implemented by an E/E/PE safety-related system or, for the process industry, a Safety Instrumented System (SIS), which is basically a system used to implement one or more SIFs. A SIF is typically composed of input device(s), logic solver(s) and final element(s), although this is not always necessarily the case.
The purpose of a SIF is to prevent the ultimate consequences of a hazardous event from manifesting and to, in combination with other risk reduction measures, ensure the risk associated with a specific scenario is within the acceptable risk level, or as close to it as possible.
A process plant normally has multiple safety functions that stop the process in case a potentially hazardous variable value is detected. A fundamental part of the functional safety framework is to evaluate if these safety functions require a specific Safety Integrity Level (SIL) to ensure safety or freedom from unacceptable risk. When it is identified that one function requires SIL, then it should be designed according to the requirements of the safety lifecycle as defined in IEC 61508 or IEC 61511 in the specific case of the process industries.
Architecture of a SIF
SIFs are typically composed of a combination of the following components:
Input device or sensor: a device that continuously measures a process variable and relays the information to the logic solver. Common sensors in the process industry are pressure, temperature or flow transmitters.
Logic solver: a component that processes the information received from the input device and initiates a decision based on a predefined logic. If the information from the input device is interpreted to have reached the set value, then a signal will be sent to activate the final element(s).
Final element: these are the devices responsible for executing the necessary actions to bring the Equipment Under Control to a safe state. In the process industries, they normally include valves, actuators, relays, switches, and other mechanisms that physically interact with the process.
SIL is only a property of a complete SIF and does not apply to each of its individual components. A SIF component can be SIL n capable, i.e. it can be used in a SIF of SIL up to n.
Safety Instrumented System (SIS)
Depending on the size of an operation, it can have from a few SIFs to a large number of them; complex process plants can have hundreds of SIFs. The system that implements the SIFs is referred to as the Safety Instrumented System (SIS); it must be noted that a complex process plant can have several SISs implementing a variety of SIFs.
The SIS operates independently from the Basic Process Control System (BPCS) and the focus of its design, operation, and maintenance is on ensuring safety for those potential scenarios that require a safety function with a high Safety Integrity Level (SIL).
Allocation of SIL requirements
A SIF is allocated a SIL requirement based on a risk-based or, in some specific cases, a prescriptive approach. A risk-based approach is normally performed using a Layers of Protection Analysis (LOPA) technique, Risk Graph, or other suitable methods such as Fault Tree Analysis (FTA) following a Hazard and Risk Assessment (H&RA) normally performed by using a Process Hazard Analysis (PHA) technique, such as Hazard and Operability (HAZOP) analysis.
A risk-based approach evaluates the performance required of a SIF in order to meet pre-defined risk acceptance or tolerability criteria, also crediting other non-instrumented risk reduction measures and conditional frequency modifiers.
During the process design phase, and before any SIL is allocated, it is important to evaluate if an inherently safer alternative is feasible to reduce a hazard by applying Inherently Safer Design (ISD) principles, which means, in a nutshell, to avoid, eliminate or fundamentally reduce a hazard, rather than trying to control it.
A high SIL requirement may result in significant challenges during the design and verification process, as well as increased maintenance and testing requirements during the operational phase of an asset. It also means that there is a high risk associated with a specific scenario, requiring a very high integrity or risk reduction factor for safety to be achieved.
SIFs can operate in different demand modes, which in IEC 61511 are defined as:
Low demand mode: mode of operation in which the SIF is only performed on demand, in order to transfer the process into a specified safe state, and where the frequency of demands is no greater than one per year.
High demand mode: mode of operation where the SIF is only performed on demand and where the frequency of demands is greater than one per year.
Continuous mode: mode of operation where the SIF retains the process in a safe state as part of normal operation.
The vast majority of SIFs in the process industry operate in low-demand mode and a deviation from this operating mode is sometimes indicative of a more significant issue with the control system.
Safety Integrity Level (SIL) is a measure of how "good" a SIF will be at ensuring safety for a specific scenario. In order to define whether a SIF achieves the required SIL, two main subjects are explored:
Hardware safety integrity: which deals with the probability of the SIF successfully acting on a demand. This is further divided into two subjects:
Quantification of random hardware failures: dealing with the calculation of the Probability of Failure on Demand or Per Hour (PFD and PFH respectively) to meet a target failure probability defined during the allocation process. SIL has a direct correlation to PFD or PFH, which can also be expressed as the Risk Reduction Factor (RRF), which is the inverse of PFD or PFH. Care must be exercised, however, as achieving the random hardware failure requirements does not mean that the required SIL has been achieved.
Ensuring the SIF achieves architectural constraints requirements: this means allowing for sufficient redundancy in the different components of the SIF to achieve the requirements of IEC 61508 or IEC 61511. The higher the SIL, the more redundancy is required, although this can vary depending on the demonstrable quality of the components.
Systematic safety integrity: which deals with the avoidance of systematic failures during the whole lifecycle of the SIF and its components, including software.
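As an added worked example (not from the original article), the allocation and verification flow described above in Python: a LOPA-style calculation of the risk reduction a SIF must provide after crediting other layers and conditional modifiers, the IEC 61511 demand-mode split, and a simplified PFDavg check against the IEC 61508 SIL bands. The band limits and the 1oo1/1oo2 PFDavg approximations are standard figures from IEC 61508 rather than quoted on this page; all scenario frequencies, failure rates and the common-cause beta factor are constructed sample values.

```python
"""Worked SIL example with constructed numbers: LOPA allocation, demand mode, PFDavg verification, SIL band."""
import math

# Target failure measure bands from IEC 61508-1 (not quoted on this page): (SIL, low, high)
PFD_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]  # low demand
PFH_BANDS = [(4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5)]  # high/continuous

def demand_mode(demands_per_year):
    """IEC 61511 split: at most one demand per year is low demand (PFD applies), else high demand (PFH)."""
    return "low" if demands_per_year <= 1 else "high"

def sil_band(measure, mode="low"):
    """Map an achieved PFDavg or PFH to its SIL band; 0 means outside every band (no SIL claimable)."""
    for sil, low, high in (PFD_BANDS if mode == "low" else PFH_BANDS):
        if low <= measure < high:
            return sil
    return 0

def lopa_required_rrf(initiating_freq, tolerable_freq, ipl_pfds=(), modifiers=()):
    """Risk reduction the SIF must provide after crediting non-instrumented IPLs (e.g. a relief
    device) and conditional modifiers (e.g. ignition probability). A result <= 1 means no SIF is needed."""
    mitigated = initiating_freq * math.prod(ipl_pfds) * math.prod(modifiers)
    return mitigated / tolerable_freq

def pfd_avg(lambda_du, ti_hours, voting="1oo1", beta=0.0):
    """Simplified IEC 61508-6 style PFDavg (assumption: repair time neglected).
    lambda_du: dangerous undetected failure rate per hour; ti_hours: proof-test interval."""
    x = lambda_du * ti_hours
    if voting == "1oo1":
        return x / 2
    if voting == "1oo2":  # independent pair plus beta-factor common-cause term
        return ((1 - beta) * x) ** 2 / 3 + beta * x / 2
    raise ValueError(f"unsupported voting {voting!r}")

def verify_sif(lambda_du, ti_hours, voting, required_rrf, beta=0.0):
    """Compare achieved random-hardware PFDavg with the allocated requirement. hardware_ok alone does
    NOT mean the SIL is achieved: architectural constraints (HFT) and systematic integrity remain."""
    pfd = pfd_avg(lambda_du, ti_hours, voting, beta)
    return {"pfd": pfd, "rrf": 1 / pfd, "achieved_sil": sil_band(pfd),
            "required_sil": sil_band(1 / required_rrf), "hardware_ok": 1 / pfd >= required_rrf}

if __name__ == "__main__":
    # Constructed scenario: 1 initiating event/yr, relief valve PFD 0.01, ignition 0.5, occupancy 0.3,
    # tolerable frequency 1e-5/yr -> the SIF must supply RRF 150 (PFD target 6.7e-3, a SIL 2 band).
    rrf = lopa_required_rrf(1.0, 1e-5, ipl_pfds=(0.01,), modifiers=(0.5, 0.3))
    print("demand mode:", demand_mode(1.0), "| required RRF:", round(rrf))
    print("1oo1 sensor, yearly proof test:", verify_sif(5e-7, 8760, "1oo1", rrf))
    print("1oo2 sensors, beta 0.1:", verify_sif(5e-7, 8760, "1oo2", rrf, beta=0.1))
```

Note how the 1oo2 result is dominated by the common-cause term once beta is non-zero, which is why redundancy alone does not buy the SIL that the independent-failure arithmetic suggests.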
How to interpret the different SILs and what do they correspond to?
SIL 1 represents the lowest level of risk reduction factor within this framework. Safety systems designed, operated and maintained to be SIL 1 capable are typically used in processes or applications where the risk is relatively low and the consequences of a failure are not severe, or where there are other risk reduction measures with high reliability (such as appropriately sized mechanical relief devices). These may have fewer redundancies and less rigorous testing compared to a safety system designed to achieve higher SIL levels.
SIL 2 indicates a moderate level of risk reduction. A safety system that enacts SIL 2 SIFs provides a further order of magnitude of risk reduction for some specific scenarios. SIL 2 may require higher levels of redundancy to ensure higher Hardware Fault Tolerance (HFT), and more rigorous testing compared to systems enacting SIL 1 SIFs.
SIL 3 signifies a substantial level of risk reduction. Safety systems designed for SIL 3 capability are subject to even stricter requirements, including more redundancy, rigorous testing, and fault tolerance. These systems are intended for use in processes or applications where a failure could lead to catastrophic consequences and where other risk reduction measures may not exist, or may not be considered very reliable. SIL 3 SIFs are very uncommon in the process industries.
SIL 4 capable systems are very rare and are usually reserved for the most critical and hazardous industrial processes. Industries such as nuclear power generation and certain segments of aerospace and defense may utilize SIL 4 capable systems; however, the requirements to achieve SIL 4 are so strict that they are virtually unattainable in the common process industries. If a SIL 4 requirement is identified for a normal process application, then it can almost certainly be said that there is a design issue or a problem with the SIL allocation methodology followed.
In summary, Safety Integrity Levels (SIL) are a measure of the reliability of a safety function enacted by an E/E/PE system. This reliability is measured in terms of the hardware reliability of the components of the SIF and its redundancies, but also in terms of the avoidance of systematic failures that could be introduced due to failures in management, software programming, or manufacturing, amongst many others.
SIL is a concept enshrined in the framework defined by the functional safety standards, of which IEC 61508 is the basic standard applicable to all industries, and IEC 61511 is applicable to the process industries; there are however, many more industry and application-specific standards.
Functional safety and Safety Integrity Levels are integral to achieving overall safety, but they are not the only strategy, and should always be applied in consonance with the overall safety strategy in order to achieve the best possible results.