The global importance of Safety Integrity Levels (SIL) has grown substantially in the process industries over the years. However, SIL is still a somewhat ambiguous concept that is often misinterpreted and incorrectly implemented. In order to fully understand SIL and its implications, it is important to grasp the overarching concept known as Functional Safety, and how it applies to Safety Instrumented Systems (SIS) within the process industries.


What is Functional Safety?

Functional Safety, as defined by IEC standard 61508, is the safety that control systems provide to an overall process or plant. Functional Safety is not only about designing systems that do not fail; it also implements control measures to prevent failures, or to control them when they occur.

Previous safety standards were generally prescriptive in nature, not performance based. An emphasis on quantitative risk reduction, life-cycle considerations, and general practices makes these standards different from their predecessors.

Functional Safety is a term used to describe the safety system that is dependent on the correct functioning of the logic solver, sensors, and final elements to achieve a desired risk reduction level. Functional Safety is achieved when every safety function is successfully carried out and the process risk is reduced to the desired level.


What is a Safety Instrumented System (SIS)?

A Safety Instrumented System is designed to prevent or mitigate hazardous events by taking a process to a safe state when predetermined conditions are violated. Other common terms used are safety interlock systems, emergency shutdown systems (ESD), and safety shutdown systems (SSD).

Each SIS has one or more Safety Instrumented Functions (SIF). Every SIF within a SIS will have a SIL level. These SIL levels may be the same, or may differ, depending on the process. It is a common misconception that an entire system must have the same SIL level for each safety function.


The Meaning of Safety Integrity Level (SIL)

SIL stands for Safety Integrity Level. A SIL is a measure of safety system performance, in terms of probability of failure on demand (PFD), i.e. a 1-in-10,000 chance of failing when called upon. There are four discrete integrity levels associated with SIL: SIL 1, SIL 2, SIL 3, and SIL 4. The higher the SIL level, the higher the associated safety level, and the lower the probability that a system will fail to perform properly.

As the SIL level increases, typically the installation and maintenance costs and complexity of the system also increase. Specifically for the process industries, SIL 4 systems are so complex and costly that they are not economically beneficial to implement.


It is a very common misconception that individual products or components have SIL ratings. Rather, products and components are suitable for use within a given SIL environment but are not individually SIL rated. The equipment or system must be used in the way it was intended in order to successfully obtain the desired risk reduction level. Just buying SIL 2 or SIL 3 suitable components does not ensure a SIL 2 or SIL 3 system.


Risk Management and Selecting a SIS or SIL Level

The identification of risk tolerance is subjective and site-specific. The owner/operator must determine the acceptable level of risk to personnel and capital assets based on company philosophy, insurance requirements, budgets, and a variety of other factors. A risk level that one owner determines is tolerable may be unacceptable to another owner.


When determining whether a SIL 1, SIL 2, or SIL 3 system is needed, the first step is to conduct a Process Hazard Analysis to determine the functional safety need and identify the tolerable risk level. After all of the risk reduction and mitigation impacts from the Basic Process Control System (BPCS) and other layers of protection are taken into account, a user must compare the residual risk against their risk tolerance.

If there is still an unacceptably high level of risk, a risk reduction factor (RRF) is determined and a SIS / SIL requirement is calculated. The RRF is the inverse of the Probability of Failure on Demand for the SIF / SIS.


Selecting the appropriate SIL level must be done carefully. Costs increase considerably to achieve higher SIS / SIL levels. Typically in the process industry, companies accept SIS designs up to SIL 2. If a Process Hazard Analysis indicates a requirement for a SIL 3 SIS, owners will usually require the engineering company to re-design the process to lower the intrinsic process risk.


What does it mean?

Since not everybody is a maths whiz and knows how to read the table, here is a simpler version. 


No matter the task, there is always potential for something to go wrong. If this risk is deemed too dangerous by the facility owner, an SIS will be implemented in order to reduce this risk to an acceptable level.


If this risk has a 1% (1/100) chance of occurring without additional controls, a SIL 1 level design will reduce it to between a 0.1% and 0.01% (1/1000 and 1/10,000) chance. A SIL 2 design will reduce it to between a 0.01% and 0.001% (1/10,000 and 1/100,000) chance. Whether a SIL 1 or SIL 2 level design is implemented will depend on the facility owner (and their workers) evaluating the risk chance.


Consider the installation of a pressure vessel containing flammable liquid. It is maintained at a design operating pressure by the BPCS. If the process control system fails, the vessel will be subjected to an over-pressure condition that could result in a vessel failure, release of the flammable contents and even fire or explosion. That is our hypothetical 1% risk.


The SIS system will be independent from the BPCS and will act to prevent or mitigate the hazardous condition resulting from pressure vessel over-pressure. The SIS will have an SIF which might include a pressure transmitter which can sense when an intolerable level of pressure has been reached, a logic solver to control the system logic, and a solenoid valve which might vent the contents of the vessel into a safe location (flare stack, environment, storage tank, etc.), thus bringing the pressure vessel to a safe state.

This reduces the risk, and how effectively it does so determines our SIL. If it reduces the probability of failure on demand to a value between 0.1% and 0.01%, it is a SIL 1 level design. If it reduces it to a value between 0.01% and 0.001%, it is a SIL 2 level design.
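As an added example (not from the original article), the RRF and SIL arithmetic from the risk-reduction paragraph above, applied to the over-pressure SIF just described. It assumes the IEC 61508 low-demand-mode PFD bands and the standard's simplified 1oo1 equation PFD_avg ≈ λ_DU · TI / 2; the component failure rates, proof test interval and event frequencies are constructed values, not real product data.

```python
"""Simplified SIL arithmetic for a low-demand SIF (added example).

Assumptions: SIL bands are the IEC 61508 low-demand PFD bands
(SIL 1: 1e-2 <= PFD < 1e-1, one decade lower per level), and a single
(1oo1) channel's average PFD is approximated by lambda_DU * TI / 2.
All failure rates and frequencies below are constructed sample values.
"""

# SIL -> (lower PFD bound, inclusive; upper PFD bound, exclusive)
SIL_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}


def rrf(pfd: float) -> float:
    """Risk reduction factor: the inverse of the probability of failure on demand."""
    return 1.0 / pfd


def sil_from_pfd(pfd: float) -> int:
    """Map an average PFD to its SIL band; 0 means the PFD is too high for SIL 1."""
    if pfd < SIL_BANDS[4][0]:
        raise ValueError("PFD below the SIL 4 band; outside the standard's table")
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= pfd < hi:
            return sil
    return 0


def required_sil(unmitigated_freq: float, tolerable_freq: float) -> tuple[float, int]:
    """Compare residual risk with the tolerable frequency (same units, e.g. events
    per year); return the required RRF and the SIL band whose PFD delivers it."""
    if unmitigated_freq <= tolerable_freq:
        return 1.0, 0  # already tolerable: no SIS needed
    needed_rrf = unmitigated_freq / tolerable_freq
    return needed_rrf, sil_from_pfd(1.0 / needed_rrf)


def pfd_1oo1(lambda_du_per_hour: float, proof_test_interval_hours: float) -> float:
    """Simplified 1oo1 equation: dangerous undetected failure rate x half the test interval."""
    return lambda_du_per_hour * proof_test_interval_hours / 2.0


def sif_pfd(subsystem_pfds) -> float:
    """Sensor, logic solver and final element act in series: SIF PFD is roughly their sum."""
    return sum(subsystem_pfds)


def overpressure_example(proof_test_interval_hours: float = 8760.0) -> dict:
    """The article's vessel: 1%/yr unmitigated, constructed tolerable 2e-5/yr; PT + logic solver + SOV."""
    needed_rrf, needed_sil = required_sil(1e-2, 2e-5)
    lambda_du = {"pressure_transmitter": 5e-7, "logic_solver": 1e-7, "solenoid_valve": 1e-6}
    achieved = sif_pfd(pfd_1oo1(l, proof_test_interval_hours) for l in lambda_du.values())
    return {"required_rrf": needed_rrf, "required_sil": needed_sil,
            "achieved_pfd": achieved, "achieved_sil": sil_from_pfd(achieved),
            "meets_requirement": rrf(achieved) >= needed_rrf}
```

With an annual proof test the constructed SIF lands in the SIL 2 band yet still falls short of the required RRF of 500, which is the point made earlier about SIL-suitable components not guaranteeing a SIL-compliant system; shortening the proof test interval to a quarter changes the outcome.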


For further detail, see the MSA Safety blog post about Safety Integrity Level.