Safety Integrity Level
Safety Integrity Level (SIL) is defined as a relative level of risk-reduction provided by a safety function, or to specify a target level of risk reduction. In simple terms, SIL is a measurement of performance required for a Safety Instrumented Function (SIF).
The requirements for a given SIL are not consistent among all of the functional safety standards. In the European Functional Safety standards based on the IEC 61508 standard four SILs are defined, with SIL 4 being the most dependable and SIL 1 being the least. A SIL is determined based on a number of quantitative factors in combination with qualitative factors such as development process and safety life cycle management.
Assignment of SIL is an exercise in risk analysis where the risk associated with a specific hazard, that is intended to be protected against by a SIF, is calculated without the beneficial risk reduction effect of the SIF. That "unmitigated" risk is then compared against a tolerable risk target. The difference between the "unmitigated" risk and the tolerable risk, if the "unmitigated" risk is higher than tolerable, must be addressed through risk reduction of the SIF. This amount of required risk reduction is correlated with the SIL target. In essence, each order of magnitude of risk reduction that is required correlates with an increase in one of the required SIL numbers.
There are several methods used to assign a SIL. These are normally used in combination, and may include:
- Risk Matrices
- Risk Graphs
- Layers Of Protection Analysis (LOPA)
Of the methods presented above, LOPA is by far the most commonly used by large industrial facilities.
The assignment may be tested using both pragmatic and controllability approaches, applying guidance on SIL assignment published by the UK HSE. SIL assignment processes that use the HSE guidance to ratify assignments developed from Risk Matrices have been certified to meet IEC EN 61508
Problems with the use of SIL
There are several problems inherent in the use of Safety Integrity Levels. These can be summarized as follows:
- Poor harmonization of definition across the different standards bodies which utilize SIL
- Process-oriented metrics for derivation of SIL
- Estimation of SIL based on reliability estimates
- System complexity, particularly in software systems, making SIL estimation difficult to impossible
These lead to such erroneous statements as, "This system is a SIL N system because the process adopted during its development was the standard process for the development of a SIL N system", or use of the SIL concept out of context such as, "This is a SIL 3 heat exchanger" or "This software is SIL 2". According to IEC 61508, the SIL concept must be related to the dangerous failure rate of a system, not just its failure rate or the failure rate of a component part, such as the software. Definition of the dangerous failure modes by safety analysis is intrinsic to the proper determination of the failure rate.
SIL is for electrical controls only and does not relate directly to the caT architecture in EN 62061. It appears to be a precursor to PL ratings that are now the new requirements which encompass hydraulic and pneumatic valves.
It is sometimes assumed that the 'S' in SIL refers to software but the failure rate of the software component of a system is merely a contribution to the overall SIL level of the system as a whole.
Advantages for Managers
Because SIL has a simple number scheme to represent its levels (1-4), a high-level understanding of each level is typically all that is necessary to convey SIL at management levels. This saves management from having to understand the technical aspects of SIL, while allowing them to discuss their concerns.
Certification to a Safety Integrity Level
The International Electrotechnical Commission's (IEC) standard IEC 61508, now IEC EN 61508, defines SIL using requirements grouped into two broad categories: hardware safety integrity and systematic safety integrity. A device or system must meet the requirements for both categories to achieve a given SIL.
The SIL requirements for hardware safety integrity are based on a probabilistic analysis of the device.In order to achieve a given SIL, the device must meet targets for the maximum probability of dangerous failure and a minimum Safe Failure Fraction. The concept of 'dangerous failure' must be rigorously defined for the system in question, normally in the form of requirement constraints whose integrity is verified throughout system development. The actual targets required vary depending on the likelihood of a demand, the complexity of the device(s), and types of redundancy used.
PFD (Probability of Failure on Demand) and RRF (Risk Reduction Factor) of low demand operation for different SILs as defined in IEC EN 61508 are as follows:
|1||0.1-0.01||10−1 - 10−2||10-100|
|2||0.01-0.001||10−2 - 10−3||100-1000|
|3||0.001-0.0001||10−3 - 10−4||1000-10,000|
|4||0.0001-0.00001||10−4 - 10−5||10,000-100,000|
For continuous operation, these change to the following. (Probability of Failure per Hour)
|1||0.00001-0.000001||10−5 - 10−6||100,000-1,000,000|
|2||0.000001-0.0000001||10−6 - 10−7||1,000,000-10,000,000|
|3||0.0000001-0.00000001||10−7 - 10−8||10,000,000-100,000,000|
|4||0.00000001-0.000000001||10−8 - 10−9||100,000,000-1,000,000,000|
Hazards of a control system must be identified then analysed through risk analysis. Mitigation of these risks continues until their overall contribution to the hazard are considered acceptable. The tolerable level of these risks is specified as a safety requirement in the form of a target 'probability of a dangerous failure' in a given period of time, stated as a discrete SIL.
Certification schemes are used to establish whether a device meets a particular SIL. The requirements of these schemes can be met either by establishing a rigorous development process, or by establishing that the device has sufficient operating history to argue that it has been proven in use.
Electric and electronic devices can be certified for use in Functional Safety applications according to IEC 61508, providing application developers the evidence required to demonstrate that the application including the device is also compliant. IEC 61511 is an application-specific adaptation of IEC 61508 for the Process Industry sector. This standard is used in the petrochemical and hazardous chemical industries, among others.
SIL in Safety Standards
The following standards use SIL as a measure of reliability and/or risk reduction.
- ANSI/ISA S84 (Functional safety of safety instrumented systems for the process industry sector)
- IEC EN 61508 (Functional safety of electrical/electronic/programmable electronic safety related systems)
- IEC 61511 (Safety instrumented systems for the process industry sector)
- IEC 61513 (Nuclear Industry)
- IEC 62061 (Safety of machinery)
- EN 50128 (Railway applications - Software for railway control and protection)
- EN 50129 (Railway applications - Safety related electronic systems for signalling
- EN 50402 (Fixed gas detection systems)
- ISO 26262 (Automotive industry)
- MISRA, various (Guidelines for safety analysis, modelling, and programming in automotive applications)
- Defence Standard 00-56 Issue 2 - accident consequence
The use of a SIL in specific safety standards may apply different number sequences or definitions to those in IEC EN 61508.
All the major components of HIPPS system shall be SIL-3 Approved.
There is a whole family of C-level standards based more or less on IEC 61508 that also uses SIL, e.g., 62061, 26262.
- M. Charlwood, S Turner and N. Worsell, UK Health and Safety Executive Research Report 216, "A methodology for the assignment of safety integrity levels (SILs) to safety-related control functions implemented by safety-related electrical, electronic and programmable electronic control systems of machines", 2004. ISBN 0-7176-2832-9
- F. Redmill, "Understanding the Use, Misuse, and Abuse of SILs" http://www.csr.ncl.ac.uk/FELIX_Web/3A.SILs.pdf with capture date of 11 October 2010
- CASS Scheme, Conformity Assessment of Safety Systems, http://www.cass.uk.net/
- F. Redmill, "Understanding the Use, Misuse, and Abuse of SILs" http://www.csr.ncl.ac.uk/FELIX_Web/3A.SILs.pdf with capture dates of 9 July 2010 and 11 October 2010
- Marszal, Edward, "Safety Integrity Level Selection - Systematic Methods Including Layer of Protection Analysis", The Instrumentation, Systems, and Automation Society, Research Triangle Park, NC, USA, 2002.
- Mitchell, KJ, Longendelpher, TM, Kuhn, MC, "Safety Instrumented Systems Engineering Handbook", Kenexis, Columbus, OH, USA, 2010.
D. Smith, K. Simpson, "Safety Critical Systems Handbook - A Straightforward Guide to Functional Safety, IEC 61508 (2010 Edition) and Related Standards" (3rd Edition, ISBN 978-0-08-096781-3, 270 Pages).
M. Punch, "Functional Safety for the Mining Industry – An Integrated Approach Using AS(IEC)61508, AS(IEC)62061 and AS4024.1." (1st Edition, ISBN 978-0-9807660-0-4, in A4 paperback, 150 pages). www.marcuspunch.com
- Inside Functional Safety Technical magazine focusing on functional safety
- 61508.org The 61508 Association
- IEC Safety Zone The IEC Functional safety zone
- Functional Safety, A Basic Guide Functional Safety and IEC 61508: A basic guide
- SIL Made Simple - White Paper presented at Valve World 2010
- Safety Integrity Level Manual Pepperl+Fuchs SIL Manual