Abstract
Functional safety is important in the process industry. Safety Instrumented Systems (SIS) are used today to reduce the risks of processes with a high hazard potential for both people and the environment. Choosing the right components for a safety instrumented system is a critical step towards effective risk reduction in industrial applications.
To achieve this, every system component has to meet specific safety requirements in compliance with international standards such as IEC 61508 and IEC 61511. Some of these requirements are briefly described in the following.
Introduction
No single safety measure alone can eliminate process risks. For this reason, an effective safety system consists of several protective layers: if one protection layer fails, the remaining layers should still take the process to a safe state.
As the number of protection layers increases, the safety of the whole process increases. Figure 1 provides a global view of the protection layers. It is important to understand that each layer has to function independently of the others, so that the failure of one layer does not disable another.
The Layer of Protection Analysis (LOPA) is a method that allows all process hazards to be examined closely and helps to choose the most suitable layers of protection.
For each process hazard where the LOPA concludes that the existing protection cannot reduce the risk to an acceptable level, a so-called Safety Instrumented System (SIS) can be introduced to control the process.
Safety instrumented systems are specifically designed to detect dangerous process states as they develop and to initiate the appropriate countermeasures. To fulfil this role, a SIS always consists of at least one sensor, one logic device and one final element. The final element is usually an electric actuator connected to a valve.
Safety Instrumented Systems are installed in process plants to mitigate hazards by taking the process to a "safe state" when predetermined set points are exceeded and safe operating conditions can no longer be ensured. If the process risks are not within an acceptable range, a safety instrumented system is one possible way to reduce them to a tolerable value.
The use of a SIS has to be tied to a target SIL. This article shows how SIL levels are determined in process applications.
Figure 1: protection layers (Magnetrol)
Examples of protection layers include:
- fire suppression systems;
- leak containment systems;
- pressure relief valves;
- toxic substances detection and warning systems.
Once the frequency of each hazard is known, the key question is: "With all protection layers operating, is the effective frequency lower than the acceptable frequency?". In other words, once all protection layers are defined, if the LOPA concludes that the existing protection layers cannot reduce the risk to an acceptable or tolerable level, a Safety Instrumented System is required.
1.0 Safety Instrumented Systems and Functions
A Safety Instrumented Function (SIF) is a safety function carried out by a SIS to achieve or maintain a safe state. Sensors, logic solvers and final elements act in concert to detect a hazard and bring the process to a safe state. Each SIF serves as a protection layer that brings the effective hazard frequency down below the acceptable hazard frequency. To do this, each SIF must meet a minimum SIL.
SIL is an acronym which stands for “Safety Integrity Level”. It comes from two international standards used by operators to quantify safety performance requirements for hazardous operations:
- IEC 61508: Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems
- IEC 61511: Safety Instrumented Systems for the Process Industry Sector
As defined in the IEC standards, there are four SIL Levels (1-4). A higher SIL Level means a higher level of protection required from the SIS. To show how SIL Levels are determined, please refer to Figure 2.
SIL Level is a function of hazard frequency and hazard severity of consequence. Hazards that can occur more frequently or have more severe consequences require higher SIL Levels. The global importance of SIL has substantially grown in the process industries over the last 20 years.
However, for many end users SIL still represents an ambiguous concept that is often misinterpreted. In order to fully understand the SIL concept and its implications, it is important to introduce Functional Safety and how it applies to Safety Instrumented Systems (SIS) within the process industries.
2.0 Functional Safety
Functional Safety is the part of overall safety that depends on the correct functioning of logic solvers, sensors and final elements in order to achieve a desired Risk Reduction Factor (RRF). As defined in IEC 61508, functional safety is the safety that control systems automatically provide to a process.
Functional Safety was developed in response to the growing need for improved confidence in safety systems. The increasing use of electrical, electronic or programmable electronic systems to carry out safety functions raised awareness of the need to design safety systems in such a way as to prevent dangerous failures and to control them when they eventually arise.
Industry experts began to address functional safety and formalise an approach for reducing risks in the process plants through the development of standards IEC 61508 and IEC 61511. These standards are important because previous safety standards were only prescriptive and not performance based.
The basic idea behind functional safety is that the potential risks posed by a process plant for people and environment have to be evaluated before the design phase by means of a hazard and risk analysis. The Risk Graph is often helpful in order to determine the target SIL Level.
Functional Safety is achieved when every safety function is successfully carried out and the process risk is reduced to the desired level. Since Safety Instrumented Systems are mainly used to reduce the risks of processes with high hazard potential for both people and environment, any individual system component has to fully meet the safety requirements provided by the standards.
3.0 Target SIL Level of the SIF
Let's take an example: a dangerous tank overfill. Suppose that, with all existing protection layers applied, the effective frequency of the overfill is still 2.5 events per year.
If the acceptable hazard frequency is once in 10 years, then the SIF must have a Risk Reduction Factor (RRF) of at least 25 (minimum RRF of the SIF = effective frequency / acceptable frequency = 2.5 / 0.1 = 25).
The minimum required RRF of the SIF is used to determine the target SIL of the SIF using Table 1, which relates SIL to RRF: SIL1 corresponds to a minimum RRF of 10^1 (10), SIL2 to a minimum RRF of 10^2 (100), SIL3 to 10^3 and SIL4 to 10^4. Each SIL therefore covers one decade of RRF.
For the tank overfill example above, the minimum RRF is 25 and, therefore, the target SIL of the SIF is SIL1. The example shows that for each hazard identified by the LOPA that requires a SIF, a target SIL has to be assigned using the described method.
The next step towards a safe process is to design a SIS capable of implementing the required SIFs and maintaining the target SIL for a predetermined period of time, the so-called "SIS lifetime".
4.0 Achievable SIL Level of the SIS
Three main criteria have to be satisfied to make sure the SIS conforms to the specified SIL:
- systematic capability;
- maximum allowed probability of dangerous failure on demand;
- architectural constraints.
In the following, we are going to briefly examine all these main criteria.
4.1 Systematic capability
IEC 61508 defines two alternative routes to ensure that a component is suitable for use in a safety instrumented system with a given SIL rating.
The first route is called "Route 1S". It requires that everyone working on the component, and therefore involved in its development, manufacture and maintenance, follows strict procedures throughout the so-called "life cycle" of the component.
The aim is to avoid "systematic errors" caused by calculation mistakes, wrong specifications and design faults. "Route 1S" is the preferred way for newly developed components. The second route is called "Route 2S".
It relies on field data ("proven in use") and therefore applies to existing components: it uses operating experience to show that a component already in service has the reliability required for use in a safety instrumented system.
This route is mainly used for components for which field data from proven experience actually exist. Both routes still require periodic field tests, which have to be carried out at the user's plant at a defined frequency, called the "test interval" in the standards.
The SIL capability of a component is usually stated in a certificate issued by a third party that acts independently of both the manufacturer and the end user.
4.2 Probability of Failure on Demand
The Probability of Failure on Demand (PFD) is the probability that the SIS fails to perform its safety function when a demand occurs. The standards define a maximum allowed PFD for the overall SIS at each SIL. Since the SIS contains at least one sensor, one logic device and one final element, no single component may contribute a PFD equal or close to the maximum allowed for the whole system.
The standards relate the PFD of each component to its dangerous failure rate and to the test interval: the longer the interval between proof tests, the higher the probability that the system fails on demand.
Considering the SIS as a whole, a PFD budget of 15% for the logic device, 35% for the sensors, 25% for the actuators and 25% for the valves can be considered a good guideline. The dangerous failure rates are usually made available by the manufacturers.
4.3 Architectural constraints
Any safety instrumented system has to have a fault-tolerant architecture. "Route 1H" of IEC 61508 relies on a combination of sufficient redundancy (hardware fault tolerance, HFT) and a minimum Safe Failure Fraction (SFF). The Safe Failure Fraction is the fraction of all failures that are either safe or dangerous but detected by diagnostics, i.e. failures that lead to a safe condition.
The standards place strict requirements on the architecture of the SIS. For example, a SIL 2 safety function with no redundancy (HFT = 0) that uses a complex electronic component (Type B), such as a microprocessor, as the logic device requires a minimum SFF of 90% for that component.
It is not necessary for all components of the safety instrumented system to have an SFF of 90%. With no redundancy, a component with a minimum SFF of only 60% may be chosen if it can be regarded as a simple component (Type A), such as a valve or an actuator.
If "Route 1H" is selected, it is advisable to choose components that fulfil the minimum SFF requirements on their own, in order to avoid expensive redundancy to reach the required SIL of the SIS.
4.4 Special requirements for actuators
Field components such as sensors, actuators and valves are exposed to influences that logic devices do not normally have to bear. These include environmental conditions such as temperature, pressure, humidity, contaminations and vibrations. In addition, field components may be exposed to abrasive or corrosive process elements.
When designing a SIS, it is crucial to select components able to withstand these conditions over the intended lifetime of the SIS. If a single component fails because of such "off-design use", the whole SIS will not even meet SIL1.
To maintain the reliability of the system, i.e. the probability that the safety system actually intervenes in a critical situation, it is vital to carry out periodic field tests. The standards consider these tests a basic requirement for employing actuators and valves successfully in safety instrumented systems.
A few further technical questions have to be analysed before an actuator is selected for a SIS. The discussion below is far from exhaustive, but experience shows that some aspects are neglected, sometimes resulting in major design faults.
4.5 Further technical questions
At times, an actuator has to perform different safety functions. This happens when an actuator is part of a SIS designed for a safe stop during normal operation and, at the same time, is also part of another SIS implemented for an emergency shutdown (ESD).
In this case, it is essential to establish a priority between the two functions to make sure that both can be carried out in compliance with the requirements of each safety instrumented system.
A SIS should be physically separate from the Basic Process Control System (BPCS). For sensors and logic solvers, the SIS is always structured in this way.
For the final elements, such as actuators and valves, however, this approach is often very expensive, since two actuators and two valves have to be purchased, installed and maintained instead of one of each.
There is therefore a tendency to use the same actuator and valve for both the process control system and the safety instrumented system. This is allowed, but only under some very restrictive conditions. The most important are as follows.
a) All components shared by the BPCS and the SIS have to be treated as part of the safety system, which means that they have to comply with IEC 61508.
b) The failure of a component used by both the SIS and the BPCS must not cause a failure of the BPCS that, in turn, generates a demand on the SIS.
c) The SIS and the BPCS have to be sufficiently separated to make sure that a failure in the BPCS has no negative impact on the SIS.
5.0 Summary and Conclusions
The following are the key points of this article.
- The purpose of a SIS is to bring a process to a "safe state" when predetermined set points are exceeded and safe operating conditions are no longer met. The role of the SIS is to reduce risk by implementing Safety Instrumented Functions (SIF).
- Process plant hazards become “SIL-Rated” only when existing non-SIS safety layers prove to be not sufficient to reduce process hazards to an acceptable level.
- SIL-Rated hazards have to be mitigated by SIFs implemented by a SIS.
- The SIL Level of each hazard is determined by calculating the required target Risk Reduction Factor of each SIF.
- To achieve an acceptable level of risk, the SIS has to be designed such that the PFD contributions of its components, derived from their dangerous failure rates and the test interval, together stay below the maximum allowed PFD for the target SIL.
- When choosing the components for a SIS, it is important to ensure that the Systematic Capability of each component matches the required SIL of the whole SIS.
References
[1] IEC 61508, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems.
[2] IEC 61511, Safety Instrumented Systems for the Process Industry Sector.
[3] Heike Schmeding (AUMA Riester): Safety Instrumented Systems using electric actuators: How to choose the right components. CPP (Chemical Production Plants Processes), Konradin Industrie, August 2017.

In answer to the comment below:
Hi Anthony
I prefer to answer the question using the event tree.
Let's consider a pressure tank. Suppose the tank is installed in a process plant where the SEVESO directive applies.
The probability of occurrence of the unwanted event (burst of the tank) in the process plant cannot exceed the value of 1 x 10^-6 events / year.
A probability of occurrence of the unwanted event greater than 1 x 10^-6 events / year (for instance, 1 x 10^-5 events / year) leads to an unacceptable risk value.
Let's suppose that, at first, the LOPA analysis has established that the tank has to be equipped with:
- a safety valve,
- an alarm system,
- a basic process control system (BPCS), consisting of a sensor (transducer), a controller and a final element (valve + actuator).
The frequency f0 of the initiating event (safety valve stuck closed) is equal to 1 x 10^-2 events / year.
The probability of failure on demand (PFD) of the alarm system is 1 x 10^-1 events / year.
The probability of failure on demand (PFD) of the basic process control system (BPCS) is 1 x 10^-1 events / year.
The use of the event tree leads to a probability of occurrence of the unwanted event (burst of the tank) equal to 1 x 10^-4 events / year.
As I said, the probability of occurrence of the unwanted event is unacceptable, since 1 x 10^-4 events / year is greater than 1 x 10^-6 events / year.
Therefore, the LOPA analysis is used once again.
We decide to equip the pressure tank with a safety instrumented system (SIS) too.
In order to reduce the probability of occurrence of the unwanted event to the value of 1 x 10^-6 events / year, the safety instrumented system has to be able to ensure a probability of failure on demand (PFD) equal to 1 x 10^-2 at least, which corresponds to a risk reduction factor (RRF) equal to 100.
Of course, a safety instrumented system (SIS) capable of ensuring a Risk Reduction Factor (RRF) equal to 100 is characterised by a Safety Integrity Level (SIL) equal to 2.
If we had needed to bring the frequency of occurrence of the unwanted event (burst of the pressure vessel) to 1 x 10^-5, the LOPA analysis would have led to this concluding remark: a Risk Reduction Factor (RRF) equal to 10 is enough. This value of the Risk Reduction Factor (RRF) is achieved by inserting a safety instrumented system (SIS) characterised by SIL 1 in the safety chain of the vessel.
This proposed method is quite precise, since it is based upon the application of the LOPA analysis and the event tree. Approximations are not allowed at all, as you can guess.
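The sizing carried out in section 3.0 of the article (effective frequency / tolerable frequency = required RRF, then the SIL band) and in the event-tree answer above (initiating frequency times the PFDs of the existing layers, then the RRF the SIS must supply) is the same chain of arithmetic. The following is an added worked example, not code from the article, the standards or the comment thread; it generalises the two cases to any number of independent protection layers, each characterised by its PFD, and returns the exact required PFD next to the SIL band, because the band alone does not say whether a specific loop is good enough.

```python
"""LOPA sizing of a SIF: added worked example (not code from the article or the
comment thread). Model assumed here: each independent protection layer (IPL) is
characterised by its PFD, and the hazard propagates only if every layer fails,
so the mitigated frequency is the initiating-event frequency times the product
of the IPL PFDs (the "all layers fail" branch of the event tree)."""
import math

# Low-demand SIL bands from IEC 61508: SIL n covers 10^n <= RRF < 10^(n+1).
SIL_BANDS = {1: (1e1, 1e2), 2: (1e2, 1e3), 3: (1e3, 1e4), 4: (1e4, 1e5)}


def _at_least(a, b):
    """a >= b, tolerant of floating-point noise such as 99.99999999999999 vs 100."""
    return a >= b or math.isclose(a, b, rel_tol=1e-9)


def mitigated_frequency(initiating_freq, ipl_pfds):
    """Frequency per year of the unwanted event with all listed IPLs in place."""
    f = initiating_freq
    for pfd in ipl_pfds:
        if not 0.0 < pfd <= 1.0:
            raise ValueError(f"PFD must lie in (0, 1], got {pfd}")
        f *= pfd
    return f


def required_rrf(effective_freq, tolerable_freq):
    """Minimum RRF of the SIF: effective / tolerable, or 1.0 if no SIF is needed."""
    if _at_least(tolerable_freq, effective_freq):
        return 1.0
    return effective_freq / tolerable_freq


def target_sil(rrf):
    """SIL band for a required RRF: 0 when RRF < 10 (no SIL-rated SIF needed),
    None when RRF >= 10^5 (beyond SIL4; a single SIF should not carry that)."""
    if not _at_least(rrf, 10.0):
        return 0
    for sil, (lo, hi) in SIL_BANDS.items():
        if _at_least(rrf, lo) and not _at_least(rrf, hi):
            return sil
    return None


def size_sif(initiating_freq, ipl_pfds, tolerable_freq):
    """Run the LOPA chain: existing layers -> residual frequency -> SIF target."""
    f_eff = mitigated_frequency(initiating_freq, ipl_pfds)
    rrf = required_rrf(f_eff, tolerable_freq)
    return {
        "effective_freq": f_eff,
        "required_rrf": rrf,
        "required_pfd": 1.0 / rrf,   # the figure the SIS design must actually meet
        "target_sil": target_sil(rrf),
    }


if __name__ == "__main__":
    # Article, section 3.0: 2.5 events/yr after existing layers, tolerable 1 in 10 yr.
    print(size_sif(2.5, [], 0.1))
    # Comment above: f0 = 1e-2/yr, alarm PFD 0.1, BPCS PFD 0.1, tolerable 1e-6/yr.
    print(size_sif(1e-2, [0.1, 0.1], 1e-6))
```

The tolerance helper matters: the product 1e-2 x 0.1 x 0.1 divided by 1e-6 is not exactly 100 in floating point, and without it a required RRF of 100 can be misfiled as SIL1. The returned required_pfd is what the later verification of the designed loop has to be compared against, not only the band.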
Best,
From the LOPA study we obtain a required SIL level for a given SIF. However, since a SIL level represents a range of RRF (e.g. SIL1 covers an RRF from 10^1 to 10^2), one regularly obtains the correct SIL level but not yet a sufficient RRF. Can or may one work in a simplified way here? Or can a certain "margin of error" be accepted (e.g. we need an RRF of 600 but we tolerate a margin of error of 20%, so an RRF of 400 is acceptable)?
Thank you in advance for your response.
Kind regards,
Anthony
Hello Anthony, I have answered this above….
Dear Francesco,
first of all thanks for your reply, although it is not really an answer to my question.
Let me clarify: SIL 2 has an RRF from 100 until 1000, not all SIF2 loops have the same reliability.
When a SIF2 loop is being calculated (based on all PFD values of the components) it can be that the required RRF does not meet the calculated RRF although both SIL2.
So if both are SIL2 can we accept a small difference/approximation? (although SIL level is ok)
Thanks for your reply.
kind regards,
Anthony
I believe that the problem to be solved is ensuring that the required SIL is maintained over time by the Safety Instrumented System (SIS). This problem has a solution called “systematic capability”.
First, you have to calculate the probability of failure on demand (PFD) of each component of the SIS, according to the formula indicated below:
PFDavg = 0.5 x FR x T1,
valid for the channel architecture called 1oo1.
FR is the failure rate of the individual component of the SIS.
T1 is the proof test interval, which is equal to 8760 hours if you refer to an annual proof test.
Second, you have to evaluate the probability of failure on demand (PFD) of the SIS as a whole:
PFDavg,syst = PFDavg,sensor + PFDavg,PLC + PFDavg,actuator
Last, in order to get SIL2, you are required to verify that the following relationship holds:
0.001 < PFDavg,syst ≤ 0.01
For further information, please refer to IEC 61508-6 and IEC 61511-3.
Best regards,
Francesco Nigri
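The verification described in the reply above (PFDavg per subsystem from the 1oo1 formula, sum over the SIS, check against the SIL band) is only one of the three criteria listed in section 4.0 of the article; the architectural constraint of section 4.3 and the systematic capability of section 4.1 can each cap the achievable SIL lower than the PFD does. The following is an added worked example that combines the three, written here for illustration; it is not code from the article, the comment thread or IEC 61508. The subsystem names, failure rates, element types, HFT values and certificate SC levels are constructed, and the 1oo1 PFD formula is kept for every subsystem, as in the reply above.

```python
"""Achievable SIL of a SIS (low-demand mode): added worked example, not code
from the article, the comment thread or the standard.

Assumptions: one channel per subsystem (1oo1) with PFDavg = 0.5 * lambda_DU * T1,
the SIS PFDavg being the sum over subsystems; the architectural constraint follows
the IEC 61508-2 Route 1H tables (Type A / Type B element, SFF, HFT); the
systematic capability (SC) of a subsystem is the value claimed on its certificate.
All failure rates below are constructed for illustration, not taken from a datasheet."""
from dataclasses import dataclass
from typing import Optional

HOURS_PER_YEAR = 8760


@dataclass
class Subsystem:
    name: str
    lambda_du: float   # dangerous undetected failure rate [1/h]
    lambda_dd: float   # dangerous detected failure rate [1/h]
    lambda_s: float    # safe failure rate [1/h]
    type_b: bool       # True for complex (Type B) elements such as a microprocessor
    hft: int           # hardware fault tolerance (0 = no redundancy)
    sc: int            # systematic capability from the certificate (1..4)


# IEC 61508-2 Route 1H: maximum SIL for (SFF band, HFT 0/1/2); None = not allowed.
# SFF bands: 0: < 60 %, 1: 60 % .. < 90 %, 2: 90 % .. < 99 %, 3: >= 99 %.
ROUTE_1H = {
    "A": {0: (1, 2, 3), 1: (2, 3, 4), 2: (3, 4, 4), 3: (3, 4, 4)},
    "B": {0: (None, 1, 2), 1: (1, 2, 3), 2: (2, 3, 4), 3: (3, 4, 4)},
}


def safe_failure_fraction(sub: Subsystem) -> float:
    """SFF = (lambda_S + lambda_DD) / (lambda_S + lambda_DD + lambda_DU)."""
    return (sub.lambda_s + sub.lambda_dd) / (sub.lambda_s + sub.lambda_dd + sub.lambda_du)


def sff_band(value: float) -> int:
    return 0 if value < 0.60 else 1 if value < 0.90 else 2 if value < 0.99 else 3


def architectural_sil(sub: Subsystem) -> Optional[int]:
    """Highest SIL the subsystem may claim under Route 1H for its SFF and HFT."""
    row = ROUTE_1H["B" if sub.type_b else "A"][sff_band(safe_failure_fraction(sub))]
    return row[min(sub.hft, 2)]


def pfd_avg_1oo1(lambda_du: float, t1_hours: float) -> float:
    """Average PFD of a single channel proof-tested every T1 hours (simplified formula)."""
    return 0.5 * lambda_du * t1_hours


def sil_from_pfd(pfd: float) -> int:
    """Low-demand bands: 10^-(n+1) <= PFDavg < 10^-n  ->  SIL n; PFDavg >= 0.1 -> 0."""
    for sil in (4, 3, 2, 1):
        if pfd < 10.0 ** -sil:
            return sil
    return 0


def achievable_sil(subsystems, t1_hours):
    """Combine the three criteria of section 4.0: PFD band, architecture and SC.
    The 1oo1 PFD figure is kept even when hft > 0; that is conservative, since a
    redundant channel only lowers PFDavg (refine with the 1oo2 formula if needed)."""
    pfds = {s.name: pfd_avg_1oo1(s.lambda_du, t1_hours) for s in subsystems}
    pfd_total = sum(pfds.values())
    arch = {s.name: architectural_sil(s) for s in subsystems}
    limiting_arch = 0 if any(v is None for v in arch.values()) else min(arch.values())
    sc_min = min(s.sc for s in subsystems)
    return {
        "pfd_per_subsystem": pfds,
        "pfd_total": pfd_total,
        "sil_by_pfd": sil_from_pfd(pfd_total),
        "sil_by_architecture": limiting_arch,
        "sil_by_sc": sc_min,
        "achievable": min(sil_from_pfd(pfd_total), limiting_arch, sc_min),
    }


# Constructed example SIS: sensor, logic solver, valve + actuator (illustrative figures).
EXAMPLE_SIS = [
    Subsystem("sensor", 4.0e-7, 1.0e-6, 2.0e-6, type_b=True, hft=0, sc=2),
    Subsystem("logic solver", 5.0e-8, 9.0e-7, 4.0e-6, type_b=True, hft=0, sc=3),
    Subsystem("valve+actuator", 6.0e-7, 0.0, 1.0e-6, type_b=False, hft=0, sc=2),
]

if __name__ == "__main__":
    print(achievable_sil(EXAMPLE_SIS, HOURS_PER_YEAR))
    # Same SIS with a redundant sensor pair (HFT 1) and a three-yearly proof test.
    redundant = [Subsystem("sensor", 4.0e-7, 1.0e-6, 2.0e-6, True, 1, 2)] + EXAMPLE_SIS[1:]
    print(achievable_sil(redundant, 3 * HOURS_PER_YEAR))
```

With an annual proof test the example SIS has PFDavg 4.6 x 10^-3, which is the SIL2 band, yet the sensor (Type B, SFF about 88 %, no redundancy) limits the architecture to SIL1, so the SIS as a whole is SIL1; a redundant sensor pair lifts it to SIL2. Stretching the proof test to three years then pushes the summed PFD to 1.38 x 10^-2, back into the SIL1 band, which is the effect described in section 4.2.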