What are Safety Integrity Levels, and how do they relate to Safety Instrumented Systems? We frequently receive all sorts of questions around process safety control devices and instruments, and thought we’d help share information in this blog article to answer many of those questions. We’ll take a look at Safety Instrumented Systems and their governing regulations, how Safety Integrity Levels fit into the process control scheme, and at a particular case comparison between SIL 2 and SIL 3 safety ratings. Let’s dive in!
Safety devices and controls are not new to industrial manufacturing. Historically, terms such as ‘interlocks’ or ‘fail-safes’ were used to describe safety features built into hardware or software controls. Anywhere that risks to humans or property existed, safety considerations were almost always made in the design of a system. Over time, it became apparent that a unifying standard was needed in order to set a precedent for the analysis, design, and implementation of process hazard control. No longer was process safety to be left to individual companies or device manufacturers. In the late 20th century, multiple groups across the globe worked towards developing and ratifying standards within their domains – associations such as OSHA, ANSI, ISA, IEC, and EWICS included. Today, these works have been consolidated into the code documents ANSI/ISA-84 in the United States and IEC 61511 internationally, for Process Industry Safety programs. IEC 61511 is specific to the process industry, and has a parent document, IEC 61508, titled the International Performance-Based Standard for All Industries (there are other sector standards such as IEC 61513 for the Nuclear Sector and IEC 62061 for the Machinery Sector). For the rest of this article, we’ll pull from IEC 61508 to outline safety terminology, requirements, and practices as applicable to all industries and sectors. To apply these topics to your particular industry, please see the relevant child standard called for by IEC 61508.
In one manner of speaking, an industrial manufacturing system can be described as a massive collection of independent devices simultaneously performing discrete tasks, each ignorant of the tasks being performed by other devices in the system. A single valve opens and closes. A level transmitter reports level in a tank. A pump turns on and off. Each discrete device neither has visibility of nor cares about what else is going on in other parts of the system – each device is a single instrument in a larger orchestra, and only the maestro (or logic control system, in this analogy) can lead the overall arrangement. A manufacturing system made up of such devices, where some are employed to gather and report conditions about the system in real-time, and others then employed to perform a deterministic task, is known as an instrumented system. When devices are added into this scheme with the intent to detect and react to process safety situations, that is referred to as a Safety Instrumented System.
Turning to IEC 61508, let’s introduce several definitions of safety system topics:
With Safety Instrumented Systems and their associated code sources covered, let’s take a closer look at what Safety Integrity Levels mean in a process application.
According to the IEC (and general human experience!), there is no such thing as a system completely devoid of all risk. Any process assessment review begins with evaluating the scheme for inherent risks at idle, and then further considering risks in normal and emergency operating conditions. In some areas of the process, the amount of inherent risk might be tolerable as-is – for example, if the water fill valve on a non-critical wash tank were to fail open, there would be no risk to anyone or any property. In these cases, the lowest level, SIL 0, would be applied, and no additional safety functions would be necessary. If, in another example, an immersion heater were to fail in the ‘on’ position and heat a vessel beyond the allowable temperature, the risks associated with the failure may earn a required SIL of 2, meaning that the risk is intolerable and additional safety functions must be added to bring the risks down to acceptable levels. This is how SILs are utilized: to measure and specify the necessary risk reduction for instrumented processes.
Below we’ll show a table that describes SIL levels in terms of quantifiable values used in risk assessment calculations. (Please note that these values are based on ‘Low Demand’ modes of operation, meaning one failure demand or fewer per year. IEC 61508 has alternative values for ‘Continuous / High Demand’ modes of operation, for applications expecting more than one failure demand per year. See the standard for more information.)
Safety Integrity Level (SIL) | Risk Description | Probability of Failure on Demand (PFD) | Risk Reduction Factor (RRF)
--- | --- | --- | ---
SIL 0 | Tolerable Risk | ≥10⁻¹ | 0 to 10
SIL 1 | Minimal Risk | ≥10⁻² to <10⁻¹ | 10 to 100
SIL 2 | Moderate Risk | ≥10⁻³ to <10⁻² | 100 to 1,000
SIL 3 | Substantial Risk | ≥10⁻⁴ to <10⁻³ | 1,000 to 10,000
SIL 4 | Extreme Risk | ≥10⁻⁵ to <10⁻⁴ | 10,000 to 100,000
The Probability of Failure on Demand, or PFD, is the measure of dangerous failures, typically applied over a period of one year. From our above examples, the water valve leak situation may be deemed acceptable with a PFD of 10⁻¹, or 1 failure in 10 years. In the immersion heater situation, you may determine that you cannot accept a failure rate above 10⁻⁴, or 1 in 10,000 years. The Risk Reduction Factor, or RRF, is the inverse of the PFD. It is used mainly in SIL calculations, but can also be useful in concept when read as “an acceptable failure is one per this many years”. For SIL 2, this would be “an acceptable failure is one in 100 to 1,000 years”.
Before going further, we need to introduce the concept of the ‘safety lifecycle’. In short, IEC 61508 refers to the need to manage and maintain safety systems from their initial conceptualization all the way through their eventual decommissioning. Any modification, upgrade, maintenance, or use (in the event of a risk event actually occurring) must then be followed up with a review to assure that the system will continue to operate at the required SIL. For example, if a process system is not properly maintained, its required SIL may in fact increase over time (as more harmful failures are to be expected than from a properly maintained system). Likewise, if the safety function on this system is not maintained, it may no longer provide the intended SIL. IEC 61508 describes the SIL of a system as a function of its ongoing operation and maintenance, not just of its initial installation.
We’re frequently asked about the difference between SIL 2 and SIL 3 in terms of component selection. To help shine some light on this topic, let’s lay out a few rapid comments, and then take a closer look between SIL 2 and 3.
For example, a SIL rating of 2 means that the sensor, logic controller, reacting device such as a valve or pump, all of the software and logic involved, all of the installation materials (wiring, cabling, etc) involved, and all support services (such as compressed air or conditioned electricity with battery backup) altogether represent a determined SIL 2 risk reduction factor of 1-in-100 years to 1-in-1,000 years.
Aspiring to hit SIL 3 is substantially more expensive than SIL 2. The costs are found in both the devices and the installation. Devices of a higher SIL are more robust and resilient, and are tested and certified as such. The installation of a SIL 3 system may require multiple redundant components.
In practice, SIL 1 is typically found to be sufficient for nearly all process control schemes in an industrial manufacturing or process environment. SIL 2 and 3 are so much more expensive to install and maintain than SIL 1, that designers typically will look to reduce the inherent risk of a function in order to make a SIL 1 solution work, before agreeing to install a SIL 2 or 3 solution. For this reason, most devices on the market today are certified for use in SIL 1 systems, while perhaps 5% of devices are certified for SIL 2 systems, and 1% of devices are certified for SIL 3 systems.
To help drive the above two points home, SIL 4 is a level of risk reduction that is both impractical to afford and maintain, and unreasonable to even suggest that such a hazardous process be deployed.
Comparing SIL 2 to 3, let’s use an example scenario. We perform a Hazard Assessment on a safety function serving a centrifugal separator, looking at the vibration sensor which is utilized to shut down the centrifuge should it become unstable, which would risk significant injury or death to nearby operators. Looking at the basic control system’s vibration sensor, PLC, and motor drive, we see that when working appropriately, the PLC will shut down the drive at vibration rates above an unsafe setpoint. Looking up standard safety ratings for these devices and calculating failure probability, we find that the aggregate failure rate of the control loop is 2,000 times more than what we’ve calculated as acceptable in our hazard assessment. We now know that we need a SIL 3 safety function added to the system (as a required risk reduction of 2,000 falls within the SIL 3 Risk Reduction Factor range of 1,000 to 10,000 in the table above).
We take a look at what it would take to implement a SIL 3 safety function. In order to hit the risk reduction rates needed to get the remaining risk within allowable limits, we find that we need a suite of expensive sensors, multiple power shunting devices to cut power to the motor, and redundant safety logic controllers with independent battery backups. These upgrades would bring the full SIF to an SIL 3 rating and would meet our risk abatement objectives, but would be incredibly expensive and require very detailed maintenance and ongoing testing to assure reliability into the future.
With this determination made, we consider how to reduce the SIL requirement from a level 3 to a level 2. What changes can we make in the design of the system where a reduction factor of only 100 to 1,000 would be needed? Our justification for this concept is to cut cost and reduce the likelihood that poor maintenance over time would make the safety function unreliable, as well as to simply make the base process all that much safer to begin with. We look next at the conditions around the centrifuge itself, and then at the instruments in the safety function.
First, we decide to specify a centrifuge with an internal brake, such that a free-wheel condition that may lead to hazardous vibration will be internally controlled, mitigating that risk mechanically. Next, we increase the concrete foundation size and mass, and double-anchor the centrifuge, such that even a catastrophic rotational force of a run-away centrifuge will not shear away from its structural foundation and risk flying into nearby operators. Returning to the vibration safety devices, we install redundant safety sensors with built-in heartbeat technology, such that our safety controller will be able to monitor for the health of these sensors at all times. Lastly, we prescribe annual controlled testing of a high-vibration condition on the separator, and set a threshold for performing a complete teardown and rebalance of the disk stack which will further insulate against hazardous vibration conditions down the road.
With all of the above design decisions, we conclude that a SIL 2 rating is all that we will now need instead of a SIL 3 for this safety function. The difference in cost and complexity between SIL 2 and 3 are substantial, and while it’s beneficial to design out the need for higher SIL ratings, there are of course times where a SIL 3 rating is unavoidable. In these cases, higher redundancy, higher rated components, and substantial ongoing testing and maintenance will be required.
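To make the PFD/RRF/SIL relationships from the table concrete, and to show why the redundancy and annual proof testing chosen for the centrifuge scenario matter, here is an added worked example in Python; it is not code from the article or from PDF Supply. It assumes the simplified IEC 61508-6 low-demand approximations PFD_avg ≈ λ_DU·T_I/2 for a single channel and (λ_DU·T_I)²/3 for an independent 1oo2 pair (common-cause failures ignored), and every failure rate and test interval in it is a constructed sample value.

```python
# Added example (not from the article): sizing a low-demand safety function
# with the PFD / RRF / SIL relationships described above. Failure rates and
# proof-test intervals below are constructed sample values, not page data.

# Low-demand SIL bands from the article's table as (SIL, PFD lower bound
# inclusive, PFD upper bound exclusive). PFD >= 1e-1 is SIL 0 (tolerable).
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def sil_for_pfd(pfd):
    """Map an average probability of failure on demand to its SIL band."""
    if pfd <= 0:
        raise ValueError("PFD must be positive")
    if pfd >= 1e-1:
        return 0
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    raise ValueError("PFD below 1e-5 is beyond SIL 4; redesign the process instead")


def required_sil(rrf):
    """SIL demanded when the unmitigated risk is `rrf` times the tolerable
    risk found by the hazard assessment (RRF = 1 / PFD, as in the article)."""
    return 0 if rrf <= 1 else sil_for_pfd(1.0 / rrf)


def pfd_avg_1oo1(lambda_du, proof_test_years):
    """Single channel (assumed simplified IEC 61508-6 form): PFD_avg ~= lambda_DU * T_I / 2,
    lambda_DU = dangerous undetected failures per year, T_I = proof-test interval."""
    return lambda_du * proof_test_years / 2


def pfd_avg_1oo2(lambda_du, proof_test_years):
    """Two independent channels, 1oo2 voting, common-cause failures ignored
    (assumption): PFD_avg ~= (lambda_DU * T_I) ** 2 / 3."""
    return (lambda_du * proof_test_years) ** 2 / 3


def achieved_sil(pfd_avg, required):
    """SIL actually delivered by a design, and whether it meets the requirement."""
    sil = sil_for_pfd(pfd_avg)
    return sil, sil >= required


if __name__ == "__main__":
    need = required_sil(2000)                      # article's centrifuge: SIL 3
    print("required:", need)
    print("1oo1, tested yearly:", achieved_sil(pfd_avg_1oo1(0.03, 1.0), need))
    print("1oo2, tested yearly:", achieved_sil(pfd_avg_1oo2(0.03, 1.0), need))
    print("1oo2, tested every 3 yr:", achieved_sil(pfd_avg_1oo2(0.03, 3.0), need))
```

The last two lines of output show the lifecycle point from the text: the same redundant pair that reaches SIL 3 under annual proof testing drops to SIL 2 when the test interval stretches to three years.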
We hope that this overview of Safety Instrumented Systems, and our comparison between SIL 2 and SIL 3, has been helpful in understanding safety design and specification options. For more information or to discuss which Safety Control and Instrumentation solution might be best for your application, please visit our website here, or contact us at [email protected] or 1-919-535-3180.
This entry was posted on September 8th, 2021 and is filed under Education.