Functional Safety and SIL
An Introduction to Functional Safety and SIL (Safety Integrity Level) in the Process Industries (Oil & Gas, Chemicals, Power Generation, etc)- Whitepaper from Abhisam
An Introduction to Functional Safety and SIL
Functional Safety is a relatively new concept in the world of safety (and industry as well). This whitepaper seeks to explain the concept of Functional Safety and related concepts of demand, safety integrity level, Safety Instrumented Systems and standards used in the area of Functional Safety, to technical professionals, who do not have any background in functional safety. It also explains the importance of Functional Safety Management known as FSM for short, in industry.
What is Functional Safety?
Safety is simply defined as “freedom from harm”. In colloquial terminology we use the words, risk, hazard, harm and unsafe interchangeably. However, all these terms are actually completely different. Before we start with the concept of Functional Safety, let us understand the differences between hazard, risk and harm.
What is a Hazard?
A hazard is a property of a substance or equipment that has the potential to cause harm. Harm is of course, easily understood. So for example, a propane tank that stores propane (which is a highly flammable substance) in an industrial facility could be considered a hazard.
Get this free Functional Safety ebook today
What is Risk?
Is there a possibility that the propane tank in the above example can explode or catch fire? Yes, of course. If it does explode or catch fire, there is a certainty that it can cause harm to people in the vicinity, cause damage to nearby equipment and also the environment. These are known as consequences. In the world of safety, generally the word consequence always has a negative connotation. The probability that a hazard may cause negative consequences is called as Risk.
Therefore Risk can be expressed as the equation below:
Risk = Probability of the occurrence X Consequence of occurrence
What is Harm?
When the risk gets actualized into an event (an accident happens), it leads to a lot of consequences, almost all of which are undesirable, as they cause harm to people, damage equipment and cause environmental destruction. This is known as harm. Such incidents that cause harm are known as unsafe incidents.
Our goal to ensure safety is to ensure that there is very little likelihood of harm.
What is Inherent Safety?
Processes and Systems can be designed to some extent to be inherently safe, but very often they are not. What do we mean by inherent safety? Consider a day tank in a chemical manufacturing plant, which is filled and emptied several times a day with a toxic liquid. The tank has an overflow line that connects to a containment vessel. In case of overfilling, the excess liquid in the day tank flows to the containment vessel, thus preventing spillage and other consequences.
This is an example of inherent safety. It is also an example of what Functional Safety is not.
If, instead of the overflow line, we had a level sensor that sensed the overfilling of the tank and on detection, sent a signal to a system that operates an actuated valve that cut off the inlet flow, then we would call this an example of “Functional Safety”. In our example above, we showed an example of Functional Safety in the chemical process industry. But this is not the only place where you will find Functional Safety. It is present in lots of other places such as trains, cars, aircraft, building automation systems, machinery, nuclear installations, to name a few.
What is a Safety Function?
In the above example, the system, comprising of the sensor, the controller or logic solver and the actuated valve together carry out a particular function, namely a Safety Function, that assures that in case of high level, spillage will not occur. It is now clear that in a plant, equipment or other piece of machinery, there would be several such Safety Functions. These Safety Functions taken together can be called as a Safety System.
Safety will be assured only if all these Safety Functions work when needed. The “when needed” part is as important as the “work” in the above sentence. Why is this so?
That brings us to the concept of something known as a demand.
Note: To learn and get certified in Functional Safety & SIL, please take either of the courses below.
Whitepaper continued below…….
Get our e-learning course on Functional Safety today, to easily understand Functional Safety, SIL and SIS Cybersecurity and also get Certified for free!
Get our e-learning course on Safety Instrumented Systems today, to easily understand Safety Related Systems and also get Certified for free!
The adjoining animated video is by the US Chemical Safety Board, explaining the Danvers accident. This disaster was caused by poor Functional Safety. Simple safety interlocks could have prevented this accident.
(Note: Whitepaper continues below)
What do we mean by Demand?
In the context of functional safety, when the Safety Function is called upon to do its work, it is known as a demand. So in the above example, as long as the day tank is not filled to a high level (that can cause a spill), we can say that there is no demand on the Safety Function to carry out its work. However, the moment that the level in the tank goes to a high level (to cause a spill), the safety Function must act, as a demand is now raised on it by the process.
One can see that the Safety Function must act now, on demand, to ensure that safety is maintained.
This is an important concept, because most of the time a safety device just sits there, idle, when the process is in the safe state.
The moment however that a demand occurs, it must swing into action immediately. The aim of Functional Safety and Functional Safety Management, is to ensure that it does, every time. It will won’t it?
Or can anything go wrong? What do you think?
How do Failures affect Safety Functions?
What is the relationship between Reliability and Functional Safety?
This brings us to the concept of Failures. Like everything else, a safety system can also fail. What if it fails at the precise moment that it is supposed to operate? (Just like the famous “Murphys Law”).
Then, on demand, the Safety Function will not work and a disaster may take place. How do we avoid these situations? By using the techniques, tools and standards of Functional Safety Engineering, for example by adopting and following techniques outlined in International Standards such as IEC 61508.
What types of Failures can occur?
Broadly speaking we could have three types of failures of the safety system. These are Random, Common Cause and Systematic failures. Any and all these three types of failures could make our safety function inoperable upon demand. Our goal therefore would be to design, build and maintain a safety system that will not fail upon demand even in the event of random, common cause and systematic failures.
Needless to say such a system, that would never fail is only a theoretical concept and not practical. All systems fail and safety systems are no exception.
However, by using the principles and generally accepted good engineering practices of Functional Safety, we can make them almost fail safe.
What is SIL? (Safety Integrity Level)
We have a measure for the reliability of a Safety Function and it is captured by the term “Safety Integrity”. As the name suggests, we need a safety function with integrity and the more the likelihood of the consequences of failure being really bad, the more the need for as high a safety integrity as possible. Hence Safety Integrity Level is defined in the IEC standards to represent the Safety Integrity of a particular Safety Function. It is a performance measure of the Safety Function.
There are four levels of Safety Integrity named as SIL 1, SIL 2, SIL 3 and SIL 4. Of these SIL 1 is the lowest and SIL 4 is the highest level.
So how does one decide the Safety Integrity? The IEC standards classify Safety Functions as being of two types based on how frequently one encounters a demand. So certain safety functions, such as those that are commonly found in the Chemical Industry (e.g. overfill protection system like the example of our day tank above), are generally classified as low demand ones. This is because we expect that the demand would be less than one per year. This of course is in line with our practical experience in this industry, where we do not expect that Safety Functions are called in to protect the plant every other day.
There is another category of Safety Functions that are found in places where the demand rate is very high and sometimes even continuously present, these are called high demand applications. Common examples are the braking system of a train, or car. Brakes are operated quite often (certainly more than once a year) and are classified as high demand systems.
What do we understand by the SIL Rating?
The probability that the Safety Function will fail on demand is known as the PFD. The average probability that it will fail dangerously is called the PFDavg. The SIL levels correlate with the PFDavg of the Safety Function, as outlined in the SIL Rating table below, for Low Demand applications.
Note that this is not the only criteria for a Safety Function to be categorized as a SIL 1 or SIL 2 or SIL 3 or SIL 4. There are some other conditions too, but this is the most famous one!
However, for High Demand applications, the probability of failure is represented by PFH or Probabilty to fail dangerous per hour. The SIL levels that correspond with the different PFH levels are given in the table below.
The above is of course, just a small introduction to the concept of Safety Integrity Level. Further reading and training is essential to understand it fully. For example if you take our courses today, you can learn everything about it in a very easy to understand manner.
In the next section we will now take a look at some standards that are used in Functional Safety.
Which are the important Functional Safety Standards?
Functional Safety standards are not new. They have been around in some form or the other for the past several decades. However, it is only after the IEC (International Electrotechnical Commission) published the first set of standards known as IEC 61508, sometime around 1990, that Functional Safety really came into its own. This standard, IEC 61508 is also known as an “umbrella standard” because a lot of other industry-specific Functional Safety standards are derived from it.
Thus the process industry follows IEC 61511, , the Nuclear industry follows IEC 61513, the machinery industry follows IEC 62061, the automotive industry follows ISO 26262 and the Railway industry follows EN 50126 and so on. All of these are derived from the IEC 61508 standard.
Note that IEC 61508 applies to any Electrical/Electronic/ Programmable Electronic Safety Related System. It is followed all over the world. In the US the ANSI/ ISA S84 is also derived from IEC 61508. Typical applications where IEC 61508 is applied are Safety Instrumented Systems in process plants, nuclear plants and the like, High Integrity Pressure Protection Systems (HIPPS), Burner Management Systems, Emergency braking systems of trains and so on. Wherever an Electrical /Electronic/ Programmable Electronic Safety Related System exists, IEC 61508 is applicable.
What do we mean by the Safety Life Cycle?
IEC 61508 emphasizes a Life Cycle approach to Safety Related Systems. The Safety Life Cycle, starts from the day the first requirement to build a Safety Related System arises, to the day the entire system is de-commissioned. This means, given the life of a typical process plant (or a passenger train), the life cycle could be very long, like 30 years or so or even 50 years. During this time there could be minor or major modifications, or retrofits.
Sector specific functional safety standards have lifecycles applicable to them. For example, below is the IEC 61511 safety lifecycle applicable to the process industries.
Contact Us by filling the form below OR call us OR email