Safety Integrity Level 3
Three safety integrity levels (SIL) were described in the ANSI/ISA-84.00.01-1996 standard. Revised standard ANSI/ISA 84.00.01-2004 (IEC 61511-1 mod) now includes the higher SIL 4. SILs are a measure of system performance: the higher the number, the better the safety performance, such as lower probability of failure on demand.
Three safety integrity levels (SIL) were described in the ANSI/ISA-84.00.01-1996 standard. Revised standard ANSI/ISA 84.00.01-2004 (IEC 61511-1 mod) now includes the higher SIL 4. SILs are a measure of system performance: the higher the number, the better the safety performance, such as lower probability of failure on demand. What the standard provides is a rational, uniform way to assess and mitigate risks. Properly used, the standard channels spending where it is necessary, allowing savings elsewhere. With this in mind, why use a higher performance safety system if it's not needed?
SIL-3 logic-solver ? SIL-3 system
Many end-users specify 'certified for use in SIL 3' redundant-logic solvers. There are numerous, redundant, programmable logic-solvers—often referred to as 'safety PLCs'—that are certified for use up to SIL 3. However, merely using one of these certified logic solvers does not create a SIL 3 system . A system includes sensors and final elements. Many have implemented redundant logic solvers using non -redundant field devices. The result is probably a SIL 1 system; after all, a chain is only as strong as its weakest link.
Only in very special cases can redundancy be avoided in true, SIL-3 safety systems. With input sensors, the logic solver and the final element (or actuator) will almost certainly need to be redundant in a SIL-3 design. Specifying a SIL 3 logic solver does not yield a SIL 3 system; and if SIL 3 is not needed, why pay the extra cost?
Section 11.4 of the standard states:
'A hardware fault tolerance of '1' means that there are, for example, two devices and the architecture is such that the dangerous failure of one of the two components or subsystems does not prevent the safety action from occurring.'
Rules for how much fault tolerance must be applied to field instruments at any given SIL level are clearly defined within the standard's Section 11.4.1 Note 2, see table and below:
'The minimum hardware fault tolerance has been defined to alleviate potential shortcomings in SIF (safety instrumented function) design that may result due to the number of assumptions made in the design of the SIF, along with uncertainty in the failure rate of components or subsystems used in various process applications.'
In other words, mandating a minimum level of fault tolerance will prevent the use of unrealistically low failure rates. And a short manual test in calculations used to verify the performance of a proposed conceptual design.
The standard describes cases where fault tolerance requirements—defined in the table—may be decreased by one. It also depicts cases where the numbers need to be increased by one.
Fault tolerance requirements can be relaxed where the field instrument is certified as having a particularly low level of dangerous failure modes or where there is detailed information about the hardware, such as failure rates, failure modes, and levels of internal diagnostics. The simplified table was included in IEC 61511 because it was felt most end-users would not have such detailed information and, in many cases, field instruments certified to have low levels of dangerous failure modes are simply not available.
Satisfying these requirements for final elements, typically valves, can be particularly problematic and expensive. An increased safety integrity level has a significant impact on the number of valves required and the installation's complexity to allow proper maintenance and proof testing. Much has been done to improve diagnostics by techniques such as partial stroke testing, but the valve remains a major contributor to failure probability for any 'loop', control or safety.
A true SIL-3 system typically requires triplicate transmitters, a triplicate (two-out-of-three) or 1oo2D (one-out-of-two with diagnostics) logic-solver, and either three valves in series, or dual valves in series incorporating partial stroke testing—or very frequent full stroke testing, which usually is not possible. Adding to SIL-3 systems' higher costs are extra transmitters, valves, and the like. There are also operational considerations such as insurance, availability, maintenance, and so on. Compare this to a typical SIL-2 system, with a less complex logic-solver and single- or dual-transmitters and valves—depending on the type chosen.
When SIL determination techniques are effectively utilized, SIL 3 requirements should be extremely rare. In many cases, it is more effective to redesign the process to be less risky than it is to require a SIL-3 safety system; SIL 2 will often be most applications' highest true requirement.
General-purpose PLCs are only suitable for use in SIL 1 applications. Triplicate—and 1oo2D—SIL-3 approved safety PLCs are over-designed and unnecessarily expensive for SIL 2, in our experience. So, is the sensible resolution a SIL 2 solution?
Specifying a SIL-3 logic box is not the magic key to a safer facility. Merely specifying a certified-for-use in SIL-3 logic-box does not provide a SIL 3 system, nor does it mean the overall design conforms to the requirements of industry standards. Proper determination of safety integrity levels will often result in no more than SIL 2 requirements for most process applications. In such cases, using a safety platform that is similar to, and integrated with, the control platform—yet certified for use in SIL 2—can ease implementation and lower lifecycle costs.
Field-device hardware fault-tolerance requirements
Minimum hardware fault tolerance
See IEC 61508
Other Control Engineering articles on similar topics include:
Paul Gruhn, co-author of this article, is also co-author of the ISA textbook, Safety Shut-down Systems: Design, Analysis and Justification, author of many articles, and the developer of a control and safety system modeling software package. He is a registered professional engineer, a Certified Functional Safety Expert (a TÜV certification), and an ISA Fellow.
SIL 2 safety net
MTL has recently introduced the Matrix SafetyNet, a comprehensive SIL-2 product for safety related applications, including PSD, ESD, and F&G applications. SafetyNet is built on the same platform as the Matrix Process Control System, enabling one platform to address process control and functional safety needs.