Safety integrity level


Safety integrity level (SIL) is defined as the relative level of risk reduction provided by a safety function, and is also used to specify a target level of risk reduction. In simple terms, SIL is a measurement of performance required for a safety instrumented function (SIF).
The requirements for a given SIL are not consistent among all of the functional safety standards. In the functional safety standards based on the IEC 61508 standard, four SILs are defined, with SIL 4 the most dependable and SIL 1 the least. The applicable SIL is determined based on a number of quantitative factors in combination with qualitative factors such as development process and safety life cycle management.

Assignment

Assignment of SIL is an exercise in risk analysis in which the risk associated with a specific hazard that a SIF is intended to protect against is calculated without the beneficial risk reduction effect of the SIF. That unmitigated risk is then compared against a tolerable risk target. If the unmitigated risk is higher than tolerable, the difference between the two must be addressed through risk reduction by the SIF. This amount of required risk reduction is correlated with the SIL target. In essence, each order of magnitude of risk reduction that is required correlates with an increase of one in the required SIL number.
There are several methods used to assign a SIL. These are normally used in combination, and may include:
Of the methods presented above, LOPA is by far the most commonly used by large industrial facilities.
The assignment may be tested using both pragmatic and controllability approaches, applying guidance on SIL assignment published by the UK HSE. SIL assignment processes that use the HSE guidance to ratify assignments developed from Risk Matrices have been certified to meet IEC EN 61508.

Problems

There are several problems inherent in the use of safety integrity levels. These can be summarized as follows:
These lead to such erroneous statements as, "This system is a SIL N system because the process adopted during its development was the standard process for the development of a SIL N system", or use of the SIL concept out of context such as, "This is a SIL 3 heat exchanger" or "This software is SIL 2". According to IEC 61508, the SIL concept must be related to the dangerous failure rate of a system, not just its failure rate or the failure rate of a component part, such as the software. Definition of the dangerous failure modes by safety analysis is intrinsic to the proper determination of the failure rate.
SIL is for electrical controls only and does not relate directly to the caT architecture in EN 62061. It appears to be a precursor to PL ratings that are now the new requirements which encompass hydraulic and pneumatic valves.

Certification

The International Electrotechnical Commission's standard IEC 61508 defines SIL using requirements grouped into two broad categories: hardware safety integrity and systematic safety integrity. A device or system must meet the requirements for both categories to achieve a given SIL.
The SIL requirements for hardware safety integrity are based on a probabilistic analysis of the device. In order to achieve a given SIL, the device must meet targets for the maximum probability of dangerous failure and a minimum safe failure fraction. The concept of 'dangerous failure' must be rigorously defined for the system in question, normally in the form of requirement constraints whose integrity is verified throughout system development. The actual targets required vary depending on the likelihood of a demand, the complexity of the device, and types of redundancy used.
PFD and RRF of low demand operation for different SILs as defined in IEC EN 61508 are as follows:
SIL   PFD               PFD (power of ten)   RRF
1     0.1–0.01          10^-1 – 10^-2        10–100
2     0.01–0.001        10^-2 – 10^-3        100–1000
3     0.001–0.0001      10^-3 – 10^-4        1000–10,000
4     0.0001–0.00001    10^-4 – 10^-5        10,000–100,000

For continuous operation, these change to the following.
SIL   PFH                        PFH (power of ten)   RRF
1     0.00001–0.000001           10^-5 – 10^-6        100,000–1,000,000
2     0.000001–0.0000001         10^-6 – 10^-7        1,000,000–10,000,000
3     0.0000001–0.00000001       10^-7 – 10^-8        10,000,000–100,000,000
4     0.00000001–0.000000001     10^-8 – 10^-9        100,000,000–1,000,000,000
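
The assignment arithmetic described under Assignment, combined with the two tables above, as an added Python example that is not taken from IEC 61508 or any project's code. It goes slightly beyond the text by crediting other protection layers in the LOPA manner; the function names, the scenario figures and the handling of values exactly on a band edge are assumptions.

```python
import math

# SIL bands copied from the two tables above: SIL -> (upper, lower) bound.
# "low_demand" is average PFD; "continuous" is PFH (dangerous failures per hour).
BANDS = {
    "low_demand": {1: (1e-1, 1e-2), 2: (1e-2, 1e-3), 3: (1e-3, 1e-4), 4: (1e-4, 1e-5)},
    "continuous": {1: (1e-5, 1e-6), 2: (1e-6, 1e-7), 3: (1e-7, 1e-8), 4: (1e-8, 1e-9)},
}

def required_rrf(initiating_freq, other_layer_pfds, tolerable_freq):
    """Risk reduction the SIF itself must supply; frequencies are per year.

    LOPA-style arithmetic: the hazard frequency without the SIF is the
    initiating-event frequency times the PFD of each other protection layer.
    """
    if initiating_freq <= 0 or tolerable_freq <= 0:
        raise ValueError("frequencies must be positive")
    return initiating_freq * math.prod(other_layer_pfds) / tolerable_freq

def sil_target(rrf):
    """Low-demand SIL whose RRF band covers the required risk reduction.

    Returns 0 when less than one order of magnitude is needed. Treating an
    RRF exactly on a band edge as the lower SIL is an assumption of this sketch.
    """
    if rrf <= 10:
        return 0
    for sil in (1, 2, 3, 4):
        if rrf <= 10 ** (sil + 1):
            return sil
    raise ValueError("required RRF exceeds the SIL 4 band; reduce risk elsewhere")

def achieved_sil(value, mode="low_demand"):
    """SIL band that a calculated PFD or PFH falls into (0 = worse than SIL 1)."""
    for sil, (upper, lower) in BANDS[mode].items():
        if lower <= value < upper:
            return sil
    return 4 if value < BANDS[mode][4][1] else 0

def check_sif(initiating_freq, other_layer_pfds, tolerable_freq, sif_pfd):
    """Compare a SIF's calculated PFD with the target for one hazard scenario."""
    rrf = required_rrf(initiating_freq, other_layer_pfds, tolerable_freq)
    return {
        "target_sil": sil_target(rrf),
        "required_pfd": 1 / rrf,
        "band_of_sif": achieved_sil(sif_pfd),
        # Being inside the right band is not enough: the PFD must reach 1/RRF.
        "meets_target": sif_pfd <= 1 / rrf,
    }

# Constructed scenario: 0.1 events/yr, one other layer with PFD 0.1,
# tolerable frequency 2e-5 /yr, SIF calculated at PFD 0.005.
RESULT = check_sif(0.1, [0.1], 2e-5, 0.005)
```

In the constructed scenario the SIF sits in the SIL 2 band yet misses the required PFD of 0.002, so a band label alone does not show that the risk target is met. The check covers only the probabilistic hardware target; the systematic safety integrity requirements apply separately.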

Hazards of a control system must be identified and then analysed through risk analysis. Mitigation of these risks continues until their overall contribution to the hazard is considered acceptable. The tolerable level of these risks is specified as a safety requirement in the form of a target 'probability of a dangerous failure' in a given period of time, stated as a discrete SIL.
Certification schemes are used to establish whether a device meets a particular SIL. The requirements of these schemes can be met either by establishing a rigorous development process, or by establishing that the device has sufficient operating history to argue that it has been proven in use.
Electric and electronic devices can be certified for use in functional safety applications according to IEC 61508, providing application developers show the evidence required to demonstrate that the application including the device is also compliant. IEC 61511 is an application-specific adaptation of IEC 61508 for the Process Industry sector. This standard is used in the petrochemical and hazardous chemical industries, among others.

Safety standards

The following standards use SIL as a measure of reliability and/or risk reduction.
The use of a SIL in specific safety standards may apply different number sequences or definitions to those in IEC EN 61508.
