Safety Systems

Functional Safety and SIL

Introduction to Functional Safety

Whenever something is being built (be it equipment or plant) that may introduce a hazard to people, safety standards or even legislation will probably be involved! If any reasonably foreseeable action or inaction leads to hazards with an intolerable risk arising from the equipment or plant, then safety functions are necessary to achieve or maintain a safe mode of operation. These safety functions are carried out by one or more safety-related systems. Initially, significant consideration should be given to the elimination of the hazards. This could be, for example, by the application of inherent safety principles or the application of good engineering practice. It is likely however that in many cases this will not be possible (or cost will be prohibitive) and some residual risk will remain. It is at this stage that we must analyse the risk and take appropriate action. One of the more common forms of appropriate action (and a defined and published methodology) is the application of functional safety and safety integrity levels.

What is Functional Safety

There are two distinct aspects to functional safety: the ‘safety function’ requirement (what the safety function is) and the ‘safety integrity’ requirement (the likelihood of the safety function performing correctly when called upon to do so). The safety function requirements are derived from the ‘hazard analyses’ (e.g. Process Hazard Analysis, Failure Mode Analysis) and the safety integrity requirements are derived from a ‘risk assessment’ (e.g. Consequence Analysis). In order to ensure that safety is achieved, both hazard analysis and risk assessment are necessary. The hazard analysis identifies the hazards associated with the process or operation; the risk assessment determines the performance requirements of the safety function. The aim is to ensure that the safety integrity of the safety function is sufficient to lower the risk associated with the hazardous event to a level considered to be acceptable.

To reinforce the definitions given, we will consider a machine tool containing a guillotine blade, which is protected by a sliding guard to prevent access to the shearing element of the blade. The guillotine blade is accessed for routine maintenance by sliding the guard open. The guard is interlocked so that whenever it is opened an electrical circuit de-energises the machine tool. Therefore, the operation of the guillotine blade is stopped before the operator can access it and the possibility of shearing injury is prevented. In order to ensure that safety is achieved, both hazard analysis and risk assessment are necessary.

a) The hazard analysis identifies the hazard associated with the routine maintenance of the guillotine blade. For this machine tool it might show that it should not be possible to open the guard without the machine tool being de-energised. This describes the safety function.
b) The risk assessment determines the performance requirements of the safety function. The aim is to ensure that the safety integrity of the safety function is sufficient to ensure that no one is exposed to an unacceptable risk associated with this hazardous event.

The harm resulting from a failure of the safety function could be shearing amputation of parts of the operator’s limbs. The risk also depends on how frequently the guard has to be opened. The level of safety integrity required increases with the severity of injury and the frequency of exposure (how often the guard is opened) to the hazard.

Functional Safety & SIL

Process and Machinery safety is often achieved by the use of Safety Instrumented Systems (SIS) to provide safe control functions for processes; this would include functions such as emergency shutdown, gas or fire detection, explosion mitigation and dangerous level/pressure control.

Safety Instrumented Systems are typically composed of some form of sensors (e.g. motion, pressure, temperature etc.), analyzers/processors (e.g. relay logic, PLC) and control elements (e.g. actuation, alarm). The integrity of each of these elements is collated to produce a ‘system’ safety integrity level, so the individual potential failure rate and mode of each part must be known to gauge the integrity of the system.

Example Safety Integrity Level related to Probability of Failure on Demand

SIL    PFD               Risk Reduction Factor (1/PFD)
4      10^-5 to 10^-4    100,000 to 10,000
3      10^-4 to 10^-3    10,000 to 1,000
2      10^-3 to 10^-2    1,000 to 100
1      10^-2 to 10^-1    100 to 10

A Safety Integrity Level (SIL) is a simple numerical representation of the reliability of Safety Instrumented Systems (SIS), correlated to the probability of failure on demand (PFD). The PFD is expressed as the unavailability of a system at the time of a defined unwanted event, such as a process failure that could potentially injure people.
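How the element figures are collated into a loop PFD and mapped onto the table above, as an added example that is not part of the original page. It assumes single-channel elements in series and the common simplified approximation PFDavg = lambda_DU x proof-test interval / 2; the element names and failure rates are constructed sample values.

```python
from dataclasses import dataclass

HOURS_PER_YEAR = 8760

# SIL bands from the table above: (SIL, lower PFD bound inclusive, upper bound exclusive)
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


@dataclass
class Element:
    name: str
    lambda_du: float         # dangerous undetected failures per hour (assumed input)
    proof_test_years: float  # interval between proof tests

    def pfd_avg(self) -> float:
        # Assumed simplified single-channel approximation: lambda_DU * TI / 2
        return self.lambda_du * self.proof_test_years * HOURS_PER_YEAR / 2


def sil_for_pfd(pfd: float) -> int:
    """Return the SIL band containing pfd; 0 means it does not reach SIL 1."""
    if pfd < 1e-5:
        return 4  # better than the SIL 4 band; SIL 4 is the highest level in the table
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return 0


def assess_loop(elements):
    # Elements in series: a dangerous failure of any one defeats the safety
    # function, so for small values the element PFDs add.
    per_element = {e.name: e.pfd_avg() for e in elements}
    total = sum(per_element.values())
    return {"per_element": per_element, "pfd": total,
            "rrf": 1 / total, "sil": sil_for_pfd(total)}


# Constructed sample loop: sensor, logic solver and final element, proof-tested yearly
LOOP = [
    Element("pressure transmitter", 2.0e-7, 1.0),
    Element("logic solver (PLC)", 5.0e-8, 1.0),
    Element("shutdown valve", 1.5e-6, 1.0),
]

if __name__ == "__main__":
    result = assess_loop(LOOP)
    for name, pfd in result["per_element"].items():
        print(f"{name:22s} PFDavg={pfd:.2e}  band=SIL {sil_for_pfd(pfd)}")
    print(f"loop PFD={result['pfd']:.2e}  RRF={result['rrf']:.0f}  SIL {result['sil']}")
```

With these sample values the transmitter and logic solver each fall in the SIL 3 band on their own, but the valve dominates the sum and the loop as a whole only reaches SIL 2.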

Example Safety Integrity Level related to probable injury levels

SIL    Qualitative Terms
4      Potential for fatalities in the community or large scale on site facilities
3      Potential for multiple fatalities
2      Potential for major on site injuries or single fatality
1      Potential for minor on site injuries

The level of SIL required for a system will be determined by analyzing the frequency of the event, the likelihood of detecting or avoiding the event and the consequence of the event. SIL therefore defines the level of protection required to lower the risk of an undesirable event to an acceptable level.

Applying the IEC 61508 for SIL and Functional Safety

The IEC 61508 series of Standards works under the common title of ‘Functional safety of electrical/electronic/programmable electronic safety-related systems’ and consists of the following parts:

Part 0: Functional safety and IEC 61508

Part 1: General requirements

Part 2: Requirements for E/E/PES safety-related systems

Part 3: Software requirements

Part 4: Definitions and abbreviations

Part 5: Examples of methods for the determination of safety integrity levels

Part 6: Guidelines on the application of IEC 61508

Part 7: Overview of measures and techniques for Functional Safety

There is a great deal of information contained within these standards (approaching 1000 pages) and it may seem a daunting task to approach and understand SIL via the Standards. If you are new to the Standards (and/or the subject of SIL), it is recommended that you begin by reading the following sections.

Understanding of Functional Safety

Annex A of IEC 61508-5, which covers risk concepts and safety integrity in a simplified form

Figure 2 and Table 1 of IEC 61508-1, which illustrate the overall safety lifecycle and list the objectives of each lifecycle phase. The lifecycle and phase objectives provide a key to understanding the requirements of Clause 7 of IEC 61508-1.

Annex A of IEC 61508-6, which gives an overview of the requirements in IEC 61508-2 and IEC 61508-3.

Clauses 6 and 8 of IEC 61508-1, which contain requirements relating to management of functional safety and functional safety assessment.

Figure 2 and Table 1 of IEC 61508-2 and Figure 3 and Table 1 of IEC 61508-3, which provide a key to understanding the requirements of IEC 61508-2 and IEC 61508-3.

If you are about to undertake your first functional safety or SIL assessment and do not have experience in this area, it is highly desirable to undertake training in this field and/or partner with a company that has such experience.

ExVeritas Functional Safety Analysis to Component Level