Safety Systems

Functional Safety and SIL

Introduction to Functional Safety

Whenever something is being built (be it equipment or plant) that may introduce a hazard to people, safety standards or even legislation will probably be involved! If any reasonably foreseeable action or inaction leads to hazards with an intolerable risk arising from the equipment or plant, then safety functions are necessary to achieve or maintain a safe mode of operation. These safety functions are carried out by one or more safety-related systems. Initially, significant consideration should be given to the elimination of the hazards. This could be, for example, by the application of inherent safety principles or the application of good engineering practice. It is likely however that in many cases this will not be possible (or cost will be prohibitive) and some residual risk will remain. It is at this stage that we must analyse the risk and take appropriate action. One of the more common forms of appropriate action (and a defined and published methodology) is the application of functional safety and safety integrity levels.

What is Functional Safety

There are two distinct aspects to functional safety: the ‘safety function’ requirement (what the safety function is) and the ‘safety integrity’ requirement (the likelihood of the safety function performing correctly when called upon to do so). The safety function requirements are derived from the ‘hazard analyses’ (e.g. Process Hazard Analysis, Failure Mode Analysis) and the safety integrity requirements are derived from a ‘risk assessment’ (e.g. Consequence Analysis). In order to ensure that safety is achieved, both hazard analysis and risk assessment are necessary. The hazard analysis identifies the hazards associated with the process or operation; the risk assessment determines the performance requirements of the safety function. The aim is to ensure that the safety integrity of the safety function is sufficient to lower the risk associated with the hazardous event to a level considered to be acceptable.

To reinforce the definitions given, we will consider a machine tool containing a guillotine blade, which is protected by a sliding guard to prevent access to the shearing element of the blade. The guillotine blade is accessed for routine maintenance by sliding the guard open. The guard is interlocked so that whenever it is opened an electrical circuit de-energises the machine tool. Therefore, the operation of the guillotine blade is stopped before the operator can access it and the possibility of shearing injury is prevented. In order to ensure that safety is achieved, both hazard analysis and risk assessment are necessary.

a) The hazard analysis identifies the hazard associated with the routine maintenance of the guillotine blade. For this machine tool it might show that it should not be possible to open the guard without the machine tool being de-energised. This describes the safety function.

b) The risk assessment determines the performance requirements of the safety function. The aim is to ensure that the safety integrity of the safety function is sufficient to ensure that no one is exposed to an unacceptable risk associated with this hazardous event. The harm resulting from a failure of the safety function could be shearing amputation of parts of the operator’s limbs. The risk also depends on how frequently the guard has to be opened. The level of safety integrity required increases with the severity of injury and the frequency of exposure (how often the guard is opened) to the hazard.

Process and machinery safety is often achieved by the use of Safety Instrumented Systems (SIS) to provide safe control functions for processes; this would include functions such as emergency shutdown, gas or fire detection, explosion mitigation and dangerous level/pressure control. Safety Instrumented Systems are typically composed of some form of sensors (e.g. motion, pressure, temperature etc.), analysers/processors (e.g. relay logic, PLC) and control elements (e.g. actuation, alarm). The integrity of each of these elements is collated to produce a ‘system’ safety integrity level, so the individual potential failure rate and failure mode of each part must be known to gauge the integrity of the system.

Example: Safety Integrity Level related to Probability of Failure on Demand (Functional Safety)

SIL   PFD (average probability of failure on demand)   Risk Reduction Factor (1/PFD)
4     10^-5 to 10^-4                                    100,000 to 10,000
3     10^-4 to 10^-3                                    10,000 to 1,000
2     10^-3 to 10^-2                                    1,000 to 100
1     10^-2 to 10^-1                                    100 to 10

A Safety Integrity Level (SIL) is a simple numerical representation of the reliability of a Safety Instrumented System (SIS), correlated to its probability of failure on demand (PFD). PFD is expressed as the unavailability of the system at the time of a defined unwanted event, such as a process failure that could potentially injure people.
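The following worked example is added here and is not part of the original article. It shows how the per-element integrity described above (sensor, logic solver, final element) is collated into a system PFD and then read against the SIL table. It assumes each element is a single channel with a dangerous undetected failure rate lambda_DU and a proof-test interval TI, and uses the simplified approximation PFDavg ≈ lambda_DU × TI / 2 (a common IEC 61508 simplification, not stated on this page); the failure-rate figures are constructed sample values, not data for any real device.

```python
"""Added example: collating element PFDs into a system PFD and SIL band.

Assumptions (not stated on the page):
- each element is a single channel (1oo1) with a dangerous undetected
  failure rate lambda_DU (per hour) and a proof-test interval TI (hours);
- the simplified approximation PFDavg ~= lambda_DU * TI / 2 is used;
- the figures below are constructed sample values, not real device data.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# SIL bands from the article's table: (lower PFD bound inclusive, upper bound exclusive).
SIL_BANDS = {
    4: (1e-5, 1e-4),
    3: (1e-4, 1e-3),
    2: (1e-3, 1e-2),
    1: (1e-2, 1e-1),
}


@dataclass
class Element:
    """One element of the SIS, e.g. a sensor, logic solver or valve."""
    name: str
    lambda_du: float              # dangerous undetected failures per hour (constructed)
    proof_test_interval_h: float  # hours between proof tests (constructed)

    def pfd_avg(self) -> float:
        # Simplified 1oo1 approximation: the element is, on average,
        # unavailable for half the proof-test interval after a dangerous
        # undetected failure.
        return self.lambda_du * self.proof_test_interval_h / 2.0


def system_pfd(elements: Iterable[Element]) -> float:
    """Sensor, logic solver and final element act in series for the safety
    function: any one failing dangerously defeats it, so for small PFDs the
    system PFD is approximately the sum of the element PFDs."""
    return sum(e.pfd_avg() for e in elements)


def risk_reduction_factor(pfd: float) -> float:
    """RRF = 1 / PFD, as in the table's right-hand column."""
    return 1.0 / pfd


def sil_for_pfd(pfd: float) -> Optional[int]:
    """Return the SIL band the PFD falls in, or None if outside SIL 1-4."""
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= pfd < hi:
            return sil
    return None


# Constructed sample SIS: pressure transmitter -> logic solver -> shutdown valve,
# all proof-tested once a year (8760 h).
SAMPLE_SIS = [
    Element("pressure transmitter", lambda_du=2e-7, proof_test_interval_h=8760),
    Element("logic solver",         lambda_du=1e-8, proof_test_interval_h=8760),
    Element("shutdown valve",       lambda_du=1e-6, proof_test_interval_h=8760),
]


if __name__ == "__main__":
    for e in SAMPLE_SIS:
        print(f"{e.name:22s} PFDavg = {e.pfd_avg():.2e}")
    total = system_pfd(SAMPLE_SIS)
    print(f"system PFDavg = {total:.2e}, RRF = {risk_reduction_factor(total):.0f}, "
          f"SIL {sil_for_pfd(total)}")
```

With these constructed figures the shutdown valve contributes over 80% of the system PFD, which is the practical point of collating element integrities: the weakest element, not the logic solver, decides the achievable SIL, and shortening its proof-test interval is the first lever for improving it.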