Developments in SIL determination and calculation
Introduction
IEC 61508 [1] and IEC 61511 [2] are the standards used to measure the SIL of a SIS in related industries such as oil, gas, chemicals and electricity [3]. SIL is a concept introduced during the development of IEC 61508 [1]; it is a measure of the confidence with which a system can be expected to perform its safety function. SIL is the measure that indicates the importance of a Safety Instrumented Function (SIF), as described in IEC 61508-6 [4].
Fig. 1 shows the block diagram of SIS subsystems and Fig. 2 shows an example of a SIS, which generally consists of three subsystems: sensor, logic solver and final element. The sensor subsystem detects the onset of possible hazardous situations, the logic solver subsystem decides what to do by evaluating the information from the sensor subsystem, and the final element subsystem takes action through control valves, safety valves, circuit breakers, among others.
A SIF is designed to respond to a specific hazardous event and implements an action. Demand mode SIFs bring the Equipment under Control (EUC) into a safe state when a demand occurs, while continuous mode SIFs 'maintain' the plant in a safe state. Each SIF is assigned a SIL according to the level of risk reduction that is required from that function.
The SIL has a discrete four-level scale, where SIL 1 is the minimum safety requirement and SIL 4 is the most stringent. These levels are used to specify the safety integrity requirements for the safety functions performed by safety systems. The target SIL indicates how significant the safety requirements are for each SIF. The actual calculated SIL indicates how reliably a SIF performs its safety function. There are three different approaches to SIL determination [5], namely qualitative, quantitative and semi-quantitative. Several methods under each of these approaches can be used, each with its own advantages and disadvantages.
Functional safety refers to a SIS that implements a SIF. SIL targets must first be determined, and later verified. SISs are widely used in the process industry to protect humans, the environment, and material assets against hazardous events, such as an explosion due to high pressure or product spillage due to high tank level.
The SIS must fulfil certain safety requirements to provide a specified level of risk reduction. Many standards and guidelines have been developed, which define the SIF requirements and how the SIL should be determined and its requirements should be fulfilled. Some examples are:
- IEC 62061 (Safety of machinery—functional safety of safety-related electrical, electronic and programmable electronic control systems, based on EN 61508),
- ISO 13849-1 (Safety of machinery—safety-related parts of control systems. Non-technology dependent standard for control system safety of machinery),
- EN 50129 (Railway industry specific/system safety in electronic systems),
- EN 50495 (Safety devices related to explosion risks), NASA Safety Critical Guidelines,
- EUROCAE ED-12B European Airborne Flight Safety Systems.
IEC 61508 [1] is the most common of these standards; it is a generic standard specifying the functional safety requirements of a SIS. IEC 61508 [1] also serves as the overarching standard for the development of industry-specific safety standards such as IEC 61511 [2] for the process industry and IEC 62061 [6], [7] for machinery systems. SISs have been used for many years to perform SIFs in the process industries. If a SIS is to be used effectively for a SIF, it is essential that the SIS achieves certain minimum standards and performance levels. The IEC 61511 [2] standard addresses the application of a SIS in the process industries. It also requires a process hazard and risk assessment to be carried out so that the specification for a SIS can be derived.
Functional safety objectives can be implemented by Integrated Control and Safety Systems (ICSS), which are usually operating in a computer network using wired and/or wireless communication technologies. Risk managers may use a SIF together with several other risk reduction measures to control risk exposure. The target level of risk reduction for each SIF is determined to ensure that the overall risk to personnel is as low as reasonably practicable.
This paper presents a review of SIL determination and verification methods. SIL determination is the front-end engineering activity that sets the target SIL for each SIF, while SIL verification is the process of checking whether the target SIL can be achieved using the preferred methods. There are several calculation techniques described in the IEC 61508-7 [1] standard to verify the SIL of systems comprised of programmable electronic and automation components. It has been noted that the application of each of these methods might be cumbersome, depending on the approach that the analyst takes.
This paper is organised as follows: Section 2 discusses various SIL approaches, and reviews the key features of two key standards, which can be used to determine the SIL of a SIF in related industries. Section 3 presents research on SIL determination methods for selecting the required SIL for a SIF. Section 4 deals with the process of SIL calculation which is a critical part of the overall SIL verification process. Section 5 compares different SIL determination and calculation methods. Section 6 concludes the paper.
Section snippets
SIL approaches
IEC 61508 [8] is the generic approach for all safety lifecycle activities for systems comprised of Electrical and/or Electronic and/or Programmable Electronic Systems (E/E/PESs) that are designed to perform safety functions. This integrated approach has been utilised such that a rational and consistent technical policy can be developed for all electrically-based safety-related systems. The overall safety lifecycle of IEC 61508 [1] is shown in Fig. 3 [1]. IEC 61508 [8] has the following
Selective target SIL determination methods
SIL determination refers to selecting the required SIL for a SIF. It follows the risk assessment in which the required SIFs are defined. Qualitative and quantitative techniques can be used to evaluate the risk associated with a process. Risk assessment scores can be determined by multiplying the scores for the probability and severity values together, based on Eq. (1) [9], [10], where:
- R is the risk with no safety-related systems in place,
- P is the probability of occurrence, which includes the exposure
Techniques in SIL calculation
SIL verification plays a critical role in reliability assessment. After the target SIL has been determined, SIL verification must take place. One of the necessary procedures of the overall safety lifecycle is the SIL calculation, which verifies whether the PFDavg of the designed safety-related system meets the required failure measure. The SIL of a safety-related system can be calculated reliably by the quantitative analysis techniques given in IEC 61508-6 [4] or ISA-TR84.00.02 [29]. They are both
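The following is an added worked example, not code from the paper or from any of the standards it reviews. It demonstrates the SIL calculation step described above: a simplified PFDavg is computed for each SIS subsystem (sensor, logic solver, final element) as a KooN voted group using the common approximation PFDavg ≈ C(N, N−K+1)·(λDU·τ)^(N−K+1)/(N−K+2) + β·λDU·τ/2 (an assumption here; IEC 61508-6 and ISA-TR84.00.02 give fuller equations that also account for proof-test coverage, repair time and diagnostics), the subsystem values are summed because the SIF is lost if any subsystem fails, and the result is mapped to the IEC 61508 low-demand PFDavg bands and compared against the target SIL. All failure rates, test intervals and β values are constructed sample inputs, not data from the page.

```python
from math import comb

# IEC 61508 low-demand mode PFDavg bands: (SIL, lower bound inclusive, upper bound exclusive)
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def pfd_avg_koon(k, n, lambda_du, tau, beta=0.0):
    """Simplified PFDavg of a K-out-of-N voted group (assumed approximation).

    lambda_du : dangerous undetected failure rate per channel (per hour)
    tau       : proof-test interval (hours)
    beta      : common-cause (beta-factor) fraction of lambda_du
    """
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    if n == 1:
        return lambda_du * tau / 2          # single channel: lambda_DU * tau / 2
    m = n - k + 1                            # dangerous failures needed to lose the function
    lam_ind = (1 - beta) * lambda_du         # independent part of the failure rate
    independent = comb(n, m) * (lam_ind * tau) ** m / (m + 1)
    common_cause = beta * lambda_du * tau / 2  # CCF behaves like a 1oo1 channel
    return independent + common_cause


def sil_from_pfd(pfd):
    """Map a PFDavg value to its SIL band; 0 means outside SIL 1..4."""
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 0


def verify_sif(subsystems, target_sil):
    """Sum subsystem PFDavg values (series structure) and check the achieved SIL.

    subsystems : list of dicts with keys k, n, lambda_du, tau, beta
    returns (total_pfd, achieved_sil, meets_target)
    """
    total = sum(pfd_avg_koon(**s) for s in subsystems)
    achieved = sil_from_pfd(total)
    return total, achieved, achieved >= target_sil


# Constructed sample SIF: 2oo3 transmitters, 1oo2 logic solver, single shutdown valve.
SIF_AS_DESIGNED = [
    {"k": 2, "n": 3, "lambda_du": 1e-6, "tau": 8760, "beta": 0.1},
    {"k": 1, "n": 2, "lambda_du": 1e-7, "tau": 8760, "beta": 0.02},
    {"k": 1, "n": 1, "lambda_du": 5e-6, "tau": 8760, "beta": 0.0},
]
# Same SIF with the final element upgraded to a 1oo2 redundant valve arrangement.
SIF_REDUNDANT_VALVE = SIF_AS_DESIGNED[:2] + [
    {"k": 1, "n": 2, "lambda_du": 5e-6, "tau": 8760, "beta": 0.1},
]

if __name__ == "__main__":
    for name, sif in (("as designed", SIF_AS_DESIGNED), ("redundant valve", SIF_REDUNDANT_VALVE)):
        total, sil, ok = verify_sif(sif, target_sil=2)
        print(f"{name:16s} PFDavg={total:.2e}  achieved SIL {sil}  target SIL 2 met: {ok}")
```

Running the block shows the point a verifier usually meets in practice: the single final element dominates the PFDavg and pulls the whole SIF down to SIL 1 even though the sensor and logic solver subsystems individually sit in the SIL 3 band, and only the redundant final element brings the SIF to its SIL 2 target. A real verification against IEC 61508 would additionally check the architectural constraints (hardware fault tolerance and safe failure fraction) and systematic capability, which this arithmetic does not cover.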
Evaluation of SIL determination methods
The risk graph method has the advantage of being less complex and more cost-effective as analysts need to consider only the four risk parameters, namely: C, consequence of the hazardous event; F, frequency of, and exposure time in, the hazardous zone; P, possibility of failing to avoid the hazardous event; and W, probability of the unwanted occurrence, to determine SIL [1]. Due to its qualitative nature, it is not as accurate as the quantitative method. The FRGM [13] has more advantages when
Discussion and conclusion
This paper has presented the FRGM as a funnel technique to assess lower SIL ratings and has reviewed and compared other SIL determination techniques against the FRGM using well-defined criteria. The study has primarily compared the advantages and disadvantages of the reviewed methods from the perspectives of complexity, accuracy and cost-effectiveness. The authors have also reviewed and compared various selected SIL calculation methodologies using similar criteria. Past experiences of
References (66)
- et al. Common cause failures in safety instrumented systems on oil and gas installations: implementing defense measures through function testing. J Loss Prev Process Ind (2007).
- Using risk tolerance criteria to determine safety integrity levels for safety instrumented functions. J Loss Prev Process Ind (2012).
- Viewpoint on ISA TR84.0.02 — simplified methods and fault tree analysis. ISA Trans (2000).
- et al. An evaluation approach using a HARA and FMEDA for the hardware SIL. J Loss Prev Process Ind (2013).
- On the use of LOPA and risk graphs for SIL determination. J Loss Prev Process Ind (2016).
- et al. Uncertainty analysis for target SIL determination in the offshore industry. J Loss Prev Process Ind (2015).
- Overcoming challenges in using layers of protection analysis (LOPA) to determine safety integrity levels (SILs). J Loss Prev Process Ind (2017).
- et al. Some considerations on the treatment of uncertainties in risk assessment for practical decision making. Reliab Eng Syst Saf (2011).
- et al. A cascaded fuzzy-LOPA risk assessment model applied in natural gas industry. J Loss Prev Process Ind (2012).
- et al. Modified risk graph method using fuzzy rule-based approach. J Hazard Mater (2009).
- A simplified Markov-based approach for safety integrity level verification. J Loss Prev Process Ind.
- Expanding the applicability of ISA TR84.02 in the field. ISA Trans.
- 3-Parameters SPW technique: a new method for evaluation of target safety integrity level. J Loss Prev Process Ind.
- A multiphase dynamic Bayesian networks methodology for the determination of safety integrity levels. Reliab Eng Syst Saf.
- SIL determination as a utility-based decision process. Process Saf Environ Prot.
- Optimization, a rational approach to SIL determination. Process Saf Environ Prot.
- Performance-based standards: safety instrumented functions and safety integrity levels. J Hazard Mater.
- Switching Markov chains for a holistic modeling of SIS unavailability. Reliab Eng Syst Saf.
- Combination of safety integrity levels (SILs): A study of IEC61508 merging rules. J Loss Prev Process Ind.
- Reliability assessment of safety instrumented systems subject to different demand modes. J Loss Prev Process Ind.
- Generalizing PFD formulas of IEC 61508 for KooN configurations. ISA Trans.
- Availability of systems with self-diagnostic components—applying Markov model to IEC 61508-6. Reliab Eng Syst Saf.
- Modeling safety instrumented systems with MooN voting architectures addressing system reconfiguration for testing. Reliab Eng Syst Saf.
- Reliability of safety-instrumented systems subject to partial testing and common-cause failures. Reliab Eng Syst Saf.
- Unavailability equations for K-out-of-N systems. Reliab Eng Syst Saf.
- A novel method for SIL verification based on system degradation using reliability block diagram. Reliab Eng Syst Saf.
- A reliability model for safety instrumented system. Saf Sci.
- Probabilistic assessments in relationship with safety integrity levels by using fault trees. Reliab Eng Syst Saf.
- Generalized analytical expressions for safety instrumented systems' performance measures: PFDavg and PFH. J Loss Prev Process Ind.
- Safety and operational integrity evaluation and design optimization of safety instrumented systems. Reliab Eng Syst Saf.
- Automatic creation of Markov models for reliability assessment of safety instrumented systems. Reliab Eng Syst Saf.
- Reliability performance of safety instrumented systems: a common approach for both low- and high-demand mode of operation. Reliab Eng Syst Saf.
- Hybrid reliability model for nuclear reactor safety system. Reliab Eng Syst Saf.
Angelito ‘Allan’ Gabriel received the Instrumentation Technology degree from the Don Bosco Technical College, B.S. degree in computer engineering from the ICS, Pennsylvania, USA, the B.S. degree in Mechanical Engineering from the Polytechnic University of the Philippines and the M.B.A. degree (Honours with distinction) from the Ateneo Graduate Schools of Business, Philippines, in 2003. He is now pursuing the Ph.D. degree at Victoria University, Australia and University of Western Australia. His research interests include control systems, safety instrumented systems, cyber security and process control networks. He is a fellow and a Chartered Professional Engineer of the Institution of Engineers Australia, TUV Functional Safety Engineer from Rheinland, Germany, IEEE member and a Senior Member of ISA.
Cagil Ozansoy received his Bachelor of Engineering degree in Electrical and Electronic Engineering (Honours) and the Ph.D. research degree in power system communications from Victoria University, Melbourne, Australia, in 2002 and 2006, respectively. He is now working as a Senior Lecturer and Researcher in the College of Engineering and Science, Victoria University. His major teaching and research focus is in power systems protection and communications, and distributed generation. He has over 50 publications detailing his work and contributions to knowledge.
Juan Shi received the Bachelor of Engineering (Honours) in Electrical Engineering from Northeastern University, China in 1988 and PhD degree in Electrical Engineering from Victoria University (VU), Melbourne, Australia, in 1995. Dr Shi received the Graduate Certificate in Tertiary Education from VU in 2003. She joined VU as a Lecturer in 1994, where she is currently an Associate Professor in the College of Engineering and Science. Her current research interests include automatic control and applications, power system stability, intelligent control and applications to smart energy, systems identification, and engineering education.