1Honeywell - NL

Dr. Bert Knegtering

9th International Symposium Functional Safety in Industrial Application

Ten good reasons to go for SIL 3 certification

for Fire & Gas applications

Dr. Bert Knegtering

Honeywell Safety Solutions

The Netherlands

2Honeywell - NL

Dr. Bert Knegtering

What’s the problem?

� Process installations

� Aging

� Legislation

� Complexity

� Performance

� Cost

� Maintenance

� Testing

� Production capacity

� Society / community

� Insurance

3Honeywell - NL

Dr. Bert Knegtering

Reason # 1

� State of the art

� all major manufacturers of safety-PLC

systems today offer SIL 3 certified solutions. That is state of the art so to

say. As these systems are responsible for safety of numerous people and

protection of the facility, one should not

debate the application of ‘degraded’equipment for such a critical and central

control unit (if something goes wrong, can you square this with your own

conscience?)

4Honeywell - NL

Dr. Bert Knegtering

Reason # 2

� Reducing spurious trips

� In order to achieve a high integrity level (SIL 3), often a

combination of fault-tolerance with automatic self-testing (diagnostics) is implemented. This is not only improving

(lowering) the probability of failure on demand, but also reducing the probability of having spurious trips.

5Honeywell - NL

Dr. Bert Knegtering

Reason # 3

� Increasing risks due to aging

� As these systems are expected to run

for decades, it is difficult to judge today what the situation will be e.g. after 10 or

20 years of operation, with installations and equipment getting older. This may

lead to higher risks, which require higher

safety integrity protection

6Honeywell - NL

Dr. Bert Knegtering

Reason # 4

� Additional SIFs in future

� Considering the number of changes that are implemented over

time, it may happen that ‘today’ SIL 2 matches the requirements, whereas in future additional safety functions

might be implemented which do have to meet SIL 3. As such, anticipating on such changes it is logical to take this into

account by implementing a logic solver which is having some

margin in this respect, i.e. which is able to comply with SIL 3 .

SAFETY INSTRUMENTED FUNCTIONSAFETY INSTRUMENTED FUNCTION

Logic Solver(PLC)

Temperaturetransmitter

Temperaturetransmitter

Level switch

Flowtransmitter

Shut-offvalve

Solenoid

Globevalve

Solenoid

MCC

7Honeywell - NL

Dr. Bert Knegtering

Reason # 5

� Reducing other risk reduction measures

� As it often happens that in addition to the SIS, also other risk

reduction measures are defined, it sometimes may happen that with a SIL 3 certified system, the need for these other measures

is reduced or even not needed anymore at all.

Partial risk covered

by external risk reduction facilities

Partial risk covered

by other technologysafety-related systems

Residualrisk

Residual

riskEUC riskEUC risk

Necessary risk reduction Increasing

riskRisk covered

by E/E/PEsafety-related systems

Tolerable riskTolerable risk

8Honeywell - NL

Dr. Bert Knegtering

Reason # 6

� Anticipating on long term trends wrt. acceptable safety levels

� Over time, authorities and inspection bodies tend to strengthen

their vision on safety of people but also protection of the environment. This is being observed for the last 30 to 40 years.

Anticipating on these long term trends help by specifying SIL 3 for the safety-PLC.

9Honeywell - NL

Dr. Bert Knegtering

Reason # 7

� Price / performance ratio

� A SIL 3 certified system in general offers a 10 times higher

performance compared to SIL 2, whereas price wise, on average around one-fifth higher system prices apply .

10Honeywell - NL

Dr. Bert Knegtering

Reason # 8

� Small PFDavg consumption ~ more space for field devices

� With a SIL 3 compliant safety-PLC, an accompanying much

lower Probability of Failure on Demand (PFD), is achieved. This gives additional room for all implemented SIF when it

comes to the allowed PFD for the attached field devices. In general it is observed that 10 to 15% additional margin is

created with a SIL 3 selected logic solver.

1

0time t

PFD(t)

Average PFD

TI (Test Interval)

11Honeywell - NL

Dr. Bert Knegtering

Reason # 9

� Less systematic problems

� The difference between SIL 2 and SIL3 means much more than

PFD. Particularly, when potential systematic failures are considered, it is clearly the point that the probability of having

such failures in case of a SIL 3 compliant system is significantly less than for SIL 2.

12Honeywell - NL

Dr. Bert Knegtering

Reason # 10

� less need for off-line proof-testing

� Due to a high level of Diagnostic Coverage as required for SIL

3, less need for off-line proof-testing is required. In fact, some safety PLC systems do not have to be tested off-line at all.

These systems might be in operation for over 20 years without any need for additional testing .

13Honeywell - NL

Dr. Bert Knegtering

Conclusion

� CapEx � SIL 2 perhaps cheaper

� CapEx + OpEx � State of the art SIL 3 !!

�SIL 3 certified Safety Logic Solver