Safety Integrity Level
From Wikipedia, the free encyclopedia
Safety Integrity Level (SIL) is a relative level of risk reduction provided by a safety function, or a target level of risk reduction that a safety function must provide. In simple terms, SIL is a measure of the performance required of a Safety Instrumented Function (SIF).
The requirements for a given SIL are not consistent among all of the functional safety standards. In the
European Functional Safety standards based on the IEC 61508 standard four SILs are defined, with SIL 4
being the most dependable and SIL 1 being the least. A SIL is determined based on a number of quantitative
factors in combination with qualitative factors such as development process and safety life cycle
management.
Contents
1 SIL Assignment
2 Problems with the use of SIL
3 Advantages for Managers
4 Certification to a Safety Integrity Level
5 SIL in Safety Standards
6 See also
7 References
8 Textbooks
9 External links
SIL Assignment
Assignment of a SIL is an exercise in risk analysis: the risk associated with a specific hazard that a SIF is intended to protect against is calculated without the beneficial risk reduction effect of the SIF. That "unmitigated" risk is then compared against a tolerable risk target. If the unmitigated risk is higher than the tolerable risk, the difference must be made up by the risk reduction of the SIF, and this amount of required risk reduction determines the SIL target. In essence, each order of magnitude of required risk reduction corresponds to an increase of one in the required SIL.
There are several methods used to assign a SIL. These are normally used in combination, and may include:
Risk Matrices
Risk Graphs
Layers Of Protection Analysis (LOPA)
Of these methods, LOPA is by far the most commonly used by large industrial facilities.
The assignment may be tested using both pragmatic and controllability approaches, applying the guidance on SIL assignment published by the UK HSE.[1] SIL assignment processes that use the HSE guidance to ratify assignments developed from risk matrices have been certified to meet IEC EN 61508.
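As an added worked example (not code from the article or from the HSE guidance it cites), the following Python carries the LOPA-style reasoning above through in code: it multiplies the initiating-event frequency by the PFDs of the credited non-SIF layers and by any conditional modifiers, divides the tolerable frequency by the result to obtain the PFD the SIF must provide, and maps that onto the IEC 61508 low-demand bands. The scenario, its frequencies and the tolerable target are constructed numbers; treating a required reduction of less than one order of magnitude as SIL 1 is an assumption, since IEC 61508 defines no band below SIL 1.

```python
"""LOPA-style SIL target selection for a single hazard scenario.

Added example, not from the article or from the HSE guidance it cites.
It follows the reasoning above: estimate the frequency of the hazardous
event with every layer except the SIF credited, compare it with a
tolerable frequency, and read the required risk reduction off the
IEC 61508 low-demand bands. Frequencies are per year. The scenario,
IPL PFDs and conditional modifiers in main() are constructed numbers.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# IEC 61508 low-demand bands: SIL -> (PFDavg lower bound, inclusive; upper bound, exclusive)
LOW_DEMAND_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


@dataclass
class Scenario:
    name: str
    initiating_event_freq: float  # events per year with nothing credited
    ipl_pfds: List[float] = field(default_factory=list)  # independent protection layers other than the SIF
    conditional_modifiers: List[float] = field(default_factory=list)  # e.g. probability of ignition, of occupancy


def mitigated_frequency(s: Scenario) -> float:
    """Frequency of the consequence with all non-SIF layers and modifiers applied."""
    if s.initiating_event_freq <= 0:
        raise ValueError("initiating event frequency must be positive")
    f = s.initiating_event_freq
    for pfd in s.ipl_pfds:
        if not 0.0 < pfd < 1.0:
            raise ValueError(f"IPL PFD {pfd} must lie in (0, 1)")
        f *= pfd
    for m in s.conditional_modifiers:
        if not 0.0 < m <= 1.0:
            raise ValueError(f"modifier {m} must lie in (0, 1]")
        f *= m
    return f


def required_pfd(s: Scenario, tolerable_freq: float) -> float:
    """PFD the SIF must provide so that the residual frequency meets the target.
    A value >= 1 means the other layers already meet the target without a SIF."""
    return tolerable_freq / mitigated_frequency(s)


def sil_target(pfd: float) -> Optional[int]:
    """Map a required PFD to a SIL: 0 = no SIF needed, 1..4 per IEC 61508,
    None = more than four orders of magnitude needed (beyond SIL 4)."""
    if pfd >= 1.0:
        return 0
    for sil in (4, 3, 2, 1):
        lo, hi = LOW_DEMAND_BANDS[sil]
        if lo <= pfd < hi:
            return sil
    if pfd >= 1e-1:
        # Less than one order of magnitude is required. IEC 61508 defines no band
        # here; assumption: the SIF is specified at the lowest rated level, SIL 1.
        return 1
    return None


def assign(s: Scenario, tolerable_freq: float):
    """Return (required risk reduction factor, SIL target) for the scenario."""
    pfd = required_pfd(s, tolerable_freq)
    return 1.0 / pfd, sil_target(pfd)


if __name__ == "__main__":
    # Constructed scenario: loss of level control leads to vessel overpressure.
    scenario = Scenario(
        name="vessel overpressure on loss of level control",
        initiating_event_freq=0.5,         # BPCS loop failure, per year (constructed)
        ipl_pfds=[0.1],                    # operator response to an independent alarm
        conditional_modifiers=[0.5, 0.5],  # probability of ignition, probability of occupancy
    )
    rrf, sil = assign(scenario, tolerable_freq=1e-5)
    print(f"{scenario.name}: mitigated {mitigated_frequency(scenario):.2e}/yr, "
          f"required RRF {rrf:.0f}, SIL target {sil}")
```

Note that a result of None is not a SIL 4 requirement: it means a single SIF cannot credibly close the gap and the process or the other layers need to change. The boundary convention (lower bound inclusive, upper bound exclusive) follows the IEC 61508 tables, so a required PFD of exactly 10^-2 is SIL 1, not SIL 2.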
Problems with the use of SIL
There are several problems inherent in the use of Safety Integrity Levels. These can be summarized as
follows:
Poor harmonization of definition across the different standards bodies which utilize SIL
Process-oriented metrics for derivation of SIL
Estimation of SIL based on reliability estimates
System complexity, particularly in software systems, making SIL estimation difficult to impossible
These lead to such erroneous statements as, "This system is a SIL N system because the process adopted
during its development was the standard process for the development of a SIL N system", or use of the SIL
concept out of context such as, "This is a SIL 3 heat exchanger" or "This software is SIL 2". According to
IEC 61508, the SIL concept must be related to the dangerous failure rate of a system, not just its failure rate
or the failure rate of a component part, such as the software. Definition of the dangerous failure modes by
safety analysis is intrinsic to the proper determination of the failure rate.[2]
SIL applies to electrical, electronic and programmable electronic control systems and does not relate directly to the category (Cat.) architectures referenced in EN 62061. It appears to be a precursor to the Performance Level (PL) ratings that are now required and that also cover hydraulic and pneumatic valves.[citation needed]
It is sometimes assumed that the 'S' in SIL refers to software, but the failure rate of the software component of a system is merely one contribution to the overall SIL of the system as a whole.
Advantages for Managers
Because SIL has a simple number scheme to represent its levels (1-4), a high-level understanding of each
level is typically all that is necessary to convey SIL at management levels. This saves management from
having to understand the technical aspects of SIL, while allowing them to discuss their concerns.
Certification to a Safety Integrity Level
The International Electrotechnical Commission's (IEC) standard IEC 61508, now IEC EN 61508, defines SIL using requirements grouped into two broad categories: hardware safety integrity and systematic safety integrity. A device or system must meet the requirements for both categories to achieve a given SIL.
The SIL requirements for hardware safety integrity are based on a probabilistic analysis of the device. In order to achieve a given SIL, the device must meet targets for the maximum probability of dangerous failure and a minimum Safe Failure Fraction. The concept of 'dangerous failure' must be rigorously defined for the system in question, normally in the form of requirement constraints whose integrity is verified throughout system development. The actual targets required vary depending on the likelihood of a demand, the complexity of the device(s), and the types of redundancy used.
PFD (Probability of Failure on Demand) and RRF (Risk Reduction Factor) for low demand operation at the different SILs, as defined in IEC EN 61508, are as follows:
SIL   PFDavg              PFDavg (power of ten)   RRF
1     0.1 to 0.01         10^-1 to 10^-2          10 to 100
2     0.01 to 0.001       10^-2 to 10^-3          100 to 1,000
3     0.001 to 0.0001     10^-3 to 10^-4          1,000 to 10,000
4     0.0001 to 0.00001   10^-4 to 10^-5          10,000 to 100,000
For high demand or continuous operation the measure is PFH (probability of dangerous failure per hour), and the bands change to the following:
SIL   PFH                         PFH (power of ten)   RRF
1     0.00001 to 0.000001         10^-5 to 10^-6       100,000 to 1,000,000
2     0.000001 to 0.0000001       10^-6 to 10^-7       1,000,000 to 10,000,000
3     0.0000001 to 0.00000001     10^-7 to 10^-8       10,000,000 to 100,000,000
4     0.00000001 to 0.000000001   10^-8 to 10^-9       100,000,000 to 1,000,000,000
The hazards of a control system must be identified and then analysed through risk analysis. Mitigation of these risks continues until their overall contribution to the hazard is considered acceptable. The tolerable level of these risks is specified as a safety requirement in the form of a target probability of dangerous failure in a given period of time, stated as a discrete SIL.
Certification schemes are used to establish whether a device meets a particular SIL.[3] The requirements of
these schemes can be met either by establishing a rigorous development process, or by establishing that the
device has sufficient operating history to argue that it has been proven in use.
Electric and electronic devices can be certified for use in Functional Safety applications according to IEC
61508, providing application developers the evidence required to demonstrate that the application including
the device is also compliant. IEC 61511 is an application-specific adaptation of IEC 61508 for the Process
Industry sector. This standard is used in the petrochemical and hazardous chemical industries, among others.
SIL in Safety Standards
The following standards use SIL as a measure of reliability and/or risk reduction.
ANSI/ISA S84 (Functional safety of safety instrumented systems for the process industry sector)
IEC EN 61508 (Functional safety of electrical/electronic/programmable electronic safety related
systems)
IEC 61511 (Safety instrumented systems for the process industry sector)
IEC 61513 (Nuclear Industry)
IEC 62061 (Safety of machinery)
EN 50128 (Railway applications - Software for railway control and protection)
EN 50129 (Railway applications - Safety related electronic systems for signalling)
EN 50402 (Fixed gas detection systems)
ISO 26262 (Automotive industry)
MISRA, various (Guidelines for safety analysis, modelling, and programming in automotive
applications)
Defence Standard 00-56 Issue 2 - accident consequence
The use of a SIL in specific safety standards may apply different number sequences or definitions to those in
IEC EN 61508.[4]
See also
ALARP
Spurious trip level
HIPPS (High Integrity Pressure Protection System): all major components of a HIPPS are required to be SIL 3 approved.
There is a whole family of sector-specific standards based more or less on IEC 61508 that also use SIL, e.g. IEC 62061 and ISO 26262.
References
1. M. Charlwood, S. Turner and N. Worsell, UK Health and Safety Executive Research Report 216, "A methodology for the assignment of safety integrity levels (SILs) to safety-related control functions implemented by safety-related electrical, electronic and programmable electronic control systems of machines", 2004. ISBN 0-7176-2832-9
2. F. Redmill, "Understanding the Use, Misuse, and Abuse of SILs", http://www.csr.ncl.ac.uk/FELIX_Web/3A.SILs.pdf, captured 11 October 2010
3. CASS Scheme, Conformity Assessment of Safety Systems, http://www.cass.uk.net/
4. F. Redmill, "Understanding the Use, Misuse, and Abuse of SILs", http://www.csr.ncl.ac.uk/FELIX_Web/3A.SILs.pdf, captured 9 July 2010 and 11 October 2010
5. E. Marszal, "Safety Integrity Level Selection - Systematic Methods Including Layer of Protection Analysis", The Instrumentation, Systems, and Automation Society, Research Triangle Park, NC, USA, 2002.
6. K. J. Mitchell, T. M. Longendelpher, M. C. Kuhn, "Safety Instrumented Systems Engineering Handbook", Kenexis, Columbus, OH, USA, 2010.
Textbooks
D. Smith, K. Simpson, "Safety Critical Systems Handbook - A Straightforward Guide to Functional Safety, IEC 61508 (2010 Edition) and Related Standards" (3rd Edition, ISBN 978-0-08-096781-3, 270 pages).
M. Punch, "Functional Safety for the Mining Industry – An Integrated Approach Using AS(IEC)61508, AS(IEC)62061 and AS4024.1" (1st Edition, ISBN 978-0-9807660-0-4, A4 paperback, 150 pages). www.marcuspunch.com
M.J.M. Houtermans, "SIL and Functional Safety in a Nutshell" (Risknowlogy Best Practices Series, 1st Edition, eBook in PDF, ePub and iBook format, 40 pages).
External links
61508.org: The 61508 Association
IEC Safety Zone: The IEC Functional safety zone
Functional Safety and IEC 61508: A basic guide
SIL Made Simple: White paper presented at Valve World 2010
Safety Integrity Level Manual: Pepperl+Fuchs SIL Manual
Partial stroke testing
Partial stroke testing (or PST) is a technique used in a control system to allow the user to test a percentage
of the possible failure modes of a shut down valve without the need to physically close the valve.
Contents
1 Standards
2 Measuring safety performance
3 Benefits
3.1 Safety benefits
3.2 Production benefits
3.3 Capital cost benefits
4 Shortcomings
5 Techniques
5.1 Mechanical jammers
5.2 Pneumatic valve positioners
5.3 Electronic timer control systems
6 References
7 External links
Standards
Partial stroke testing is an accepted petroleum industry technique and is also quantified in detail in standards published by the International Electrotechnical Commission (IEC) and the Instrument Society of America (ISA, now the International Society of Automation). The standards relevant to these bodies are:
IEC 61508 – Functional safety of electrical/electronic/programmable electronic safety-related systems
IEC 61511 – Functional safety – Safety instrumented systems for the process industry sector
ANSI/ISA-84.00.01 – Functional Safety: Safety instrumented systems for the process industry sector
The partial stroke test is used to check the function of the safe position of ESD (emergency shutdown) valves. Exercising the valve also helps prevent unexpected failure of the safety function, for example by breaking up solid deposits or counteracting the onset of corrosion. Furthermore, a successfully executed partial stroke demonstrates that certain faults that would otherwise go undetected, such as a fractured spring in the spring chamber of a pneumatic actuator, are not present. Consequently, the interval for testing for these undetected faults can be extended.
The test can be started locally on the device, on a timer, or remotely. The positioner vents its pneumatic output (output 1) until the predefined position change occurs; if this does not happen within the configured time (timeout value), an alarm can be raised.
In addition, the positioner monitors whether the valve has left its end position within a defined period (dead time). If it has not, the test is cancelled as "failed" and an alarm is raised. This prevents a stuck valve from suddenly breaking free of its end position, travelling past the partial-stroke position and disrupting the process.
At the end of the test, the positioner drives the valve back to the last valid position and reverts to the previously active control mode.
For documentation purposes, the test result is saved in non-volatile memory.
Examples of electro-pneumatic positioners with partial stroke capability:
ABB PositionMaster EDP300
Foxboro Eckardt SRD991
Emerson DVC6200 SIS
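The supervision logic described above, as an added example in Python (not code from the article or from any of the positioner vendors listed). It evaluates one test from a sequence of (time, position) samples taken after the test command: a dead-time check for leaving the end position, a timeout check for reaching the target stroke, and an overshoot check for the case where a stuck valve breaks free and travels too far. The names PstConfig and run_partial_stroke_test, the thresholds, and the valve traces are all constructed for illustration.

```python
"""Partial stroke test sequence with dead-time and timeout supervision.

Added example, not code from the article or from any positioner vendor.
It models the sequence described above: after the test command the valve
must leave its end position within the dead time and reach the target
partial stroke within the timeout; it is then returned to its previous
position and the result is recorded. Positions are percent open; the
valve traces in main() are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass
class PstConfig:
    stroke_percent: float = 10.0        # partial stroke to perform, in percent of travel
    breakaway_percent: float = 1.0      # movement that counts as having left the end position
    dead_time_s: float = 3.0            # must break away within this
    timeout_s: float = 8.0              # must reach the target within this
    max_overshoot_percent: float = 5.0  # beyond stroke + this, the test has disturbed the process


@dataclass
class PstResult:
    passed: bool
    reason: str
    breakaway_time_s: Optional[float]  # time until the valve left its end position
    travel_time_s: Optional[float]     # time until the target stroke was reached
    return_position: float             # position the positioner drives back to afterwards


def run_partial_stroke_test(trace: Iterable[Tuple[float, float]], cfg: PstConfig,
                            log: List[PstResult]) -> PstResult:
    """Evaluate one test from (time_s, position_percent) samples taken after the
    test command; the first sample is the starting end position. `log` stands in
    for the positioner's non-volatile memory. Assumes the safe direction reduces
    the position value (closing a normally open ESD valve)."""
    if cfg.dead_time_s > cfg.timeout_s:
        raise ValueError("dead time must not exceed timeout")
    samples = list(trace)
    if not samples:
        raise ValueError("trace contains no samples")
    t0, start_pos = samples[0]
    target = start_pos - cfg.stroke_percent
    breakaway = travel = None
    reason = "trace ended before the test completed"
    for t, pos in samples:
        elapsed = t - t0
        moved = start_pos - pos
        if breakaway is None and moved >= cfg.breakaway_percent:
            breakaway = elapsed
        if breakaway is None and elapsed >= cfg.dead_time_s:
            reason = f"valve did not leave end position within {cfg.dead_time_s} s (stuck?)"
            break
        if moved > cfg.stroke_percent + cfg.max_overshoot_percent:
            reason = f"overshoot: moved {moved:.1f} % against target {cfg.stroke_percent} %"
            break
        if pos <= target:
            travel = elapsed
            reason = "target stroke reached"
            break
        if elapsed >= cfg.timeout_s:
            reason = f"target stroke not reached within {cfg.timeout_s} s (sluggish or obstructed)"
            break
    result = PstResult(travel is not None, reason, breakaway, travel, start_pos)
    log.append(result)  # record for documentation, as the positioner's memory would
    return result


if __name__ == "__main__":
    cfg = PstConfig()
    memory: List[PstResult] = []
    # Constructed traces, one sample per second, starting fully open at 100 %.
    traces = {
        "healthy":  [(0, 100), (1, 100), (2, 98), (3, 95), (4, 92), (5, 89), (6, 88)],
        "stuck":    [(t, 100) for t in range(10)],
        "sluggish": [(0, 100), (1, 100), (2, 99), (3, 98.5), (4, 98), (5, 97.5),
                     (6, 97), (7, 96.5), (8, 96), (9, 95.5)],
    }
    for name, trace in traces.items():
        r = run_partial_stroke_test(trace, cfg, memory)
        print(f"{name:8s} passed={r.passed} breakaway={r.breakaway_time_s} "
              f"travel={r.travel_time_s} reason={r.reason}")
```

The breakaway and travel times are kept in the result because a test that passes with a steadily lengthening breakaway time is the early warning that the article's production benefits depend on; a bare pass/fail flag would discard it.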
Measuring safety performance
IEC 61508 adopts a safety life cycle approach to the management of plant safety. During the design phase of the life cycle of a safety system, the required safety performance is determined using techniques such as Markov analysis, FMEA, fault tree analysis and HAZOP. These techniques allow the user to determine the potential frequency and consequence of hazardous events and to quantify the level of risk. A common measure of the required risk reduction is the Safety Integrity Level, graded from 1 to 4, with SIL 4 requiring the greatest risk reduction.
Once the SIL is determined, it specifies the required performance of the safety system during the operational phase of the plant. The metric for measuring the performance of a low-demand safety function is the average probability of failure on demand (PFDavg), which corresponds to the SIL as follows:
SIL   PFDavg
4     ≥10^-5 to <10^-4
3     ≥10^-4 to <10^-3
2     ≥10^-3 to <10^-2
1     ≥10^-2 to <10^-1
One method of calculating PFDavg for a basic single-channel safety function with no redundancy is the formula
PFDavg = (1 − DC) × λD × (TI_FC / 2) + DC × λD × (TI_PST / 2)
where:
DC = diagnostic coverage of the partial stroke test, i.e. the fraction of dangerous failures that the partial stroke reveals.
λD = dangerous failure rate of the safety function.
TI_FC = full closure interval, i.e. how often the valve must be fully closed for testing.
TI_PST = partial stroke test interval.
The diagnostic coverage is a measure of how effective the partial stroke test is: the higher the DC, the greater the effect of the test on PFDavg. The formula assumes a constant dangerous failure rate and that the full closure test reveals and repairs all remaining dangerous failures.
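An added worked example in Python (not code from the article) that evaluates the formula above for a constructed valve, maps the result onto the IEC 61508 low-demand bands, and solves the formula for the longest full-closure interval that still meets a PFDavg target, which is the basis for the test-interval extension mentioned earlier. The failure rate, diagnostic coverage and intervals are constructed numbers.

```python
"""PFDavg of a 1oo1 shutdown valve with and without partial stroke testing.

Added example, not code from the article. It evaluates the article's formula
PFDavg = (1 - DC) * lambda_D * TI_FC / 2 + DC * lambda_D * TI_PST / 2, maps the
result onto the IEC 61508 low-demand bands, and solves the formula for the
longest full-closure interval that still meets a PFD target. Failure rates
are per hour and intervals in hours; the numbers in main() are constructed.
"""
from typing import Optional

HOURS_PER_YEAR = 8760.0
# IEC 61508 low-demand bands: SIL -> (PFDavg lower bound, inclusive; upper bound, exclusive)
LOW_DEMAND_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


def pfd_avg(lambda_d: float, dc: float, ti_fc: float, ti_pst: float) -> float:
    """Single-channel PFDavg. The fraction DC of dangerous failures is revealed by
    the partial stroke and is therefore latent for at most TI_PST; the remainder
    stays hidden until the next full closure after TI_FC."""
    if lambda_d <= 0 or ti_fc <= 0 or ti_pst < 0 or not 0.0 <= dc <= 1.0:
        raise ValueError("need lambda_d > 0, ti_fc > 0, ti_pst >= 0, 0 <= dc <= 1")
    if dc > 0 and ti_pst > ti_fc:
        raise ValueError("partial stroke interval cannot exceed full closure interval")
    return (1.0 - dc) * lambda_d * ti_fc / 2.0 + dc * lambda_d * ti_pst / 2.0


def sil_from_pfd(pfd: float) -> Optional[int]:
    """SIL achieved by a PFDavg: 1..4, 0 if worse than SIL 1, None if below the
    SIL 4 band (IEC 61508 defines no band there)."""
    if pfd >= 1e-1:
        return 0
    for sil in (4, 3, 2, 1):
        lo, hi = LOW_DEMAND_BANDS[sil]
        if lo <= pfd < hi:
            return sil
    return None


def max_full_closure_interval(pfd_target: float, lambda_d: float, dc: float,
                              ti_pst: float) -> float:
    """Longest TI_FC (hours) that still meets pfd_target with the given PST schedule,
    obtained by solving the PFDavg formula for TI_FC."""
    if not 0.0 <= dc < 1.0:
        raise ValueError("dc must be in [0, 1); with dc == 1 TI_FC drops out of the formula")
    residual = pfd_target - dc * lambda_d * ti_pst / 2.0
    if residual <= 0:
        raise ValueError("PST-detected failures alone already exceed the PFD target")
    return 2.0 * residual / ((1.0 - dc) * lambda_d)


if __name__ == "__main__":
    lam = 2e-6                   # constructed dangerous failure rate, per hour (~57 years MTTF_d)
    ti_fc = 3 * HOURS_PER_YEAR   # full closure every 3 years at turnaround
    ti_pst = HOURS_PER_YEAR / 4  # partial stroke every quarter
    dc = 0.7                     # constructed PST diagnostic coverage
    base = pfd_avg(lam, 0.0, ti_fc, 0.0)
    with_pst = pfd_avg(lam, dc, ti_fc, ti_pst)
    print(f"no PST:   PFDavg={base:.4f}  SIL {sil_from_pfd(base)}")
    print(f"with PST: PFDavg={with_pst:.4f}  SIL {sil_from_pfd(with_pst)}")
    stretched = max_full_closure_interval(base, lam, dc, ti_pst)
    print(f"full closure could be stretched to {stretched / HOURS_PER_YEAR:.1f} years "
          f"at the same PFDavg")
```

With these constructed inputs the quarterly partial stroke moves the valve from the SIL 1 band into the SIL 2 band, or alternatively lets the full-closure interval grow from three years to roughly nine at the original PFDavg. The formula only covers the final element; the logic solver and sensors contribute their own PFD, and the DC value must come from a failure mode analysis of the specific valve, not from the positioner's data sheet alone.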
Benefits
The benefits of using PST are not limited to safety performance; gains can also be made in the production performance and the capital cost of a plant.[1][2] These are summarised as follows.
Safety benefits
Gains can be made in the following area by the use of PST:
Reducing the probability of failure on demand.
Production benefits
There are a number of areas where production efficiency can be improved by the successful implementation of a PST system:
Extension of the time between compulsory plant shutdowns.
Prediction of potential valve failures, allowing spare parts to be ordered in advance.
Prioritisation of maintenance tasks.
Capital cost benefits
If the improvement in Safe Failure Fraction (SFF) is sufficient, the need for costly redundant valves may be eliminated.
Shortcomings
In some cases a PST cannot be performed because of limitations inherent in the process or in the valve being used. Many solenoid-operated valves do not have sufficient stroke length to fit a position sensor, so in that case a PST would not yield any diagnostic information. Further, as the PST introduces a disturbance into the process or system, it may not be appropriate for a process or system that is sensitive to disturbances. Finally, a PST cannot always differentiate between different faults or failures within the valve. For example, sluggish plunger movement could be the result of increased friction in the plunger tube, or of a faulty electrical coil.
Techniques
There are a number of different techniques for partial stroke testing, and the selection of the most appropriate one depends on the main benefits the operator is trying to gain.
Mechanical jammers
Mechanical jammers are devices inserted into the valve and actuator assembly that physically prevent the valve from moving past a certain point. They are used where accidentally shutting the valve would have severe consequences, or in any application where the end user prefers a mechanical device.
Typical benefits claimed for this type of device are as follows:[3]
The devices assure metal-to-metal prevention of stroke past the specified set point.
Unlike electronic systems, there is no need to commission and calibrate controls or continually train personnel, resulting in additional significant cost savings.
The devices are vibration resistant, making them highly reliable.
The risk associated with an ESD event occurring at the time of a manual mechanical PST may be considered statistically insignificant, which allows a rational consideration of the advantages mechanical devices offer.
Modular design allows for the addition of limit switches, potentiometers, remote control operation, etc.
When the device is tested, all the actual safety system components, controls and elements used in the ESD valve are tested.
No bleed valves or tiny orifices slow down the stroke time; the system strokes in its "real world" time sequence and speed of operation.
The user has real information about the exact controls that will be relied upon to protect the plant and personnel.
Cost savings can be significant.
The system is simpler and will not cause spurious alarms due to the ESD valve not performing in a repeatable manner.
The SIS control loop is kept as simple as possible.
The ESD valve remains an on/off valve, not a control valve.
Limit switches can provide indication to the control room if the device is engaged.
However, opinions differ on whether these devices are suitable for functional safety systems, because the safety function is offline for the duration of the test: while the jammer is engaged the valve cannot close fully on a genuine demand.
Modern mechanical PST devices may be automated.
Examples of this kind of device include direct interface products that mount between the valve and the actuator and may use cams fitted to the valve stem.[4] Other methods include adjustable actuator end stops.
Pneumatic valve positioners
The basic principle behind partial stroke testing is that the valve is moved to a predetermined position in order to determine the performance of the shutdown valve. This led to the adaptation of the pneumatic positioners used on flow control valves for partial stroke testing. These systems are often suitable for use on shutdown valves up to and including SIL 3. The main benefits are:
Elimination of the cost of manual testing.
Tracking and records of the PST results for safety monitoring. When the positioner is connected to the safety system, the date and result of each test are registered in the sequence of events record, which also serves insurance purposes.
Remote access to valve diagnostics from the control room, with action-oriented reports for predictive maintenance.
These systems are, however, limited to use on pneumatically actuated valves.
Electronic timer control systems
Timer control systems use a configurable electronic timer connected between the supply from the ESD system and the solenoid valve. To perform a test the timer de-energises the solenoid valve to simulate a shutdown and re-energises the solenoid when the required degree of partial stroke is reached. These systems are fundamentally a miniature PLC dedicated to testing the valve.
Because the timer only switches the supply that the ESD system provides, it cannot keep the solenoid energised once the ESD system has removed that supply; a failure of the timer itself can at worst cause a spurious trip. The devices therefore do not form part of the safety function and are described as fully fail safe, provided the timer has no independent supply to the solenoid. With the addition of a pressure sensor and/or a position sensor for feedback, timer systems can also provide diagnostics on the performance of all components, including the valve, actuator and solenoid valves.
Timers can operate with any type of fluid power actuator and can also be used with subsea valves where the solenoid valve is located topside.
References
1. Web Exclusive: Valve failure not an option. ISA (2009-01-01). Retrieved on 2011-05-30.
2. Partial stroking. Focus-nuclear.com. Retrieved on 2011-05-30.
3. D-Stop Partial Stroke Test Device. Manual/Local and Remote Operated Mechanical Partial Stroke Valve Testing. Cameron. Docs.google.com. Retrieved on 2011-05-30.
4. Netherlocks mechanical PST system FAITH - known as the industry standard. Retrieved on 2013-07-14.
External links
International Electrotechnical Commission
Instrument Society of America
Paladon Systems PST Controller
Rotork Smart Valve Monitor
Dynatorque D-Stop Mechanical Partial Stroke Test Device
Foxboro PST positioner