Overcoming common misconceptions around SIL ratings
Major industrial accidents worldwide, like the Bhopal chemical plant disaster, have occurred due to insufficient and poorly designed safety systems. Safety Integrity Level (SIL) ratings were first introduced as part of IEC 61508 in 1998 and seek to quantify the probability of dangerous system failure.
Functional safety, as defined by IEC 61508, is the safety that control systems provide to an industrial process or plant. Its purpose is to prevent both direct and indirect risk to human life that could result from those industrial processes, including risk caused by damage to equipment, property or the environment. Functional safety is a focus across the industrial spectrum, from petrochemicals and tank farms to oil and gas and nuclear safety.
One metric used to assess the risk of unsafe failure in industrial settings is SIL ratings, which correspond to the frequency and severity of hazards. They describe the probability of failure on demand (PFD) and the performance required for a safety instrumented function (SIF) to maintain safety.
The ratings go from SIL-1 up to SIL-4 and the higher the level, the higher the associated safety and the lower the probability that the system will fail to perform. However, the installation and maintenance costs, as well as the system complexity, typically increase along with the SIL rating. The levels are distinguished by their acceptable rate of failure, which tightens by a factor of ten at each level: i.e. SIL-1 systems accept one failure in every ten demands; SIL-2 systems accept one failure in every 100 demands, and so on.
One misconception is that higher SIL ratings are always superior for every application. Although SIL-4 does indeed offer the most reliability, the complexity involved with redundant back-up systems, more regular performance testing and hierarchical voting arrangements can be unwieldy and overly expensive where it is not necessary.
The correct SIL rating is application-dependent; for example, if you can rely on a human operator to take action on an abnormal condition, such as an alarm annunciator alert, then a SIL-1 system will suffice. Indeed, a safety loop involving a human cannot be rated above SIL-1 as systems are required to operate independently of operators for SIL-2 and upwards.
While the most critical applications, such as aircraft flight systems or nuclear reactor protection, require SIL-4 protection, correct safety analysis during the design stage is vital to determine the minimum acceptable SIL rating. Adhering to this recommendation will provide an adequate level of functional safety while maintaining cost-effectiveness.
Independent validation of safety instruments is an important factor for customer confidence in every industrial sector. Evaluation International (EI), a member-owned, not-for-profit organisation, offers consultation and evaluation services for electrical, control and instrumentation matters.
In March 2007, EI evaluated Omniflex’s alarm annunciator unit, the Omni16C, and found that it passed the various functionality tests, and that the results were in accordance with Omniflex’s specifications. Reports like the one written about the Omni16C are useful for facility planners and functional safety managers, as they provide reliable information about validated and qualified instrumentation.
Alarm annunciator systems are a vital layer of protection in plant safety strategy. They provide operators with early warnings of an abnormal condition that can facilitate action before hazards take effect and enable human logic-driven intervention.
SIL ratings have been an important metric for industrial functional safety for 25 years, but misinterpretations about their application linger on. To avoid incurring unnecessary cost and complexity, it’s important for facility planners and managers to work with safety system suppliers who truly understand safety integrity levels.