The term functional safety is defined as ‘Part of the overall safety relating to the equipment under control (EUC) and the EUC control system that depends on the correct functioning of the (electrical/electronic/programmable electronic) safety-related systems and other risk reduction measures (IEC61508:4 2010)’.
In other words, functional safety focuses on the ability of a given safety function to provide the necessary protection when required.
A simplified safety function is a system composed of a detector (detection unit), a logic solver (controller) and a final device that performs the requested action, as shown below:
For example, a flame detector read by a controller that stops fuel flowing to the burner when the flame detector cannot detect a flame; or a computer that reads the signal of a high-level switch and stops the feed to the tank when the level is too high; and more.
A safety function must be effective, available, independent, and reliable as determined by the safety integrity level (SIL) allocated to it.
SIL is an integer number from 1 to 4 that serves as a means of communication linking the safety requirements of a given process, on the one hand, with the reliability and effectiveness of the corresponding safety function on the other.
Consequently, SIL is expressed in terms of probability of failure (on demand) or failure rates (failures per hour).
Even though the SIL standards IEC 61508 and IEC 61511 are focused on electrical/electronic/programmable electronic systems, in practice, and since safety functions are often a combination of instrumented and mechanical parts, the SIL approach is applied to almost all kinds of safety functions in the process industry.
A good example is the application of the SIL standard to a shutoff valve. A shutoff valve is a mechanical instrument that may or may not include electrical parts (switches, solenoids and more). Yet, since it may potentially be part of a safety function that includes electrical/electronic/programmable electronic parts, it is handled under the scope of the SIL standard.
Taken from the SIL standard IEC 61508, the SIL definition is as follows:
The SIL approach is implemented in three distinct points or phases, which could be illustrated by the following chart:
Firstly, the risks of the process are evaluated and, as a result, an actual SIL value is allocated to the safety function(s) that should accommodate, mitigate or control the given risk.
Secondly, the safety function must be designed in such a way that it provides the requested SIL. This is a tricky part, because the SIL standard requires, in addition to limiting the failure rate of every single component in it, that the safety function as a whole fulfils other requirements such as HFT (hardware fault tolerance), systematic capability, diagnostic coverage and more.
Thirdly, the failure rates of each component of the safety function are checked to verify that the integrated SIL value is indeed adequate. This part is referred to as ‘SIL determination’ or ‘SIL claim’ because the manufacturers of safety instruments have adopted the SIL language and, instead of providing the failure rates, they provide the maximum SIL that could be achieved with the instrument/equipment they sell (without redundancies).
A very common way to perform SIL allocation is through a Hazard and Operability study (HAZOP), but other ways are also valid and applicable.
The following example demonstrates how a risk matrix modified for SIL allocation could be used easily during a HAZOP.
The risk matrix (top-right) is a 5×5 matrix with frequencies of occurrence ranging from less than once a year (F4) to less than once in 10,000 years (F0) and severity ranging from negligible (S0) to catastrophic (S4). The risk, which is the product (cross-section) of severity and frequency, ranges from TR (tolerable risk) to 5 (extremely high risk) and could be interpreted as the log10 of the risk reduction factor (RRF), or simply as the SIL allocation.
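The following Python script is an added example, not code from the page or from Habonim/Hazmat, that mechanises the allocation step described above: it looks up a severity/frequency pair in a 5×5 risk matrix, interprets the risk index as log10 of the required RRF, and maps that RRF to a SIL band (PFDavg = 1/RRF for low-demand functions under IEC 61508). The cell values of the matrix and the frequency class boundaries are an assumed calibration, since the page does not reproduce the actual matrix; the HAZOP deviations fed to it are constructed sample input.

```python
"""SIL allocation from a HAZOP risk matrix (added example; assumed calibration)."""

# Frequency classes F0..F4 and severity classes S0..S4 as named on the page.
# The intermediate class boundaries below are an assumption for illustration.
FREQUENCY = {
    "F4": "more often than once a year",
    "F3": "once in 1 to 10 years",
    "F2": "once in 10 to 100 years",
    "F1": "once in 100 to 10,000 years",
    "F0": "less often than once in 10,000 years",
}
SEVERITY = {"S0": "negligible", "S1": "minor", "S2": "serious",
            "S3": "major", "S4": "catastrophic"}

# Rows: severity S0..S4; columns: frequency F0..F4 (left = rarest).
# "TR" = tolerable risk; an integer n means RRF = 10**n is required.
# This calibration is assumed, not Habonim's or Hazmat's matrix.
RISK_MATRIX = {
    "S0": ["TR", "TR", "TR", "TR", "TR"],
    "S1": ["TR", "TR", "TR", 1, 2],
    "S2": ["TR", "TR", 1, 2, 3],
    "S3": ["TR", 1, 2, 3, 4],
    "S4": [1, 2, 3, 4, 5],
}


def risk_class(severity: str, frequency: str):
    """Look up the risk cell for a (severity, frequency) pair."""
    if severity not in SEVERITY or frequency not in FREQUENCY:
        raise ValueError(f"unknown class {severity}/{frequency}")
    column = int(frequency[1])          # F0 -> column 0, F4 -> column 4
    return RISK_MATRIX[severity][column]


def sil_from_rrf(rrf: float):
    """IEC 61508 low-demand bands: SIL n covers 10**n <= RRF < 10**(n+1).

    Returns 0 when no SIL-rated function is needed and None when the
    required RRF exceeds what a single SIL 4 function can claim.
    """
    if rrf >= 10 ** 5:
        return None
    for sil in (4, 3, 2, 1):
        if rrf >= 10 ** sil:
            return sil
    return 0


def allocate(severity: str, frequency: str) -> dict:
    """Allocate a SIL to the safety function that must control this risk."""
    risk = risk_class(severity, frequency)
    if risk == "TR":
        return {"risk": "TR", "rrf": 1, "sil": 0,
                "action": "tolerable risk: no SIL-rated safety function required"}
    rrf = 10 ** risk                     # risk index read as log10(RRF)
    sil = sil_from_rrf(rrf)
    if sil is None:
        action = ("risk too high for one safety function: redesign the process "
                  "or add independent protection layers")
    else:
        action = f"allocate a SIL {sil} safety function (target PFDavg <= {1 / rrf:g})"
    return {"risk": risk, "rrf": rrf, "sil": sil, "action": action}


def allocate_hazop(deviations):
    """Run the allocation over a list of (node, deviation, severity, frequency)."""
    return [dict(node=node, deviation=dev, **allocate(sev, freq))
            for node, dev, sev, freq in deviations]


# Constructed HAZOP worksheet rows, not taken from any real study.
SAMPLE_HAZOP = [
    ("burner B-101", "loss of flame with fuel flowing", "S4", "F2"),
    ("tank T-201", "high level / overfill", "S2", "F3"),
    ("pump P-301", "low flow, minor spill", "S1", "F2"),
    ("reactor R-401", "runaway reaction", "S4", "F4"),
]

if __name__ == "__main__":
    for row in allocate_hazop(SAMPLE_HAZOP):
        print(f"{row['node']:<14} {row['deviation']:<32} risk={row['risk']}"
              f" -> {row['action']}")
```

The script deliberately refuses to assign a SIL to a risk index of 5: an RRF of 10^5 lies above the SIL 4 band, which is the page's "extremely high risk" case, and the allocation step then has to send the item back to process design rather than to an instrumented function.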
The following table demonstrates a SIL claim for HABONIM’s actuators (Taken from report 2268-2-R6 HABONIM’s Actuators SIL determination report, Hazmat LTD June, 2021).
A somewhat different example is the SIL claim of a valve assembly composed of a valve, actuator and a mounting device that holds them tightly together.
In this case, there is a very important difference between spring-return (S/R) actuators and double-acting (D/A) actuators. Unlike the latter, S/R actuators allow one direction to be chosen as the fail-safe direction: a failure that drives the system to the fail-safe position is considered a safe state rather than a dangerous one. This is shown in the table below (taken from report 2444-2-R1 HABONIM’s Valve assemblies SIL determination report, Hazmat LTD June, 2021).
This effect is reflected in the lower dangerous-undetected failure rates of each S/R combination that has a safe state.
Nevertheless, all failure rates listed in the table above yield practically the same SIL 2 value.
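As an added example (not Habonim's data and not taken from the Hazmat reports cited above), the following Python script performs the SIL determination step for a single-channel (1oo1) valve assembly: it sums the failure rates of valve, actuator and mounting kit, computes PFDavg with the simplified IEC 61508-6 formula, derives the safe failure fraction (SFF), applies the IEC 61508-2 Route 1H architectural constraint for type A hardware with HFT = 0 (no redundancy), and reports the resulting SIL claim. The component failure rates, the proof-test interval and the component names are constructed for illustration; the spring-return actuator is given a lower dangerous-undetected rate than the double-acting one to mirror the effect described on the page.

```python
"""SIL determination (SIL claim) for a 1oo1 valve assembly (added example)."""
from dataclasses import dataclass

FIT = 1e-9       # 1 FIT = one failure per 1e9 hours
YEAR = 8760      # hours

# IEC 61508-1 low-demand PFDavg bands: (SIL, lower bound inclusive, upper bound).
PFD_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def sil_from_pfd(pfd: float) -> int:
    """Map PFDavg to the SIL band; 0 means no SIL can be claimed (PFD >= 0.1)."""
    if pfd >= 0.1:
        return 0
    for sil, low, high in PFD_BANDS:
        if low <= pfd < high:
            return sil
    return 4  # below the SIL 4 lower bound: the claim is still capped at SIL 4


def sil_from_sff_type_a_hft0(sff: float) -> int:
    """IEC 61508-2 Route 1H limit for type A devices (valves, actuators) with
    HFT = 0: the maximum SIL the architecture alone permits for a given SFF."""
    if sff < 0.60:
        return 1
    if sff < 0.90:
        return 2
    if sff < 0.99:
        return 3
    return 4


@dataclass(frozen=True)
class Component:
    name: str
    lambda_s: float    # safe failure rate, /h
    lambda_dd: float   # dangerous detected failure rate, /h
    lambda_du: float   # dangerous undetected failure rate, /h


def pfd_avg_1oo1(lambda_du_total: float, proof_test_hours: float) -> float:
    """Simplified IEC 61508-6 result for a single channel: PFDavg ~ lambda_DU * T / 2."""
    return lambda_du_total * proof_test_hours / 2


def sil_claim(components, proof_test_hours: float) -> dict:
    """Combine components in series (any dangerous failure fails the function)."""
    ls = sum(c.lambda_s for c in components)
    ldd = sum(c.lambda_dd for c in components)
    ldu = sum(c.lambda_du for c in components)
    sff = (ls + ldd) / (ls + ldd + ldu)
    pfd = pfd_avg_1oo1(ldu, proof_test_hours)
    sil_pfd = sil_from_pfd(pfd)
    sil_arch = sil_from_sff_type_a_hft0(sff)
    return {
        "lambda_du": ldu, "sff": sff, "pfd_avg": pfd,
        "sil_pfd": sil_pfd, "sil_arch": sil_arch,
        "sil_claim": min(sil_pfd, sil_arch),   # both limits must be satisfied
    }


# Constructed failure rates (FIT); not vendor data.
VALVE = Component("ball valve", 600 * FIT, 0.0, 300 * FIT)
MOUNT = Component("mounting kit", 50 * FIT, 0.0, 50 * FIT)
# Spring failures that drive the valve to its fail-safe position count as safe,
# so the S/R actuator carries a lower dangerous-undetected rate than the D/A one.
ACT_SR = Component("spring-return actuator", 500 * FIT, 0.0, 150 * FIT)
ACT_DA = Component("double-acting actuator", 500 * FIT, 0.0, 400 * FIT)

SR_ASSEMBLY = [VALVE, ACT_SR, MOUNT]
DA_ASSEMBLY = [VALVE, ACT_DA, MOUNT]

if __name__ == "__main__":
    for label, assembly in (("S/R", SR_ASSEMBLY), ("D/A", DA_ASSEMBLY)):
        for years in (1, 3, 5):
            r = sil_claim(assembly, years * YEAR)
            print(f"{label} assembly, proof test every {years} y: "
                  f"lambda_DU={r['lambda_du'] / FIT:.0f} FIT, SFF={r['sff']:.1%}, "
                  f"PFDavg={r['pfd_avg']:.2e}, SIL claim={r['sil_claim']}")
```

With a yearly proof test both assemblies land in SIL 2 despite the S/R version having a clearly lower dangerous-undetected rate, which is the point made above; the loop over longer proof-test intervals shows where the claims diverge, because PFDavg grows linearly with the interval and the D/A assembly drops to SIL 1 first. The claim is the minimum of the PFDavg band and the architectural (SFF/HFT) limit, which is why a manufacturer's single-device claim is stated "without redundancies".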
SIL is a common language between the user and the process/control engineer, who specify the level of safety integrity required, and the manufacturer of safety equipment. This universal language enables us to compose and build effective and reliable safety functions quickly, and to step forward into a safer process.
Habonim’s product offering is SIL certified:
Automated Valves
Valves – Industrial
Valves – Cryogenic
Valves – High Temperature / Metal Seated
Actuators
Mounting Kits
Contact us for more information about Functional Safety, Safety Integrity Level (SIL) and Habonim’s Valves