SIL (design) verification

SIL verification demonstrates that the reliability of instrumented protections meets the SIL requirements of the standards IEC 61511 and IEC 61508. A SIL verification must be performed for each individual SIL 1, 2, 3 or 4 safeguard. It verifies the following items:
- Identification of the safeguard. It is wise to make a schematic drawing with all the relevant sensors, components and final elements.
- Verification of the functionality of the safeguard.
- Determination of whether the safeguard is (sufficiently) independent from the control system.
- Check against the architectural requirements (e.g. is one valve sufficient?).
- Check against the probabilistic requirements (calculation of the probability of failure on demand).
- Check for systematic faults.
The relevant international standard for instrumented safeguards in the process industry is IEC 61511. This standard refers to the general SIL standard, IEC 61508. IEC 61511 and IEC 61508 require that a hazard identification and a risk assessment be carried out in order to determine how an instrumented safeguard should prevent the identified hazard and how reliably the instrumented safeguard should perform.
The integrity of an instrumented safeguard is defined by the so-called ‘Safety Integrity Level’: SIL 1, SIL 2, SIL 3 and SIL 4. The SIL standards also indicate which activities must be performed during the ‘safety lifecycle’ of the instrumented safeguard.
Integrity requirements for the design of instrumented safeguards
Functional requirements
The SIFs shall prevent undesired scenarios. Functional requirements that shall be fulfilled include:
- The appropriate process parameter shall be measured.
- Setpoint shall be determined correctly.
- The appropriate final elements shall be activated.
- The SIF shall respond fast enough.
Independent layer of protection
The SIF shall be physically and functionally separated from other protective / control systems.
Probabilistic Requirements
A SIF’s Probability of Failure on Demand (PFD) is expressed as PFDavg (the average Probability of Failure on Demand). The PFDavg shall be sufficiently low:
For SIL 1: PFDavg < 10^-1
For SIL 2: PFDavg < 10^-2
For SIL 3: PFDavg < 10^-3
For SIL 4: PFDavg < 10^-4
The PFDavg shall be calculated for every SIL safeguard. For redundant systems a common cause factor of 10 to 15% is normally assumed (ref. SINTEF).
The following (simple) formulas can be used to calculate the PFDavg for different configurations.
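As an added worked example (not the page's own formulas, which are not reproduced here), the simplified IEC 61508-6 low-demand expressions for 1oo1, 1oo2 and 2oo3 with a beta-factor common-cause term, followed by the SIL band check against the PFD limits listed above. It assumes a dangerous undetected failure rate lambda_DU per hour, a proof-test interval T in hours, negligible repair time, and the constructed sample values in the main block.

```python
"""Added example (not from the original page): PFDavg of single and
redundant architectures with the simplified IEC 61508-6 formulas and a
beta-factor common-cause model, then the SIL band the result falls in
using the PFD limits listed on the page.
Assumed inputs: lambda_du = dangerous undetected failure rate per hour,
t_proof = proof-test interval in hours, beta = common-cause factor."""

# PFD upper limits per SIL, as given on the page.
PFD_LIMITS = {4: 1e-4, 3: 1e-3, 2: 1e-2, 1: 1e-1}


def pfd_1oo1(lambda_du, t_proof):
    """Single channel: PFDavg = lambda_DU * T / 2."""
    return lambda_du * t_proof / 2


def pfd_1oo2(lambda_du, t_proof, beta):
    """1oo2: independent double failure plus common-cause term."""
    independent = ((1 - beta) * lambda_du * t_proof) ** 2 / 3
    common_cause = beta * lambda_du * t_proof / 2
    return independent + common_cause


def pfd_2oo3(lambda_du, t_proof, beta):
    """2oo3: three channel pairs can fail, so the independent term triples."""
    independent = ((1 - beta) * lambda_du * t_proof) ** 2
    common_cause = beta * lambda_du * t_proof / 2
    return independent + common_cause


def sil_from_pfd(pfd):
    """Highest SIL whose PFD limit the value stays below; 0 if none."""
    for sil in (4, 3, 2, 1):
        if pfd < PFD_LIMITS[sil]:
            return sil
    return 0


def verify_pfd(pfd, target_sil):
    """Probabilistic check of the SIL verification: does PFDavg meet target?"""
    return sil_from_pfd(pfd) >= target_sil


if __name__ == "__main__":
    # Constructed sample: lambda_DU = 1e-6/h, yearly proof test, beta = 10 %
    ldu, t, beta = 1.0e-6, 8760.0, 0.10
    for name, pfd in (("1oo1", pfd_1oo1(ldu, t)),
                      ("1oo2", pfd_1oo2(ldu, t, beta)),
                      ("2oo3", pfd_2oo3(ldu, t, beta))):
        print(f"{name}: PFDavg = {pfd:.2e} -> SIL {sil_from_pfd(pfd)}")
```

With these sample values the common-cause term is the dominant part of the redundant PFDavg, which is why the beta factor matters more than adding further channels.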

Architectural Requirements
The architectural requirements concern the level of redundancy of components/ instruments of the SIF. The definition of hardware fault tolerance (abbr.: HFT) is as follows:
‘The HFT is defined as the ability of a safety function to continue to perform its required function in the presence of a specified number of hardware failures’.
For example: if a valve configuration has a 1-out-of-2 architecture, then one dangerous hardware failure may occur without losing the safety function. Hence, the hardware fault tolerance is 1. Standard IEC 61508 defines two types of components: type A and type B. A component can be regarded as type A if the failure modes of all constituent components are well defined, the behaviour of the element under fault conditions can be completely determined and there is sufficient dependable failure data to show that the claimed rates of failure for detected and undetected dangerous failures are met. Instruments that do not meet the type A requirements are called type B instruments. The first table below shows the relation between Hardware Fault Tolerance, Safe Failure Fraction and SIL class for type A instruments (route 1H). The second table shows it for type B instruments.
Type A instruments
Safe Failure Fraction (SFF) | HFT=0 | HFT=1 | HFT=2 |
---|---|---|---|
SFF < 60% | SIL 1 | SIL 2 | SIL 3 |
60% < SFF < 90% | SIL 2 | SIL 3 | SIL 4 |
90% < SFF < 99% | SIL 3 | SIL 4 | SIL 4 |
SFF > 99% | SIL 3 | SIL 4 | SIL 4 |
Type B instruments
Safe Failure Fraction (SFF) | HFT=0 | HFT=1 | HFT=2 |
---|---|---|---|
SFF < 60% | – | SIL 1 | SIL 2 |
60% < SFF < 90% | SIL 1 | SIL 2 | SIL 3 |
90% < SFF < 99% | SIL 2 | SIL 3 | SIL 4 |
SFF > 99% | SIL 3 | SIL 4 | SIL 4 |
Another IEC 61508:2010 methodology to prove the architectural constraints is based on component reliability data from end-user feedback, increased confidence levels and hardware fault tolerance for specified safety integrity levels (route 2H).
In standard IEC 61511:2003 the term ‘prior use’ was introduced, which means that appropriate evidence is available that a component is suitable for use in a safety instrumented system. IEC 61511-1:2016 paragraph 11.5.3.2: ‘The evidence of suitability shall include consideration of the manufacturer’s quality, management and configuration management systems, adequate identification and specification of the devices, demonstration of the performance of the devices in similar environments and the volume of the operating experience’.
According to IEC 61511-1:2016, devices selected for use as part of a SIS shall be in accordance with the prior use requirements or shall be in accordance with IEC 61508-2/3:2010. Only the plant owner/end-user can take the responsibility for defining ‘prior use’, not a vendor of instrumentation or an engineering contractor.
The following table can be applied if prior use instruments/components are used.
SIL | Demand mode | Minimum HFT | Configuration to apply |
---|---|---|---|
1 | low/high/continuous | 0 | Single |
2 | low | 0 | Single |
2 | high/continuous | 1 | 1oo2 or 2oo3 configuration |
3 | low/high/continuous | 1 | 1oo2 or 2oo3 configuration |
4 | low/high/continuous | 2 | 1oo3 configuration |
Route 1H and 2H of IEC 61508:2010 have been used for the architectural verification of the SIFs.
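As an added example (not part of the original page), the route 1H tables and the prior-use minimum-HFT table above turned into an architectural check for a MooN device group. It assumes that an SFF of exactly 60%, 90% or 99% falls in the higher band, which the page's tables leave unspecified, and that a MooN group tolerates n - m dangerous failures.

```python
"""Added example (not from the original page): architectural checks from
the route 1H tables above and the minimum-HFT table for prior-use devices.
Assumption: at exactly 60 %, 90 % or 99 % the SFF is placed in the higher
band; the page's tables leave the boundary values unspecified."""

# Maximum SIL per SFF band (rows: <60, 60-90, 90-99, >99 %) and HFT (columns 0..2).
# 0 means the page's table shows no SIL claim for that cell ("-").
ROUTE_1H = {
    "A": [[1, 2, 3], [2, 3, 4], [3, 4, 4], [3, 4, 4]],
    "B": [[0, 1, 2], [1, 2, 3], [2, 3, 4], [3, 4, 4]],
}

# Minimum HFT for prior-use devices: (SIL, demand mode) -> HFT
MIN_HFT_PRIOR_USE = {
    (1, "low"): 0, (1, "high"): 0,
    (2, "low"): 0, (2, "high"): 1,
    (3, "low"): 1, (3, "high"): 1,
    (4, "low"): 2, (4, "high"): 2,
}


def sff_band(sff):
    """Row index of the route 1H table for a safe failure fraction in 0..1."""
    if sff < 0.60:
        return 0
    if sff < 0.90:
        return 1
    if sff < 0.99:
        return 2
    return 3


def hft_from_voting(m, n):
    """A MooN voting architecture tolerates n - m dangerous failures."""
    return n - m


def max_sil_route_1h(dev_type, sff, hft):
    """Highest SIL the architecture supports under route 1H; 0 = no claim."""
    return ROUTE_1H[dev_type.upper()][sff_band(sff)][min(hft, 2)]


def architecture_ok(dev_type, sff, m, n, target_sil):
    """Route 1H architectural check for a MooN group of one device type."""
    return max_sil_route_1h(dev_type, sff, hft_from_voting(m, n)) >= target_sil


def prior_use_hft_ok(m, n, target_sil, demand_mode):
    """Prior-use check: 'continuous' mode uses the high-demand row."""
    mode = "high" if demand_mode in ("high", "continuous") else "low"
    return hft_from_voting(m, n) >= MIN_HFT_PRIOR_USE[(target_sil, mode)]
```

A single type B valve with a low SFF yields no SIL claim at all under route 1H, which is the usual reason a second valve appears in SIL 2 high-demand loops.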
Preventing systematic failures
IEC 61511-1:2016 states in paragraph 3.2.68 “In determining safety integrity, all causes of random hardware and systematic failures which lead to an unsafe state can be included (e.g., hardware failures, software induced failures and failures due to electrical interferences). Some of these types of failure, in particular random hardware failures, may be quantified using such measures as the average dangerous failure frequency or the probability of failure on demand. However, safety integrity also depends on many systematic factors, which cannot be accurately quantified and are often considered qualitatively throughout the life-cycle. The likelihood that systematic failures result in dangerous failure of the SIS is reduced through hardware fault tolerance or other methods and techniques.”
Examples of systematic failure causes, including human error, can be found in:
- the safety requirements specification
- the design, manufacture, installation and operation of the hardware
- the design and/or implementation of the software
IEC 61508:2010 introduced ‘systematic capability’, which applies to an element and expresses the confidence that its systematic safety integrity meets the requirements of the specified safety integrity level. Systematic capability (expressed on a scale of SC 1 to SC 4) is a measure of the confidence that the systematic safety integrity of an element meets the requirements of the specified SIL, in respect of the specified element safety function, when the element is applied in accordance with the instructions specified in the compliant item safety manual for the element.
Systematic capability is determined with reference to the requirements for the avoidance and control of systematic faults (reference can be made to IEC 61508-2 and IEC 61508-3).
A SIL verification is also required for HIPPS (High-Integrity Pressure Protection Systems).