What does SIL and functional safety mean to operators of rotating equipment?

SIL - standing for Safety Integrity Level, is one very important safety indicator. Extensively discussed, described and often misunderstood within the industry over the past years.

Jost-A Anderhub

Viewed : 8958

Article Summary

The purpose of this article is to provide operators, reliability engineers; instrumentation engineers as well as department managers with a practical overview in which areas of your daily business life, SIL and Functional Safety are of importance. Please note, that in the light of the IEC (International Electrotechnical Commission) and most other safety relevant standards, RISK is strictly defined as “Harm to Health Safety Environment” (also called HSE).

Potential economic losses resulting from process downtimes are often one of the justification factors for the realisation of process improvements. However, there are concerns in the industry that the implementation of additional and SIL-certified machinery protection may add to the nuisance trip rate. This is also discussed at the end of this article.

As safety responsible staff members have gone through a HAZOP (Hazard and Operability Study), evaluating imposed process weaknesses, potential risks and even so worked out ways to improve process safety. This very systematic way brought huge improvements to the process industry safety and is still one of the key tools going through your process, step by step, looking left and right what can go wrong under certain, even rare circumstances. However, accidents are not entirely avoidable and in all cases some kind of risk still remains and severe accidents still do happen. This is where the IEC 61511, initially released in 1998, steps in, yet with another systematic evaluation based on those imposed risks found out through the HAZOP.

The IEC 61511 offers guidance to the process equipment operator defining the SIL requirements necessary to be met by the machinery protection system (also often called SIS Safety Instrumented System) of choice. It is important to notice that the end-user/operator is finally responsible for this evaluation as well as for the reduction of the remaining process risks to an acceptable damage level (HSE related). The IEC 61511 requirements are mandatory and to be followed by operators. In the United States ANSI/ISA84.00.01-2004 was issued in September 2004; it primarily mirrors IEC 61511, the European standards body CENELEC has adopted the standard as EN 61511.

LOPA, Risk Graph and risk assessments

Commonly, detailed risk assessments applying the IEC 61511 criteria on the Process Hazard Analysis (PHA) results are performed through expert consulting companies. An often seen approach is a LOPA (Layers of Protection Analysis) assessment. The required SIL of a Safety Instrumented System is derived by taking into account the required risk reduction to be provided by that function. IEC 61511 notes that this is best accomplished as part of a process hazards and risk analysis (PHA) to benefit from possible synergies and the information developed. Another way to obtain an overview which SIL level is appropriate is the Risk Graph. By following the path characterised through the four different risk parameters (Occurrence Probability, Extent of Damage, Exposure Time and Hazard Avoidance [once damaging occurs]) the appropriate SIL1 to SIL4 will turn out (with 4 being the highest, most stringent SI-Level). The example within the Risk Graph indicates, that even under rather dramatic circumstances (seldom, but expected death of one person) a SIL1 machinery protection system would meet the IEC61511 requirements in this respect.

The author wants to be very clear in saying that the SIS system is employed to prevent the severe HSE event and that no such thing as a severe harm or even death of a person is acceptable in any way. Every effort and technical advancement should be employed to prevent harm and HSE in general.

If a Safety Instrumented System is chosen to reduce the imposed process risks to the acceptable level it must meet the SIL requirement just evaluated.

IEC 61508, PFD and PTI
Vendors of SIS have to follow the guidance given under the IEC 61508 when developing, testing and having them SIL certified. Stringent availability criteria must be met by each individual component employed inside a SIS as well as every single algorithm embedded is tested, improved if needed and finally approved by a certifying body such as TUV or Exida, with the appropriate SIL certificate. During the certification process as well as during the implementation phase, the PFD (Probability of Failure on Demand) is one of the guiding values, characterising the availability and therefore reliability of a system. The PFD is calculated by adding up the probabilities of failure on demand for all individual components within each loop. (Demand = Dangerous event occurs & Component should act as supposed to).

One very important factor with linear impact on the PFD calculation is the PTI (Proof Test Interval). The shorter the chosen PTI, the lower the PFD. Modern machinery protection systems offer the convenience of a 2-3 year PTI along with a SIL2 certificate based upon a very low PFD value, and therefore reducing your testing and documentation effort to an acceptable level.

The following table shows the correlation between the Safety Integrity Level and PFD values to be met per safety loop to meet the requirements. The example framed below shows that in order to meet SIL2 requires a PFD value between 10-2–10-3 (per hour; low demand mode). The inverted value results in a theoretical systems availability of 99%–99,90%. To put that into perspective: A higher end SIL2 certified system may only fail to be available in 0.1% [99,9% available] of all safety relevant events – a SIL1 machinery protection system may have a 100x higher likelihood to fail on demand based on a PFD value between 10-1–10-2 acceptable [up to 10% of all safety relevant events or 90% availability].

It is important to note that the PFD evaluation must be done per each individual safety relevant loop, and must include all elements involved from the sensing element down to the acting relay finally stopping the process/machine at acute risk potentially resulting into HSE harm. It is not sufficient if one individual sensor, card or relay is SIL-certified and meets the appropriate PFD criteria – it must be the entire loop meeting the PFD hence SIL requirement. Which sensor and characteristic sensors should be incorporated into a safety strategy, depends heavily on the application and type of process equipment.

Other boundary conditions to be considered when installing and planning a machinery protection system
The two biggest fears related to machinery protection systems covering critical machinery are false trips resulting in economic loses, sometimes even into dangerous process situations and missed detects being simply dangerous.

Add your rating:

Current Rating: 4

Your rate: