The evolution of Safety Integrity Levels (SILs)
Derek Jones, Safety Business Manager, Rockwell Automation, discusses PLs and SILs, and sheds some light on how they differ and, more importantly, how they agree.
The standards that define PLs (performance levels) and SILs (safety integrity levels) both cover safety-related electrical control systems, producing the same or similar results – albeit via different methods. This gives users an option to choose the one most suitable for their application. The outputs of both standards offer comparable levels of safety performance or integrity with each standard offering differences that are appropriate for their intended users.
PLs are related to safety control system categories, which first appeared in the 90s as part of the European standard EN 954-1 that supported the EU Machinery Directive. It was decided that there should be a standard for the design of safety-related parts of control systems. The resulting standard introduced a number of categories that are used to describe the structure of a safety-related circuit.
Recognising that multiple fault conditions could exist within a machine, or its safety control system, a number of categories were created, namely B, 1, 2, 3 and 4, to classify the safety-related parts within the control system, their resistance to faults and their behaviour under fault conditions.
Category B determines that good quality components have been used and that all components are built or operate to recognised standards, in effect a self-certified due diligence exercise. The numbers that follow are what form the crux of the safety categories and the “strength” of the safety system. The first, category 1, is the simplest. It dictates that good, uncomplicated equipment has been used and is operating on sound principles but there are no diagnostics.
Category 2 is essentially the same as category 1, but procedures or routines have to be introduced to check elements of the system. This may entail a simple start-up check to make sure everything is working and configured properly. A start-up check is the absolute minimum as, in some instances, risk assessments may dictate periodic checks of equipment within the safety circuit.
Category 3 raises the bar even further. It dictates that the safety function will not fail in the presence of a single fault within the safety system. This is mainly achieved by redundancy or dual-channel technology, where a single fault will not damage the integrity of the network. It also says “where possible, the fault should be detected”.
Category 4 expands on category 3 by making the user consider accumulated faults.
It soon became clear, though, that a new standard was required that would deal with all of the aspects of the modern control system. The end result was IEC61508:1999, ‘Functional safety of electrical/electronic/programmable electronic safety related systems’. This was followed in 2005 by IEC/EN 62061 ‘Safety of machinery – Functional safety of electrical/electronic/programmable electronic safety related systems’. This standard deals with the design of complex machinery systems and, like IEC 61508, offers the concept of safety integrity levels or SILs – another way of classifying the performance of the system.
SILs retain many of the principles of the category system but, importantly, they add a level of detail and definition that better addresses modern control and safety architectures. They are used to determine functional safety by quantifying the probability of failure for a device while performing its safety function. Three levels exist for machinery – SIL3 being the “most dependable”, with SIL1 the least. In conjunction with the “background assessments”, SILs also use a combination of technical factors to determine the level or rating, including the average probability of dangerous failure upon demand (PFHD) and the safety functions required for a process.
“Appropriate management systems must be in place to ensure that the right people with the right level of expertise are working on the job in hand.”
Safety requirement specifications must also be addressed. These are used to determine exactly what safety requirements need to be met. This addresses both the components and the systems with respect to their design, validation and specification over the lifecycle of the project, while also looking at any environmental influences and other factors that may affect the optimum operation of the system.
The final addition is the way systems and sub-systems are addressed, with standards like IEC 61508 covering complex subsystems such as safety PLCs. The first subdivision covers measures to avoid systematic failure and the subsequent measures to control the complex subsystem should a system failure happen. The second looks at the reliability of the system, using the probability of dangerous failure per hour (PFHD) as a measurement.
The final subdivision deals with architectural constraints. An example would be the combination of fault tolerance capabilities within a subsystem, and the balance of these capabilities against the diagnostics in place, with a high tolerance and significant diagnostics resulting in the highest figure.
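To make the interplay between the reliability subdivision (PFHD) and the architectural-constraint subdivision (fault tolerance versus diagnostics) concrete, here is an added example that is not part of the article or of any Rockwell tool. It assumes the SIL bands and the claim-limit table of IEC 62061 / IEC 61508 for complex (type B) subsystems, which the article does not reproduce, and the failure rates it uses are constructed sample values.

```python
# Added example: how a subsystem's failure-rate split, its diagnostic coverage
# and its hardware fault tolerance (HFT) combine into an achievable SIL.
# Band limits follow IEC 62061 / IEC 61508 (not reproduced in the article);
# the sample failure rates are constructed for illustration.
from dataclasses import dataclass

# PFHD bands for SIL 1..3 (dangerous failures per hour): [lower, upper)
PFHD_BANDS = {3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)}

# Architectural constraints for type B subsystems: maximum SIL claim indexed by
# safe failure fraction (SFF) band and HFT (0 = no claim allowed, max SIL 3).
SFF_LIMITS = [0.0, 0.60, 0.90, 0.99]        # rows: <60%, 60-90%, 90-99%, >=99%
CLAIM_LIMIT = [[0, 1, 2], [1, 2, 3], [2, 3, 3], [3, 3, 3]]   # cols: HFT 0, 1, 2

@dataclass
class Subsystem:
    lambda_s: float   # safe failure rate per hour
    lambda_dd: float  # dangerous failures caught by diagnostics, per hour
    lambda_du: float  # dangerous failures not caught by diagnostics, per hour
    hft: int          # hardware fault tolerance (0 = single channel)

    def sff(self) -> float:
        """Safe failure fraction: share of failures that are safe or detected."""
        total = self.lambda_s + self.lambda_dd + self.lambda_du
        return (self.lambda_s + self.lambda_dd) / total

def sil_from_pfhd(pfhd: float) -> int:
    """SIL supported by the reliability figure alone; 0 if outside all bands."""
    for sil, (lo, hi) in PFHD_BANDS.items():
        if lo <= pfhd < hi:
            return sil
    return 0

def sil_claim_limit(sub: Subsystem) -> int:
    """Highest SIL the architecture (SFF vs. HFT) allows the subsystem to claim."""
    row = max(i for i, lim in enumerate(SFF_LIMITS) if sub.sff() >= lim)
    return CLAIM_LIMIT[row][min(sub.hft, 2)]

def achievable_sil(sub: Subsystem, pfhd: float) -> int:
    """Both constraints must hold, so the weaker of the two decides."""
    return min(sil_from_pfhd(pfhd), sil_claim_limit(sub))

if __name__ == "__main__":
    # Constructed: dual-channel subsystem with strong diagnostics (SFF 95%)
    strong = Subsystem(8e-7, 1.5e-7, 5e-8, hft=1)
    # Constructed: dual-channel subsystem with no diagnostics (SFF 40%)
    weak = Subsystem(2e-7, 0.0, 3e-7, hft=1)
    print("strong diagnostics:", achievable_sil(strong, 3e-8))  # SIL 3
    print("weak diagnostics:  ", achievable_sil(weak, 5e-7))    # SIL 1
```

The second constructed subsystem has a PFHD good enough for SIL 2, yet its poor diagnostic coverage caps the claim at SIL 1, which is the balance between fault tolerance and diagnostics the text describes.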
Many other factors exist in determining SIL levels, such as formal software design methods, validation techniques and modifications, but these go further to highlight the big differences between categories and SILs. In general, whether PLs, SILs or a combination of both are used, the choice should be related to the system's complexity, which may give guidance on which method to adopt.
For more information, please e-mail us at: info_at@ra.rockwell.com with ref: SIL
