SIL Safety Integrity Level FAQ.pdf

Embed Size (px)

DESCRIPTION

SIL FAQ

Citation preview

Page 1: SIL Safety Integrity Level FAQ.pdf

1. What is a SIS?

A SIS is a Safety Instrumented System. It is designed to prevent or mitigate hazardous events by taking the process to a safe state when predetermined conditions are violated. A SIS is composed of a combination of logic solver(s), sensor(s), and final element(s). Other common terms for SISs are safety interlock systems, emergency shutdown systems (ESD), and safety shutdown systems (SSD). A SIS can be one or more Safety Instrumented Functions (SIF).

2. What is a SIF?

SIF stands for Safety Instrumented Function. A SIF is designed to prevent or mitigate a hazardous event by taking a process to a tolerable risk level. A SIF is composed of a combination of logic solver(s), sensor(s), and final element(s). A SIF has an assigned SIL level depending on the amount of risk that needs to be reduced. One or more SIFs comprise a SIS.

3. What is SIL?

SIL stands for Safety Integrity Level. A SIL is a measure of safety system performance, or probability of failure on demand (PFD), for a SIF or SIS. There are four discrete integrity levels associated with SIL. The higher the SIL level, the lower the probability of failure on demand for the safety system and the better the system performance. It is important to also note that as the SIL level increases, typically the cost and complexity of the system also increase.

A SIL level applies to an entire system. Individual products or components do not have SIL ratings. SIL levels are used when implementing a SIF that must reduce an existing intolerable process risk level to a tolerable risk range.

4. What does functional safety mean?

Functional safety is a term used to describe the safety system that is dependent on the correct functioning of the logic solver, sensors, and final elements to achieve the desired risk reduction level. Functional safety is achieved when every SIF is successfully carried out and the process risk is reduced to the desired level.

5. Why were the ANSI/ISA 84, IEC 61508, and IEC 61511 standards developed?

The standards were a natural evolution of the need to reduce process risk and improve safety through a more formalized and quantifiable methodology. Additionally, and specifically for IEC 61508, as the application and usage of software has evolved and proliferated, there was an increased need to develop a standard to guide system / product designers and developers in what they needed to do to ensure and “claim” that their systems / products were acceptably safe for their intended uses.


6. When do I need a SIF or a SIS?

The philosophy of the standards suggests that a SIS or SIF should be implemented only if there is no other non-instrumented way of adequately eliminating or mitigating process risk. Specifically, ANSI/ISA-84.00.01-2004 (IEC 61511 Mod) recommends a multi-disciplined team approach that follows the Safety Lifecycle, conducts a process hazard analysis, designs a variety of layers of protection (i.e., LOPA), and finally implements a SIS when a hazardous event cannot be prevented or mitigated with something other than instrumentation.

7. What is a proof-test interval?

Proof testing is a requirement of safety instrumented systems to ensure that everything is working and performing as expected. Testing must include the verification of the entire system: logic solver, sensors, and final elements. The interval is the period of time between tests. The testing frequency varies for each SIS and is dependent on the technology, system architecture, and target SIL level. The proof-test interval is an important component of the probability of failure on demand calculation for the system.

8. What is a Process Hazard Analysis (PHA) and who conducts this?

A PHA is an OSHA directive that identifies safety problems and risks within a process, develops corrective actions to respond to safety issues, and preplans alternative emergency actions if safety systems fail. The PHA must be conducted by a diverse team that has specific expertise in the process being analyzed. There are many consulting and engineering firms that also provide PHA services. PHA methodologies can include a What-If Analysis, Hazard and Operability Study (HAZOP), Failure Mode and Effects Analysis (FMEA), and a Fault Tree Analysis.

9. What voting configurations are required for each SIL level?

Obtaining a desired SIL level is dependent on a multitude of factors. The type of technology employed, the number of system components, the probability of failure on demand (PFD) numbers for each component, the system architecture (e.g., redundancy, voting), and the proof testing intervals all play a significant role in the determination of a SIL level. There is not a standard answer for what voting configurations are required for each SIL level. The voting architecture must be analyzed in the context of all the factors noted above.
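The following is an added worked example, not part of the FAQ, showing how the proof-test interval (question 7) and the voting architecture (question 9) combine into a PFD average that is then placed in a SIL band (question 3). The SIL bands and the first-order low-demand PFD formulas are the standard IEC 61508 ones; they deliberately ignore common-cause failure, diagnostics and repair time, and the failure rate and intervals used are constructed sample values, not data for any real product.

```python
"""Simplified low-demand PFDavg for common voting groups, mapped to SIL bands.

Assumption: first-order IEC 61508-style approximations with no common-cause,
diagnostic-coverage or repair-time terms; lambda_du values are constructed.
"""

# IEC 61508 low-demand PFDavg bands: lower bound inclusive, upper exclusive.
SIL_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}


def pfd_avg(lambda_du: float, interval_hours: float, voting: str) -> float:
    """PFDavg of identical channels with dangerous-undetected failure rate
    lambda_du (per hour), proof-tested every interval_hours."""
    x = lambda_du * interval_hours  # expected dangerous undetected failures per interval
    if voting == "1oo1":
        return x / 2           # single channel
    if voting == "1oo2":
        return x * x / 3       # either channel can trip; both must fail dangerously
    if voting == "2oo2":
        return x               # both must trip; either channel failing defeats the SIF
    if voting == "2oo3":
        return x * x           # any two of three must fail dangerously
    raise ValueError(f"unsupported voting architecture: {voting}")


def sil_for_pfd(pfd: float) -> int:
    """SIL band containing pfd; 0 means worse than SIL 1, 4 is the ceiling."""
    if pfd >= 1e-1:
        return 0
    for sil in (1, 2, 3, 4):
        low, high = SIL_BANDS[sil]
        if low <= pfd < high:
            return sil
    return 4  # below the SIL 4 floor; the standard defines nothing stricter


def max_interval_for_sil(lambda_du: float, voting: str, target_sil: int,
                         step_hours: float = 730.0, max_hours: float = 87600.0):
    """Longest proof-test interval (multiple of step_hours, ~1 month) whose
    PFDavg still reaches target_sil; None if even one step is too long."""
    best, t = None, step_hours
    while t <= max_hours:
        if sil_for_pfd(pfd_avg(lambda_du, t, voting)) < target_sil:
            break              # PFDavg grows with t, so later steps fail too
        best = t
        t += step_hours
    return best


if __name__ == "__main__":
    lam = 2e-6  # constructed: dangerous undetected failures per hour
    for years in (1, 2):
        for v in ("1oo1", "1oo2", "2oo2", "2oo3"):
            p = pfd_avg(lam, years * 8760, v)
            print(f"T={years}y {v}: PFDavg={p:.2e} -> SIL {sil_for_pfd(p)}")
    print("max interval for SIL 2, 1oo1:", max_interval_for_sil(lam, "1oo1", 2), "h")
```

Doubling the interval from one to two years moves the 1oo1 case from SIL 2 to SIL 1 with no hardware change, which is the dependency question 7 describes.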

10. Will a SIL rated system require increased maintenance?

SIL solutions are certainly not always the most cost-effective solutions for decreasing process risk. Many times, implementing a SIL solution will require increased equipment, which inevitably will require increased maintenance. Additionally, it is likely that the higher the SIL level, the more frequent the proof testing interval will be, which may ultimately increase the amount of system maintenance that is required. This is why the standards recommend a SIL based solution only when process risk cannot be reduced by other methods, as determined by LOPA.

11. Can a F&G system be a SIF or SIS?

A Fire and Gas (F&G) system that automatically initiates process actions to prevent or mitigate a hazardous event and subsequently takes the process to a safe state can be considered a Safety Instrumented Function / Safety Instrumented System.

However, it is absolutely critical in a F&G system to ensure optimal sensor placement. If there is incorrect placement of the gas / flame detectors and hazardous gases and flames are not adequately detected, then the SIF / SIS will not be effective. Correct sensor placement is more important than deciding whether a F&G SIF / SIS should be SIL 2 or SIL 3.

12. What is SIL 4?

SIL 4 is the highest level of risk reduction that can be obtained through a Safety Instrumented System. However, in the process industry this is not a realistic level, and currently there are few, if any, products / systems that support this safety integrity level.

SIL 4 systems are typically so complex and costly that they are not economically beneficial to implement. Additionally, if a process includes so much risk that a SIL 4 system is required to bring it to a safe state, then fundamentally there is a problem in the process design which needs to be addressed by a process change or other non-instrumented method.

13. Can an individual product be SIL rated?

No. Individual products are only suitable for use in a SIL environment. A SIL level applies to a Safety Instrumented Function / Safety Instrumented System.

14. What type of communication buses or protocols are applicable for SIL 2 or SIL 3 systems?

The type of communication protocol that is suitable for a SIL 2 or SIL 3 system is really dependent on the type of platform that is being used. Options include, but are not limited to: 4-20 mA output signal, ControlNet (Allen Bradley), DeviceNet Safety (Allen Bradley), SafetyNet (MTL), and PROFIsafe. Currently, the ISA SP84 committee is working on developing guidelines for a safety bus, to make sure that the foundations comply with the IEC 61508 and IEC 61511 standards. The first devices with a safety bus should be available by 2008. The Fieldbus Foundation is actively involved in the committee and working on establishing the Foundation Fieldbus Safety Instrumented Systems (FFSIS) project to work with vendors and end users to develop safety bus specifications.

15. For General Monitors, how can I access the PFD and MTBF data for the products?

The General Monitors SIL certificates have the PFD, SFF, and SIL numbers that correspond to each product. MTBF data can be provided by request.

16. Can a manufacturer state their products are “SIL X certified” rather than “suitable for use in a SIL X system”?

Individual products are only suitable for use in a SIL environment. A SIL level applies to a Safety Instrumented Function / Safety Instrumented System.

Product certificates are issued either by the manufacturer (self-certification) or by an independent agency to show that the appropriate calculations have been performed and analysis has been completed on the individual products to indicate that they are compatible for use within a system of a given SIL level.

However, full IEC 61508 certification can apply to a manufacturer’s processes. Full certification implies that a manufacturer’s product development process meets the standards set forth in the appropriate parts 2 and 3 of IEC 61508 (covering hardware / system and software). This does not mean that the individual products are more reliable or more safe; it just means that the engineering process has been reviewed.

There are very few nationally accredited bodies that can issue nationally accredited certifications. Other consulting firms issue certificates that indicate that the product and / or process has been reviewed by an independent third party.

17. Can a manufacturer state their products meet all parts of the requirements of IEC 61508 parts 1 to 7?

IEC 61508 consists of the following parts, under the general title Functional Safety of electrical/electronic/programmable electronic safety-related systems:

Part 1: General requirements
Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems
Part 3: Software requirements
Part 4: Definitions and abbreviations
Part 5: Examples of methods for the determination of safety integrity levels
Part 6: Guidelines on the application of parts 2 and 3
Part 7: Overview of techniques and measures

The following parts have provisions to which it may be necessary to conform in order to claim compliance with the standard: part 1 (excluding annexes); part 2 (including annexes); part 3 (including annexes A and B, excluding annex C); and part 4 (excluding the annex).

Parts 5, 6 and 7 are informative only; they assist in understanding the standard, but conformance to them is not necessary in order to claim compliance.

Manufacturers of products generally meet the Part 2 requirements by determining through a FMEDA analysis that their products are suitable for use within a given SIL level. Companies choosing to certify their engineering processes and receive full IEC 61508 certification will also comply with Part 3 as it relates to software development.

18. What does SIL X suitable mean? Is this a valid statement as per the standard IEC 61508, or can any other wording be used?

SIL stands for Safety Integrity Level. A SIL is a measure of safety system performance, or probability of failure on demand (PFD), for a SIF or SIS. There are four discrete integrity levels associated with SIL. The higher the SIL level, the lower the probability of failure on demand for the safety system and the better the system performance. It is important to also note that as the SIL level increases, typically the cost and complexity of the system also increase.

A SIL level applies to an entire system if it reduces the risk in the amount corresponding to an appropriate SIL level. Individual products or components do not have SIL ratings. SIL levels are used when implementing a SIF that must reduce an existing intolerable process risk level to a tolerable risk range.

Only the end user can ensure that the safety system is implemented to be compliant with the standards. It is up to the user to ensure that procedures have been followed properly, the proof testing is conducted correctly, and suitable documentation of the design, process, and procedures exists. The equipment or system must be used in the manner in which it was intended in order to successfully obtain the desired risk reduction level. Just buying SIL 2 or SIL 3 suitable components does not ensure a SIL 2 or SIL 3 system.
