Electrical, electronic or programmable electronic (E/E/PE) equipment can be used as part of a safety-related system to improve operational or process safety. However, a safety-related system is more than just E/E/PE equipment: it is the combination of hardware, electronics, software and people, together with the reactions and interactions of each under abnormal operating conditions, that is required to maintain process safety.
When specifying a safety-related system, there are two elements to consider:
- Safety function: the specific task(s) that the system needs to perform, i.e. what it does.
- Safety integrity level (SIL): the reliability of the system and its ability to implement the actions required to perform its safety function, i.e. how well it does it.
Safety function
Determining the safety function is a matter of conducting a hazard analysis to identify the hazards that exist and the accident scenarios that could potentially arise. It is then possible to identify appropriate control measures to prevent such an accident from occurring.
Safety integrity level
Determining the required SIL is a matter of assessing the risk associated with a scenario, i.e. determining how likely the accident is to occur and how bad it would be if it did. IEC 61508, 'Functional safety of electrical / electronic / programmable electronic safety-related systems', defines four SILs. The target failure measure depends on how often the safety function is called upon: in low demand mode (demands no more frequent than about once per year) the measure is the average probability of failure on demand (PFDavg); in high demand or continuous mode it is the average frequency of dangerous failure per hour (PFH). Each band includes its lower bound and excludes its upper bound.

| SIL rating | Low demand mode: average probability of failure on demand (PFDavg) | High demand or continuous mode: dangerous failures per hour (PFH) |
|---|---|---|
| 4 | 10⁻⁵ to 10⁻⁴ | 10⁻⁹ to 10⁻⁸ |
| 3 | 10⁻⁴ to 10⁻³ | 10⁻⁸ to 10⁻⁷ |
| 2 | 10⁻³ to 10⁻² | 10⁻⁷ to 10⁻⁶ |
| 1 | 10⁻² to 10⁻¹ | 10⁻⁶ to 10⁻⁵ |
It is important to note that SIL ratings apply to entire systems, including any human intervention required for systems to work, and not just to the individual products or components in systems.
Example
This concept is best illustrated by example. Consider overfill protection on a storage tank: the safety function for the system is as follows:
- It should be able to detect when the liquid level exceeds a certain threshold.
- It should be able to activate an alarm.
- It should be able to shut down the transfer to the tank (this shut down could either be done automatically or by operator intervention) before any loss of containment occurs.
Managing process risk
SIL-rated systems can often provide the required degree of additional protection when process risk cannot be reduced by other means. However, they are just one way of decreasing process risk and are not always the most cost-effective option available: they typically demand increased levels of monitoring, control, maintenance and proof testing to ensure that the equipment continues to function as intended.

The assessment of the reliability of safety-critical equipment is often a key element of a layers of protection analysis (LOPA) of potential accident scenarios. LOPA helps an operator quantify the risk associated with an accident scenario, by combining the frequency of the initiating event with the probability of failure of each independent protection layer, and to determine whether the residual risk is as low as reasonably practicable (ALARP).
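The SIL bands from the table and the LOPA reasoning above, worked through in code for the tank overfill scenario. This is an added example, not code from the original page or from IEC 61508 itself. The initiating event frequency, the operator response credit, the tolerable event frequency and the loop failure rate are all constructed assumptions, and `pfd_avg_1oo1` uses the simplified single-channel approximation PFDavg ≈ λ_DU · T_I / 2 that is commonly used with IEC 61508 rather than a full reliability model.

```python
"""Worked SIL / LOPA example for the tank overfill scenario on this page.

Added illustration, not code from the page's author or from any standards body.
Every numeric input below is a constructed assumption for illustration only.
"""

# IEC 61508 SIL bands: lower bound inclusive, upper bound exclusive.
# Low demand mode: average probability of failure on demand (PFDavg).
# High demand / continuous mode: average frequency of dangerous failure per hour (PFH).
SIL_BANDS_PFD = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}
SIL_BANDS_PFH = {4: (1e-9, 1e-8), 3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)}


def sil_for(value, bands):
    """Return the SIL whose band contains value; 0 if looser than SIL 1.

    A value tighter than the SIL 4 band is rejected: IEC 61508 assigns no SIL
    to it, so the risk would have to be reduced another way (or split across
    independent layers) rather than claimed by a single safety function.
    """
    for sil, (low, high) in bands.items():
        if low <= value < high:
            return sil
    if value >= bands[1][1]:
        return 0
    raise ValueError(f"{value:g} is below the SIL 4 band; not achievable by a single SIF")


def sil_from_pfd(pfd):
    return sil_for(pfd, SIL_BANDS_PFD)


def sil_from_pfh(pfh):
    return sil_for(pfh, SIL_BANDS_PFH)


def pfd_avg_1oo1(lambda_du_per_hour, proof_test_interval_hours):
    """Simplified estimate for a single-channel (1oo1) loop:
    PFDavg ~= lambda_DU * T_I / 2, valid when lambda_DU * T_I << 1.
    lambda_DU is the dangerous undetected failure rate of the whole loop
    (sensor + logic solver + final element); T_I is the proof-test interval.
    """
    return lambda_du_per_hour * proof_test_interval_hours / 2


def mitigated_frequency(initiating_event_freq, ipl_pfds):
    """LOPA: f_mitigated = f_IE * product of the PFDs of the independent protection layers."""
    f = initiating_event_freq
    for pfd in ipl_pfds:
        f *= pfd
    return f


def required_sif_pfd(initiating_event_freq, other_ipl_pfds, target_freq):
    """Largest PFD the safety instrumented function (SIF) may have so that the
    mitigated frequency does not exceed target_freq. A result >= 1 means the
    other layers already meet the target and no SIF credit is needed."""
    return target_freq / mitigated_frequency(initiating_event_freq, other_ipl_pfds)


def tank_overfill_lopa():
    """Size the overfill SIF for the storage tank scenario (all values assumed)."""
    f_ie = 0.1            # BPCS level control fails high: 0.1 demands/year (assumption)
    operator_pfd = 0.1    # operator stops the transfer on the alarm (assumed PFD 0.1)
    target = 3e-5         # tolerable loss-of-containment frequency, events/year (assumption)

    # The operator response only earns LOPA credit if it is independent of the
    # failed BPCS loop (separate level measurement, enough time to act).
    needed_pfd = required_sif_pfd(f_ie, [operator_pfd], target)   # 3e-5 / 1e-2 = 3e-3
    required_sil = sil_from_pfd(needed_pfd)                        # 3e-3 lies in the SIL 2 band

    # Candidate SIF: independent level switch + logic solver + shutoff valve, 1oo1.
    lambda_du = 1e-6      # dangerous undetected failures per hour for the loop (assumption)
    yearly = pfd_avg_1oo1(lambda_du, 8760)       # 4.38e-3: SIL 2 band, but above the 3e-3 target
    semiannual = pfd_avg_1oo1(lambda_du, 4380)   # 2.19e-3: SIL 2 band and meets the target

    return {
        "required_pfd": needed_pfd,
        "required_sil": required_sil,
        "annual_test_pfd": yearly,
        "annual_test_sil": sil_from_pfd(yearly),
        "annual_test_meets_target": yearly <= needed_pfd,
        "semiannual_test_pfd": semiannual,
        "semiannual_test_meets_target": semiannual <= needed_pfd,
        "mitigated_freq_semiannual": mitigated_frequency(f_ie, [operator_pfd, semiannual]),
    }


if __name__ == "__main__":
    for key, value in tank_overfill_lopa().items():
        print(f"{key:30} {value}")
```

The point the numbers make: a loop whose PFDavg falls in the SIL 2 band is not automatically adequate. The LOPA sets a specific target PFD, and with an annual proof test the candidate loop sits in the right band yet misses that target; halving the proof-test interval brings it under. That is the concrete form of the "increased maintenance and testing" that SIL-rated systems require, and the same band lookup applies to PFH values for functions in high demand or continuous mode.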