Functional safety standards
§1 : Risk reduction levels
A facility that presents risks is subject to analyses to determine whether or not the risks are acceptable. Risks for which the initial exposure (i.e. the probability/impact level pair) is considered unacceptable are subject to reduction measures, making it possible to bring their exposure to a target level considered tolerable. The instrumented electrical, electronic and programmable electronic safety functions (E/E/PE) are in addition to the other protective barriers, to bring the risk of unacceptable initial exposure to a tolerable target level:
The different safety barriers contributing to risk reduction are:
-
The Devices: design (containment), valves, rupture discs,…
-
Procedures: operator alarms, safety instructions and procedures, emergency procedures,…
-
SIF: carried out by Safety Instrumented Systems (SIS). A SIF is an automatic action.
§2 : Mission of the Safety Instrumented Functions (SIF or FIS)
The mission of the Safety Instrumented Functions (FIS or RIS) is to contribute to the reduction of installation risks
Improve or (re)Define the means of process control
A SIF is not reduced to a single PLC. It is ensured by the entire I&C chain, from the sensor to the actuator
Confidence in the risk reduction of the installation is reflected, at the SIF level, in two types of requirements:
-
On functional safety: properties (detection, action generated, when, performance,…) allowing the realization of the safety function
-
On safety integrity: the probability that a safety system will perform the required safety functions within the specified response time
The safety requirements for the implementation, evaluation and maintenance of SIF are developed in the standards NF EN 61508 and NF EN 61511.
These requirements apply only to electrical, electronic, and programmable electronic equipment (E/E/PE)
§3 : Definition of a required SIL levels
SIL (“Safety Integrity Level”): Safety integrity level of a SIF
It is the necessary contribution of a SIF to risk reduction that defines its requirement for “safety integrity” or “availability for solicitation” or “required SIL”.
The level of risk reduction required that has been assigned to a SIF is therefore expressed in SIL level :
-
SIL 1: risk reduction by a factor >10
-
SIL 2: risk reduction by a factor >100
-
SIL 3: risk reduction by a factor >1,000
-
SIL 4: risk reduction by a factor >10,000
The lowest level of risk reduction is SIL 1.
The highest level of risk reduction is SIL 4.
Note: The risk reduction provided by a SIF is indeed a contribution to the overall risk reduction provided by all security barriers. Thus, it is possible to have a required SIL level of 1 at a high-risk facility, as all safety barriers together ensure sufficient overall risk reduction. Similarly, it is possible to have a required SIL level of 3 at a low-risk facility if the other safety barriers are almost non-existent.
Determination of SIF and SIL required
The approach for determining the SIL required for a SIF is as follows:
-
Identify all risks (Risk Analysis, Hazard Study, FMECA, HAZOP,…)
-
Identify for each risk the reduction means put in place (safety barriers)
-
Define the SIF and their missions
-
Determine the tolerable target risk for each risk (legislation, site responsibilities, etc.)
-
Determine the risk reduction that SIF must achieve
-
Obtain the required SIL level for each SIF (semi-qualitative and quantitative methods)
§4 : Evaluate the actual SIL level
Evaluation of the actual SIL
The NF EN 61511 standard imposes 2 types of constraints that make it possible to evaluate the SIL level of a SIF: architectural constraints and probabilistic constraints.
-
Architectural Constraints
Example :
A Tr sensor is available. We want to verify that it can be integrated into an instrumented chain carrying out a SIL2 level SIF.
If Tr is neither positive logic designed nor self-diagnostic equipped (column 1), the assembly must include 3 redundant Tr sensors to obtain the required SIL2.
If Tr is positive logic designed or self-diagnostic equipped (column 2), the assembly must include 2 redundant Tr sensors to obtain the required SIL2.
If Tr is positive logic designed or self-diagnostic equipped, and if moreover Tr is said to be “proven by use” and the modification of its parameters is protected (column 3), then Tr alone is sufficient to obtain the required SIL2.
Remarks : It is impossible to achieve a SIL3 level without redundancy. The use of SIL4 is strongly discouraged. Very heavy requirements must be taken into account. The architectural constraints are slightly different for programmable safety controllers. We are interested in the proportion of safe failures of the PLC to evaluate the SIL level:
-
Probabilistic Constraints
This type of constraint characterizes the SIF reliability. The probability of the SIF failure when it is expected to be carried out is assessed.
For this purpose, we define: the PFD (probability of dangerous failure on demand, in the case of a SIF carried out on average less than once a year) and the PFH (probability of dangerous failure per hour, in the case of a SIF carried out more frequently or continuously).
§5 : Improve the life cycle / operation and maintenance provisions
Maintaining the SIL level
The evaluation of the SIL of a SIF is insufficient to ensure that the level of security is maintained over time.
- Periodic tests reveal dangerous failures which cannot be detected by the SIS. The periodic test interval needs to be wisely determined in order to maintain the required trust level (see figure below). This periodic test interval is in particular used during the PFD/PFH calculation.
- Preventive maintenance actions,
- Modification management procedures, bypass management procedures
- …