I’m just a SIL whose intentions are good...Oh Lord! Please don’t let me be misunderstood. (With apologies to The Animals)
Safety engineering has been around for a long time on process plant sites, with statistical calculation methods established for estimating failure risk factors for both systems and components. However, with the increased use of safety systems incorporating firmware and software, it was recognised that the traditional approaches needed to be modified to cope with, what was considered by some to be, a black art.
Following the enquiry into the Piper Alpha oil rig disaster, a new international standard was written to include requirements for both hardware and software used in safety-related systems, ie: safety systems designed to minimise the risk of occurrence of an identified potential hazard by recognising the onset and acting quickly to prevent it. This standard, IEC 61508, acknowledges that such a safety system must have a reliability consistent with the likelihood of its being called upon to perform its function and it differentiates between those systems, or parts of systems, which are in continuous use and have a high demand rate and those whose function has a low demand rate, eg an emergency shut-down system. The former category needs to reduce the probable failure rates of all parts to acceptable levels whereas, because the latter category may not be called upon to operate within the lifetime of the plant it protects, it is necessary to consider the probability of its failure on demand if called upon. Two different concepts.
Potential hazards in process plants are identified and quantified by long-established techniques; similarly the methodologies for estimating the potential risk of occurrence and, therefore, the measures required to reduce the risk as low as reasonably practicable are well documented. A number of means whereby this is achieved are employed to a greater or lesser extent depending on the process plant situation, one of which might be an electrical or electronic safety instrumented system.
IEC 61508 concentrates on electrical, electronic, and programmable electronic safety-related systems which typically are safety loops comprising a sensor element (eg: temperature, pressure, level, etc), some kind of logic-solver and a final operating element (eg: a valve/actuator assembly). What the standard brought to the party was to identify a spectrum of estimated failure probabilities for the whole system and to separate them into four decade groups of increasing severity for both high- and low-demand safety loop functions.
These are the SILs 1 - 4, ie: the safety integrity levels that the safety loop function must achieve in order to meet the risk-reduction target estimated for the individual potential hazard.
Unfortunately, this approach has lead to a widespread belief that the SIL applies to the individual elements of a safety-related system WHICH IT DOES NOT. The term ‘SIL 2 valve’ is meaningless but is often requested! What the valve needs to demonstrate is that it has the capability of being included in a safety loop target of up to SIL 2 based on design and usage data that have been validated and verified.
In order to design a safety-related system that meets an overall SIL target, the system integrator needs, for each element, data on failure modes, failure rates, PFD, safe failure fraction, recommended proof-test and maintenance intervals (down-time reduces availability and it cannot perform its function if unavailable), whether or not the device has some integral self-diagnostic capability, hard-ware fault tolerance - all of which go towards estimating either the probability of failure on demand (PFD) for valve/actuator assemblies, or failure rate for high-demand systems.
And, of course, not all failures are considered ‘dangerous’ i.e.: that the failure is such that the safety loop cannot perform its function thereby creating a dangerous situation. An example might be an emergency shutdown valve closing spuriously. That may cause a large loss of production but is not creating the hazard for which it was designed to protect so it is classed as a ‘safe’ failure. However, if the valve is intended to open for an emergency by-pass function then that failure can be classed as ‘dangerous’. All of which says that the valve manufacturer cannot say which failure mode is ‘safe’ or ‘dangerous’ without knowing the context of usage and, therefore, cannot give a meaningful answer to ‘what SIL is it?’.
So when a customer asks the valve supplier for the SIL of the device, what he actually needs is the above ‘base data’ set (plus a few extras). Which he won’t accept because A.N. Other supplier claims he has a certificate which says that his valve is SILx.
What that certificate probably says (if it has been issued by a reputable certifying body) is that the valve has a ‘capability of being used in a SILx safety loop’ provided... (long list of qualifying factors). But, through the well-understood principle of ‘Chinese whispers’, by the time the information has been passed to the customer’s purchasing team it comes to you as a request for a SILx valve and nothing else will do.
One could argue that certification of devices in this field has a lot to answer for!
So, what to do? The best that the valve manufacturer can do is probably to get expert advice on how to assemble the data that is required through failure mode effect analysis and to give the device a ‘SIL capability’ which should keep the customer’s purchasing people happy to make the sale. However it will also need to be accompanied by the base data set, details of which can be found in IEC 61508 in order for the system integrator to be able to include it into the design of a safety loop.
Roger Stillman ‘Bob’ Smith
arcSIL Consulting PRfsS Ltd
Published in Valve User Magazine Issue 15
The La Vertiente gas plant in the tropical zone of Villamontes in Bolivia ...
Flowserve Valtek Mark Series Valves and Actuators Certified to SIL Level ...
- confidence testing with seven more key aerospace manufacturers - Flowserve ...
"If something is to do an important job, it needs to be reliable, and the more ...
For critical applications, Pepperl+Fuchs provides a range of sensors of various ...
ESD valve An emergency shutdown (ESD) valve is part of a safety instrumented ...
Engineers from Severn Glocon Technologies have visited Korea to commission a ...
This edition of Valve User Magazine continues with the second article in the ...