Definition of Safety Integrity Levels
SIL stands for Safety Integrity Level and indicates the safety level of a device. The standards set out four safety integrity levels for minimising the risks of equipment. For example, a safety function designed in accordance with SIL 1 reduces the plant risk by a factor of 10 to 100, a function designed in accordance with SIL 2 reduces the plant risk by a factor of 100 to 1000, and so on.
A safety function (SIS – Safety Integrated Function) as per IEC 61508 essentially consists of three components:
sensor technology that has to identify a critical state in a plant component (e.g. pressure or temperature sensors to identify overpressure or a critical temperature).
a safety system, which uses the sensor technology to identify and assess the critical plant state and, if necessary, triggers safety measures to render the plant safe.
actuator technology which allows the plant to achieve a safe state (e.g. gates to shut down plant components, or shut-off valves to stop the flow of material).
Criteria for the design of safety functions
The safety integrity level is defined by the plant operator in a risk assessment (HAZOP). Two criteria must be fulfilled for the safety function to be configured properly (e.g. as per SIL 2):
The first criterion is a maximum probability of failure on demand (PFD) for the entire safety loop, which must not be exceeded. To this end, the PFD values of the sensor technology, the safety system and the final elements are calculated individually and added together.
For example, the overall failure probability of a SIL 2 safety device must not exceed 0.01 per year, i.e. mathematically the safety function must fail less often than once every 100 years.
The second criterion is known as the structural constraint, calculated from the hardware fault tolerance (HFT) and the safe failure fraction (SFF) of the devices. This structural fitness is always stated by device and system manufacturers in the safety manual.
What the SIL logos mean
SIL 2 means that the structural constraint allows the relevant device to be used in a single channel (1oo1) in safety equipment up to SIL 2. A type A device (equipment without software, for example variable area flowmeters or relays) can also be used redundantly (1oo2) in SIL 3 safety loops.
This does not, however, apply to smart field instruments (type B) with software or firmware. Even in a redundant configuration, these devices may be used in SIL 2 safety equipment at most, as the software is only certified for SIL 2.
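The following is an added worked example, not part of the original page or of any manufacturer's safety manual, that applies both design criteria from the section above (summed loop PFD, and the SFF/HFT structural constraint for type A and type B devices, including the software cap described for the SIL logos) to one constructed safety loop. The PFD bands and Route 1H tables are those of IEC 61508 (low-demand mode); all element figures are constructed sample values, not real product data.

```python
from dataclasses import dataclass

# Upper PFDavg bound per SIL, low-demand mode (IEC 61508-1).
PFD_BANDS = [(4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)]

# Route 1H architectural constraints (IEC 61508-2): SFF upper bound -> max SIL
# for HFT 0, 1, 2. Type A = no software (e.g. relays); type B = smart devices
# with firmware. 0 means "not allowed".
ARCH_TYPE_A = [(0.60, (1, 2, 3)), (0.90, (2, 3, 4)), (0.99, (3, 4, 4)), (float("inf"), (3, 4, 4))]
ARCH_TYPE_B = [(0.60, (0, 1, 2)), (0.90, (1, 2, 3)), (0.99, (2, 3, 4)), (float("inf"), (3, 4, 4))]

@dataclass
class Element:
    name: str
    pfd: float            # PFDavg of the element in its chosen architecture
    sff: float            # safe failure fraction, 0.0 .. 1.0
    hft: int              # hardware fault tolerance: 0 for 1oo1, 1 for 1oo2
    type_b: bool          # True for software/firmware-based (type B) devices
    systematic_cap: int   # SIL the element's software/safety manual is certified for

def sil_from_pfd(loop_pfd: float) -> int:
    """First criterion: highest SIL whose PFD band the summed loop PFD satisfies (0 = none)."""
    for sil, upper in PFD_BANDS:
        if loop_pfd < upper:
            return sil
    return 0

def structural_sil(e: Element) -> int:
    """Second criterion: max SIL the SFF/HFT table allows for one element."""
    table = ARCH_TYPE_B if e.type_b else ARCH_TYPE_A
    by_hft = next(row for bound, row in table if e.sff < bound)
    return by_hft[min(e.hft, 2)]

def loop_sil(elements: list) -> int:
    """SIL the whole loop can claim: both criteria plus the software cap, for every element."""
    pfd_limited = sil_from_pfd(sum(e.pfd for e in elements))
    arch_limited = min(structural_sil(e) for e in elements)
    sw_limited = min(e.systematic_cap for e in elements)
    return min(pfd_limited, arch_limited, sw_limited)

# Constructed sample loop (not real product data): smart transmitter, safety
# PLC and shut-off valve, each used single-channel (1oo1).
SENSOR = Element("smart pressure transmitter", 2.5e-3, 0.92, 0, True, 2)
LOGIC = Element("safety PLC", 5e-4, 0.995, 0, True, 3)
VALVE = Element("shut-off valve + actuator", 4e-3, 0.70, 0, False, 3)
SINGLE_CHANNEL = [SENSOR, LOGIC, VALVE]

if __name__ == "__main__":
    print("loop PFD:", sum(e.pfd for e in SINGLE_CHANNEL), "-> SIL", loop_sil(SINGLE_CHANNEL))
```

Running the sample gives SIL 2: the summed PFD of 0.007 sits in the SIL 2 band, and both the transmitter (type B, 1oo1) and the valve (type A, 1oo1) are structurally limited to SIL 2; making the valve redundant (HFT 1) lifts its structural limit to SIL 3, whereas the redundant transmitter stays at SIL 2 because of its software certification.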