Reading Time: 6 minutes Difficulty: Advanced
8 August 2019

Functional Safety is the branch of engineering that deals with the safety of systems that use electrical, electronic and programmable electronic technologies (E/E/PE). Functional Safety is the topic of IEC 61508 standard and defines 4 different levels of SIL (Safety Integrity Level): SIL 1, SIL 2, SIL 3 and SIL 4.

What is SIL?

SIL is a quantitative measure of risk reduction, which is a measure that indicates the degree of reliability that a system must achieve to reduce the risk of an accident during its use.

Control systems may be subject to failures of different natures and degrees of danger: random or systematic hardware failures, failures caused by power issues such as a voltage drop, and failures that cannot be predicted. As we will see in the next section, compliance with the requirements of IEC 61508 minimizes the harmful effects of a potential system failure. To be used, safety systems must comply with IEC 61508 requirements.

SIL (Safety Integrity Level) is the quantification of the reliability (i.e. the degree of reliability) achieved by any object that performs a safety-related function. The higher the reliability is, the greater the ability of the system to perform critical functions.

SIL levels range from 1 to 4 (SIL 1, SIL 2, SIL 3, SIL 4). We should keep in mind that SIL doesn’t refer to complete plants, but it is rather related to single automatic control functions. Determining SIL levels is indispensable when certain functions are relevant to product safety.


Each component inside the control system – from the temperature probe to the shutdown button – is assigned a certain SIL level. Moreover, any object that contributes to a safety-related function – for example the temperature probe – can be used in more than one safety function, and each of those functions can achieve a different SIL level.

Therefore, within a control system there are multiple safety functions, each associated with a specific hazard and with a certain SIL level. The set of components that make up a system must respect the overall SIL level, according to IEC 61508 requirements.


What is IEC 61508?

IEC 61508 is the international technical and legislative reference for Functional Safety. The seven parts that compose the IEC 61508 standard set out the guidelines to be applied to a safety function. The standard is reviewed every ten years. In addition, further Functional Safety standards extend the requirements of IEC 61508 to specific sectors: for example, IEC 61511 applies to the process industry, such as the chemical or petrochemical industry, while IEC 62061 applies to machinery.


The standard provides a set of mandatory requirements and best practices aimed at determining the reliability of a safety system. In this sense, reliability is a measure of risk reduction. IEC 61508 states that any safety-related control system must work properly or, if it does fail, must fail in a predictable and safe manner.

A system must meet at least 3 SIL requirements:

        • Systematic Capability, which is the level of reliability in terms of product design – both for hardware and software (where applicable)
        • Architecture Constraints, which represents constraints on the architecture of the object and may influence its reliability
        • PFDavg or PFH, which is the probability of dangerous random failures: the average probability of failure on demand (PFDavg) for functions that act on demand, or the frequency of dangerous failures per hour (PFH) for functions that operate continuously.


Control systems may fulfill each requirement with a different SIL level (with SIL from 1 to 4). The overall SIL level will correspond to the lowest one among the various levels. We will see in the next section how to calculate the SIL level according to each requirement.


To minimize the risk, the standard requires limiting complexity as much as possible, which means that a system composed of a few components will be more reliable than one made of many devices. Furthermore, a component can fail either when it is used frequently (i.e. throughout the production cycle) or when it is expected to act only in case of an imminent dangerous event. Since the triggering factor can vary, the IEC standard defines different requirements for each case.

A further regulatory requirement concerns the personnel involved in the various phases of the Safety Life Cycle, which is the entire production cycle, from procurement all the way through the disposal of a product. The IEC standard dictates the guidelines to be followed to ensure that employees are adequately competent. Indeed, the role of production departments is crucial: people must have (or acquire) the technical and engineering skills that make them able to guarantee the reliability of a safety function throughout the whole Safety Life Cycle.


How to calculate SIL: SIL 1, SIL 2, SIL 3, SIL 4

As mentioned, SIL levels must be calculated for each of the three requirements established by the IEC 61508:

      • Systematic Capability
      • Architecture Constraints
      • PFDavg or PFH

Equipment satisfies the first requirement when it is designed to prevent systematic errors in the implementation and testing of hardware. This must especially be true for software, which is increasingly implemented in devices designed to perform safety functions. The maximum Systematic Capability that can be reached is assessed by carrying out audits and checks along the entire production flow – from design to procurement of parts, assembly and testing, all the way to delivery to the user.

To calculate the maximum SIL level achievable by the Architecture Constraints requirement, it is necessary to quantify the Safe Failure Fraction (SFF):

SFF = (Safe failures + Dangerous Detected failures) / Total failures

The SFF is calculated by breaking down the safe and dangerous failure rates. The standard establishes how to determine the SFF for any object intended to perform a safety function. The breakdown is obtained by carrying out an FMEDA (Failure Modes, Effects and Diagnostic Analysis).

Regarding the SIL calculation for the third requirement – the probability of random failures – we reproduce below the tables presented in the first part of the standard (IEC 61508-1). The first SIL table (PFDavg) gives the average probability of failure on demand, while the second table (PFH) gives the frequency of dangerous failures per hour:

Safety Integrity Level (SIL)    Average probability of a dangerous failure on demand of the safety function (PFDavg)
4                               ≥ 10^-5 to < 10^-4
3                               ≥ 10^-4 to < 10^-3
2                               ≥ 10^-3 to < 10^-2
1                               ≥ 10^-2 to < 10^-1

Safety Integrity Level (SIL)    Average frequency of a dangerous failure of the safety function per hour [h^-1] (PFH)
4                               ≥ 10^-9 to < 10^-8
3                               ≥ 10^-8 to < 10^-7
2                               ≥ 10^-7 to < 10^-6
1                               ≥ 10^-6 to < 10^-5

Once the SIL level of a single safety function has been calculated for each IEC requirement, it will be possible to determine the overall degree of reliability.
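As an added worked example (not code from the article or from the standard), the Python below puts the three requirements together: it computes the SFF from an FMEDA breakdown, maps a PFDavg or PFH figure onto the two tables above, and takes the lowest of the three requirement levels as the overall SIL. The failure-rate figures are constructed sample values; the single-channel (1oo1) PFDavg estimate lambda_DU × T / 2 and the Architecture Constraints level of 2 are assumptions, since the SFF-to-SIL table is not reproduced on this page.

```python
from dataclasses import dataclass

@dataclass
class FailureRates:
    """Per-hour failure rates from an FMEDA breakdown (constructed sample values)."""
    safe_detected: float
    safe_undetected: float
    dangerous_detected: float
    dangerous_undetected: float

    def sff(self) -> float:
        """Safe Failure Fraction = (safe + dangerous detected) / total failures."""
        total = (self.safe_detected + self.safe_undetected
                 + self.dangerous_detected + self.dangerous_undetected)
        return (self.safe_detected + self.safe_undetected
                + self.dangerous_detected) / total

# SIL bands from the article's two tables: (SIL, lower bound inclusive, upper bound exclusive).
PFDAVG_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]
PFH_BANDS = [(4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5)]

def sil_from_bands(value: float, bands) -> int:
    """SIL whose band contains value; 0 if worse than SIL 1. A value below the
    SIL 4 lower bound still satisfies SIL 4, the highest level defined."""
    if value < bands[0][1]:
        return 4
    for sil, low, high in bands:
        if low <= value < high:
            return sil
    return 0

def pfdavg_1oo1(dangerous_undetected: float, proof_test_interval_h: float) -> float:
    """Assumption: simplified single-channel (1oo1) estimate, lambda_DU * T / 2."""
    return dangerous_undetected * proof_test_interval_h / 2

def overall_sil(systematic_capability: int, architecture_constraints: int,
                random_failure_sil: int) -> int:
    """The safety function only reaches the lowest level among the three requirements."""
    return min(systematic_capability, architecture_constraints, random_failure_sil)

if __name__ == "__main__":
    rates = FailureRates(2e-7, 1e-7, 1.5e-7, 5e-8)       # constructed FMEDA figures
    pfd = pfdavg_1oo1(rates.dangerous_undetected, 8760)  # low demand, yearly proof test
    print(f"SFF={rates.sff():.1%}  PFDavg={pfd:.2e} -> SIL {sil_from_bands(pfd, PFDAVG_BANDS)}")
    # Architecture Constraints SIL comes from the SFF/HFT table (not on this page); assumed 2.
    print("overall SIL:", overall_sil(3, 2, sil_from_bands(pfd, PFDAVG_BANDS)))
```

With the constructed figures the SFF is 90%, the PFDavg of 2.19e-4 falls in the SIL 3 band, and the assumed Architecture Constraints level of 2 pulls the overall result down to SIL 2, illustrating the "lowest level wins" rule.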

IEC 61508 is a standard mainly addressed to suppliers of industrial components or systems and should be read as a set of best practices aiming at supporting users in complying with mandatory requirements.

However, SIL levels are increasingly required as part of procurement procedures in the field of mechanical, electrical and electronic systems. Even though the standard does not impose certification, many users are increasingly looking for suppliers that demonstrate compliance with IEC requirements by means of a SIL certificate.

