Safety Integrity Level (SIL) Guidance Notes – Manual and Actuated Valves

Issue Date:     3/7/08

As a major supplier of manual and actuated Atomac and Durco valves, we are asked about the suitability of these valves for use in systems of a particular SIL level. The following notes provide background information on SILs, where they come from, and how they apply to CRP’s range of valves.

Introduction
To trace where the term SIL comes from, it is necessary to delve into the standards published by the IEC (the International Electrotechnical Commission), a body set up in 1906 to, amongst other things, produce standards for use in the, then fledgling, electrical industry. The standard in question is IEC 61508 (now BS EN 61508): “Functional Safety of Electrical/ Electronic/ Programmable Electronic Safety-related Systems.” This standard is split into 7 sections, with a total of 580 pages. It is a generic standard and is concerned mainly with electrical, electronic and programmable electronic systems whose failure could have an impact on the safety of people and/or the environment. However, due to the integrated nature of safety systems, its remit also covers mechanical components, such as actuated valves, that make up parts of safety systems.

Due to the large size of IEC 61508, several spin off standards were developed for particular industry sectors. Of relevance to valves is IEC 61511 (now BS EN 61511): “Functional Safety – Safety Instrumented Systems for the Process Industry Sector”. This standard deals with the requirements for the specification, design, installation, operation and maintenance of a Safety Instrumented System (SIS), so that it can be confidently relied on to take a system to, and keep it in, a safe state. Typically an SIS is made up of many Safety Instrumented Functions (SIF) – see below for details.

Hazards, Risks and Risk Assessments
Before looking at SIFs in any detail, it is necessary to discuss risk assessment on process plants. On any piece of process plant, strenuous efforts will be made to identify all of the possible hazards (potential sources of harm), how often these hazards are likely to occur, and what the consequences of them occurring would be. Roughly speaking, by multiplying the hazard by the likelihood of it occurring gives a measure of risk, and so for each hazard, a level of risk can be arrived at. For each hazard, a judgement then has to be made about whether the level of risk is acceptable or unacceptable, either from a damage to people, the environment, or to a company’s bank balance perspective. For risks that are deemed to be unacceptable, steps must be taken to reduce these to acceptable levels. Clearly, risks can be reduced either by reducing the hazard, or by reducing the likelihood of it occurring.

For example, suppose there is a hazard that, if it were to occur, would cause a single fatality. Now if the likelihood of it occurring is once in 100 years, this may be deemed to be an unacceptable risk. However, by reducing the likelihood of it occurring to once every 10000 years, the risk may then be deemed to be acceptable.

In terms of reducing the hazard, if the system is still at the design stage, it may be possible to alter the process, or the design of the process plant to reduce the hazard level, and hence the risks. Alternatively, it may be possible to reduce hazard level by the use of passive safety features, e.g. to build a protective wall between a hazardous area and an area where people work.

Safety Instrumented Functions (SIF) – Overview
On a process plant, it is often not practical to reduce a particular risk to an acceptable level by reducing the hazard level, and so the focus has to be on reducing the likelihood of the hazard occurring. In such circumstances it may be possible to do this by means of passive safety features, but often it is necessary to employ active safety systems, called “Safety Instrumented Functions” (SIF) in IEC 61511. Typically a SIF is a single control loop which monitors a particular aspect of a process, say its temperature, and if this goes out with pre-set limits, the control loop reacts to bring the process to a safe condition, for instance by cutting the power supply to the heaters. It is important to note that this SIF is not part of the control system of the process, it sits outside it and only carries out a safety function. Now, if a SIF is to bring a risk down to an acceptable level, it must reduce the risk by some predetermined amount, such as by a factor of 100.

Safety Integrity Levels (SIL)
Safety Integrity Levels (SIL) also refer to this reduction in risk. There are 4 SILs, 1 being the lowest, 4, the highest. Each level refers to a different amount of risk reduction as shown in the table below. Another way of expressing SILs is in terms of Probability of Failure on Demand (PFD), i.e. what is the chance that the SIF will fail when I really, really need it to work?  

SIL Level

Risk Reduction PFD

1

10 – 100 times 0.1 – 0.01

2

100 – 1,000 times 0.01 – 0.001

3

1,000 – 10,000 times 0.001 – 0.0001

4

10,000 – 100,000 times 0.0001 – 0.00001

Safety Instrumented Functions (SIF) – Testing & Failure Rates
Typically a SIF will comprise several components, such as a sensor, a programmable electronic controller, a power supply, an actuated valve etc. Clearly, there is a possibility that such a system could fail, due to the failure of one, or more, of its individual components. To ensure that a particular SIF will bring the risk down to an acceptable level, the system designer needs to know what the PFD for that SIF is, to ensure that it meets the required SIL.

 

The next concept that needs to be considered is that of testing a SIF, and the associated test interval (TI), which is the time, in years, between tests. Now, if a SIF is tested today, the likelihood of it not working (PFD) tomorrow is extremely small. However, as time passes, the likelihood of it failing steadily increases, until it is decided that it should be retested, at which point the probability of failure on demand (PFD) is reset to zero. Hence with regular testing, the graph of PFD level versus time of a particular SIF would look like a saw tooth. Consequently, the term used by system designers is average value of PFD (PFDavg), and it is this that decides what SIL level a particular SIF has. Conveniently, with this shape of graph, the PFDavg is half the peak level of the PFD.

At this stage another piece of terminology is required:   l= the failure rate for a particular component. It is defined as 1/expected time to failure in years. Hence, if a component is expected to work without failure for 100 years, its failure rate would be 1/100 = 0.01.

It is now possible to write a formula to determine the PFDavg for a particular SIF.
It is: P 
FDavg = 0.5 *  eld * TI,

Where:
eld= the sum of the individual ld values for each component of the SIF.

TI = test interval in years for the particular SIF.

This formula allows plant designers to calculate the PFDavg for a proposed SIF, thus its SIL, and therefore decide its suitability for the proposed duty.

Notes
• If it is necessary to reduce the value of PFDavg, to meet a higher SIL, one possible way to achieve this is to reduce the test interval. If the test interval is reduced from 1 year to 0.5 years, this will halve the PFDavg value. However, there is an associated cost in terms of the cost of testing, and possible plant downtime to carry out the tests. Another way to reduce the PFDavg is to build in duplicate independent systems into a particular SIF, so that if one fails, there is a second one to operate. Once again there is a cost penalty in terms of the purchase price of more equipment, increased amounts of maintenance, and an increased likelihood of false alarms.
• It is impossible for CRP to provide the SIL for a valve, or even an actuated valve, since by itself it does not make up a complete SIF, nor is the proposed test interval known. However the value of ld can be provided in most circumstances (provided that the component manufacturers can supply the information to CRP). However, great care must be taken with the published ld values for valves, because it will likely have been determined from laboratory tests in ideal conditions, and not those found on particular process plants.

Glossary
IEC International Electrotechnical Commission
SIS Safety Instrumented System
SIF Safety Instrumented Function
SIL Safety Integrity Level
PFD Probability of Failure on Demand
PFDavg Average Probability of Failure on Demand
ld    Failure Rate (measured in the reciprocal of years)
TI Test Interval (measured in years)

Disclaimer
The views expressed in this document are CRP’s best understanding of the subject, and every effort has been taken to ensure its accuracy. However, CRP is not expert in these areas, and therefore the reader must not rely upon the views expressed herein, nor can CRP be held responsible for any errors, omissions or mistakes.