Understanding SIL ratings and why it matters
Insufficient and poorly designed safety systems have been the cause of major industrial accidents all around the world.
Safety Integrity Level (SIL) ratings were introduced as part of IEC 61508 in 1998 and seek to quantify the probability of dangerous system failure. This article explores how SIL ratings work and the dangers of the misconceptions that exist around them.
Functional safety, as defined by IEC 61508, is the safety that control systems provide to an industrial process or plant. Its purpose is to prevent both direct and indirect risk to human life that could result from those industrial processes, including risk caused by damage to equipment, property or the environment. Functional safety is a focus across the industrial spectrum, from petrochemicals and tank farms to oil and gas and nuclear safety.
The concept of functional safety was developed in response to the growing global need for improved confidence in safety systems. Major accidents in the late 20th century — like the Chernobyl reactor explosion and the Bhopal tragedy — as well as the advent of electrical and programmable electronic systems to carry out safety functions, have prompted a desire to engineer safety systems to “fail safely” or control dangerous failures when they arise.
One metric used to assess the risk of unsafe failure in industrial settings is SIL ratings, which correspond to the frequency and severity of hazards. They describe the probability of failure on demand (PFD) and the performance required for a safety instrumented function (SIF) to maintain safety.
The ratings go from SIL-1 up to SIL-4 — the higher the level, the higher the associated safety, and the lower the level, the greater the probability that the system will fail to perform. However, the installation and maintenance costs, as well as the system complexity, typically increase along with the SIL rating. The levels are distinguished by their acceptable probability of failure, which falls by a factor of 10 at each step. For instance, SIL-1 systems accept one failure in every 10 demands; SIL-2 systems accept one failure in every 100 demands, and so on.
Does higher mean better?
One misconception is that higher SIL ratings are always superior for every application. Although SIL-4 does indeed offer the most reliability, the complexity involved with redundant back-up systems, more frequent performance testing and hierarchical voting arrangements can be unwieldy and needlessly expensive where the application does not call for them.
The correct SIL rating is application-dependent; for example, if a human operator can be relied upon to take action on an abnormal condition, such as for an alarm going off, then a SIL-1 system will suffice. Indeed, a safety loop involving a human cannot be rated above SIL-1 as systems are required to operate independently of operators for SIL-2 and upwards.
While the most critical applications, such as aircraft flight systems or nuclear reactor protection, require SIL-4 protection, correct safety analysis during the design stage is vital to determine the minimum acceptable SIL rating. Adhering to this recommendation will provide an adequate level of functional safety while maintaining cost-effectiveness.
How are SIL ratings assigned?
SIL certification is a tool to measure the risk reduction provided by a SIF. To determine the safety integrity level of a SIF, the overall PFD must be calculated. This involves combining the failure rate data for each individual component within a SIF, such as sensors, programmable logic controllers and control elements, whether automated or human. The calculation must also account for the test frequency, redundancy and voting arrangements.
Companies such as TÜV Nord carry out independent assessments, although internal ratings can be done for systems up to SIL-1. Another common misunderstanding concerns scope: although individual modules can carry SIL ratings, it is only the overall system, the SIF as a whole, that is assessed against a required SIL.
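To make the factor-of-10 bands, the "sum the loop, not the module" point and the operator-in-the-loop cap concrete, here is an added worked example (not code from the article or from any certification body) that computes a low-demand PFDavg for a three-subsystem safety loop and maps it to a SIL. It uses the simplified IEC 61508 approximations for 1oo1, 1oo2 and 2oo3 voting and deliberately ignores common-cause failure, diagnostic coverage and repair time; the failure rates, subsystem names and proof-test intervals are constructed placeholders, not vendor data.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Simplified IEC 61508 low-demand-mode approximations for the average
# probability of failure on demand (PFDavg). lambda_du is the dangerous
# undetected failure rate per hour; proof_test_hours is the proof-test
# interval. Common-cause (beta factor), diagnostic coverage and repair
# time are left out so every result can be checked by hand.
def pfd_avg(lambda_du: float, proof_test_hours: float, architecture: str) -> float:
    x = lambda_du * proof_test_hours
    if architecture == "1oo1":      # single channel
        return x / 2
    if architecture == "1oo2":      # two channels, either one trips
        return x ** 2 / 3
    if architecture == "2oo3":      # three channels, majority vote
        return x ** 2
    raise ValueError(f"unsupported voting architecture: {architecture}")


def sil_from_pfd(pfd: float, operator_in_loop: bool = False) -> int:
    """Map a PFDavg to its SIL band; each band is one decade narrower."""
    if pfd >= 1e-1:
        sil = 0  # no SIL credit: fails more than one demand in ten
    elif pfd >= 1e-2:
        sil = 1  # one failure in 10 to 100 demands
    elif pfd >= 1e-3:
        sil = 2
    elif pfd >= 1e-4:
        sil = 3
    else:
        sil = 4  # the standard's table stops at SIL 4 (PFD >= 1e-5)
    # A loop that relies on a human operator cannot be rated above SIL 1.
    return min(sil, 1) if operator_in_loop else sil


@dataclass
class Subsystem:
    name: str
    lambda_du: float      # dangerous undetected failures per hour
    architecture: str     # voting arrangement of this subsystem


def loop_pfd(subsystems: List[Subsystem], proof_test_hours: float) -> float:
    """The SIF's PFDavg is the sum over its series subsystems."""
    return sum(pfd_avg(s.lambda_du, proof_test_hours, s.architecture)
               for s in subsystems)


def assess(subsystems: List[Subsystem], proof_test_hours: float,
           operator_in_loop: bool = False) -> Tuple[float, int]:
    pfd = loop_pfd(subsystems, proof_test_hours)
    return pfd, sil_from_pfd(pfd, operator_in_loop)


# Constructed loop: pressure transmitter -> logic solver -> shutdown valve.
# Failure rates are illustrative placeholders, not measured data.
YEAR_HOURS = 8760.0
BASELINE = [
    Subsystem("pressure transmitter", 2e-6, "1oo1"),
    Subsystem("logic solver", 1e-7, "1oo2"),
    Subsystem("shutdown valve", 5e-6, "1oo1"),
]
REDUNDANT_VALVE = [
    Subsystem("pressure transmitter", 2e-6, "1oo1"),
    Subsystem("logic solver", 1e-7, "1oo2"),
    Subsystem("shutdown valve", 5e-6, "1oo2"),   # only change: duplicated valve
]


def baseline_loop() -> Tuple[float, int]:
    return assess(BASELINE, YEAR_HOURS)


def redundant_valve_loop() -> Tuple[float, int]:
    return assess(REDUNDANT_VALVE, YEAR_HOURS)


def baseline_loop_quarterly_test() -> Tuple[float, int]:
    # Same hardware, proof-tested every three months instead of annually.
    return assess(BASELINE, YEAR_HOURS / 4)


if __name__ == "__main__":
    for label, fn in [("baseline, annual test", baseline_loop),
                      ("1oo2 valve, annual test", redundant_valve_loop),
                      ("baseline, quarterly test", baseline_loop_quarterly_test)]:
        pfd, sil = fn()
        print(f"{label:26s} PFDavg={pfd:.2e} -> SIL {sil}")
```

Two things stand out when this runs. The valve dominates the loop (its single-channel PFD is about 0.022 of the 0.031 total), so the loop only reaches SIL-1 even though the logic solver on its own sits comfortably inside the SIL-4 band; a module rating says nothing about the loop. Either duplicating the valve or quartering the proof-test interval brings the same loop into SIL-2, which is why the page stresses that test frequency, redundancy and voting all belong in the calculation.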
While regulatory processes would prevent installation of any insufficiently rated safety systems, it isn’t unheard of for industrial facilities to purchase higher rated systems than they need. The consequences here are mostly financial: not only will the components add unnecessary expense, but the installation process will be more complex and therefore more disruptive to the facility’s daily production.
For these reasons, it’s essential to engage a company with safety system expertise that understands the SIL hierarchy and different levels’ suitability for different applications.
The difficulty of rating software
The normalisation of software-based or SMART components, that is, those with embedded microprocessors, presented a new challenge in the early 21st century. While hardware assessments are straightforward, verifying software against a safety function was far less certain territory and led to reluctance in some industries to take advantage of technological developments.
The nuclear industry was no exception. Initially, each major UK nuclear operator launched separate verification programmes to show compliance with the Nuclear Installations Inspectorate’s safety certification. To help nuclear site inspectors while eliminating redundancy and duplication of individual work, the EMPHASIS tool was developed.
EMPHASIS’s purpose is to achieve a common level of substantiation and assess SMART instruments for the nuclear industry against IEC 61508. Launched in 2005, it has been adopted by the Nuclear Industry SMART Instruments Working Group, made up of the significant entities in the UK’s nuclear industry.
Alarm annunciator systems are a vital layer of protection in a plant safety strategy. They give operators early warning of an abnormal condition, allowing action before hazards take effect and enabling human, logic-driven intervention. The importance of these SMART safety tools meant that substantiation by EMPHASIS was essential for UK nuclear safety.
SIL ratings have been an important metric for industrial functional safety for 25 years, but misinterpretations still linger with regard to their application. To avoid incurring unnecessary cost and complexity, it’s important for facility planners and managers to work with safety system suppliers who truly understand safety integrity levels.