Full form of SIL is Safety Integrity Level.

As per standard practice you can say that "a" transmitter is suitable for SIL 2 or SIL 3 loop. If any one component level is SIL 1 then loop will be always SIL 1, even Transmitter is suitable for SIL 3. Main difference between SIL 2 and SIL 3 is Probability of failure on demand per year (PFD). PFD for SIL 2 is >=0.001 to <0.01 and PFD for SIL 3 >=0.0001 to <0.001. it is achieved by redundant hardware (power supply and other electronics component), diagnostic hardware and software The difference between a transmitter certified for use in SIL3 applications and a SIL2 certified unit is that the SIL3 unit will have satisfied more onerous requirements with respect to its design, in particular reliability and failure modes. If you are talking about IEC61508/61511 SILs... Note that the use of SIL certified devices, be they PLCs or transmitters etc., does not itself guarantee that you have satisfied the requirements for the safety function. It is the safety function itself (e.g. trip of plant item r items) which carrys the requirement for a specific integrity level. Therefore the whole of the system for that specific function (from sensor(s) to final element(s)) must be designed with the performance requirements and management requirments that come with the integrity level specified. Use of certified devices does make the process of putting together your safety claims/arguments easier and more traceable. If you are unfamiliar with the design practices using the safety standards I suggest you get a specialist in who has a verifiable track record. Hope this helps Reply to this post...

Posted by Anonymous on 21 May, 2006 - 3:09 pm

A safety certified transmitter is different from regular transmitter as it has additional certification pertaining to IEC 61508. It does not differ in operational functionality but has documented failure modes with identification of lambda, SFF and finally has a defined reliabilty. You may achieve SIL3 risk miigation even by SIL2 transmitters used in 1oo2 or 2oo3 configuration as you meet the required Pfd(avg). Even uncertified hardware can be used in SIL2/3 application if you can get safe and dangerous failure

rates through OREDA or other reliability handbooks, achieve desired Pfd(avg) or compensate through enhanced loop inspection/maintenance frequency (though not desirable)as guided by IEC 61511.

Posted by Ricardo Almarza on 14 August, 2009 - 2:59 pm Dear sirs, Could you clarify the sentence "generic pressure transmitter" in SIL determination. What does this mean?? May I specify a normal pressure transmitter?? or should be SIL certified?? Thanks a lot Reply to this post...

Posted by P.Soma Hi Mr.Ricardo Almarza,

on 14 August, 2009 - 10:34 pm

Get different answers with different SIL selection techniques.. Which would you rather do, spend a few minutes using a simple qualitative technique and implement a safety integrity level (SIL) 3 design (with very high life-cycle costs), or spend a few more minutes in the up-front requirements using a more quantitative technique and end up implementing a SIL 1 design (with much lower life-cycle costs)? Here's how you can make the most of your SIL determination. Safety instrumented system (SIS) standards (ANSI/ISA 84, IEC 61508, and 61511) cover several techniques to determine safety integrity levels--the performance required of safety instrumented functions. The three-dimensional risk matrix (associated with North America) and the risk graph (associated with Europe) are two qualitative methods. Layer of protection analysis (LOPA) is a semiquantitative technique. It involves identifying hazardous events, determining initiating event frequencies, establishing tolerable levels of risk, and analyzing each independent safety layer to see if you can reach the overall level of risk. If not, you will need to add either additional safety layers, or strengthen existing layers. Experience has shown that the different techniques can yield significantly different answers. The qualitative techniques can result in overly pessimistic answers, such as false highintegrity level requirements. This is usually due to the difficulty of " these techniques to incorporate risk criteria. More quantitative techniques (which you can more easily calibrate to incorporate risk criteria) can yield significantly lower requirements. Therefore, spending a little more time in the up-front system requirements analysis using

more quantitative techniques can result in (1) a more realistic (and possibly lower) system performance requirement, and (2) considerable economic savings in the design, installation, and maintenance of the system. Take the sample case of a valve spuriously closing--resulting in pipeline overpressure and possible rupture. A valve in a pipeline application was recently modified from a motoroperated valve to a pneumatically controlled, solenoid-operated, spring-loaded, fail-safe (closed) valve. If this valve were to spuriously close, it would create an overpressure in a portion of the pipeline, resulting in a possible pipeline rupture and vapor cloud, with a potential for an explosion and fatalities. A proposed safety system called for a safety transmitter, logic box, and safety valve that would shut in a portion of the pipeline to prevent the over-pressure condition. As an exercise, the three-dimensional risk matrix, risk graph, and LOPA helped to determine what the differences in integrity level recommendations, if any, might be. You will find the methods described (and diagrams) in the standards themselves. Reply to this post...

Posted by Ricardo Almarza on 17 August, 2009 - 7:39 am Dear sir Thanks a lot for your answer, but my doubt was raised badly, in fact the SIL obtained for the loop (SIF) was SIL 1, in this case composed by: - iniciator: votation 1oo1, a *generic* level transmitter (LT-030) - logic solver: a certified SIL 3 PLC - actuator: XY-54 solenoid SIL3 (installed in a *generic* pneumatic XV-54 ball valve) Now... it comes the real world, to specify the data sheet for the generic level transmitter (LT030) and the generic ball pneumatic valve. Are both *regular instruments ?? *Or are they some special kind of instruments to acomplish some special items like MTTF, MTBF, PFD and some one?? For the ball valve data sheet, I think is easy... just to specify a SIL 3 solenoid..but what about the word "generic"??As you can see my problem is to specify the data sheet for "generic" instrument. The item mentioned above was obtained from a specific software like Exida or SilSolver. Thanks in advance for you help. ** *Ricardo Almarza* *Antes de imprimir* pense em seu PROJECTUS Consultoria Ltda. Gerente de Instrumentao e Eltrica compromisso com o *Meio Ambiente*

Email: ricardo.almarza [at] projectus.com.br Reply to this post...

Posted by DaveMH on 18 August, 2009 - 8:27 am Ricardo, The generic in this case I think refers to failure rate and failure mode data that are typical of the kind of device that was selected so it is not special in any way. As I said previously (it seems our posts crossed in the ether:)) select the right instrument for the job from a measurement/control point of view rather than a certified device. You should be able to find out what the assumptions were by the software tool with respect to failure data and make sure that the device you select equals or betters the parameters assumed. If the device is certified great, but it doesn't have to be. Also make sure you document your assumptions and get them checked. Regards David Reply to this post...

Posted by Ricardo Almarza on 19 August, 2009 - 7:01 am David Thanks so much for your tips. I will follow them Regards *Ricardo Almarza* Reply to this post...

Posted by DaveMH Ricardo,

on 17 August, 2009 - 7:56 am

You might be better giving us more details/better context to judge the use of these words and what the meaning is. SIL determination is usually referenced to process related events that have an associated hazard that is realised if they occur. Unless the initiating event is a control system related event or you are considering the PT as an element in a layer of protection the use of "generic PT" seems out of context. In general if you have a safety function that requires the use of an instrument - first select an instrument that measures the appropriate variable over an appropriate range in the environment to be encountered in service. If you then have a choice of a "certified" device

versus non-certifed examine it as a possibe improvement but be slightly sceptical of maufacturer's claims. Your application requirements may make the difference between the certified instrument being more suitable or perhaps not. Do not choose a device just because it is certified. Hope this helps David Reply to this post...

Posted by mapimentel Hi Guys,

on 8 September, 2009 - 9:31 pm

Im facing similar scenario as Ricardo had. Our automation guys did a SIL study and the SIL reports yield few loops to be clasified as SIL1. I tried to check availability of SIL 1 rated transmitters and MOVs, etc. and found that they can be certified SIL 2 or 3, there's no SIL 1. So my question is do we need a SIL 2 rated instruments for the SIL1 loop? I checked IEC61511, and some statements give me a clue that I can actually use a lower SIL rated field devices to satisfy a higher SIL. It means that if I have SIL 1 Loop, I can actually use a non SIL trasnmitters and MOVs, subject to some conditions. But those conditions I do not quite understand fully. Can you also please validate my understanding and in what conditions (if my understanding is correct) can I use non SIL instruments in SIL 1 loop. Thanks in advance. Marlon Reply to this post...

Posted by DaveMH Marlon,

on 10 September, 2009 - 8:23 am

> So my question is do we need a SIL 2 rated instruments for the SIL1 loop? < Short answer is no. As i said you do not need to use SIL certified devices for safety functions. And - you should not rely upon certified instruments to guarantee that you have met your obligations under 61508/61511. What matters most are the characteristics of the application for the instrument. If you use a SIL2 certified device in a function with a SIL1 requirement it may perform adequately or not. Check the failure rates/modesand certificate and verify assumptions. > It means that if I have SIL 1 Loop, I can actually use a non SIL trasnmitters and MOVs, < See answer above.

> subject to some conditions. But those conditions I do not quite understand fully. < If you don't understand the the conditions get somebody who does understand them and learn from them. Its hard to do that through a forum. > Can you also please validate my understanding and in what conditions (if my understanding is correct) can I use non-SIL instruments in SIL 1 loop < See first answer above. Consider the PFD requirements imposed upon the instrumentation and look at failure modes/rates, system fault responses etc. in the context of those requirements and the application. SIL cert or no SIL cert what is acceptable for one SIL1 function may not be acceptable for another SIL1 function. Sorry if the above is a little vague but without understanding of the application and systems its a hard to be very specific. DaveMH Reply to this post...

Posted by mapimentel Hi DaveMH, Thanks for your reply.

on 15 September, 2009 - 9:13 pm

Now I realize that SIL is not a simple stuff. What I actually did is I sent a query to our Automation and they too have to forward it to a SIL expert to do the SIL calculation in order to arrive at proper SIL rating of the field instruments. Thanks again, Marlon Reply to this post...

Posted by Allan Evans

on 17 September, 2009 - 6:02 am

Interesting these SIL loop calculations. How to think you are safe by multiplying a string of numbers! We recently had an "expert" SIL company check the SIL levels on a new Burner Management system. They confirmed it met the SIL level. I was surprised as no account had been taken of any of the boiler trips. Drum level, high steam temperature etc. How did we manage before this "fashion engineering" provided the opportunity for consultants to make many dollars based on fear. Before 61508/11 S84 we designed safety systems on the basis of "Good Engineering Practise". These calculations are a useful guide but do not think you can use them in

defending your decision in court. I am also amazed at why the engineering population use generic equipment, make up PLC's, waste company time in developing software. Buy tried and tested systems and be productive in maintaining them as well as improving plant performance. Who is going to look after all this Generic stuff when you leave? Reply to this post...

Posted by masoud sadra on 1 February, 2011 - 4:32 am Dear Ricardo, I believe the word generic pressure transmitter is the same as Conventional (normal as you call) pressure transmitter (ie,no SIL certification required). as you might know when you are dealing with SIL requirement of a safety loop (comprising sensors,Logic solver and final element), you may achieve it through using some non SIL elements of the loop provided that the overall PFDav, (low demand) or Failure rate /hr (continuous )of the loop meets the SIL required. as an example use of two redundant pressure transmitter (in 1 0 0 2, or 2 0 02) will affect both availability and reliability of the loop. Most of the time engineers would think that a SIL integrity is only used for Logic solvers eg. safety PLC's. but allocation of SIL integrity of the SIS which consist of the whole loop is more meaningful when result of risk analysis mandates use of a safety loop with certain SIL number. I hope this might be of help although I am responding to your request very late.