
Understanding the How, Why, and What of a

Safety Integrity Level (SIL)

Audio is provided via internet. Please enable your speaker (in all places) and mute your microphone.

Copyright © exida.com LLC 2000-2016


Understanding the How, Why, and What
of a Safety Integrity Level (SIL)
•  Audio is provided via internet. Please enable your
speaker (in all places) and mute your microphone.
•  There is a Q&A tab on the side of your screen. Please use
this mechanism to type any questions you may have at
any time. Questions will be read and answered.
•  A recording of this session and a copy of the slides will be
posted on the exida website and made available for you.



Abstract
The certification process is thorough and provides instant recognition of product reliability, safety, and security. Many end users are requesting certifications for the products they buy in order to reduce liability and risk, and manufacturers, if they haven't already, are staying ahead of these requests by certifying their products. During the certification process a manufacturer may have a requirement to certify their product to a certain Safety Integrity Level (SIL) rating. This webinar will cover:
–  What happens in an exida certification?
–  How to find a safety integrity level
–  How is SIL used?
–  What does this mean for the manufacturer?
–  What is SIL Capability?
–  How to calculate SIL
–  How to reach a certain rating
–  Is there a way to improve a SIL rating?



Loren Stewart, CFSP
Loren Stewart graduated from Virginia Tech with a BSME. She has 8 years of professional experience originating in custom design and manufacturing. She currently works for exida consulting as a safety engineer, focusing on the mechanical aspects of their customers' products. Along with assessing the safety of products and certifications, she continually researches and publishes reports on stiction and is creating a database for the 2H initiative according to IEC 61508.



exida Worldwide Locations


exida Industry Focus
•  Automation
•  Automotive
•  Process Industry
•  Nuclear

Main Product / Service Categories

Consulting
–  Process Safety (IEC 61511, IEC 62061, ISO 26262)
–  Alarm Management
–  Control System Security (ISA S99)

Engineering Tools
–  exSILentia (PHAx, SIL Selection, LOPAx, SRS, SIL Verification)
–  FMEDA
–  SILAlarm
–  SILStat
–  CyberPHAx

Product Certification
–  Functional Safety (IEC 61508)
–  Control System Cyber-Security
–  Network Security Robustness (Achilles)

Training
–  Process Safety
–  Control System Security
–  Onsite / Offsite
–  Safety Case Development
–  Alarm Management

Reference Materials
–  Databases
–  Tutorials
–  Textbooks
–  Reference Books
–  Market Studies

Professional Certification
–  CFSE
–  CFSP
–  Includes: Automotive, CACE/CACS, Hardware, Machinery, Process, Software

Processes - Products - People

exida Certification
•  exida has established schemes for functional safety and cybersecurity certification of Systems, Products, Components, and Personnel.
•  Functional Safety Certification involves a detailed analysis of both the engineering process and the design margins, resulting in random failure rates for all failure modes.
•  Cybersecurity Certification involves a detailed analysis of the engineering process, cyber defense mechanisms, and network robustness.



Reference Materials
•  exida authored most industry
references for automation safety
and reliability
•  exida authored industry data
handbook on equipment failure
data
•  exida authored the most
comprehensive book on
functional safety in the market



Engineering Tools
•  exSILentia®
  –  PHAx™ (HAZOP)
  –  LOPAx™
     •  Layer of Protection database built-in
  –  SIL Selection
     •  Risk Matrix or Risk Graph
     •  Tolerable Frequency Basis
  –  Safety Requirements Specification
  –  SIL Verification
     •  Instrumentation failure database built-in
     •  Variables include real-world factors such as test coverage and service
  –  Proof Test Generator
  –  Life Cycle Cost Analysis
•  SILAlarm™ (Alarm Rationalization)
•  SILStat™ (Field Failure Data Collection and Analysis)
  –  Proof Test & Maintenance Activity scheduling
  –  Process demand recording
  –  Failure recording
•  CyberPHAx™ (Cyber Risk Assessment)



Topics
•  What happens in an exida certification?
•  How to find a safety integrity level
•  How is SIL used?
•  What this means for the manufacturer?
•  What is SIL Capability?
•  How to calculate SIL
•  How to reach a certain rating
•  Is there a way to improve a SIL rating?



WHAT HAPPENS IN AN EXIDA
CERTIFICATION?



Certification Process

1. Kickoff Meeting
2. Perform FMEDA Analysis on Product
3. Creation of the Proven-In-Use Analysis
4. Process Analysis
5. Onsite audit
6. Certification Audit



IEC 61508 Full Certification
•  The end result of the
certification process is a
certificate listing the SIL level
for which a product is qualified
and the standards that were
used for the certification.
•  However, we must
understand that some
products are certified with
“restrictions.”
•  The restrictions essentially
indicate when a product does
not meet some requirements of
IEC 61508.
•  The restrictions are listed in the
safety manual and must be
followed if safe operation is
required.



HOW TO FIND A SAFETY INTEGRITY
LEVEL



The SIL level of a product is determined by three things:

1. The Systematic Capability rating
2. The Architectural Constraints for the element
3. The PFDavg calculation for the product

The product can claim no higher SIL than the lowest of the three.



Compliance Requirements
(Diagram: Compliance rests on three supports: SIL Capability, Architectural Constraints, and Probability of Failure.)

February 19, 2016 Copyright © exida.com LLC 2000-2016


THE SYSTEMATIC CAPABILITY



The Systematic Capability
Systematic Capability is established by having your quality management system audited per IEC 61508. If the QMS meets the requirements of 61508, a SIL Capability rating is issued. The rating achieved depends on the effectiveness of your QMS. The certificate is for the systematic capability of a product.



THE ARCHITECTURAL
CONSTRAINTS



The Architectural Constraints

Architectural constraints are established by following Route 1H or Route 2H. Route 1H involves calculating the Safe Failure Fraction for the element. A valve is typically one component of the final element of a safety instrumented function (SIF).



Architectural Constraints from FMEDA Results
Route 1H - Safe Failure Fraction (SFF) according to 7.4.4.2 of IEC 61508:

SFF = Safe Failures / (Safe + Dangerous Failures)

(In IEC 61508-2 the dangerous failures that on-line diagnostics detect are counted together with the safe failures, so in FMEDA terms SFF = (λS + λDD) / (λS + λDD + λDU). Only the dangerous undetected failures lower the SFF.)

Route 2H - Assessment of the reliability data for the entire element according to 7.4.4.3.3 of IEC 61508.

Route 1H
TYPE A

Safe Failure Fraction | HFT 0 | HFT 1 | HFT 2
< 60%                 | SIL 1 | SIL 2 | SIL 3
60% to < 90%          | SIL 2 | SIL 3 | SIL 4
90% to < 99%          | SIL 3 | SIL 4 | SIL 4
>= 99%                | SIL 3 | SIL 4 | SIL 4

Hardware Fault Tolerance (IEC 61508): the number of faults that can be tolerated while the safety function is still maintained (HFT = 1 means one fault is tolerated).



Route 2H Table
Type A, Low Demand Applications

Hardware Fault Tolerance | 0     | 1     | 2
Maximum SIL              | SIL 2 | SIL 3 | SIL 4

Type B elements using Route 2H shall have a diagnostic coverage not less than 60%.



THE PFDAVG CALCULATION



The PFDavg calculation

The PFDavg is based on the dangerous undetected failure rate, system diagnostics, proof test coverage and proof test interval. Typically, a final element assembly on its own has a PFDavg that only meets SIL 1. However, there are things that can be done with the diagnostics and proof test that would improve the PFDavg to SIL 2.



HOW IS SIL USED?



Safety Integrity Level
Used FOUR ways:
1.  To establish risk reduction requirements
2.  Probabilistic limits for hardware random failure
3.  Architectural constraints
4.  To establish systematic capability



TO ESTABLISH RISK REDUCTION



Example of Risk Reduction
The PHA determines that a specific hazard can occur every 10 years, causing a major release of toxic fumes into the atmosphere.
Determine the RRF needed so that the hazard occurs no more than once in 500 years.

RRF = 500/10 = 50

(The unmitigated frequency of 1 in 10 per year divided by the tolerable frequency of 1 in 500 per year.)



Safety Integrity Level

Safety Integrity Level | Risk Reduction Factor
SIL 4                  | 100000 to 10000
SIL 3                  | 10000 to 1000
SIL 2                  | 1000 to 100
SIL 1                  | 100 to 10

1. Each safety function has a requirement to reduce risk.

SIL level - order of magnitude of the risk reduction required (the RRF of 50 in the previous example falls in the SIL 1 band).



TO SET PROBABILISTIC LIMITS FOR
HARDWARE RANDOM FAILURE



Safety Integrity Levels
Random Failure Probability

Safety Integrity Level | Probability of failure on demand (demand mode of operation)
SIL 4                  | >= 10^-5 to < 10^-4
SIL 3                  | >= 10^-4 to < 10^-3
SIL 2                  | >= 10^-3 to < 10^-2
SIL 1                  | >= 10^-2 to < 10^-1

2.  To set probabilistic limits for hardware random failure

Random Failure Probability Factors
1. Dangerous Undetected Failure Rate (FMEDA)
2. Proof Test Coverage
3. Proof Test Interval
4. Mission Time

PFDavg = (PTC)*DU*TI/2 + (1-PTC)*DU*MT/2

Where
PTC = Proof Test Coverage (fraction of the dangerous undetected failures that the proof test reveals)
DU = Dangerous Undetected failure rate, λDU from the FMEDA
TI = Proof Test Interval
MT = Mission Time

The failures the proof test can find are exposed on average for half a proof test interval; the ones it cannot find stay hidden for half the mission time. DU, TI and MT must be in consistent units (for example failures per hour and hours). The formula is the usual first-order approximation and only holds while DU*MT is well below 1.



Random vs. Systematic Faults
•  Random Failures
–  A failure occurring at a random time, which results from one or more
of degradation mechanisms.
•  Systematic Failures
–  A failure related in a deterministic way to a certain cause, which can
only be eliminated by a modification of the design or of the
manufacturing process, operational procedures, documentation,
or other relevant factors.



Random vs. Systematic Faults
(Diagram)
Specification of requirements, design, implementation:
–  Well designed system: the system is correct. A random failure can still occur, and then the system has a failure.
–  Improperly designed system: the system is not correct. This is a systematic fault.



Stress – Strength: Failures
•  All failures occur when stress exceeds the associated level of strength.
•  Stress is usually a combination of "stressors":
   Heat, Humidity, Shock, Vibration, Electrical Surge, Electro-Static Discharge, Radio Frequency Interference, Mis-calibration, Maintenance Errors, Operational Errors



Stress - Strength: Failures
(Figure: probability distributions of Strength and Stress, plotted on a 0 to 1 scale.)

Strength varies with time and with other stress. Stress also varies with time. However, they can be represented by probability distributions.



Stress - Strength: Failures
(Figure: the Strength distribution has moved toward the Stress distribution so that the two overlap more.)

At some point in time, strength decreases and the failure rate increases rapidly; this causes wear-out.



Stress - Strength: Failures
(Figure: failure rate versus time, the familiar "bathtub" shape.)

Stress-strength explains how failure rates vary with time.
Weak units from a production population fail early. This portion of the curve is known as "infant mortality."
When weak units are eliminated from the population, stress-strength indicates a steady but declining failure rate.
When strength declines, the failure rate increases significantly.

Stress - Strength: Failures
(Figure: the same failure rate versus time curve, annotated. IEC 61508 is applied in the flat part of the curve, the "Useful Life" listed in Safety Manuals; the rise on the right marks the end of "Useful Life".)

Note: Constant Failure Rate during "Useful Life"



Terms
•  Low Demand Mode
–  Where the frequency of demands for operation made on a safety-
related system is no greater than one per year and no greater than
twice the proof test frequency; Part 4, 3.5.12
–  If the ratio of diagnostic test rate to demand rate exceeds 100, then
the subsystem can be treated ... As low demand mode..., Part 2,
7.4.3.2.5 Note 2
–  ..the diagnostic test interval will need to be considered directly in the
reliability model if it is not at least an order of magnitude less than
the expected demand rate, Part 2, 7.4.3.2.2, Note 3

exida definition: A dangerous condition (a demand) occurs infrequently and at least 2X less often than manual proof testing. [Therefore proof testing can be given credit for risk reduction.]



Safety Integrity Levels – Low Demand

Random Failure Probability

Safety Integrity Level | Probability of failure on demand (demand mode of operation)
SIL 4                  | >= 10^-5 to < 10^-4
SIL 3                  | >= 10^-4 to < 10^-3
SIL 2                  | >= 10^-3 to < 10^-2
SIL 1                  | >= 10^-2 to < 10^-1



Safety Integrity Levels – High Demand
Random Failure Probability

Safety Integrity Level | Probability of dangerous failure per hour (high demand or continuous mode of operation)
SIL 4                  | >= 10^-9 to < 10^-8
SIL 3                  | >= 10^-8 to < 10^-7
SIL 2                  | >= 10^-7 to < 10^-6
SIL 1                  | >= 10^-6 to < 10^-5

High Demand Mode
Where the frequency of demands for operation made on a safety-related system is greater than twice the proof check frequency;



ARCHITECTURAL CONSTRAINTS



SFF Product Types
TYPE A – “A subsystem can be regarded as type A if, for the
components required to achieve the safety function
•  a) the failure modes of all constituent components are well
defined; and
•  b) the behavior of the subsystem under fault conditions can
be completely determined; and
•  c) there is sufficient dependable failure data from field
experience to show that the claimed rates of failure for
detected and undetected dangerous failures are met.”

TYPE B – everything else!

IEC 61508, Part 2, Section 7.4.3.1.2



IEC Safe Failure Fraction
TYPE A, Low Demand Applications

Safe Failure Fraction | HFT 0 | HFT 1 | HFT 2
< 60%                 | SIL 1 | SIL 2 | SIL 3
60% to < 90%          | SIL 2 | SIL 3 | SIL 4
90% to < 99%          | SIL 3 | SIL 4 | SIL 4
>= 99%                | SIL 3 | SIL 4 | SIL 4

Hardware Fault Tolerance (IEC 61508): the number of faults that can be tolerated while the safety function is still maintained (HFT = 1 means one fault is tolerated).


IEC Safe Failure Fraction
TYPE B

Safe Failure Fraction | HFT 0       | HFT 1 | HFT 2
< 60%                 | Not Allowed | SIL 1 | SIL 2
60% to < 90%          | SIL 1       | SIL 2 | SIL 3
90% to < 99%          | SIL 2       | SIL 3 | SIL 4
>= 99%                | SIL 3       | SIL 4 | SIL 4

Hardware Fault Tolerance (IEC 61508): the number of faults that can be tolerated while the safety function is still maintained (HFT = 1 means one fault is tolerated).

TO ESTABLISH SYSTEMATIC
CAPABILITY


Safety Integrity Level
4) To establish systematic capability

The equipment used to implement any safety function must be designed using procedures intended to prevent systematic design errors. The rigor of the required procedure is a function of SIL level.


Safety Integrity Levels

Safety Integrity Level | Probability of failure on demand (demand mode of operation) | Risk Reduction Factor
SIL 4                  | >= 10^-5 to < 10^-4                                         | 100000 to 10000
SIL 3                  | >= 10^-4 to < 10^-3                                         | 10000 to 1000
SIL 2                  | >= 10^-3 to < 10^-2                                         | 1000 to 100
SIL 1                  | >= 10^-2 to < 10^-1                                         | 100 to 10



Safety Integrity Levels

Safety Integrity Level | Probability of dangerous failure per hour (high demand or continuous mode of operation)
SIL 4                  | >= 10^-9 to < 10^-8
SIL 3                  | >= 10^-8 to < 10^-7
SIL 2                  | >= 10^-7 to < 10^-6
SIL 1                  | >= 10^-6 to < 10^-5



61508 Annexes: Tables
•  All Numbered Measures Are Required (No Pick and Choose)
•  All Sub-alphabetized Measures are substitutable and partly combinable

Technique / Measure                     | SIL 2 | SIL 3
1  Fault detection and diagnosis        | R     | HR
2  Error detecting and correcting codes | R     | R
3a Failure assertion programming        | R     | R
3b Safety bag techniques                | R     | R
3c Diverse programming                  | R     | R

R - Recommended (not using the measure requires a rationale)
HR - Highly Recommended (MUST)



COMPLETE COMPLIANCE



IEC 61508 Full Certification



Compliance Requirements
(Diagram: Compliance rests on three supports: SIL Capability, Architectural Constraints, and Probability of Failure.)


EXAMPLE



exSILentia Example



exSILentia Example



HOW CAN I IMPROVE MY SIL?



How can I improve my SIL?
(Diagram: Compliance rests on SIL Capability, Architectural Constraints, and Probability of Failure.)

1.  Improve SIL Capability
2.  Improve Architectural Constraints
3.  Improve PFDavg



How can I improve my SIL?
1.  Improve SIL Capability
•  Improve effectiveness of internal quality management
2.  Improve Architectural Constraints
•  1oo2
•  2oo3
•  Change your Hardware Fault Tolerance
3.  Improve PFDavg
•  Decrease Proof test interval
•  Decrease Mission time
•  Change the architecture
•  Revise Proof test coverage
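
Added example (written for this page; it is not exida's code and not exSILentia output): a small Python model that puts the three constraints together. It uses the Route 1H SFF/HFT tables, the simplified PFDavg formula from the Random Failure Probability Factors slide, the low-demand PFDavg bands and the RRF bands, then applies the improvements listed above (better proof test coverage, shorter mission time, a 1oo2 arrangement for HFT = 1) to a constructed valve assembly. The failure rates, proof test coverage, element type and SIL capability are constructed illustration values, not vendor data; the 1oo2 case keeps the single-channel PFDavg as a conservative bound instead of modelling the voted pair.

```python
"""
Added illustration (not exida code or exSILentia output): the three SIL
constraints from the slides combined in one small model.
  1. systematic capability     - taken as a given rating from the QMS audit
  2. architectural constraints - Route 1H, SFF vs HFT tables (Type A / Type B)
  3. PFDavg                    - simplified formula from the slides
All failure rates and parameters below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

HOURS_PER_YEAR = 8760
FIT = 1e-9  # 1 FIT = one failure per 1e9 hours


@dataclass(frozen=True)
class Fmeda:
    """Constructed FMEDA result for one element; rates in failures per hour."""
    lam_s: float   # safe failures
    lam_dd: float  # dangerous failures detected by on-line diagnostics
    lam_du: float  # dangerous undetected failures (only a proof test finds them)

    def sff(self) -> float:
        # IEC 61508-2 counts dangerous-detected failures with the safe ones.
        return (self.lam_s + self.lam_dd) / (self.lam_s + self.lam_dd + self.lam_du)


# Route 1H tables from the slides. Row = SFF band
# (<60%, 60-<90%, 90-<99%, >=99%), column = HFT 0, 1, 2. 0 means "not allowed".
ROUTE_1H = {
    "A": [[1, 2, 3], [2, 3, 4], [3, 4, 4], [3, 4, 4]],
    "B": [[0, 1, 2], [1, 2, 3], [2, 3, 4], [3, 4, 4]],
}


def sff_band(sff: float) -> int:
    return 0 if sff < 0.60 else 1 if sff < 0.90 else 2 if sff < 0.99 else 3


def architectural_sil(sff: float, hft: int, elem_type: str = "A") -> int:
    """Highest SIL the architectural constraints allow (Route 1H)."""
    return ROUTE_1H[elem_type][sff_band(sff)][min(hft, 2)]


def pfd_avg(lam_du: float, ptc: float, ti_years: float, mt_years: float) -> float:
    """Slide formula: PFDavg = PTC*DU*TI/2 + (1-PTC)*DU*MT/2.

    Failures the proof test can find accumulate over TI; the ones it cannot
    find (1-PTC) accumulate over the whole mission time. First-order
    approximation, valid while lam_du * MT << 1.
    """
    ti, mt = ti_years * HOURS_PER_YEAR, mt_years * HOURS_PER_YEAR
    return ptc * lam_du * ti / 2 + (1 - ptc) * lam_du * mt / 2


def pfd_sil(pfd: float) -> int:
    """Low-demand band: SIL n means 10^-(n+1) <= PFDavg < 10^-n; 0 = below SIL 1."""
    for sil in (4, 3, 2, 1):
        if 10.0 ** -(sil + 1) <= pfd < 10.0 ** -sil:
            return sil
    return 0


def required_sil(hazard_per_year: float, tolerable_per_year: float) -> tuple[float, int]:
    """Risk-reduction side: RRF = unmitigated / tolerable frequency, mapped to SIL."""
    rrf = hazard_per_year / tolerable_per_year
    for sil, lower in ((4, 1e4), (3, 1e3), (2, 1e2), (1, 1e1)):
        if rrf >= lower:
            return rrf, sil
    return rrf, 0


def achieved_sil(fmeda: Fmeda, hft: int, elem_type: str, sil_capability: int,
                 ptc: float, ti_years: float, mt_years: float) -> dict:
    """The product SIL is the weakest of the three constraints."""
    pfd = pfd_avg(fmeda.lam_du, ptc, ti_years, mt_years)
    parts = {
        "systematic": sil_capability,
        "architectural": architectural_sil(fmeda.sff(), hft, elem_type),
        "pfd": pfd_sil(pfd),
    }
    return {**parts, "pfd_avg": pfd, "sil": min(parts.values())}


if __name__ == "__main__":
    # Constructed valve assembly: Type A, no on-line diagnostics, SIL 3 capable QMS.
    valve = Fmeda(lam_s=500 * FIT, lam_dd=0.0, lam_du=800 * FIT)
    base = achieved_sil(valve, hft=0, elem_type="A", sil_capability=3,
                        ptc=0.60, ti_years=1, mt_years=20)
    # Same valve after the improvements on the last slide: better proof test
    # coverage, shorter mission time and a 1oo2 arrangement (HFT = 1). The
    # single-channel PFDavg is kept as a conservative bound for the pair.
    better = achieved_sil(valve, hft=1, elem_type="A", sil_capability=3,
                          ptc=0.95, ti_years=1, mt_years=10)
    print("baseline:", base)    # sil 1: SFF 38% at HFT 0, PFDavg about 3e-2
    print("improved:", better)  # sil 2: HFT 1 lifts the constraint, PFDavg about 5e-3
    print("PHA example (RRF, SIL):", required_sil(1 / 10, 1 / 500))  # RRF 50, SIL 1
```

Run it and the baseline case comes out SIL 1 on both the architectural constraints (SFF below 60% at HFT 0) and PFDavg; the improved case reaches SIL 2 only because both legs were raised together, which is what the diagram is saying: the product SIL is the weakest of the three supports, so improving one alone does not move the rating.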



excellence in dependable automation

Further questions? Email me: lstewart@exida.com
