“Contrary to what many parents tell their children, talent and hard work are neither necessary nor sufficient for economic success.” —Robert H. Frank
We are all guilty of telling tales we know to be untrue in order to encourage virtuous behavior. Parents tell their children to be good so Santa Claus will come. OSHA tells employers that if only they complied with all regulations, there would be no work-related fatalities. And safety specialists tell end-users that the components in their safety instrumented systems—their SIS—need SIL Certification.
Despite the hundreds of gallons of ink that have been spilt on the subject of Safety Integrity Levels (SILs) of Safety Instrumented Functions (SIFs) installed in Safety Instrumented Systems (SISs), it seems as though there is no other way to explain some persistent misconceptions.
Some users, especially new users, have been convinced that an SIS must consist entirely of SIL Certified components. Not true. A variation of this misconception is that a SIL 2 SIF must consist of components that are all certified as at least SIL 2. Also not true. The most dangerous misconception, however, is that a SIF comprised entirely of components certified as SIL 2 is inherently a SIL 2 SIF.
SIL Certification, as valuable as it is, is neither necessary nor sufficient to assure that a SIF meets a particular SIL rating.
What Does a SIL Mean?
No field of endeavor is complete without its own jargon. Automated process safety is no exception. The three terms—SIL, SIF, and SIS—are all terms defined in the standards from the International Electrotechnical Commission (IEC 61508, IEC 61511), and from the International Society of Automation (ISA S84). They have no “natural” meaning; they are constructs of the committees that wrote those standards, which get to decide what they do and do not mean.
- An SIS (we pronounce it “S-I-S” although some pronounce it “sis”) is “used to implement one or more safety instrumented functions.”
- A SIF (we pronounce it “siff” and have never heard anyone pronounce it “S-I-F”) is “intended to achieve or maintain a safe state for the process, with respect to a specific hazardous event.” [emphasis added]
- A SIL (we pronounce it “sill” and when using it as an adjective, refer to SIL ratings rather than SIL levels, since the “L” already stands for “level”) is a “discrete level (one out of four) for specifying” the reliability of a SIF, SIL 4 having the highest reliability and SIL 1 the lowest.
Note that “SIL” only applies to SIFs, not other risk reduction measures. Relief valves are not “SIL 2.” A SIL is applied to a SIF, not to an entire SIS. Also note that the standards do not define “SIL 0”, although the term is frequently applied to safety functions installed in an SIS that do not otherwise have SIL ratings.
Although the standards allow for SIL 1 (which provides at least 10-fold risk reduction), SIL 2 (at least 100-fold risk reduction), SIL 3 (at least 1,000-fold risk reduction), and SIL 4 (at least 10,000-fold risk reduction), a consensus has emerged in the process industries that any hazard that requires a 10,000-fold risk reduction should be redesigned rather than depend on a single SIL 4 SIF. So, you will typically find SIL 1 SIFs and SIL 2 SIFs in an SIS, along with the occasional SIL 3 SIF, but never a SIL 4 SIF.
Whether a SIF is sufficiently reliable to be SIL 1, SIL 2, or SIL 3 depends first on its Average Probability of Failure on Demand—its PFDAVG.
Average Probability of Failure on Demand—PFDAVG
PFDAVG is the most important feature of a SIF. The lower the PFDAVG, the better we like it. To be considered SIL 1, the PFDAVG of a SIF must be less than or equal to 0.1, meaning that you can expect it to work when you need it to work at least nine times out ten. For SIL 2, the PFDAVG must be less than or equal to 0.01, and for SIL 3, it must be less than or equal to 0.001.
Given a specific SIF design, or architecture, the PFDAVG of the SIF can be approximated fairly accurately as the sum of the PFDAVG of the subsystems that comprise the SIF. At its most basic, a SIF consists of three subsystems: sensing, logic solving, and final control. However, some SIFs have more than one sensing subsystem. Even more SIFs have more than one final control subsystem.
If all subsystems had the same PFDAVG, then the more subsystems that comprise a SIF, the higher, and so worse, the PFDAVG. There is nothing in a component SIL Certification that says anything about the number of subsystems that comprise a specific SIF design. So right off, the SIL Certification is not sufficient to guarantee the SIL for a SIF.
SIF Subsystems
For a particular subsystem design, the PFDAVG is a function of the failure rate of the components and the proof test interval of the subsystem. The more reliable the component, the lower the failure rate should be. SIL Certification for a component should provide the failure rate for that component, but components without SIL Certification can be used as long as they are “proven-in-use” and so have reasonable estimates of failure rates.
Of equal importance to component failure rates, however, are proof test intervals. The shorter the proof test interval, the lower (better) the PFDAVG. SIL Certification does not include recommendations for proof test interval and even if it did, the end user could choose to test more often, which would lower the PFDAVG, or less often, which would increase the PFDAVG.
Redundancy
Another approach to reducing PFDAVG is to incorporate redundancy into the design. A double-block design is much less likely to fail than a single-block design because even if one of the block valves fails to close, flow is still stopped as long as the other block valve closes. If the PFDAVG of a single valve is about 0.02, then the PFDAVG of the valve pair is about 0.0005.
This means that with redundant architectures, even SIL 3 SIFs can be designed using components that, by themselves, would only be suited for SIL 1.
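The three ideas above (series sum over subsystems, proof test interval, and redundancy) worked through in Python as an added example that is not from the article. It uses the simplified low-demand approximations from IEC 61508-6 (1oo1 ≈ λ_DU·T/2, 1oo2 ≈ (λ_DU·T)²/3, common-cause failures ignored); the failure rates are assumed values, chosen so the single valve lands near the article's 0.02.

```python
# Simplified low-demand PFDavg estimates (IEC 61508-6 style approximations:
# 1oo1 ~ lambda_DU*T/2, 1oo2 ~ (lambda_DU*T)^2/3, common-cause failure ignored).
# Example code added for this article; the failure rates below are assumed.

SIL_BANDS = [(4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)]  # (SIL, max PFDavg)


def pfd_1oo1(lambda_du: float, t_hours: float) -> float:
    """One device; lambda_du in dangerous undetected failures per hour, T = proof test interval."""
    return lambda_du * t_hours / 2


def pfd_1oo2(lambda_du: float, t_hours: float) -> float:
    """Two identical devices, either one sufficient to act (e.g. a double block)."""
    return (lambda_du * t_hours) ** 2 / 3


def sif_pfd(subsystem_pfds: list[float]) -> float:
    """Series sum over sensing, logic-solving and final-control subsystems."""
    return sum(subsystem_pfds)


def sil_from_pfd(pfd: float) -> int:
    """Highest SIL band a PFDavg satisfies; 0 means it does not even reach SIL 1."""
    for sil, limit in SIL_BANDS:
        if pfd <= limit:
            return sil
    return 0


def worked_example() -> dict:
    year = 8760.0  # hours per year, i.e. an annual proof test
    # (a) Three subsystems, each a "SIL 2" component (assumed lambda_DU = 2e-6/h):
    #     each subsystem alone sits in the SIL 2 band, but the SIF does not.
    per_sub = pfd_1oo1(2e-6, year)
    sif_annual = sif_pfd([per_sub] * 3)
    # (b) Same hardware, proof tested quarterly instead of annually.
    sif_quarterly = sif_pfd([pfd_1oo1(2e-6, year / 4)] * 3)
    # (c) Single block valve with PFDavg ~0.02 (assumed lambda_DU = 4.6e-6/h)
    #     versus a double block built from two of the same valve.
    single_valve = pfd_1oo1(4.6e-6, year)
    double_block = pfd_1oo2(4.6e-6, year)
    return {
        "component_sil": sil_from_pfd(per_sub),              # 2
        "sif_annual_sil": sil_from_pfd(sif_annual),          # 1: SIL 2 parts, SIL 1 SIF
        "sif_quarterly_sil": sil_from_pfd(sif_quarterly),    # 2: shorter interval helps
        "single_valve_sil": sil_from_pfd(single_valve),      # 1
        "double_block_pfd": double_block,                    # ~0.00054, near the text's 0.0005
        "double_block_sil": sil_from_pfd(double_block),      # 3: redundancy of SIL 1 parts
    }
```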
SIL Certification
SIL Certification applies to specific components. It does not apply to either SIFs or SISs. It is something vendors may be able to provide and should be able to provide if they are offering their components explicitly for use in safety systems. Even in the absence of SIL Certification, however, it is possible to understand the potential reliability of “generic” components.
SIL Certification can provide information about failure rates of components, but it cannot say what the PFDAVG of that component is, much less the PFDAVG of the entire SIF, which is what really matters to the SIL.
In the case of PFDAVG, it turns out that SIL Certification is neither necessary nor sufficient.
Why Forego SIL Certification?
Given a choice between two devices, neither of which has ever been used in the plant before, that do the same thing and cost the same to purchase, install, operate, and maintain, use the one with SIL Certification.
That’s a lot of conditions, though.
If one device is familiar to your operations and maintenance personnel but doesn’t have SIL Certification, while the other device is unfamiliar and does, choose the device that is more likely to be operated and maintained correctly. Make doing the right thing easier.
If a device uses a new technology and is the only way to sense the hazard, but it doesn’t have SIL Certification, use the uncertified device that works, rather than a certified device that doesn’t work.
Good Judgment and the Calculations to Back It Up
There are no shortcuts to good engineering. Believing that a SIL 2 SIF is simply the assembly of SIL 2 components is a shortcut that doesn’t solve the problem. On the one hand, it may be more expensive than necessary, and there is no virtue in spending too much. On the other hand, it may not actually provide the required risk reduction.
What the standards require is good judgment and the calculations to back it up.
Parents want to encourage their children to use their talents and work hard at school. Those are virtuous things to do, and in an ideal world, virtue is its own reward. Convinced that only using SIL Certified components in an SIS is also virtuous, some have persuaded users that an SIS must consist entirely of SIL Certified components, or that a SIL 2 SIF must consist of components that are all certified as at least SIL 2. Neither statement is true, and either may stand as an obstacle to using a risk-reducing SIS.
I really appreciate your viewpoint on this topic, Mike. I did all my SIL Verification study work in 2003 – 2004, before companies were in the habit of providing ratings for their instruments and valves. We used OREDA data for component failure rates and did not pay much attention to how much the element cost or how special it was – they all got the failure rating that came from average industry data. I did some LOPA work in 2011, and was amazed to learn that the industry had started a full-press effort to use “special” data for the failure rate of components based on the manufacturer’s information. I’d love to know how all that failure data was compiled in a short number of years. It made the process of doing SIL verification calculations much more nuanced, and tended to lead owners towards a strategy of using expensive valves and instruments in their safety systems, rather than “appropriate” architecture. I’m more comfortable with adequate redundancy than relying on some manufacturer’s claims, primarily because there isn’t any profit incentive in the outcome. You captured this sentiment very nicely. Thanks for the essay.