Misconceptions regarding SIL

Do these statements sound familiar?

“Having SIL means I’ve achieved safety”
“Having a certificate means I’ve complied with the SIL”
“Having redundancy means I’m safer”
“Install SIL and forget about it”
“Having SIL means the plant is running”

“Having SIL means I’ve achieved safety”

Machines and process plants are subject to complex functional safety regulations to provide the best possible protection against hazards for people and the environment. Operators have to conduct a hazard and risk assessment to determine the relevant safety integrity level (SIL 1 to SIL 4). One thing is key here: Cost and deadline pressures must not lead to superficial analyses or misjudgments in risk identification or classification, as experience in the field shows time and again that most incidents are the result of overlooked hazards and incorrect assumptions. After all, safety-related functions can only protect against dangers and risks that have been identified in advance. Diligent hazard analysis and clear documentation are therefore essential. They are fundamental to everything and must be re-evaluated and updated throughout the entire lifecycle of a plant or machine, including subsequent modifications.

“The first step is to identify all hazardous events in a process plant or on a machine, as far as possible, and to determine their damage potential and probability of occurrence. Decisions must then be made about what levels of protection to apply and how strong they must be to achieve tolerable risk. If a safety-related function is used for this purpose, the safety integrity level and the associated probability of failure of the safety device (PFD) must be specified.”
Fred Stay,
Director Safety Consulting at HIMA

“Having a certificate means I’ve complied with the SIL”

One mistake should never be made when implementing safety-related functions: assuming that a SIL certificate from a manufacturer is a sufficient basis for using the device in a safety loop. SIL is not a device feature, but always refers to the overall risk-reducing function. A safety integrity level can only be assigned to a complete safety loop, and each chain is only as strong as its weakest link.

“SIL compliance for a safety-related function is not achieved by filing the relevant device certificates. There are a number of criteria to be taken into account, ranging from the essential technological suitability of the equipment for the individual application and operating mode through the information in the safety manuals up to the operator’s own operating experience. These are usually not included in the certificate.”
Fred Stay,
Director Safety Consulting at HIMA

“Having redundancy means I’m safer”

From certain safety integrity levels, operators have to comply with minimum redundancy requirements (hardware fault tolerance). Using the same devices to build redundancy may be the wrong approach, as both devices could then fail dangerously due to a common cause, for example a fault caused by increased temperature. The same applies to other systematic faults, which may be present in the operating system of more complex devices and could therefore happen on both devices at the same time. In this case, it is important to check whether the devices explicitly and systematically satisfy the requirements for this SIL or whether, as an option, a diverse device from another manufacturer can be used to build up the redundancy.

“If it runs, it runs – install SIL and forget about it”

Just because everything is running smoothly at the moment, this is no reason to sit back and relax. Safety loops also deteriorate with age or wear and tear and need to be checked on a regular basis. Proof testing of safety instrumented systems can be compared to regular service intervals and roadworthiness checks of a car. The tests take place at intervals that depend on the plants and devices involved and are essential for safe operation. Functional Safety Management Systems support the correct timing, execution and documentation of proof tests. The good news: A considerable portion of these tests can be automated today.
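The three points above (the loop, not the device, carries the SIL; redundancy is limited by common-cause failures; the probability of failure on demand grows with the proof-test interval) can be put into numbers. The following worked example is added here and is not HIMA’s code or part of the original article. It uses the simplified IEC 61508 low-demand formulas (PFDavg ≈ λDU·T/2 for a single channel, the β-factor model for a 1oo2 pair) with constructed sample dangerous-undetected failure rates. It deliberately looks at PFD only: architectural constraints (hardware fault tolerance, safe failure fraction) and systematic capability are separate criteria that a loop also has to satisfy.

```python
"""Worked PFDavg arithmetic for a low-demand safety instrumented function.

Added illustration using simplified IEC 61508 formulas; all failure rates
below are constructed sample values, not data for any real product.
"""

HOURS_PER_YEAR = 8760.0

# Low-demand-mode SIL bands (IEC 61508-1): SIL n means 10^-(n+1) <= PFDavg < 10^-n.
# Stored as the upper bound of each band, best SIL first.
SIL_UPPER_BOUND = {4: 1e-4, 3: 1e-3, 2: 1e-2, 1: 1e-1}


def sil_for_pfd(pfd_avg):
    """SIL band a PFDavg falls into; 0 means it does not even reach SIL 1."""
    for sil, upper in SIL_UPPER_BOUND.items():
        if pfd_avg < upper:
            return sil
    return 0


def pfd_1oo1(lambda_du, proof_test_years):
    """Single channel: PFDavg ~= lambda_DU * T / 2 (simplified, no repair term).

    lambda_DU is the dangerous undetected failure rate per hour, T the proof-test
    interval in hours. The result scales linearly with the proof-test interval."""
    t_hours = proof_test_years * HOURS_PER_YEAR
    return lambda_du * t_hours / 2.0


def pfd_1oo2(lambda_du, proof_test_years, beta):
    """Two identical channels, 1oo2 voting, beta-factor common-cause model.

    Independent failures contribute ((1-beta) * lambda_DU * T)^2 / 3; the common-cause
    fraction beta of the failure rate still behaves like a single channel, beta * lambda_DU * T / 2.
    Returns (total, common_cause_part) so the caller can see what dominates."""
    t_hours = proof_test_years * HOURS_PER_YEAR
    independent = ((1.0 - beta) * lambda_du * t_hours) ** 2 / 3.0
    common_cause = beta * lambda_du * t_hours / 2.0
    return independent + common_cause, common_cause


def loop_pfd(subsystem_pfds):
    """The safety loop is the chain sensor -> logic solver -> final element.
    PFDavg values of the subsystems add up, so the loop is weaker than any one link."""
    return sum(subsystem_pfds)


# Constructed sample loop: one-year proof-test interval on every subsystem.
SENSOR_LAMBDA_DU = 2.0e-7   # per hour (constructed)
SOLVER_LAMBDA_DU = 1.0e-9   # per hour (constructed)
VALVE_LAMBDA_DU = 2.2e-7    # per hour (constructed)


def worked_example():
    """Return the figures discussed in the text as a dict of name -> (PFDavg, SIL band)."""
    sensor = pfd_1oo1(SENSOR_LAMBDA_DU, 1)
    solver = pfd_1oo1(SOLVER_LAMBDA_DU, 1)
    valve = pfd_1oo1(VALVE_LAMBDA_DU, 1)
    whole_loop = loop_pfd([sensor, solver, valve])
    # Redundant sensors: identical pair (beta 10 %) versus diverse pair (beta 2 %).
    identical_pair, identical_cc = pfd_1oo2(SENSOR_LAMBDA_DU, 1, beta=0.10)
    diverse_pair, _ = pfd_1oo2(SENSOR_LAMBDA_DU, 1, beta=0.02)
    # Same sensor, proof test stretched from one year to three.
    sensor_3y = pfd_1oo1(SENSOR_LAMBDA_DU, 3)
    return {
        "sensor 1oo1, 1 y": (sensor, sil_for_pfd(sensor)),
        "logic solver, 1 y": (solver, sil_for_pfd(solver)),
        "valve 1oo1, 1 y": (valve, sil_for_pfd(valve)),
        "whole loop, 1 y": (whole_loop, sil_for_pfd(whole_loop)),
        "sensor 1oo2 identical, beta=0.10": (identical_pair, sil_for_pfd(identical_pair)),
        "  of which common cause": (identical_cc, None),
        "sensor 1oo2 diverse, beta=0.02": (diverse_pair, sil_for_pfd(diverse_pair)),
        "sensor 1oo1, 3 y": (sensor_3y, sil_for_pfd(sensor_3y)),
    }


if __name__ == "__main__":
    for name, (pfd, sil) in worked_example().items():
        band = f"SIL {sil}" if sil else ""
        print(f"{name:36s} PFDavg = {pfd:.2e}  {band}")
```

Run as a script it prints each subsystem in the SIL 3 band or better, yet the loop as a whole only reaches SIL 2, because the three PFDavg values add. For the redundant sensor pair the common-cause term makes up almost all of the PFDavg at β = 0.10, so a diverse second device (lower β) buys more than a second identical one. Stretching the sensor’s proof-test interval from one year to three moves it from the SIL 3 band to SIL 2 without any hardware change, which is the arithmetic behind “install and forget” not being an option.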

“The integrity of the safety functions is not a snapshot taken when commissioning a plant or machine. It is to be preserved over the entire lifecycle. This requires regular testing and active management, even during operating phases or service lives, which are often very long.”
Fred Stay,
Director Safety Consulting at HIMA

“Having SIL means the plant is running”

There is also another factor: from the operator’s point of view, the safety precautions should not restrict plant availability. It is therefore important to design the safety-related function in a way that avoids unscheduled downtime and enables equipment maintenance and testing. Redundancy is therefore not only necessary for safety reasons. Preventive failure detection can also improve plant availability significantly. A buzzword in this context is the “Smart Safety Test”. Tests of “smart” field devices can then be fully or partially automated and performed at predefined times, for example, using test procedures stored in the safety controller, which can be carried out during operation to avoid plant shutdowns.

For those who engage plant safety consultants to deal with this very complex matter, the difficulty lies in knowing who to trust. Only those who regularly deal with the standards, regulations and authorities will really be familiar with all facets of functional safety. As your reliable partner, HIMA can offer the appropriate support with its safety services.