    Safety Engineering  
Process Worldwide-03-2004

SIL: Safety under a new umbrella
Process automation must now meet functional safety requirements


Since the end of July, manufacturers of field devices and systems operators alike have had to address the requirements laid down by IEC 61508/IEC 61511. What does all of this mean for the manufacturers and plant operators?

As defined in IEC 61508 (functional safety of electrical/electronic/programmable electronic safety-related systems), safety system requirements are independent of the application. The purpose of the standard goes beyond harmonization of national regulations with international standards. Devices and sensors which contain microprocessors are being used to an increasing extent to perform safety tasks. The “functional safety” standard divides the requirements for these systems into four safety integrity levels (SIL 1-4). An SIL must be assigned to every device, sensor or controller.
For the first time, the international standards require the process industry to meet specific quantitative requirements. These minimal performance levels are related to the failure probability of process control protection systems, and they depend on what protection the systems are intended to provide.
Call out the statisticians...
Regular checks have to be run on field devices. To ensure that the measurement setup is commensurate with the potential risk, a review must be conducted of every element in the measurement sequence, and an overall probability of a hazardous failure is then calculated. Analysis of the measurement device is based on the FMEDA (Failure Mode, Effect and Diagnostics Analysis) approach, which is used by companies like ABB. The analysis includes the electronics hardware configuration, the failure rates of the embedded components and historical reliability data. This, together with an analysis of the (electro-)mechanical components and device diagnostic functions, can be used to arrive at a failure rate for the device. The three main criteria that are used to rate the safety functions of a field device are:
- hardware fault tolerance (HFT),
- safe failure fraction (SFF), and
- probability of failure on demand (PFD).
To ensure safe system operation, IEC guidelines require an evaluation of the entire safety loop including the sensors/transducers, controllers and actuators. An SIL rating is then assigned. An SIL assessment is carried out prior to design and calculation of the safety loop to determine which safety standard (e.g. SIL 2) applies.
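The loop evaluation described above can be sketched as follows. This is an added example, not code from the article or from any vendor tool it names: it assumes single-channel elements (HFT = 0), the simplified low-demand approximation PFDavg = λ_DU × TI / 2, and constructed failure rates for a sensor, a logic solver and a valve.

```python
from dataclasses import dataclass

HOURS_PER_YEAR = 8760

@dataclass
class Element:
    """One loop element with FMEDA-style failure rates in failures per hour."""
    name: str
    lam_safe: float   # safe failures
    lam_dd: float     # dangerous, detected by diagnostics
    lam_du: float     # dangerous, undetected until the proof test

    def sff(self):
        # Safe failure fraction: share of failures that are safe or detected.
        total = self.lam_safe + self.lam_dd + self.lam_du
        return (self.lam_safe + self.lam_dd) / total

    def pfd_avg(self, proof_test_years):
        # Simplified single-channel (HFT = 0) approximation: lambda_DU * TI / 2.
        # Ignores repair time and common-cause failures.
        return self.lam_du * proof_test_years * HOURS_PER_YEAR / 2

def loop_pfd(elements, proof_test_years):
    # Series loop: the function fails if any element fails, so PFDs add.
    return sum(e.pfd_avg(proof_test_years) for e in elements)

def sil_from_pfd(pfd_avg):
    # Low-demand bands: SIL n requires 10^-(n+1) <= PFDavg < 10^-n.
    for sil in (4, 3, 2, 1):
        if pfd_avg < 10 ** -sil:
            return sil
    return 0  # does not reach SIL 1

# Constructed sample data (1e-9 per hour = 1 FIT); not vendor figures.
LOOP = [
    Element("level sensor", 200e-9, 250e-9, 50e-9),
    Element("logic solver", 400e-9, 590e-9, 10e-9),
    Element("shut-off valve", 400e-9, 0.0, 600e-9),
]

if __name__ == "__main__":
    for years in (1, 5):
        pfd = loop_pfd(LOOP, years)
        print(f"proof test every {years} y: PFDavg={pfd:.2e} -> SIL {sil_from_pfd(pfd)}")
    for e in LOOP:
        print(f"{e.name}: SFF={e.sff():.0%}")
```

With these constructed rates the valve dominates the loop result, and stretching the proof test interval from one year to five drops the same hardware from the SIL 2 band to the SIL 1 band.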
...or get the right software
Confusion can easily set in when a large number of safety loops is involved. To address this problem, ABB offers two different software versions. Trac (Trip Requirement and Availability Calculator) covers all aspects of system certification, from the definition of the safety loop and the SIL assessment (risk analysis) to design and calculation of the safety loops in compliance with IEC 61508 requirements. The software can handle components from all manufacturers. It also keeps a record of all decisions and the basis for all calculations.

During ongoing system operation, regular tests have to be conducted to ensure that safety loops perform the intended safety functions, and records must be maintained to document the tests. The ABB Trams (Trip and Alarm Management System) manages the test routines that are required by IEC 61508 along with the results, and it provides statistical summaries. Hima offers software that performs a similar function. IEC 61508 compliant SIL calculation software computes failure probabilities and SIL values for safety loops containing sensors and actuators. The calculations are also based on the mathematical principles described in IEC 61508. Open databases contain all Hima system data as well as safety data for sensors and actuators.

Device manufacturers have also been addressing this issue recently. New products which are safety relevant are given an SIL rating. Fill level sensors, which are used to prevent overfilling, are an example of this. The Levelflex M FMP45 from Endress+Hauser conforms to SIL 2 functional safety requirements as defined in IEC 61508/61511. Other sensors made by the company, such as the recently introduced Cerabar S pressure meter or the Deltabar S differential pressure meter, also meet SIL 2 requirements. This is also the case with Vega’s Vegaswing 60 sensor, which meets SIL 2 functional safety requirements as well as redundant SIL 3 requirements. It also complies with SIL dry running requirements in applications with low and high demand rates. Together with the Vegator 636 analyzer (offering electronic 8 mA/16 mA), it significantly reduces the cost and effort involved in performing recurrent testing, which is required in low demand mode. The entire test sequence can be initiated at the push of a button.
Emerson Process Management unveiled “intelligent” safety instrumentation at the beginning of the year, which is designed to reduce the effort needed to carry out work such as recurrent checks. The Smart Safety Instrumentation System includes field devices and sensors, diagnostic software and digital communications and is suitable for critical applications. The system features modular hardware design and can be upgraded in increments of 16 configurable inputs/outputs.
A pragmatic approach
In addition to calculations based on IEC 61508/61511, Namur recommendation NE 93 can be used to demonstrate conformance with safety requirements. This could be of interest to operators who may have to take a new look at their safety strategies. The background is as follows. It would take an enormous effort on the part of a company to provide a statistically sound basis for each application and every risk in a process control safety system. The statistical background is very important in all calculations. A sufficient number of devices of the same type must be in operation to guarantee a sound statistical basis. Because of wide variations in operating conditions, there is often not enough statistically sound data on the individual failure rates of components in a process control safety system. Even when they are at the same location, each measurement device is subjected to different conditions such as vibration, contamination, moisture or corrosive substances. Namur NE 93 uses a deductive approach that is based on four steps:
1. Assumption: all process control safety systems are designed, installed and operated in accordance with applicable regulations.
2. Action: fault data analysis is performed on all process control safety systems.
3. Objective: SIL requirements will be met by the systems taken as a whole.
4. Result: the safety strategy is confirmed in practical application.
For this approach to succeed, it is crucial that records are kept for all safety systems, and an analysis must be conducted on all faults.
Expert help
Those in Germany who are unsure about how to proceed can use the services of institutions like the InfraServ Höchst test laboratory in Frankfurt. This lab, along with the TÜV Rheinland testing agency, specializes in actuators and offers SIL testing in this field.
The international consulting firm Exida also offers an SIL service. The company has a variety of software tools which can be used to assess risks related to safety loops. The results can be used to calculate failure probabilities based on IEC rules. Exida can also make suggestions on how to reduce cost and improve safety. It is generally advisable to contact the appropriate national authorities in order to identify the most suitable method. It is also important to keep in mind that the manufacturer’s declaration of conformity has very limited value if for example an overfill safety device has not been installed properly. In addition, the data provided by most manufacturers are based on testing performed in a climatic testing chamber. How well the device will perform in the process when it comes into contact with the medium is something that will only become clear during practical application.

In addition to generating cost, determining the proper safety integrity level can have benefits as well. It provides a good opportunity to evaluate why the devices are being used at that particular location. Are they there to enhance precision, to monitor the process or to perform a safety or fault prevention function? A lower classification device might actually be sufficient at this particular location. This was actually the case at a petrochemical plant, where 60 percent of the measurement loops were reported to be overdimensioned.


Many manufacturers, e.g. Pepperl+Fuchs, include information on the basis which was used for calculating functional safety when they ship their products.
