An Introduction to Functional Safety and SIL (Safety Integrity Level) in the Process Industries (Oil & Gas, Chemicals, Power Generation, etc)
Functional Safety is a relatively new concept in the world of safety (and industry as well). This whitepaper seeks to explain the concept of Functional Safety and related concepts of demand, safety integrity level, Safety Instrumented Systems and standards used in the area of Functional Safety, to technical professionals, who do not have any background in functional safety. It also explains the importance of Functional Safety Management known as FSM for short, in industry.
II. WHAT IS FUNCTIONAL SAFETY? WHAT IS A SAFETY FUNCTION?
Safety is simply defined as “freedom from harm”. In colloquial terminology we use the words, risk, hazard, harm and unsafe interchangeably. However, all these terms are actually completely different. Before we start with the concept of Functional Safety, let us understand the differences between hazard, risk and harm.
A hazard is a property of a substance or equipment that has the potential to cause harm. Harm is of course, easily understood. So for example, a propane tank that stores propane (which is a highly flammable substance) in an industrial facility could be considered a hazard.
Is there a possibility that the propane tank in the above example can explode or catch fire? Yes, of course. If it does explode or catch fire, there is a certainty that it can cause harm to people in the vicinity, cause damage to nearby equipment and also the environment. These are known as consequences. In the world of safety, generally the word consequence always has a negative connotation. The probability that a hazard may cause negative consequences is called as Risk. Therefore Risk can be expressed as the equation below:
Risk = Probability of the occurrence X Consequence of occurrence
When the risk gets actualized into an event (an accident happens), it leads to a lot of consequences, almost all of which are undesirable, as they cause harm to people, damage equipment and cause environmental destruction. This is known as harm. Such incidents that cause harm are known as unsafe incidents.
Our goal to ensure safety is to ensure that there is very little likelihood of harm.
D. Inherent Safety
Processes and Systems can be designed to some extent to be inherently safe, but very often they are not. What do we mean by inherent safety? Consider a day tank in a chemical manufacturing plant, which is filled and emptied several times a day with a toxic liquid. The tank has an overflow line that connects to a containment vessel. In case of overfilling, the excess liquid in the day tank flows to the containment vessel, thus preventing spillage and other consequences. This is an example of inherent safety. It is also an example of what Functional Safety is not.
D. Functional Safety
If, instead of the overflow line, we had a level sensor that sensed the overfilling of the tank and on detection, sent a signal to a system that operates an actuated valve that cut off the inlet flow, then we would call this an example of “Functional Safety”. In our example above, we showed an example of Functional Safety in the chemical process industry. But this is not the only place where you will find Functional Safety. It is present in lots of other places such as trains, cars, aircraft, building automation systems, machinery, nuclear installations, to name a few.
E. Safety Function
In the above example, the system, comprising of the sensor, the controller or logic solver and the actuated valve together carry out a particular function, namely a Safety Function, that assures that in case of high level, spillage will not occur. It is now clear that in a plant, equipment or other piece of machinery, there would be several such Safety Functions. These Safety Functions taken together can be called as a Safety System.
Safety will be assured only if all these Safety Functions work when needed. The “when needed” part is as important as the “work” in the above sentence. Why is this so?
That brings us to the concept of something known as a demand.
In the context of functional safety, when the Safety Function is called upon to do its work, it is known as a demand. So in the above example, as long as the day tank is not filled to a high level (that can cause a spill), we can say that there is no demand on the Safety Function to carry out its work. However, the moment that the level in the tank goes to a high level (to cause a spill), the safety Function must act, as a demand is now raised on
it by the process. One can see that the Safety Function must act now, on demand, to ensure that safety is maintained.
This is an important concept, because most of the time a safety device just sits there, idle, when the process is in the safe state. The moment however that a demand occurs, it must swing into action immediately. The aim of Functional Safety and Functional Safety Management, is to ensure that it does, every time. It will won’t it?
Or can anything go wrong? What do you think?
IV. FAILURES & RELIABILITY
This brings us to the concept of Failures. Like everything else, a safety system can also fail. What if it fails at the precise moment that it is supposed to operate? (Just like the famous “Murphys Law”). Then, on demand, the Safety Function will not work and a disaster may take place. How do we avoid these situations? By using the techniques, tools and standards of Functional Safety Engineering, for example by adopting and following techniques outlined in International Standards such as IEC 61508.
What types of Failures can occur? Broadly speaking we could have three types of failures of the safety system. These are Random, Common Cause and Systematic failures. Any and all these three types of failures could make our safety function inoperable upon demand. Our goal therefore would be to design, build and maintain a safety system that will not fail upon demand even in the event of random, common cause and systematic failures.
Needless to say such a system, that would never fail is only a theoretical concept and not practical. All systems fail and safety systems are no exception. However, by using the principles and generally accepted good engineering practices of Functional Safety, we can make them almost fail safe.
V. SAFETY INTEGRITY LEVEL (SIL)
We have a measure for the reliability of a Safety Function and it is captured by the term “Safety Integrity”. As the name suggests, we need a safety function with integrity and the more the likelihood of the consequences of failure being really bad, the more the need for as high a safety integrity as possible. Hence Safety Integrity Level is defined in the IEC standards to represent the Safety Integrity of a particular Safety Function. It is a performance measure of the Safety Function.
There are four levels of Safety Integrity named as SIL 1, SIL 2, SIL 3 and SIL 4. Of these SIL 1 is the lowest and SIL 4 is the highest level.
So how does one decide the Safety Integrity? The IEC standards classify Safety Functions as being of two types based on how frequently one encounters a demand. So certain safety functions, such as those that are commonly found in the Chemical Industry (e.g. overfill protection system like the example of our day tank above), are generally classified as low demand ones. This is because we expect that the demand would be less than one per year. This of course is in line with our practical experience in this industry, where we do not expect that Safety Functions are called in to protect the plant every other day.
There is another category of Safety Functions that are found in places where the demand rate is very high and sometimes even continuously present, these are called high demand applications. Common examples are the braking system of a train, or car. Brakes are operated quite often (certainly more than once a year) and are classified as high demand systems.
The probability that the Safety Function will fail on demand is known as the PFD. The average probability that it will fail dangerously is called the PFDavg. The SIL levels correlate with the PFDavg of the Safety Function, as outlined in the table below, for Low Demand applications.
However, for High Demand applications, the probability of failure is represented by PFH or Probabilty to fail dangerous per hour. The SIL levels that correspond with the different PFH levels are given in the table below.
The above is of course, just a small introduction to the concept of Safety Integrity Level. Further reading and training is essential to understand it fully. For example if you take our SIS Training course today, you can learn everything about it in a very easy to understand manner.
In the next section we will now take a look at some standards that are used in Functional Safety.
Functional Safety standards are not new. They have been around in some form or the other for the past several decades. However, it is only after the IEC (International Electrotechnical Commission) published the first set of standards known as IEC 61508, sometime around 1990, that Functional Safety really came into its own. This standard, IEC 61508 is also known as an “umbrella standard” because a lot of other industry-specific Functional Safety standards are derived from it. The picture below shows the concept better.
Thus the process industry follows IEC 61511, , the Nuclear industry follows IEC 61513, the machinery industry follows IEC 62061, the automotive industry follows ISO 26262 and the Railway industry follows EN 50126 and so on. All of these are derived from the IEC 61508 standard.
Note that IEC 61508 applies to any Electrical/Electronic/ Programmable Electronic Safety Related System. It is followed all over the world. In the US the ANSI/ ISA S84 is also derived from IEC 61508. Typical applications where IEC 61508 is applied are Safety Instrumented Systems in process plants, nuclear plants and the like, High Integrity Pressure Protection Systems (HIPPS), Burner Management Systems, Emergency braking systems of trains and so on. Wherever an Electrical /Electronic/ Programmable Electronic Safety Related System exists, IEC 61508 is applicable.
IEC 61508 emphasizes a Life Cycle approach to Safety Related Systems. The Safety Life Cycle, starts from the day the first requirement to build a Safety Related System arises, to the day the entire system is de-commissioned. This means, given the life of a typical process plant (or a passenger train) the life cycle could be very long, like 30 years or so. During this time there could be minor or major modifications, or retrofits.
The Life Cycle approach is shown in the below diagram.
Note: The easiest and fastest way to learn all about Functional Safety and SIL is by downloading the Safety Instrumented Systems e-learning course now! Learn all you need to know about Functional Safety, Safety Integrity Level, doing SIL determination, doing verification calculations, understanding standards and more!
VII. FUNCTIONAL SAFETY MANAGEMENT (FSM)
One look at the above diagram tells us that a Safety Related Systems project, over its entire lifecycle, can be long, complex and a challenge to manage. However it must be well managed, at the risk of compromising on safety and resulting in yet another accident!
To ensure that this lifecycle does work in the manner shown above, one has to implement Functional Safety Management, or FSM for short. Thus all objectives must be clearly defined at the start of the lifecycle. Organizations, Departments and persons should be allotted responsibilities, based on their roles in the lifecycle. Note that this is more challenging than a typical project management issue, since the lifecycle can extend over decades, much longer than any project! Hence a different set of knowledge, experience and skills are needed to manage Functional Safety over the entire lifecycle.
The lifecycle diagram helps us identify who should do what and generate which documents, at which particular stages of the lifecycle. Note that the lifecycle also has verification, assessments and audits that are to be carried out. Every stakeholder in the project has different roles to play in the lifecycle. For example a Safety Instrumented Systems vendor who is building an Emergency Shutdown System needs to carry out different activities in the lifecycle, as compared to an engineering consultant. However, in the end, there has to be an overall responsible person or organization (very often from the end user) who can manage these different stakeholders in the entire lifecycle. Such a person is known as the Functional Safety Manager or FSM for short.The Functional Safety Manager should be able to understand the different roles played by different stakeholders in the Lifecycle, co-ordinate between them, manage the documentation, verification, assessments and audits that are part of the lifecycle and have sufficient managerial authority to do so. Also the end result should be Safety and not anything else!
It is now clear that the Functional Safety Manager should be a technically competent and experienced person, who understands Functional Safety very well. He/She should have adequate training and certification that demonstrates the knowledge and competence in Functional Safety. Also he/she should have people management skills, project management skills and co-ordination skills.
Functional Safety has grown in importance over the last decade. It is not just enough to understand Functional Safety, follow the appropriate and relevant standards such as IEC 61508 and install Safety Systems. It is also important to understand and adequately manage Functional Safety over the entire lifecycle of the plant or equipment. This is known as Functional Safety Management and it is skill that will only increase in demand in the years to come, as emphasis on safety increases.
To know more about Functional Safety, Safety Integrity Level and Safety Instrumented Systems, get the Safety Instrumented Systems learning software today. Contact us if your company or organization wants to train large numbers of people in Functional Safety and Safety Instrumented Systems.