Safety Integrity Level (SIL) Verification is needed when a Safety Instrumented System (SIS) is one of the critical independent protection layers for process safety. Applications of SIS include automated isolation, trips or interlocks, commonly found in oil & gas upstream, refining, chemical and pharmaceutical production.
Get the correct inputs first
Before a SIL verification is worthwhile, projects will first need to estimate the required SIL target. A SIL target, typically ranging from SIL 1 to SIL 3, is needed for each safety instrumented function (SIF) in the system, and each SIF typically provides protection for one identified hazard.
International standard IEC 61511 identifies various options for estimating the SIL target (also known as SIL determination), such as employing risk graphs or layer of protection analysis (LOPA). This article assumes that SIL determination is complete and that a SIL target has already been selected for every planned SIF.
Nobody can complete a SIL verification exercise until good information is available. The primary reference source should be the safety requirements specification (SRS). Until the SRS is available for a SIF, there is no basis on which to verify it.
So, assuming that the SRS is adequate as an input, the exercise of SIL verification can begin. However, timing is still important. Waiting too long for the design to progress into the detailed engineering stage is not a good idea. See more on this below.
What are you verifying about SIL?
The SIL verification study must demonstrate that each SIL target can be met by the equipment and software being used.
Many project teams focus on completing calculations to quantify the "probability of failure" (PFD or PFH). These PFD/PFH calculations are a requirement in IEC 61511, but they are definitely not the full picture.
In another article, I wrote about the methods for PFD/PFH calculations using various different tools. If that's your main interest, then read more here.
However, the more complete picture for verification includes checking other very important aspects. In no particular order, below is a list of things that come to mind:
What if SIL is not initially achieved?
If the SIL target cannot be achieved by a proposed SIF design, then it's better to know this as early as possible. This is why the activity of SIL verification should get done BEFORE DETAILED DESIGN and certainly before any expensive equipment is purchased.
If the reason the SIL is unachievable lies in the PFD/PFH calculation, it may still be possible to alter the proof test interval, the diagnostic capability or the overall architecture to meet the requirement.
If the non-compliance relates to hardware fault tolerance (HFT), a re-design and re-evaluation are more likely to be needed.
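To show how those three levers (proof test interval, diagnostic coverage, architecture) move a low-demand PFDavg from one SIL band to another, here is an added worked example that is not from this article or any tool it mentions. It uses the simplified IEC 61508-6 formulas for 1oo1 and 1oo2 with a beta-factor common-cause term; the failure rate, diagnostic coverage, beta, MTTR and the SIL 3 target are constructed values, and HFT constraints are deliberately out of scope.

```python
# Added example: simplified low-demand PFDavg for 1oo1 and 1oo2 architectures
# and the IEC 61508 low-demand SIL band each result lands in.
# Assumptions (constructed, not from the article): constant failure rates,
# dangerous failures split into detected/undetected by diagnostic coverage,
# detected failures repaired within MTTR, beta-factor model for common cause.
HOURS_PER_YEAR = 8760.0

# IEC 61508 low-demand bands: (SIL, lower bound inclusive, upper bound exclusive)
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def sil_from_pfd(pfd):
    """SIL band achieved by a PFDavg; 0 if worse than SIL 1, 4 if below 1e-5."""
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 4 if pfd < 1e-5 else 0


def split_dangerous(lambda_d, dc):
    """Split total dangerous rate (per hour) into detected and undetected parts."""
    dd = lambda_d * dc
    return dd, lambda_d - dd


def pfd_1oo1(lambda_d, dc, ti_years, mttr_hours=8.0):
    """Single channel: undetected faults persist on average TI/2, detected ones MTTR."""
    dd, du = split_dangerous(lambda_d, dc)
    ti = ti_years * HOURS_PER_YEAR
    return du * ti / 2 + dd * mttr_hours


def pfd_1oo2(lambda_d, dc, ti_years, beta=0.1, mttr_hours=8.0):
    """Dual channel, 1oo2 voting: independent term plus beta-factor common cause."""
    dd, du = split_dangerous(lambda_d, dc)
    ti = ti_years * HOURS_PER_YEAR
    independent = (1 - beta) ** 2 * (du * ti) ** 2 / 3
    common_cause = beta * (du * ti / 2 + dd * mttr_hours)  # simplification: one beta
    return independent + common_cause


def meets_target(pfd, target_sil):
    """PFD-only check; HFT and systematic capability must be verified separately."""
    return sil_from_pfd(pfd) >= target_sil


if __name__ == "__main__":
    lam, dc = 1e-6, 0.6  # constructed: 1e-6/h dangerous, 60% diagnostic coverage
    for label, pfd in [("1oo1, TI=1y", pfd_1oo1(lam, dc, 1.0)),
                       ("1oo1, TI=0.5y", pfd_1oo1(lam, dc, 0.5)),
                       ("1oo2, TI=1y", pfd_1oo2(lam, dc, 1.0))]:
        print(f"{label}: PFDavg={pfd:.2e} SIL {sil_from_pfd(pfd)} "
              f"meets SIL 3: {meets_target(pfd, 3)}")
```

Note how the 1oo2 result is dominated by the common-cause term, which is why beta should come from the SRS and the vendor data rather than a default.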
Other problems in demonstrating SIL targets may surface later, once equipment has been selected. This sounds unlikely, but poor decisions on equipment selection are fairly common, as is a lack of information about embedded software or cyber-security aspects.
There are some challenges in demonstrating that SIL targets can be met, but it is possible with a methodical approach and experienced support.
Not all projects allow the time or money for complete SIL verification, so industry needs to continually improve the understanding of what's involved.
One way of minimising issues is to begin Functional Safety Assessment (FSA) as early as possible. An independent person with the right experience should be able to spot problems early and minimize costly late changes.