October 8, 2021

Last updated on October 8, 2021

Introduction

Safety Integrity Level (SIL) Verification is needed when a Safety Instrumented System (SIS) is one of the critical independent protection layers for process safety. Applications of SIS include automated isolation, trips or interlocks found commonly in oil & gas upstream, refining, chemical and pharmaceutical production.

Get the correct inputs first

Before a SIL verification is worthwhile, projects will first need to estimate the required SIL target. A SIL target, typically ranging from SIL 1 to SIL 3, is needed for each safety instrumented function (SIF) in the system, and each SIF typically provides protection for one identified hazard.

International standard IEC 61511 identifies various options for estimating the SIL target (also known as SIL determination), such as employing risk graphs or layer of protection analysis (LOPA). This article will assume that SIL determination is complete and that the SIL target is already selected for every planned SIF.

Nobody can complete a SIL verification exercise until good information is available. The primary reference source should be the safety requirements specification (SRS). There is no basis for SIL verification until the SRS is available for the SIF.

So, assuming that the SRS is adequate as an input, the exercise of SIL verification can begin. However, timing is still important. Waiting too long for the design to progress into the detailed engineering stage is not a good idea. See more on this below.

What are you verifying about SIL?

The SIL verification study must demonstrate that each SIL target can be met by the equipment and software being used.

Many project teams focus on completing calculations to quantify the "probability of failure" (PFD or PFH). These PFD/PFH calculations are a requirement in IEC 61511, but they are definitely not the full picture.

In another article, I wrote about the methods for PFD/PFH calculations using various different tools. If that's your main interest, then read more here.

However, the more complete picture for verification includes checking other very important aspects. In no particular order, below is a list of things that come to mind:

  • Equipment suitability; assessing IEC 61508 certificates OR justifying equipment selection by prior use.
  • Hardware fault tolerance (HFT).
  • Frequency of demands on shared SIF equipment.
  • Capability of architecture and equipment for online proof testing.
  • Non-interference of communications buses.
  • Operator interface interaction, especially for bypass/override application and removal.
  • Embedded software systematic capability.
  • Application software systematic capability.
  • Utility software systematic capability.
  • Security and cyber-security.

What if SIL is not initially achieved?

If the SIL target cannot be achieved by a proposed SIF design, then it's better to know this as early as possible. This is why the activity of SIL verification should get done BEFORE DETAILED DESIGN and certainly before any expensive equipment is purchased.

If the reason for SIL being unachievable is because of the PFD/PFH calculation, it still may be possible to alter the proof test interval, diagnostic capability or overall architecture to meet requirements.
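A small worked illustration of that point, added here as an example and not part of the original article or any vendor tool: a screening-level PFDavg calculation for one low-demand SIF, using the common simplified IEC 61508 approximations for 1oo1 and 1oo2 subsystems (PFDavg ≈ λDU·T/2 for 1oo1; (1-β)²·(λDU·T)²/3 + β·λDU·T/2 for 1oo2, with λDU = λD·(1-DC)). The failure rates, diagnostic coverages and β factor are constructed sample values, not figures from any certificate, and MTTR, mission time and partial-stroke testing are ignored for clarity. It shows the same SIF failing a SIL 2 target with an annual proof test, then meeting it either by shortening the proof-test interval or by changing the final element to a 1oo2 architecture.

```python
"""Screening-level PFDavg check for a single low-demand SIF (example code).

Simplified formulas (no MTTR, mission time or partial-stroke credit):
  lambda_DU = lambda_D * (1 - DC)
  1oo1: PFDavg ~= lambda_DU * T / 2
  1oo2: PFDavg ~= (1 - beta)^2 * (lambda_DU * T)^2 / 3 + beta * lambda_DU * T / 2
where T is the proof-test interval in hours.
"""
from dataclasses import dataclass, replace

HOURS_PER_YEAR = 8760.0

# Low-demand PFDavg bands from IEC 61508: lower bound inclusive, upper exclusive.
SIL_BANDS = {
    4: (1e-5, 1e-4),
    3: (1e-4, 1e-3),
    2: (1e-3, 1e-2),
    1: (1e-2, 1e-1),
}


@dataclass
class Subsystem:
    name: str
    lambda_d: float      # dangerous failure rate, per hour (constructed sample values)
    dc: float            # diagnostic coverage, 0.0 .. 1.0
    arch: str = "1oo1"   # "1oo1" or "1oo2"
    beta: float = 0.0    # common-cause factor, only used for 1oo2

    def lambda_du(self) -> float:
        """Dangerous undetected failure rate: the part diagnostics do not catch."""
        return self.lambda_d * (1.0 - self.dc)

    def pfd_avg(self, test_interval_years: float) -> float:
        x = self.lambda_du() * test_interval_years * HOURS_PER_YEAR
        if self.arch == "1oo1":
            return x / 2.0
        if self.arch == "1oo2":
            return (1.0 - self.beta) ** 2 * x ** 2 / 3.0 + self.beta * x / 2.0
        raise ValueError(f"unsupported architecture: {self.arch}")


def sif_pfd_avg(subsystems, test_interval_years: float) -> float:
    """Series combination: the SIF fails if any subsystem fails to act."""
    return sum(s.pfd_avg(test_interval_years) for s in subsystems)


def achieved_sil(pfd: float) -> int:
    """Highest SIL whose PFDavg band the value satisfies; 0 if worse than SIL 1."""
    if pfd < SIL_BANDS[4][0]:
        return 4
    for sil in (4, 3, 2, 1):
        lo, hi = SIL_BANDS[sil]
        if lo <= pfd < hi:
            return sil
    return 0


def verify(subsystems, sil_target: int, test_interval_years: float) -> dict:
    """Compare the calculated PFDavg against the SIL target for this SIF."""
    pfd = sif_pfd_avg(subsystems, test_interval_years)
    sil = achieved_sil(pfd)
    return {"pfd_avg": pfd, "achieved": sil, "meets_target": sil >= sil_target}


# Constructed sample SIF: sensor -> logic solver -> final element, all 1oo1.
EXAMPLE_SIF = [
    Subsystem("pressure transmitter", lambda_d=1e-6, dc=0.60),
    Subsystem("logic solver", lambda_d=1e-7, dc=0.99),
    Subsystem("shutdown valve", lambda_d=2e-6, dc=0.0),
]

# Same SIF with the valve changed to 1oo2 (beta is a constructed value).
EXAMPLE_SIF_1OO2_VALVE = EXAMPLE_SIF[:2] + [
    replace(EXAMPLE_SIF[2], arch="1oo2", beta=0.05)
]

if __name__ == "__main__":
    target = 2
    for label, sif, t in [
        ("as proposed, annual proof test", EXAMPLE_SIF, 1.0),
        ("option A: six-monthly proof test", EXAMPLE_SIF, 0.5),
        ("option B: 1oo2 valves, annual test", EXAMPLE_SIF_1OO2_VALVE, 1.0),
    ]:
        r = verify(sif, target, t)
        print(f"{label}: PFDavg={r['pfd_avg']:.2e} "
              f"SIL {r['achieved']} achieved, meets SIL {target}: {r['meets_target']}")
```

With the sample figures the valve dominates the PFDavg, which is the usual finding in practice: halving the proof-test interval or adding a redundant final element each move the SIF from SIL 1 into the SIL 2 band, while improving logic-solver diagnostics would change almost nothing. The numbers are only for illustration; a real verification uses certified failure data and the full formulas from IEC 61508-6 or an equivalent tool.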

If the non-compliance is related to HFT, then it's more likely a re-design and re-evaluation will be needed.

Other reasons for issues demonstrating SIL targets may occur later when equipment has been selected. This sounds unlikely, but it is fairly common to see poor decisions on equipment selection, or a lack of information available about embedded software or cyber-security aspects.

Conclusion

There are some challenges in demonstrating that SIL targets can be met, but it is possible with a methodical approach and experienced support.

Not all projects allow the time or money for complete SIL verification, so industry needs to continually improve the understanding of what's involved.

One way of minimising issues is to begin Functional Safety Assessment (FSA) as early as possible. An independent person with the right experience should be able to spot problems early and minimise costly late changes.
