SIL requirements – Systematic Capability, Failure Probability and Architectural Constraints.


The designer of the safety instrumented function (SIF) must verify that the three SIL requirements of the IEC 61508 standard are met. Each requirement is satisfied up to a certain maximum SIL level. The final SIL of the SIF is the lowest of the three and must be greater than or equal to the required target SIL.

1- The systematic capability of each element (sensor, PLC, valve, etc.) is reflected in the certification issued by entities such as Exida or TÜV. The rating achieved (SC 1/2/3) depends on the effectiveness of the quality system and other aspects. A category such as SC3 means that the product is certified for applications up to SIL 3. The other option is “prior use”, which must be documented and justified.

It is important to be clear that using certified products is not by itself enough to comply with the SIL level; all the SIL requirements must be met. If the systematic capability of any of the elements is unknown, this should be stated in the verification report.


2- The second requirement is determined by the average Probability of Failure on Demand of the SIF (PFDavg, for low demand systems) or the Probability of dangerous Failure per Hour of the SIF (PFH, for high demand systems). The calculation is made for the architecture selected in each subsystem (sensor, logic solver and actuator), and the subsystem values are summed to obtain the probability of failure of the whole SIF. If the required SIL is not met, the SIF has to be recalculated with another architecture (1oo2, 2oo3, etc.), with products with lower failure rates, or by reducing other factors that affect this calculation (proof test interval, beta factor for common cause failures, etc.).

It is important to use realistic failure rate values, if possible based on historical data from similar applications.

3- The third SIL requirement is called “Architectural Constraints” and is based on minimum hardware redundancy requirements. The tables of SFF (safe failure fraction, the proportion of failures that are safe) against HFT (hardware fault tolerance) are used. If the selected architecture does not comply in any of the subsystems (sensor, logic solver, actuator), it has to be recalculated with another, more fault-tolerant architecture (1oo2, 2oo3, etc.). There are two options (Route 1H and Route 2H). Route 2H is used if the failure rates are realistic for the specific application. Otherwise Route 1H should be used; it was created as a defense against failure rates that are too low to be realistic.

In Route 1H there are two HFT tables, according to whether the element is type A (simple elements such as pressure switches, valves, etc.) or type B (complex elements such as smart transmitters or PLCs).

The three SIL requirements must be met. The maximum SIL achievable by the SIF will be the lowest of the three.
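As an added example (not SILcet's code), the three checks above carried through for a constructed low-demand SIF: PFDavg per subsystem using the usual simplified IEC 61508-6 approximations (MTTR neglected), Route 1H type A/B tables for the architectural constraint, and the minimum of the three results as the achieved SIL. The failure rates, SFF values and proof test interval are constructed sample data.

```python
# PFDavg bands for low demand mode (IEC 61508-1): (SIL, lower bound, upper bound)
PFD_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]

# Route 1H tables (IEC 61508-2): max SIL indexed by SFF band
# (<60%, 60-90%, 90-99%, >=99%) and then by HFT (0, 1, 2); 0 = not allowed.
ROUTE_1H = {
    "A": [[1, 2, 3], [2, 3, 4], [3, 4, 4], [3, 4, 4]],
    "B": [[0, 1, 2], [1, 2, 3], [2, 3, 4], [3, 4, 4]],
}
HFT = {"1oo1": 0, "1oo2": 1, "2oo3": 1, "1oo3": 2}


def pfd_avg(arch, lambda_du, ti, beta=0.0):
    """Simplified PFDavg: lambda_du in dangerous undetected failures per hour,
    ti = proof test interval in hours, beta = common cause fraction."""
    x = lambda_du * ti
    if arch == "1oo1":
        return x / 2
    if arch == "1oo2":
        return x ** 2 / 3 + beta * x / 2
    if arch == "2oo3":
        return x ** 2 + beta * x / 2
    raise ValueError(f"no simplified formula for {arch}")


def sil_from_pfd(pfd):
    return next((sil for sil, lo, hi in PFD_BANDS if lo <= pfd < hi), 0)


def sil_from_arch_constraints(arch, sff, elem_type):
    band = 0 if sff < 0.60 else 1 if sff < 0.90 else 2 if sff < 0.99 else 3
    return ROUTE_1H[elem_type][band][HFT[arch]]


def verify_sif(subsystems, ti, beta):
    """Returns (achieved SIL, systematic SIL, PFDavg SIL, architectural SIL).
    Each subsystem is a dict with keys arch, lambda_du, sff, type, sc."""
    sc_sil = min(s["sc"] for s in subsystems)           # requirement 1
    pfd_sil = sil_from_pfd(sum(pfd_avg(s["arch"], s["lambda_du"], ti, beta)
                               for s in subsystems))    # requirement 2
    arch_sil = min(sil_from_arch_constraints(s["arch"], s["sff"], s["type"])
                   for s in subsystems)                 # requirement 3
    return min(sc_sil, pfd_sil, arch_sil), sc_sil, pfd_sil, arch_sil


# Constructed SIF: 1oo2 transmitters, 1oo1 PLC, 1oo1 valve, yearly proof test
SAMPLE = [
    {"arch": "1oo2", "lambda_du": 2e-7, "sff": 0.92, "type": "B", "sc": 3},
    {"arch": "1oo1", "lambda_du": 5e-9, "sff": 0.995, "type": "B", "sc": 3},
    {"arch": "1oo1", "lambda_du": 3e-7, "sff": 0.65, "type": "A", "sc": 3},
]
if __name__ == "__main__":
    print(verify_sif(SAMPLE, ti=8760, beta=0.05))  # (2, 3, 2, 2)
```

The single valve limits the SIF to SIL 2 on both the PFDavg and the architectural check; rerunning with the valve as 1oo2 lifts every result to SIL 3, which is the kind of recalculation the text describes.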

This is the methodology we use in our tool SILcet to calculate and verify the SIL.