SIL - Safety Integrity Level: WIKA - Part of Your Business


SIL – Safety Integrity Level

WIKA - Part of your business

1 SIL – Safety Integrity Level / Claus Nielsen


Introduction

Safety Integrity Level (SIL)

Safety Integrity Level (SIL) is defined as a relative level of risk reduction provided by a safety function, or as a target level of risk reduction to be specified.
In simple terms, SIL is a measure of the performance required of a Safety Instrumented Function (SIF).
The requirements for a given SIL are not consistent across all functional safety standards.
In the European functional safety standards based on IEC 61508, four SILs are defined, with SIL 4 being the most dependable and SIL 1 the least.
A SIL is determined from a number of quantitative factors in combination with qualitative factors such as the development process and safety life cycle management.


Introduction

Safety Integrity Level (SIL)

The purpose here is to provide the process industry with a description of various methodologies that can be used to evaluate the Safety Integrity Level (SIL).
This information only provides guidance in determining the specific SIL required, e.g. SIL 1, 2, 3 or 4.
SIL is based on the standard IEC 61508 and on the process-industry standard IEC 61511.


Introduction

Safety Integrity Level (SIL)

There are several methods used to assign a SIL. These are normally used in combination, and may include:
- Risk matrices
- Risk graphs
- Layers Of Protection Analysis (LOPA)
The assignment may be tested using both pragmatic and controllability approaches, applying guidance on SIL assignment published by the UK HSE.[1] SIL assignment processes that use the HSE guidance to ratify assignments developed from risk matrices have been certified to meet IEC EN 61508.

Source: Wikipedia


What is the benefit of SIL?

Current situation:
More complex control systems, combined with critical and inherently unsafe processes, raise the fear of hazardous events: particular situations could no longer be controlled.

Safety-critical application means that, in the event of a technical failure of the instrument or of the entire safety circuit, a malfunction may take place which, in turn, can lead to damage to the equipment and/or injury to persons.
SIL is a traditional risk assessment. The safety calculation makes the total risk of the plant or of the safety circuit apparent and quantifiable and, by using the correct components, eventually leads to a sufficient reduction in risk.
SIL means that the complete safety circuit, i.e. sensor/transmitter, logic unit and actuator, must be considered as one safety-integrated system whose SIL level, accordingly, follows from the sum of all individual components.
SIL is based on the standard IEC 61508 and on the process-industry standard IEC 61511.


What does SIL mean?

Before applying SIL, you have to make a risk analysis of your plant according to IEC 61508.

After your plant designer has carried out a risk assessment and performed a SIL classification, he will need the appropriate measuring device for this specific SIL. In most cases, SIL 1 or SIL 2 level is achieved.

For the SIL calculation, the following weighting is usually used: 35% for the sensor/transmitter, 15% for the logic unit and 50% for the actuator.
=> Our values have a weight of max. 35% in the calculation.
If the figures required for the SIL level are not reached, the plant designer must either implement additional constructional measures, design his systems redundantly or take other measures that further reduce the plant risk.

Risk management – how to use it?

You carry out a risk assessment. (Result: SIL level)

This SIL level is at the same time the value for the necessary risk reduction of the system.

Aim: balance between the unavoidable potential risk and the measures to prevent damage.


Risk management – How to use it?

[Figure: risk graph from "Acceptable risk" to "Danger", with the required risk reduction marked as SIL 1 … SIL 4; the text of the previous slide is repeated on this one.]

SIL     PFD                      Risk reduction factor
SIL 4   >= 10^-5 to < 10^-4      100000 to 10000
SIL 3   >= 10^-4 to < 10^-3      10000 to 1000
SIL 2   >= 10^-3 to < 10^-2      1000 to 100
SIL 1   >= 10^-2 to < 10^-1      100 to 10


Common abbreviations and what they mean

SFF – Safe Failure Fraction
Safe Failure Fraction describes the fraction of safe failures. This value should be very high.
Percentage of "safe" (or not dangerous) failures that do not interfere with the safety function.
Best value: 100 % (all failures are detected).
For example, SFF = 98 % means that 98 out of 100 failures are not dangerous to the safety function.

PFD – Probability of Failure on Demand
Probability of Failure on Demand describes the probability of a failure occurring when a safety function is initiated. This value should be very low.
It is a measure of the probability that the system fails exactly at the moment when the safety function is required.
For example, PFD = 1.482 · 10^-4 means that the safety function fails with a probability of 0.0001482 in one year – or, in other words, in 1482 years it is very likely that the safety function has failed (at least) once.
The lower the PFD value, the higher the safety quality.


Common abbreviations and what they mean

HFT – Hardware Fault Tolerance
Capability of a functional unit to continue executing the demanded function in the presence of faults or anomalies; without redundancy the HFT value is usually 0.
A quality measure of the safety function:
HFT = 0 for single-channel systems. One failure can cancel the safety function.
HFT = 1 for redundant systems. At least two simultaneous failures are necessary to cancel the safety function.
HFT = 2 for doubly redundant systems. At least three simultaneous failures are necessary to cancel the safety function.
Through a "proven in use" assessment (plus several additional measures) the necessary HFT can be reduced by 1 (see IEC 61511).

Tproof – Proof interval
Time interval between functional tests of the safety system. The shorter the interval, the higher the SIL that can be achieved for a safety system ... but the higher the costs!
Proof tests are used to disclose dangerous failures; the Tproof interval describes this recurring functional check.
Proof tests are necessary not only for the transmitter but for the whole functional safety system.

More abbreviations and their meaning

Low demand and high demand systems
Low demand: the safety function may be required once a year or less (typical for process automation; a shutdown is not typical during normal operation; typical Tproof: 1 year).
High demand: the safety function may be required several times a day (typical for machines with workers; continuous proof of the safety function).

High / low stress environment for the sensors
Low stress environment means vibrations smaller than 0.1 g.
High stress environment means higher and steady vibrations.

Type A subsystem / Type B subsystem
Type B = complex subsystem, e.g. with microprocessors in the electronics. (A Type A subsystem, by contrast, is one whose failure modes are well defined and whose behaviour under fault conditions can be completely determined.)

FIT – Failures In Time
Failure rate of devices, expressed in failures per 10^9 device-hours. For these values a special failure rate catalogue is in use.


More abbreviations and their meaning

High / low demand mode
The dangerous condition of the process is not permanently present, which means the safety-related system is not permanently in use.

XooY (1oo1 / 1oo2 / 2oo3)
Classification and description of the safety-related system regarding redundancy and the voting (selection) procedure used. "Y" indicates how many times the safety function is implemented (redundancy). "X" determines how many channels must work properly.


What does SIL mean for WIKA in regard to temperature transmitters?

Generally valid (not only for WIKA): only HART® transmitters are classified according to SIL.
For devices used in functional safety applications (devices with SIL) the following applies: WIKA has to create a calculation of the probability of failure. This also covers an FMEDA (Failure Mode, Effects and Diagnostic Analysis).
The calculated values are always valid only with the connected sensors.
The WIKA quality system has to fulfil the IEC 61508 aspects, and the documentation has to be used according to IEC 61508.
For new developments resulting in a SIL transmitter the following applies:
The development process has to be carried out according to IEC 61508 (full assessment per IEC 61508).
This is the case for the T32.1S / T32.3S.


Which kind of failure do we talk about and how is it described?

λSD = lambda Safe Detected
λSU = lambda Safe Undetected
λDD = lambda Dangerous Detected
λDU = lambda Dangerous Undetected

$$\mathrm{SFF} = \frac{\lambda_{SD} + \lambda_{SU} + \lambda_{DD}}{\lambda_{SD} + \lambda_{SU} + \lambda_{DD} + \lambda_{DU}}$$

$$\mathrm{SFF} = 1 - \frac{\lambda_{DU}}{\lambda}, \qquad \lambda = \lambda_{SD} + \lambda_{SU} + \lambda_{DD} + \lambda_{DU}$$

[Figure: the total failure rate λ split into its shares λSD, λSU, λDD and λDU.]


What does SIL mean for the sensors and what are the possible failure modes?

RTD, 4-wire
Cable break (Pt100 or wire to Pt100)              – Dangerous Detected     1400 FIT
Wire short (Pt100 or wire to Pt100)               – Dangerous Detected      550 FIT
Drift of the Pt100                                – Dangerous Undetected     20 FIT
Resistance change of wires or contacts (clamps)   – Safe Detected            30 FIT
=> SFF = 99.02 %

Thermocouple TC
Cable break (TC or wire)                          – Dangerous Detected     4740 FIT
Wire short (TC or wire)                           – Dangerous Undetected     50 FIT
Drift of the TC                                   – Dangerous Undetected    200 FIT
Resistance change of wires or contacts (clamps)   – Safe Detected            10 FIT
=> SFF = 94.97 %
Original values from the safety manual T32.xS and from exida, low stress environment


What is the SIL classification for the T32?

SIL classification according to IEC/EN 61508

SFF                        Type A subsystem             Type B subsystem
(percentage of             HFT (hardware fault          HFT (hardware fault
non-dangerous failures)    tolerance)                   tolerance)
                           0       1       2            0       1       2
< 60 %                     SIL 1   SIL 2   SIL 3        ------  SIL 1   SIL 2
60 % … < 90 %              SIL 2   SIL 3   SIL 4        SIL 1   SIL 2   SIL 3
90 % … < 99 %              SIL 3   SIL 4   SIL 4        SIL 2   SIL 3   SIL 4
> 99 %                     SIL 3   SIL 4   SIL 4        SIL 3   SIL 4   SIL 4

Safety Integrity Level (SIL)   Low demand mode (probability of failure on demand = PFDavg)
4                              ≥ 10^-5 … < 10^-4
3                              ≥ 10^-4 … < 10^-3
2                              ≥ 10^-3 … < 10^-2
1                              ≥ 10^-2 … < 10^-1


How do you calculate the SFF value?
(Example of a 4-wire RTD with a T32 transmitter)

λDU (T32.1S with 4-wire RTD)         = 34 · 10^-9 /h
λDD (T32.1S with 4-wire RTD)         = 2037 · 10^-9 /h
λSU + λSD (T32.1S with 4-wire RTD)   = 119 · 10^-9 /h

$$\mathrm{SFF} = \frac{\lambda_{SD} + \lambda_{SU} + \lambda_{DD}}{\lambda_{SD} + \lambda_{SU} + \lambda_{DD} + \lambda_{DU}} = 1 - \frac{\lambda_{DU}}{\lambda}$$

SFF = [1 – 34/(34 + 2037 + 119)] · 100 % => SFF = 98.45 % (SIL 2 for a Type B subsystem with HFT 0, see the SIL classification table above)

Original values from the safety manual T32.xS
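The SFF formula, the sensor failure-mode lists and the SIL classification table above, carried through in code. This is an added Python example, not WIKA's or exida's FMEDA tool: the failure-mode lists and the T32.1S rates are the values printed on the slides, and the names `sum_by_class`, `sff`, `sil_from_sff`, `sff_of_modes` and `t32_1s_rtd` are chosen here. Because the slide gives λSU + λSD only as one combined figure, the example passes it in as the safe-detected share; the SFF does not depend on how the safe failures are split, only on λDU against the total.

```python
"""Safe Failure Fraction and SIL capability from SFF/HFT.

Added example (not WIKA's or exida's FMEDA tool). Failure rates are in FIT
(failures per 1e9 device-hours) as on the slides; the lookup table is the
IEC 61508 Type A / Type B table reproduced on the page.
"""
from typing import Dict, Iterable, Tuple

# FMEDA failure classes: Safe/Dangerous x Detected/Undetected.
CLASSES = ("SD", "SU", "DD", "DU")

FailureMode = Tuple[str, str, float]   # (description, class, FIT)


def sum_by_class(modes: Iterable[FailureMode]) -> Dict[str, float]:
    """Sum the FIT values of an FMEDA failure-mode list per class."""
    totals = {c: 0.0 for c in CLASSES}
    for _description, cls, fit in modes:
        if cls not in totals:
            raise ValueError(f"unknown failure class {cls!r}")
        totals[cls] += fit
    return totals


def sff(l_sd: float, l_su: float, l_dd: float, l_du: float) -> float:
    """SFF = (λSD + λSU + λDD) / (λSD + λSU + λDD + λDU) = 1 - λDU/λ, as 0..1."""
    total = l_sd + l_su + l_dd + l_du
    if total <= 0:
        raise ValueError("total failure rate must be positive")
    return 1.0 - l_du / total


# Rows: SFF lower bound as a fraction; columns: HFT 0, 1, 2. 0 = not allowed
# (the "------" cell of the Type B row below 60 %).
SIL_TABLE = {
    "A": [(0.00, (1, 2, 3)), (0.60, (2, 3, 4)), (0.90, (3, 4, 4)), (0.99, (3, 4, 4))],
    "B": [(0.00, (0, 1, 2)), (0.60, (1, 2, 3)), (0.90, (2, 3, 4)), (0.99, (3, 4, 4))],
}


def sil_from_sff(sff_value: float, subsystem_type: str, hft: int) -> int:
    """Maximum SIL claimable from SFF and HFT for a Type A or Type B subsystem."""
    if hft not in (0, 1, 2):
        raise ValueError("HFT must be 0, 1 or 2")
    sil = 0
    for lower, sils in SIL_TABLE[subsystem_type.upper()]:
        if sff_value >= lower:
            sil = sils[hft]          # rows are ascending, last match wins
    return sil


# Failure-mode lists from the slide "What does SIL mean for the sensors" (slide values).
RTD_4WIRE_MODES = [
    ("cable break (Pt100 or wire to Pt100)", "DD", 1400),
    ("wire short (Pt100 or wire to Pt100)", "DD", 550),
    ("drift of the Pt100", "DU", 20),
    ("resistance change of wires or contacts", "SD", 30),
]
TC_MODES = [
    ("cable break (TC or wire)", "DD", 4740),
    ("wire short (TC or wire)", "DU", 50),
    ("drift of the TC", "DU", 200),
    ("resistance change of wires or contacts", "SD", 10),
]


def sff_of_modes(modes: Iterable[FailureMode]) -> float:
    """SFF of a whole failure-mode list."""
    t = sum_by_class(modes)
    return sff(t["SD"], t["SU"], t["DD"], t["DU"])


def t32_1s_rtd(hft: int = 0) -> Tuple[float, int]:
    """T32.1S with 4-wire RTD (slide values): λDU 34, λDD 2037, λSU+λSD 119 FIT.
    The slide gives λSU + λSD as one number; it is passed as SD here, which does
    not change the SFF. The transmitter has a microprocessor, so it is Type B."""
    value = sff(119, 0, 2037, 34)
    return value, sil_from_sff(value, "B", hft)


if __name__ == "__main__":
    print(f"4-wire RTD sensor SFF = {sff_of_modes(RTD_4WIRE_MODES):.2%}")
    print(f"thermocouple sensor SFF = {sff_of_modes(TC_MODES):.2%}")
    value, sil = t32_1s_rtd()
    print(f"T32.1S + 4-wire RTD: SFF = {value:.2%}, SIL (Type B, HFT 0) = {sil}")
```

Running it reproduces the 98.45 % of the slide and the SIL 2 cell of the Type B / HFT 0 column; calling `t32_1s_rtd(hft=1)` shows how one level of redundancy moves the same SFF into the SIL 3 cell.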


How do I calculate the PFD value?
(Example of a 4-wire RTD with a T32 transmitter)

λDU (T32.1S with 4-wire RTD) = (20 + 14) · 10^-9 /h

$$\mathrm{PFD} = \lambda_{DU} \cdot T_1 \cdot 0.5 = \lambda_{DU} \cdot \frac{T_1}{2}$$

Calibration interval T1: 1 year = 8760 h
PFD = 34 · 10^-9 /h · 8760 h · 0.5 => PFD = 1.482 · 10^-4 -> is suitable for SIL 4

Safety Integrity Level (SIL)   Low demand mode (probability of failure on demand = PFDavg)
4                              ≥ 10^-5 … < 10^-4
3                              ≥ 10^-4 … < 10^-3
2                              ≥ 10^-3 … < 10^-2
1                              ≥ 10^-2 … < 10^-1

The lower of the two results, the SIL from the SFF and the SIL from the PFD, is the one relevant for the SIL of a device! Result = SIL 2

Original values from the safety manual T32.xS

What does the customer need to use the T32 in SIL applications?

The SIL manual has to be read carefully, especially:

The device-specific hints and the intended safety-related use have to be considered, e.g.:
- Some sensor connections are not usable for SIL applications (e.g. the potentiometer connection); some are usable for SIL 1 only, some for SIL 2.
- The limitations of the operating modes are to be considered.
- The hints on inadmissible safety-related use and on commissioning and periodic tests have to be considered.
If the figures required for the SIL level are not reached, the designer must either implement additional constructional measures, design his systems redundantly or take other measures that further reduce his plant risk.
T32.xS.xxx – S – xxx.xxx
If the write protection is not activated, the SIL T32.xS transmitter will remain in the error signalization "fail low" (downscale < 3.5 mA).


What does the customer need to use the T32 in SIL applications?

SIL is a measure of the safety-relevant performance of an electrical or electronic control system.
A control system normally consists of three components: sensor, actuator, PLC.

Weighting of the functional safety: for the SIL calculation, a weighting is usually used of 35% for the sensor/transmitter, 15% for the logic unit and 50% for the actuator.
=> Our SFF values have a weight of max. 35% in the calculation.


SIL assessment example
Calculation of the Safety Integrity Level of a protection system

[Figure: protection loop of three components, each with its own rating]
Component 1: SIL 3   SFF = 95.1 %   PFD = 1.51 · 10^-4
Component 2: SIL 2   SFF = 90.5 %   PFD = 1.2 · 10^-3
Component 3: SIL 2   SFF = 78.8 %   PFD = 7.9 · 10^-3

Considering the safety-relevant values of the single components, the SIL classification of the whole protection system is calculated with these values.


SIL assessment – max. SIL from SFF/HFT or from PFD

PFDavg                 SIL
≥ 10^-2 … < 10^-1      SIL 1
≥ 10^-3 … < 10^-2      SIL 2
≥ 10^-4 … < 10^-3      SIL 3
≥ 10^-6 … < 10^-4      SIL 4

Component 1: SIL 3   SFF = 95.1 %   PFD = 1.51 · 10^-4
Component 2: SIL 2   SFF = 90.5 %   PFD = 1.2 · 10^-3
Component 3: SIL 2   SFF = 78.8 %   PFD = 7.9 · 10^-3

Maximum SIL from SFF and HFT:
SIL 3 + SIL 2 + SIL 2 = max. SIL 2 (lowest value)
Maximum SIL from PFDavg:
PFDavg = 1.51 · 10^-4 + 1.2 · 10^-4 + 7.9 · 10^-4 = 1.06 · 10^-4 (PFDavg,new) = SIL 2


SIL assessment – max. SIL from SFF/HFT or from PFD

PFDavg                 SIL
≥ 10^-2 … < 10^-1      SIL 1
≥ 10^-3 … < 10^-2      SIL 2
≥ 10^-4 … < 10^-3      SIL 3
≥ 10^-6 … < 10^-4      SIL 4

Component 1: SIL 3   SFF = 95.1 %   PFD = 1.51 · 10^-3
Component 2: SIL 2   SFF = 90.5 %   PFD = 1.2 · 10^-1
Component 3: SIL 2   SFF = 78.8 %   PFD = 7.9 · 10^-1

Important: SIL 2 + SIL 2 + SIL 2 is not necessarily SIL 2!

Maximum SIL from SFF and HFT:
SIL 3 + SIL 2 + SIL 2 = max. SIL 2 (lowest value)
Maximum SIL from PFDavg:
Σ PFDavg = 1.5 · 10^-3 + 1.2 · 10^-1 + 7.9 · 10^-1 = 1.06 · 10^-1 (PFDavg,new) = SIL 1
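The PFD calculation for the T32.1S (slide "How do I calculate the PFD value?") and the two protection-system assessments above, worked in code. This is an added Python example, not WIKA's or exida's tool: `pfd_avg_1oo1` is the slide's simplified formula PFD = λDU · T1 / 2 for a single (1oo1) channel, `sil_from_pfd` applies the low-demand PFDavg bands of the page's table (SIL 1 from 10^-2, SIL 2 from 10^-3, SIL 3 from 10^-4, SIL 4 from 10^-5 up to below 10^-4) and returns 0 when the PFD is too high even for SIL 1, `device_sil` takes the lower of the SFF-based and the PFD-based SIL, and `system_sil` combines the components of one loop by the lowest component SIL and by the band of the summed PFDavg. All function names are chosen here; the component values are those printed on the slides. For 34 FIT and 8760 h the simplified product comes out at 1.489 · 10^-4, while the slide quotes the safety manual's 1.482 · 10^-4; in a real assessment the manual's figure, not the approximation, is the one to use.

```python
"""PFDavg, SIL band lookup and SIL combination for a protection loop.

Added example (not WIKA's or exida's tool). Implements the slide's simplified
PFD = λDU · T1 / 2 for a single channel and the low-demand PFDavg bands printed
on the page. Component values below are the ones quoted on the slides.
"""
from typing import Sequence, Tuple

HOURS_PER_YEAR = 8760   # 1 year, as used on the slide


def pfd_avg_1oo1(lambda_du_fit: float, t_proof_h: float) -> float:
    """Average PFD of one channel: λDU · T1 / 2, with λDU given in FIT (1e-9 /h)."""
    lambda_du = lambda_du_fit * 1e-9        # FIT -> failures per hour
    return lambda_du * t_proof_h * 0.5


# (exclusive upper bound of the band, SIL). Below 1e-5 the page's table ends.
PFD_BANDS = [(1e-1, 1), (1e-2, 2), (1e-3, 3), (1e-4, 4)]


def sil_from_pfd(pfd: float) -> int:
    """SIL band of a PFDavg; 0 means the PFD is too high even for SIL 1."""
    if pfd <= 0:
        raise ValueError("PFD must be positive")
    sil = 0
    for upper, band_sil in PFD_BANDS:
        if pfd < upper:
            sil = band_sil          # bands are ordered, last match is the tightest
    return sil


def device_sil(sil_by_sff_hft: int, pfd: float) -> int:
    """The lower of the SFF/HFT-based SIL and the PFD-based SIL is the device SIL."""
    return min(sil_by_sff_hft, sil_from_pfd(pfd))


def system_sil(component_sils: Sequence[int],
               component_pfds: Sequence[float]) -> Tuple[float, int, int, int]:
    """Combine the components of one protection loop (sensor, logic, actuator).

    Returns (summed PFDavg, SIL from SFF/HFT = lowest component SIL, SIL from
    the summed PFDavg, resulting system SIL = the lower of the two).
    """
    if len(component_sils) != len(component_pfds) or not component_sils:
        raise ValueError("need one SIL and one PFD per component")
    pfd_sum = sum(component_pfds)
    by_sff_hft = min(component_sils)
    by_pfd = sil_from_pfd(pfd_sum)
    return pfd_sum, by_sff_hft, by_pfd, min(by_sff_hft, by_pfd)


def t32_1s_rtd_pfd() -> float:
    """Slide example: T32.1S with 4-wire RTD, λDU = (20 + 14) FIT, Tproof = 1 year."""
    return pfd_avg_1oo1(20 + 14, HOURS_PER_YEAR)


# First assessment slide: components rated SIL 3 / SIL 2 / SIL 2.
LOOP_A = ([3, 2, 2], [1.51e-4, 1.2e-3, 7.9e-3])
# Second assessment slide: same SIL ratings, much worse PFD values.
LOOP_B = ([3, 2, 2], [1.51e-3, 1.2e-1, 7.9e-1])

if __name__ == "__main__":
    pfd = t32_1s_rtd_pfd()
    print(f"T32.1S 4-wire RTD: PFD = {pfd:.3e}, SIL by PFD = {sil_from_pfd(pfd)}, "
          f"device SIL with SIL 2 from SFF = {device_sil(2, pfd)}")
    for name, (sils, pfds) in (("loop A", LOOP_A), ("loop B", LOOP_B)):
        pfd_sum, by_sff, by_pfd, result = system_sil(sils, pfds)
        print(f"{name}: sum PFD = {pfd_sum:.3e}, SIL by SFF/HFT = {by_sff}, "
              f"SIL by PFD = {by_pfd}, system SIL = {result}")
```

The two loops make the point of the slide: the same three component ratings give a system SIL 2 in loop A, while in loop B the summed PFDavg leaves the SIL 1 band altogether, so the component SILs alone say nothing about the loop.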


What does SIL mean for WIKA in regard to sensors (RTD/TC) without transmitters?

Despite the fact that several customers ask for a SIL certificate for sensors only (RTD/TC), there is no way to provide one, because:
- The sensor without transmitter cannot supervise itself.
- The sensor without transmitter contains no further electronic components.
But WIKA declares the possible usage of the sensors in combination with suitable temperature transmitters:
- with commonly used values (literature)
- with own values, from own experience


Which values are available for the T32?
(Dual sensor Pt100/TC)

FMEDA 8: dual sensor Pt100, safety function for "4…20 mA output"
λDU                            57 FIT
λDD                            4017 FIT
λSU + λSD                      119 FIT
SFF – Safe Failure Fraction    98.8 %
MTTR                           8 h
PFD for Tproof = 1 year        2.495 · 10^-4
DC                             manual

FMEDA 9: dual sensor TC with internal reference junction, safety function for "4…20 mA output"
λDU                            516 FIT
λDD                            9557 FIT
λSU + λSD                      117 FIT
SFF – Safe Failure Fraction    95.3 %
MTTR                           8 h
PFD for Tproof = 1 year        2.262 · 10^-3
DC                             manual


Which values are available for the T32?
(Pt100 sensor)

FMEDA 3: Pt100, 3-wire, safety function for "4…20 mA output"
λDU                            30 FIT
λDD                            2037 FIT
λSU + λSD                      118 FIT
SFF – Safe Failure Fraction    98.6 %
MTTR                           8 h
PFD for Tproof = 1 year        1.316 · 10^-4
DC                             manual

FMEDA 4: Pt100, 4-wire, safety function for "4…20 mA output"
λDU                            34 FIT
λDD                            2037 FIT
λSU + λSD                      119 FIT
SFF – Safe Failure Fraction    98.6 %
MTTR                           8 h
PFD for Tproof = 1 year        1.482 · 10^-4
DC                             manual

FMEDA 5: Pt100, 2-wire, safety function for "4…20 mA output"
λDU                            414 FIT
λDD                            1657 FIT
λSU + λSD                      118 FIT
SFF – Safe Failure Fraction    81.2 %
MTTR                           8 h
PFD for Tproof = 1 year        1.815 · 10^-3
DC                             manual

Which values are available for the T32?
(Thermocouple)

FMEDA 6: TC with internal reference junction, safety function for "4…20 mA output"
λDU                            265 FIT
λDD                            4807 FIT
λSU + λSD                      116 FIT
SFF – Safe Failure Fraction    94.9 %
MTTR                           8 h
PFD for Tproof = 1 year        1.162 · 10^-3
DC                             manual

FMEDA 7: TC with external reference junction, safety function for "4…20 mA output"
λDU                            664 FIT
λDD                            6407 FIT
λSU + λSD                      118 FIT
SFF – Safe Failure Fraction    90.7 %
MTTR                           8 h
PFD for Tproof = 1 year        2.91 · 10^-3
DC                             manual


Thank you very much
for your attention!
