
An Introduction to Functional Safety and SIL

Functional Safety is a relatively new concept in the world of safety (and in industry as well). This whitepaper seeks to explain the concept of Functional Safety and the related concepts of demand, Safety Integrity Level, Safety Instrumented Systems and the standards used in the area of Functional Safety, to technical professionals who do not have any background in functional safety. It also explains the importance of Functional Safety Management, known as FSM for short, in industry.
What is Functional Safety?
Safety is simply defined as “freedom from harm”. In colloquial usage we use the words risk, hazard, harm and unsafe interchangeably. However, these terms actually mean quite different things. Before we start with the concept of Functional Safety, let us understand the differences between hazard, risk and harm.

What is a Hazard?
A hazard is a property of a substance or piece of equipment that has the potential to cause harm. Harm is, of course, easily understood. So, for example, a propane tank that stores propane (a highly flammable substance) in an industrial facility could be considered a hazard.

What is Risk?
Is there a possibility that the propane tank in the above example can explode or catch fire? Yes, of course. If it does explode or catch fire, it is certain to cause harm to people in the vicinity, damage nearby equipment and harm the environment. These are known as consequences. In the world of safety, the word consequence generally has a negative connotation. The probability that a hazard may cause negative consequences is called Risk.

Therefore Risk can be expressed by the equation below:

Risk = Probability of occurrence × Consequence of occurrence

What is Harm?
When the risk gets actualized into an event (an accident happens), it leads to many consequences, almost all of which are undesirable, as they cause harm to people, damage equipment and cause environmental destruction. This is known as harm. Incidents that cause harm are known as unsafe incidents.

Our goal in ensuring safety is to make the likelihood of harm very small.

What is Inherent Safety?

Processes and systems can, to some extent, be designed to be inherently safe, but very often they are not. What do we mean by inherent safety? Consider a day tank in a chemical manufacturing plant, which is filled and emptied several times a day with a toxic liquid. The tank has an overflow line that connects to a containment vessel. In case of overfilling, the excess liquid in the day tank flows to the containment vessel, thus preventing spillage and its consequences.

This is an example of inherent safety. It is also an example of what Functional Safety is not.

What is Functional Safety?

If, instead of the overflow line, we had a level sensor that detects overfilling of the tank and, on detection, sends a signal to a system that operates an actuated valve to cut off the inlet flow, then we would call this an example of “Functional Safety”. The example above shows Functional Safety in the chemical process industry, but this is not the only place where you will find it. It is present in many other places, such as trains, cars, aircraft, building automation systems, machinery and nuclear installations, to name a few.
What is a Safety Function?
In the above example, the system comprising the sensor, the controller or logic solver and the actuated valve together carries out a particular function, namely a Safety Function, which ensures that in case of high level, spillage will not occur. It is now clear that in a plant, equipment or other piece of machinery there would be several such Safety Functions. These Safety Functions taken together can be called a Safety System.

Safety will be assured only if all these Safety Functions work when needed.
The “when needed” part is as important as the “work” in the above
sentence. Why is this so?

That brings us to the concept of something known as a demand.


Note: To learn and get certified in Functional Safety & SIL, please take either
of the courses below.

What do we mean by Demand?


In the context of functional safety, when the Safety Function is called upon to do its work, this is known as a demand. So in the above example, as long as the day tank is not filled to a high level (one that can cause a spill), we can say that there is no demand on the Safety Function to carry out its work. However, the moment the level in the tank rises to a high level (enough to cause a spill), the Safety Function must act, as a demand is now placed on it by the process.

One can see that the Safety Function must act now, on demand, to ensure
that safety is maintained.

This is an important concept, because most of the time a safety device just
sits there, idle, when the process is in the safe state.

The moment a demand occurs, however, it must swing into action immediately. The aim of Functional Safety and Functional Safety Management is to ensure that it does, every time. It will, won't it?

Or can anything go wrong? What do you think?


How do Failures affect Safety Functions?

What is the relationship between Reliability and Functional Safety?


This brings us to the concept of Failures. Like everything else, a safety system can also fail. What if it fails at the precise moment that it is supposed to operate? (Just like the famous “Murphy's Law”.)

Then, on demand, the Safety Function will not work and a disaster may take
place. How do we avoid these situations? By using the techniques, tools and
standards of Functional Safety Engineering, for example by adopting and
following techniques outlined in International Standards such as IEC 61508.

What types of Failures can occur?

Broadly speaking, we could have three types of failures of the safety system: Random, Common Cause and Systematic failures. Any of these three types of failures could make our safety function inoperable upon demand. Our goal therefore would be to design, build and maintain a safety system that will not fail upon demand even in the event of random, common cause and systematic failures.

Needless to say, such a system that would never fail is only a theoretical concept and not practical. All systems fail and safety systems are no exception.

However, by using the principles and generally accepted good engineering practices of Functional Safety, we can make them almost fail safe.
What is SIL? (Safety Integrity Level)
We have a measure for the reliability of a Safety Function, and it is captured by the term “Safety Integrity”. As the name suggests, we need a safety function with integrity, and the worse the likely consequences of its failure, the higher the safety integrity we need. Hence the Safety Integrity Level is defined in the IEC standards to represent the Safety Integrity of a particular Safety Function. It is a performance measure of the Safety Function.

There are four levels of Safety Integrity named as SIL 1, SIL 2, SIL 3 and SIL
4. Of these SIL 1 is the lowest and SIL 4 is the highest level.

So how does one decide the Safety Integrity? The IEC standards classify
Safety Functions as being of two types based on how frequently one
encounters a demand. So certain safety functions, such as those that are
commonly found in the Chemical Industry (e.g. overfill protection system
like the example of our day tank above), are generally classified as low
demand ones. This is because we expect that the demand would be less
than one per year. This of course is in line with our practical experience in
this industry, where we do not expect that Safety Functions are called in to
protect the plant every other day.

There is another category of Safety Functions found in places where the demand rate is very high and sometimes even continuously present; these are called high demand applications. Common examples are the braking system of a train or car. Brakes are operated quite often (certainly more than once a year) and are classified as high demand systems.
What do we understand by the SIL Rating?
The probability that the Safety Function will fail on demand is known as the PFD. The average probability that it will fail dangerously on demand is called the PFDavg. The SIL levels correlate with the PFDavg of the Safety Function, as outlined in the SIL Rating table below, for Low Demand applications.

Note that this is not the only criterion for a Safety Function to be categorized as SIL 1, SIL 2, SIL 3 or SIL 4. There are some other conditions too, but this is the most famous one!

However, for High Demand applications, the probability of failure is represented by PFH, the Probability of dangerous Failure per Hour. The SIL levels that correspond to the different PFH values are given in the table below.
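As an added worked example (not code from the whitepaper or its author), the script below sizes a simple 1oo1 (one-out-of-one) safety function such as the day-tank high-level trip and maps its performance measure to a SIL band, for both the low-demand (PFDavg) and high-demand (PFH) cases. The band limits are the IEC 61508 target failure measures; the formulas PFDavg ≈ λDU × TI / 2 and PFH ≈ λDU are the common simplified 1oo1 approximations (no diagnostics, common cause or repair time), which is one reason PFDavg alone does not settle the SIL. All failure rates and proof-test intervals are constructed sample values.

```python
"""Added worked example (not from the original whitepaper): PFDavg / PFH
for a 1oo1 safety function and the SIL band it lands in.

Assumptions, labelled:
- SIL bands are the IEC 61508-1 target failure measures (PFDavg for low
  demand mode, PFH for high-demand / continuous mode).
- PFDavg ~= lambda_DU * T_I / 2 and PFH ~= lambda_DU are the usual simplified
  1oo1 approximations: no diagnostic coverage, common cause or repair time.
- Every failure rate and proof-test interval below is a constructed sample.
"""

HOURS_PER_YEAR = 8760

# Target failure measure per SIL as [lower, upper) bands (IEC 61508-1).
SIL_PFD_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}
SIL_PFH_BANDS = {1: (1e-6, 1e-5), 2: (1e-7, 1e-6), 3: (1e-8, 1e-7), 4: (1e-9, 1e-8)}


def pfd_avg_1oo1(lambda_du_per_hour: float, proof_test_interval_hours: float) -> float:
    """Average probability of dangerous failure on demand for a 1oo1 loop.

    A dangerous undetected failure stays hidden until the next proof test, so
    the unavailable fraction of time averages to lambda_DU * T_I / 2.
    """
    return lambda_du_per_hour * proof_test_interval_hours / 2.0


def pfh_1oo1(lambda_du_per_hour: float) -> float:
    """Probability of dangerous failure per hour for a 1oo1 loop in high-demand mode."""
    return lambda_du_per_hour


def risk_reduction_factor(pfd_avg: float) -> float:
    """RRF = 1 / PFDavg: the factor by which the safety function reduces risk."""
    return 1.0 / pfd_avg


def sil_from_measure(value: float, bands: dict) -> int:
    """Map a PFDavg or PFH value to its SIL band.

    Returns 0 when the value is worse than the SIL 1 band (no SIL can be
    claimed) and 4 when it is better than the SIL 4 band (IEC 61508 defines
    no higher level).
    """
    for sil, (low, high) in bands.items():
        if low <= value < high:
            return sil
    return 4 if value < bands[4][0] else 0


def max_proof_test_interval_hours(lambda_du_per_hour: float, target_sil: int) -> float:
    """Longest 1oo1 proof-test interval keeping PFDavg inside the target band.

    Solves lambda_DU * T_I / 2 < upper bound of the band for T_I. The returned
    value is the limit itself, so the real test schedule must be shorter.
    """
    upper = SIL_PFD_BANDS[target_sil][1]
    return 2.0 * upper / lambda_du_per_hour


if __name__ == "__main__":
    # Constructed sample: combined dangerous-undetected failure rate of the
    # level sensor, logic solver and actuated valve of the day-tank trip.
    lambda_du = 5e-7  # per hour

    for years in (1, 2, 5):
        pfd = pfd_avg_1oo1(lambda_du, years * HOURS_PER_YEAR)
        print(f"proof test every {years} yr: PFDavg={pfd:.2e}, "
              f"RRF={risk_reduction_factor(pfd):.0f}, "
              f"SIL {sil_from_measure(pfd, SIL_PFD_BANDS)}")

    pfh = pfh_1oo1(lambda_du)
    print(f"same hardware in high-demand mode: PFH={pfh:.1e}, "
          f"SIL {sil_from_measure(pfh, SIL_PFH_BANDS)}")
    print(f"longest proof-test interval for SIL 2: "
          f"{max_proof_test_interval_hours(lambda_du, 2):.0f} h")
```

Running the sample shows the practical point behind "work when needed": with the same hardware, a yearly proof test gives PFDavg 2.19e-3 (SIL 2 band, RRF about 457), while stretching the proof-test interval to five years pushes PFDavg above 1e-2 and the loop drops into the SIL 1 band. The PFH mapping shows that the same failure rate is judged against a different table in high-demand mode.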

The above is, of course, just a small introduction to the concept of Safety Integrity Level. Further reading and training is essential to understand it fully. For example, if you take our courses today, you can learn everything about it in a very easy to understand manner.

In the next section we will take a look at some standards that are used in Functional Safety.
Which are the important Functional Safety Standards?
Functional Safety standards are not new. They have been around in some form or other for the past several decades. However, it is only after the IEC (International Electrotechnical Commission) published the first set of standards known as IEC 61508, sometime around 1990, that Functional Safety really came into its own. This standard, IEC 61508, is also known as an “umbrella standard” because a lot of other industry-specific Functional Safety standards are derived from it.

Thus the process industry follows IEC 61511, the nuclear industry follows IEC 61513, the machinery industry follows IEC 62061, the automotive industry follows ISO 26262, the railway industry follows EN 50126, and so on. All of these are derived from the IEC 61508 standard.

Note that IEC 61508 applies to any Electrical/Electronic/Programmable Electronic Safety Related System. It is followed all over the world. In the US, ANSI/ISA S84 is also derived from IEC 61508. Typical applications where IEC 61508 is applied are Safety Instrumented Systems in process plants, nuclear plants and the like, High Integrity Pressure Protection Systems (HIPPS), Burner Management Systems, emergency braking systems of trains, and so on. Wherever an Electrical/Electronic/Programmable Electronic Safety Related System exists, IEC 61508 is applicable.
What do we mean by the Safety Life Cycle?
IEC 61508 emphasizes a Life Cycle approach to Safety Related Systems. The Safety Life Cycle starts from the day the first requirement to build a Safety Related System arises and ends on the day the entire system is decommissioned. This means that, given the life of a typical process plant (or a passenger train), the life cycle could be very long, 30 years or so or even 50 years. During this time there could be minor or major modifications, or retrofits.

Sector-specific functional safety standards have lifecycles applicable to them. For example, below is the IEC 61511 safety lifecycle applicable to the process industries.

Note: The easiest and fastest way to learn all about Functional Safety and SIL is by taking either of the two courses above. One is the Safety Instrumented Systems course and the other is the Functional Safety, SIL and SIS Cybersecurity course.
What do we mean by Functional Safety Management?
One look at the above diagram tells us that a Safety Related Systems project, over its entire lifecycle, can be long, complex and a challenge to manage. However, it must be well managed, or we risk compromising safety and causing yet another accident!

To ensure that this lifecycle does work in the manner shown above, one has
to implement Functional Safety Management, or FSM for short. Thus all
objectives must be clearly defined at the start of the lifecycle. Organizations,
Departments and persons should be allotted responsibilities, based on
their roles in the lifecycle.

Note that this is more challenging than a typical project management issue, since the lifecycle can extend over decades, much longer than any project! Hence a different set of knowledge, experience and skills is needed to manage Functional Safety over the entire lifecycle.

The lifecycle diagram helps us identify who should do what and generate
which documents, at which particular stages of the lifecycle. Note that the
lifecycle also has verification, assessments and audits that are to be carried
out.

Every stakeholder in the project has different roles to play in the lifecycle.
For example a Safety Instrumented Systems vendor who is building an
Emergency Shutdown System needs to carry out different activities in the
lifecycle, as compared to an engineering consultant. However, in the end,
there has to be an overall responsible person or organization (very often
from the end user) who can manage these different stakeholders in the
entire lifecycle. Such a person is known as the Functional Safety Manager
or FSM for short.

The Functional Safety Manager should be able to understand the different roles played by different stakeholders in the lifecycle, co-ordinate between them, manage the documentation, verification, assessments and audits that are part of the lifecycle, and have sufficient managerial authority to do so. Also, the end result should be Safety and not anything else!

It is now clear that the Functional Safety Manager should be a technically competent and experienced person who understands Functional Safety very well. He/she should have adequate training and certification that demonstrates knowledge and competence in Functional Safety. He/she should also have people management skills, project management skills and co-ordination skills.

Functional Safety has grown in importance over the last decade. It is not enough just to understand Functional Safety, follow the appropriate and relevant standards such as IEC 61508 and install Safety Systems. It is also important to understand and adequately manage Functional Safety over the entire lifecycle of the plant or equipment. This is known as Functional Safety Management, and it is a skill that will only increase in demand in the years to come, as the emphasis on safety increases.
