Low-integrity safety functions, i.e. those with a required risk reduction factor (RRF) of no more than 10, need not be implemented in the safety system.

The definition of the target SIL for safety instrumented functions (SIFs) is an important step in the safety life cycle of IEC 61511. There are a number of methods to define the SIL, ranging from qualitative (risk matrix) and semi-qualitative (calibrated risk graph) to semi-quantitative (LOPA) and quantitative (QRA). These methods are described in IEC 61511-3 and in VDI/VDE 2180-1.

There is an understandable tendency to assume that safety functions (trips, shutdowns) should be implemented in a ‘safety-related’ control system. Such functions may already be defined in the project cause & effect chart, prepared before the SIL analysis is carried out. It may then come as a surprise when the SIL analysis, based on the frequency and consequence defined in the HAZOP, results in a target of SIL-a, SIL-0 or even SIL-1#. What do these categories actually mean?

The following tables show the allocation of SIL according to ‘Risk Graph’ method as per IEC 61511-3 and VDI/VDE 2180-1.


IEC gives the following definitions:

SIL-a:     ‘No special safety requirements’ or ‘SIS protection layer probably not needed’
SIL-0:     ‘No protection layer needed’
—:           ‘No safety requirements’

VDI/VDE gives the following definitions:

SIL-0:     ‘Operating equipment with safety function / BPCS protection layer’ (in the original: Betriebseinrichtung mit Sicherheitsfunktion, i.e. operating equipment with a safety function, with a risk reduction factor of at most 10)
SIL-1#:   ‘Can alternatively be implemented as SIL-0’ (in the original: Alternativ ist eine Realisierung in SIL 0 möglich)

Clearly there are differences in terminology, and even open definitions, between the standards. Put simply, these are ‘low integrity safety functions’ with a required risk reduction factor of no more than 10 (RRF ≤ 10, i.e. PFDavg ≥ 0.1, which lies below the SIL 1 band of IEC 61511-1). It is also clear that such functions do not need to be implemented in the safety system. IEC 61511-1 Ed. 2 (the latest version, 2016) has dropped the earlier explicit recommendation to physically separate safety and non-safety systems. However, there are still valid operational and financial reasons to avoid ‘overloading’ a high-integrity safety system with trip and shutdown functions that can be carried out with adequate reliability by the control system while still meeting the risk acceptance criteria.
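As an added worked example (not code from the original page or from PSC), the following Python script carries out a LOPA-style allocation for a handful of constructed scenarios: it computes the risk reduction that a new protection layer must provide, maps that RRF to a target category, and decides whether the function must go into the SIS or can be a BPCS protection layer. The scenario figures, layer names and function names are assumptions made for illustration; the PFDavg bands are the demand-mode bands of IEC 61511-1, and the RRF ceiling of 10 for a BPCS layer is the figure VDI/VDE 2180-1 attaches to SIL-0. Note how the boundary is handled: SIL 1 requires PFDavg < 0.1, so an RRF of exactly 10 still falls below SIL 1.

```python
"""LOPA-style target SIL allocation, including the 'below SIL 1' case.

Added example, not from the original page or from PSC. The scenario
figures are constructed for illustration. The PFDavg bands are the
demand-mode bands of IEC 61511-1; the RRF ceiling of 10 for a BPCS
protection layer is the figure VDI/VDE 2180-1 attaches to SIL-0.
"""
from dataclasses import dataclass, field

# Demand-mode bands from IEC 61511-1: (SIL, lower PFDavg inclusive, upper PFDavg exclusive).
SIL_BANDS = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]

# Maximum risk reduction creditable to a single BPCS protection layer (PFDavg 0.1).
BPCS_MAX_RRF = 10.0


@dataclass
class Scenario:
    """One HAZOP scenario with the layers that already exist (before any new SIF)."""
    name: str
    initiating_event_freq: float          # initiating events per year
    tolerable_freq: float                 # tolerable frequency of the consequence per year
    existing_ipls: dict = field(default_factory=dict)  # IPL name -> PFDavg credited

    def mitigated_freq(self) -> float:
        """Event frequency after the existing independent protection layers."""
        freq = self.initiating_event_freq
        for pfd in self.existing_ipls.values():
            freq *= pfd
        return freq

    def required_rrf(self) -> float:
        """Risk reduction a new protection layer must add to reach the tolerable frequency."""
        return self.mitigated_freq() / self.tolerable_freq


def allocate_sil(rrf: float) -> str:
    """Map a required RRF to the category used on this page.

    RRF <= 1      : risk already tolerable, 'no safety requirements' (the '—' entry).
    1 < RRF <= 10 : below the SIL 1 band, i.e. SIL-a / SIL-0; a BPCS protection
                    layer may be sufficient.
    RRF > 10      : SIL 1..4 by the IEC 61511-1 PFDavg bands (SIL 1 starts at
                    PFDavg < 0.1, so RRF exactly 10 still falls below SIL 1,
                    matching VDI's 'maximum 10').
    """
    if rrf <= 1.0:
        return "none"
    if rrf <= BPCS_MAX_RRF:
        return "SIL-0"
    pfd_target = 1.0 / rrf
    for sil, lower, upper in SIL_BANDS:
        if lower <= pfd_target < upper:
            return f"SIL-{sil}"
    return "beyond SIL 4"   # a single SIF cannot carry this; the design needs more layers


def needs_sis(category: str) -> bool:
    """True when the function must be implemented in the safety instrumented system."""
    return category not in ("none", "SIL-0")


def bpcs_claim_is_valid(claimed_rrf: float) -> bool:
    """A function implemented in the BPCS may not be credited with more than RRF 10."""
    return 0.0 < claimed_rrf <= BPCS_MAX_RRF


# Constructed scenarios (not real plant data); all frequencies are per year.
SCENARIOS = [
    Scenario("High level in buffer drum", 0.1, 2.5e-4, {"relief valve": 0.01}),
    Scenario("Loss of cooling, reactor", 0.1, 2.5e-3),
    Scenario("Overpressure on compressor discharge", 1.0, 2.5e-4, {"alarm + operator": 0.1}),
]


def main() -> None:
    for s in SCENARIOS:
        rrf = s.required_rrf()
        cat = allocate_sil(rrf)
        where = "SIS" if needs_sis(cat) else "BPCS protection layer"
        print(f"{s.name:40s} required RRF = {rrf:8.1f}  target = {cat:12s} -> {where}")


if __name__ == "__main__":
    main()
```

The first constructed scenario lands at an RRF of about 4, the case this page is about: the trip is still a safety function, but it sits below SIL 1 and can be carried by the control system provided it is never credited with more than the RRF 10 ceiling (bpcs_claim_is_valid) and is managed under the enhanced requirements discussed below.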

So how should such functions be implemented in practice? IEC 61511-1 Ed. 2, issued in 2016, gives general requirements for functions implemented as a BPCS protection layer, i.e. in the process control system. The latest version of VDI/VDE 2180-1, issued in 2018, gives more detailed guidelines, including ‘enhanced requirements’ for the management of such functions (analogous to the functional safety management requirements of IEC 61511). These cover details such as:

  • Safety and quality management
  • Independence of safety and control functions
  • Documentation
  • Management of change
  • IT-Security
  • Periodic testing

Similar requirements are given in the UK HSE recommendation OG-00046, ‘Management of Instrumented Systems Providing Safety Functions of Low / Undefined Safety Integrity’.

While VDI/VDE 2180-1 covers management and testing requirements, there are as yet no clear guidelines on how such functions should be physically configured in the control system, in particular with regard to guaranteeing their independence from normal control functions. NAMUR is in the process of finalising a new recommendation (NE 165, PLT-Betriebseinrichtungen mit Sicherheitsfunktion, i.e. process control equipment with safety function), which is expected to be available in early 2019. It is expected to give detailed recommendations on control system configuration to ensure that such low integrity safety functions are implemented independently. Here is an interesting blog on the subject: NAMUR: Process control elements (PCEs) with protective functions

PSC provides analysis and engineering services according to IEC 61511 to define SIL requirements for safety functions and to provide optimum SIF designs considering lifetime O&M costs. Please download our FSM brochure.