SIL in the process industry

Functional safety plays a key role in every system that you design and build for the process industry. The requirements in the chemical industry for the protection of people and the environment are especially demanding, and designing a safety circuit that complies with the standards is no trivial matter. The best way to achieve this is with prudent design principles and reliable SIL data that can be used for calculations. We will be happy to provide you with the required documentation for your risk assessment and will support you during the implementation with our tried-and-tested components and redundant systems.

Safety integrity level (SIL)

To ensure that a system doesn't become a danger to people and the environment in the event of an emergency, you need to take a systematic approach to functional safety when designing it. The SIL specifications are therefore a key criterion when building systems, especially in the chemical process industry.

SIL stands for ‘safety integrity level’. It is an international measure used to classify the functional safety of a system. There are four levels, from SIL1 up to SIL4, with SIL4 corresponding to the highest risk and thus requiring the strictest measures. In practice, this means that you use the failure probabilities of the components to carry out an accurate risk assessment, take measures to minimise the residual risk, select suitable devices and finally conduct regular tests and inspections to ensure that the SIL functions remain compliant.

SIL safety standards

The SIL classification is based on two international standards: IEC 61508 and IEC 61511.

IEC 61508 ("Functional safety of electrical/electronic/programmable electronic safety-related systems") is the basic standard. It describes how to assess risks and the measures required to design suitable safety functions. It therefore also includes the requirements for the individual components of the safety circuit. These include sensors such as pressure sensors, temperature sensors and level gauges, the evaluation and output unit as well as automated process valves.

IEC 61511 ("Functional safety – safety instrumented systems for the process industry sector") applies specifically to process automation. This mainly focuses on low-demand applications with lower requirements, which are the most common in practice. It contains, among other things, the selection criteria for sensors and actuators, for example in terms of operational reliability.

SIL procedure in four steps

As the installer or operator of a system that could endanger employees, residents or the environment, you must keep the risk as low as possible. The IEC standards 61508 and 61511 prescribe four key steps to do this:

1. Risk definition and assessment: You start by determining the failure probabilities for all components, from the sensor to the controller and the actuator, for the entire service life of the system.

2. Determination and implementation of measures: You define and implement suitable measures to minimise the residual risk.

3. Use of appropriate devices: For a successful SIL circuit inspection of your system, you must have components and component groups that are suitable for a particular level and that are certified, if necessary.

4. Recurring tests and inspections: The operator monitors correct compliance with the safety functions at specific intervals.

1. Risk definition and assessment

What potential hazard does my system pose? Every engineer of a process plant in the chemical industry must ask this question. A risk graph that combines four defined parameters into a decision tree in accordance with IEC 61508 and 61511 can help to find the answer:

1. Severity of damage (S): How serious are the foreseeable consequences?

2. Frequency of exposure (F): How often and how long are people in the danger zone?

3. Avoiding/mitigating the danger (P): Can I prevent or contain the event?

4. Probability of occurrence (W): How often do I have to expect an incident?

Practical experience shows that safety-relevant risks are mostly about the details and often only come to light during operation. Such weaknesses can be identified using a systematic analysis as early as the planning stage. At Festo, we support you with risk assessments that are compliant with the standards and functional safety solutions that are tailored to your needs, whether through complete system solutions, carefully thought-out automation concepts or individual components. Please feel free to ask us for advice during this phase.

2. Definition and implementation of measures

The systematic risk assessment of your system also reveals which factors drive up SIL requirements. Some of these are fixed, for example the production location. Others are factors that you can alter.

The first thing to look at is the probability of failure. You can significantly increase availability and reliability by focusing first and foremost on fault-tolerant components and redundant systems. Depending on the process, even solutions that enable individual components to be tested and replaced during operation can be useful.

The structural safety measures, for example pressure relief systems, always depend on the individual, specific production scenario. In general, you should consider how the processes can be made as low risk as possible. Your considerations should include structural measures and precautions, for example exhaust, overfill protection (for instance for acid tanks) or concrete casing (in the case of an explosion hazard).

Choosing devices and components with a proven performance which will guarantee a long and reliable service life for the system is also recommended. This includes temperature-resistant, acid-resistant and corrosion-protected materials. In addition, we have developed standard-compliant solutions for almost all individual processes which have proven their worth in the chemical and electrochemical industries, from valve terminals with integrated switch-off to the highly reliable 2oo3 control.

3. Suitable devices

Once the required safety integrity level has been determined, every individual part of the SIL circuit must also achieve this level. This means that, as an engineer, you need devices and components with a suitable SIL level. You need to be able to prove this using:

  • Manufacturer’s declaration: the manufacturers rate their devices themselves up to SIL2. For SIL1, an independent person performs the technical assessment; for a SIL2 classification, it is performed by an independent department.
  • Certificate: for SIL3 and above, each device used in a safety circuit must be certified by an independent institution in accordance with IEC 61508. In Germany, this could be the German Technical Control Board (TÜV) or Exida, for example.

You can find all SIL certificates and manufacturer’s declarations for our products by entering the product type or part number in the search box at the top of the page and on the product detail page in the ‘Product Support’ section.

4. Recurring tests and inspections

The safety functions of your system must be checked at regular intervals. This is required by the statutory provisions of the German Ordinance on Industrial Health and Safety or by accident prevention regulations. Under certain circumstances, local legal requirements also apply. The primary purpose of the recurring SIL tests is to prevent personal injury and damage to property and the environment, but they are also intended to ensure system reliability by preventing unplanned downtime and, last but not least, to give the engineers legal certainty. In the event of damage, these tests can prove that the malfunction was not caused by device or design defects.

The test intervals are set by the operator. The risk assessment is based on the safety characteristics of the individual SIL components, as well as other factors. From a design perspective, it can be very beneficial to have durable solutions that, if necessary, can be exchanged without interrupting operations. We would be happy to provide you with recommendations for our products.

SIL FAQ: Questions and answers

What do the codes on the SIL certificate mean?

Product datasheets, certificates and model calculations for functional safety use a series of reference data and terms. Here are the most important ones for the SIL calculation:

  • λ (failure rate), with the following subscripts: S for the overall rate of safe failures; SD for the rate of safe, detected failures; SU for the rate of safe, undetected failures; D for the overall rate of dangerous failures; DD for the rate of dangerous, detected failures; and DU for the rate of dangerous, undetected failures.

  • Device types: A is the code for a device for which the failure behaviour of all components used and the failure characteristics are adequately determined, e.g. through operational reliability. Device type B, on the other hand, means that the failure behaviour of at least one component used and the behaviour in the event of a failure are not adequately determined.

  • HFT (hardware failure tolerance): the ability to continue to execute the required function in the event of faults and deviations. With HFT0, a single fault can result in the loss of the safety function (e.g. in 1oo1 circuits). With HFT1, a safety loss only occurs if at least two faults occur simultaneously (e.g. in 1oo2 circuits). With HFT2, at least three faults must occur simultaneously (e.g. 1oo3 circuits).

  • High demand: operating mode with a high frequency of demands or continuous demands to activate the safety system. It operates continuously or its activation is demanded more than once a year.

  • Low demand: operating mode with a low frequency of demands to activate the safety system. Activation is demanded no more than once a year.

  • MTBF (mean time between failures): the mean time between two successive failures.

  • PFD (probability of failure on demand): the probability that a safety function will fail in low-demand mode (fewer than 10 demands per year).

  • PFH (probability of failure per hour): the probability that a safety function will fail in high-demand or continuous mode (more than 10 demands per year).

  • SFF (safe failure fraction): the proportion of safe failures out of the total number of failures.

What does a safety system consist of?

A SIL circuit generally consists of three segments:

  • Sensors (e.g. pressure sensors, temperature sensors and level gauges)
  • Evaluation and output unit (e.g. safety PLC)
  • Automated process valve unit comprising solenoid valve, actuator and process valve

What is the PFD/PFH distribution for the subsystems?

For single-channel systems, the failure probability of a safety function is distributed across its subsystems (sensors, evaluation and output unit, actuators); the greatest weight is given to the SD failure rate of the actuators.

Where can I find the values for the SIL calculation?

All failure probabilities required for the SIL calculation can be found in the manufacturer’s declarations or certificates (highlighted in blue). You can use these to calculate the total probability of failure of the safety function (the values highlighted in grey) and thus its SIL.

Figure: SIL calculation
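As an added worked example (not Festo's own tool and not part of the original page), the following Python script ties the FAQ terms together: it computes the SFF from the λ subscripts, applies the IEC 61508 Route 1H architectural-constraint tables for device type and HFT, sums the simplified PFDavg of the sensor, evaluation unit and valve subsystems, and reports the achievable SIL. The failure rates, the one-year proof-test interval and the simplified formulas (common-cause factor omitted) are assumptions.

```python
"""Added worked example: low-demand SIL check using the simplified IEC 61508 relations.
Route 1H architectural constraints; PFDavg ~ l_du*T/2 (1oo1) or (l_du*T)^2/3 (1oo2),
common-cause factor omitted. All failure rates and the proof-test interval are constructed."""
from dataclasses import dataclass

# IEC 61508-1 low-demand bands: (PFDavg lower bound inclusive, upper bound exclusive, SIL)
PFD_BANDS = [(1e-5, 1e-4, 4), (1e-4, 1e-3, 3), (1e-3, 1e-2, 2), (1e-2, 1e-1, 1)]
# IEC 61508-2 Route 1H: per SFF band, the maximum SIL for HFT 0, 1, 2 (0 = not permitted)
SFF_BANDS = [(0.0, 0.60), (0.60, 0.90), (0.90, 0.99), (0.99, 1.01)]
ROUTE_1H = {"A": [(1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4)],
            "B": [(0, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4)]}

@dataclass
class Subsystem:
    name: str
    dev_type: str   # "A" or "B", see "Device types" above
    l_sd: float     # lambda SD, SU, DD, DU in failures per hour
    l_su: float
    l_dd: float
    l_du: float
    hft: int        # 0 for a 1oo1 channel, 1 for a 1oo2 arrangement

    def sff(self) -> float:
        # Safe failure fraction: everything except dangerous undetected failures
        safe_or_detected = self.l_sd + self.l_su + self.l_dd
        return safe_or_detected / (safe_or_detected + self.l_du)

    def max_sil_by_architecture(self) -> int:
        band = next(i for i, (lo, hi) in enumerate(SFF_BANDS) if lo <= self.sff() < hi)
        return ROUTE_1H[self.dev_type][band][self.hft]

    def pfd_avg(self, proof_test_h: float) -> float:
        x = self.l_du * proof_test_h
        return x / 2 if self.hft == 0 else x * x / 3

def sil_from_pfd(pfd: float) -> int:
    return next((sil for lo, hi, sil in PFD_BANDS if lo <= pfd < hi), 0)

def assess(loop, proof_test_h):
    """(achievable SIL, total PFDavg): PFD summed over the segments, SIL capped by the weakest subsystem."""
    pfd_total = sum(s.pfd_avg(proof_test_h) for s in loop)
    return min([sil_from_pfd(pfd_total)] + [s.max_sil_by_architecture() for s in loop]), pfd_total

# Constructed data for a pressure sensor, safety PLC and process valve; proof test once a year (8760 h)
SENSOR = Subsystem("pressure sensor", "B", 1e-7, 2e-7, 3e-7, 5e-8, hft=0)
LOGIC = Subsystem("safety PLC", "B", 2e-8, 1e-8, 5e-8, 1e-9, hft=1)
VALVE_1OO1 = Subsystem("process valve 1oo1", "A", 5e-7, 2e-7, 0.0, 3e-7, hft=0)
VALVE_1OO2 = Subsystem("process valve 1oo2 (redundant)", "A", 5e-7, 2e-7, 0.0, 3e-7, hft=1)
```

With these constructed values, assess([SENSOR, LOGIC, VALVE_1OO1], 8760) gives a loop PFDavg of about 1.5e-3 (SIL2), dominated by the valve; swapping in VALVE_1OO2 lowers the PFDavg to about 2.2e-4 (the SIL3 band), yet the loop stays at SIL2 because the 1oo1 type B sensor's architectural limit caps it.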

When are certificates required?

The higher the required safety level of a system, the higher the level of independence that the standard requires for the body assessing the functional safety. According to IEC 61511, manufacturer’s declarations are perfectly adequate up to SIL2. For SIL3 and above, the certificate must be issued by an independent organisation such as TÜV or Exida.

Safety integrity level and required assessing body:

  • SIL1: independent person
  • SIL2: independent department
  • SIL3: independent organisation
  • SIL4: independent organisation

Where are the SIL certificates?

You can find all SIL certificates and SIL manufacturer’s declarations for Festo products on the relevant product detail page in the "Certificates" category of the "Product Support" section.

How can I control actuators redundantly?


What SIL redundancy solutions does Festo have?

Figure: redundant valve block

Festo can offer you the right redundant control for every safety requirement:

Redundant NAMUR block (1oo2, 2oo2): the NAMUR block enables two solenoid valves with a NAMUR connection pattern to be installed, which are wired redundantly via the NAMUR interface. The blocks are available in fail-safe function (1oo2) or with increased availability (2oo2). You can mount the block directly on quarter turn actuators using the interface. Separate installation with suitable piping is also possible.

Redundant inline valves (1oo2, 2oo2): in these compact systems, Festo uses the tried-and-tested VOFD valve technology. The valve’s redundant circuit ensures a redundant fail-safe function (1oo2) or provides increased availability (2oo2) for automated process valves. Thanks to the Ematal coating, these valves meet the highest safety standards in process engineering and can withstand the toughest of ambient conditions.

Combined valve block (2oo3): the 2oo3 system combines both technologies, therefore providing the highest level of safety and availability. This valve block is an in-line variant that is integrated into your system. The installed standard valves are defined and mounted on the block via the NAMUR interface in accordance with VDI/VDE 3845. This means that the block is installed once; only the valves are replaced via the interface according to a service life/safety lifecycle plan. With this system, you can also bypass the functions of the four valves so that maintenance can be performed during operation. The pressure indicators mounted directly on the valve block always give a reliable and swift indication if a valve is pressurised.

Who else should know about this?

Why not discuss this with your specialists before deciding on Festo? Just share our recommended solutions and application examples using this link.