Functional safety plays a key role in all process plants and the chemical industry has especially high requirements for the protection of people and the environment. Designing a standard-compliant safety circuit is no trivial matter. The best way to achieve this is with prudent design principles and reliable SIL data that can be used for calculations. We are happy to guide you during the risk assessment and also support you in the implementation with our tried-and-tested components and redundant systems.
To ensure that a system does not become a danger to people and the environment in the event of an emergency, you must design it systematically for functional safety. The SIL specifications are therefore a key criterion for plant engineering and construction, especially in the chemical process industry.
SIL stands for safety integrity level. It is an international measure used to classify the functional safety of a system. There are four such levels, from SIL1 to SIL4; SIL4 covers the highest risk and therefore requires the strictest measures. In practice this means that you use the failure probabilities of the components to perform an accurate risk assessment, take measures to minimize the residual risk, select suitable devices and finally verify in recurring tests that the SIL functions still perform correctly.
The SIL classification is based on two international standards: IEC 61508 and IEC 61511.
IEC 61508 (“Functional Safety of Electrical/Electronic/Programmable Electronic Safety Systems”) is the basic standard. It describes how to assess risks and the measures required to design suitable safety functions. It therefore also includes the requirements for the individual components of the safety circuit: sensors such as pressure sensors, temperature sensors and level gauges, the evaluation and output unit, and automated process valves.
IEC 61511 (“Functional Safety – Safety Instrumented Systems for the Process Industry Sector”) applies specifically to process automation. This mainly focuses on low-demand applications with lower requirements, which are standard practice. Among other things, IEC 61511 contains the selection criteria for sensors and actuators, for example in terms of operational reliability.
As the installer or operator of a plant that could endanger employees, residents, or the environment, you must keep the risk as low as possible. The IEC standards 61508 and 61511 prescribe four key steps for this:
1. Risk definition and assessment: You start by determining the respective failure probabilities for all components, from the sensor to the controller to the actuator, for the entire service life of the plant.
2. Definition and implementation of measures: You define and implement suitable measures to minimize the residual risk.
3. Use of suitable devices: The prerequisite for a successful SIL circuit test of your plant is components and assemblies that are suitable for the respective level and certified where necessary.
4. Recurring test: The operator monitors correct compliance with the safety functions at defined intervals.
What potential hazard does my plant pose? Every engineer of a process plant in the chemical industry must ask this question. A risk graph in accordance with IEC 61508 and 61511, which combines four defined parameters into a decision tree, helps to answer it:
1. Severity of damage (S): How serious are the foreseeable consequences?
2. Frequency and exposure time (F): How often and for how long are people in the danger zone?
3. Avoiding/mitigating the danger (P): Can I prevent or contain the event?
4. Likelihood of occurrence (W): How often do I have to expect an incident?
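The four parameters above are combined by walking a decision tree and reading the required SIL from the resulting column. The following is an added illustrative implementation, not Festo's tool and not the normative table of either standard: the path rule (S1 goes straight to the first column, every step up in S, F or P moves one column to the right) and the per-column outcomes are an assumed calibration in the style of the example risk graph in IEC 61511-3 Annex D. A real assessment must use the risk graph calibrated and agreed for the plant; the scenarios at the bottom are constructed.

```python
"""Risk graph walk (constructed, illustrative calibration; see lead-in)."""

# Outcome per (column X1..X6, likelihood class W):
#   "-" no requirement, "a" no special safety requirement,
#   1..4 required SIL, "b" one safety function alone is not sufficient.
OUTCOME = {
    1: {"W3": "a", "W2": "-", "W1": "-"},
    2: {"W3": 1,   "W2": "a", "W1": "-"},
    3: {"W3": 2,   "W2": 1,   "W1": "a"},
    4: {"W3": 3,   "W2": 2,   "W1": 1},
    5: {"W3": 4,   "W2": 3,   "W1": 2},
    6: {"W3": "b", "W2": 4,   "W1": 3},
}


def risk_graph_column(s, f, p):
    """Walk the decision tree: severity S1..S4, exposure F1/F2, avoidance P1/P2.

    Assumed path rule (illustrative): S1 ends in X1 regardless of F and P;
    otherwise each higher class of S, F or P moves one column to the right,
    capped at X6.
    """
    for name, value, hi in (("S", s, 4), ("F", f, 2), ("P", p, 2)):
        if not 1 <= value <= hi:
            raise ValueError(f"{name}{value} is not a valid class")
    if s == 1:
        return 1
    return min(6, (s - 1) + (f - 1) + (p - 1) + 1)


def required_sil(s, f, p, w):
    """Return the outcome for one hazard: "-", "a", 1..4 or "b"."""
    if w not in (1, 2, 3):
        raise ValueError(f"W{w} is not a valid class")
    return OUTCOME[risk_graph_column(s, f, p)][f"W{w}"]


def assess(scenarios):
    """Evaluate (label, S, F, P, W) tuples and return {label: outcome}."""
    return {label: required_sil(s, f, p, w) for label, s, f, p, w in scenarios}


# Constructed hazards for a hypothetical reactor section (not real plant data).
SCENARIOS = [
    ("minor leak, area rarely occupied",        1, 1, 1, 2),
    ("toxic release, operators present",        3, 2, 2, 2),
    ("runaway reaction, no possibility to flee", 4, 2, 2, 3),
]

if __name__ == "__main__":
    for label, outcome in assess(SCENARIOS).items():
        print(f"{label}: {outcome}")
```

Each parameter is validated before the walk, and an outcome of "b" signals that the hazard must be reduced by other means (process changes, structural measures) rather than by a single instrumented safety function.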
Practical experience shows that safety-relevant risks are usually in the details and often only come to light during operation. A systematic analysis can already identify such weaknesses during planning. At Festo, we support you with a guideline-compliant risk assessment and functional safety solutions tailored to your needs – whether through complete system solutions, carefully planned automation concepts or individual components. Please feel free to consult us during this phase.
Four discrete levels (SIL1 to SIL4): the higher the SIL of a safety-related system, the lower the probability that the system will be unable to execute the necessary safety functions.
The systematic risk assessment of your plant also reveals which factors drive SIL requirements upwards. Some of these, for example the production location, are a given. Others are factors that can be adjusted.
The first thing to look at is the probability of failure. You can significantly increase availability and reliability first and foremost through fault-tolerant components and redundantly designed systems. Depending on the process, even solutions in which individual components can be tested and replaced during operation can be useful.
The structural safety measures, for example pressure relief systems, depend on the actual production in each case. In principle it is possible to consider how the processes can be made as low risk as possible. Structural measures and precautions also belong here, for example ventilation, overfill protection (e.g., in the case of acid tanks) or concrete casing (in the case of explosion hazard).
Choosing devices and components with proven performance that ensure a long and reliable service life of the plant is also recommended. This includes temperature-resistant, acid-resistant and corrosion-protected materials. In addition, we have developed standard-compliant solutions for almost all individual processes which have proven their worth in the chemical and electrochemical industries - from the valve terminal with integrated shutdown to the highly reliable 2oo3 actuator.
Once the required safety integrity level has been determined, every individual part of the SIL circuit must also reach this level. This means that, as an engineer, you need devices and components with the necessary SIL suitability. Proof is required for this:
You will find all SIL certificates and manufacturer’s declarations for our products by entering the product type or part number in the search bar and on the product detail page under “Downloads and media".
The safety functions of your plant must undergo testing at regular intervals. This is required by the statutory provisions of the Ordinance on Industrial Health and Safety or by accident prevention regulations; under certain circumstances, local legal requirements also apply. The primary purpose of the SIL recurring test is to prevent personal injury, property damage and environmental damage, but it also ensures system reliability by preventing unplanned downtimes and, finally, gives the engineers legal certainty: in the event of damage, these tests can prove that the malfunction was not caused by device or design defects.
The test intervals are set by the operator. The risk assessment is performed, among other factors, on the basis of the safety characteristics of the individual SIL components. On the design side, durable solutions that can be exchanged without interruption when emergencies happen can be very beneficial. We are happy to give you recommendations on test intervals for our products.
Product data sheets, certificates and model calculations on functional safety use a series of key figures and terms. Here are the most important for the SIL calculation:
An SIL circuit generally consists of three segments: the sensor, the evaluation and control unit, and the actuator (the chain from sensor to controller to actuator described in the four steps above).
The distribution of the failure probabilities to the subsystems of a safety function is as follows for single-channel systems: the greatest weight is given to the SD failure rate of the actuators.
All failure probabilities required for the SIL calculation can be found in the manufacturer’s declarations or certificates (highlighted in blue). They are used to calculate the total probability of failure (the values highlighted in gray) according to the SIL.
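To show how the subsystem failure probabilities from the manufacturer's declarations add up to the total probability of failure and then map to a SIL, here is an added calculation example that is not part of the Festo page. It uses the simplified low-demand approximations of the beta-factor model (1oo1: λ_DU·T/2; 1oo2: (λ_DU·T)²/3 + β·λ_DU·T/2; 2oo2: λ_DU·T; 2oo3: (λ_DU·T)² + β·λ_DU·T/2) and the low-demand PFDavg bands of IEC 61508-1; the failure rates, the one-year proof-test interval and the β of 5 % are constructed values, not data-sheet figures.

```python
"""Low-demand PFDavg budget of one safety function (constructed example).

lam_du  : dangerous undetected failure rate per hour (assumed values below)
t_proof : proof-test interval in hours
beta    : common-cause fraction for redundant channels (beta-factor model)
The formulas are the usual simplified approximations, assumed here for
illustration; a real calculation uses the certified device data.
"""
HOURS_PER_YEAR = 8760


def pfd_avg(architecture, lam_du, t_proof_h, beta=0.0):
    """Average probability of failure on demand for one subsystem."""
    x = lam_du * t_proof_h  # expected dangerous undetected failures per interval
    if architecture == "1oo1":
        return x / 2
    if architecture == "1oo2":
        return x * x / 3 + beta * x / 2
    if architecture == "2oo2":
        return x  # both channels must work: roughly twice the 1oo1 value
    if architecture == "2oo3":
        return x * x + beta * x / 2
    raise ValueError(f"unknown architecture {architecture!r}")


# Low-demand SIL bands (PFDavg), lower bound inclusive, upper bound exclusive.
SIL_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))


def sil_from_pfd(pfd):
    """Return the achieved SIL for a low-demand PFDavg, or None if outside the table."""
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return None


def loop_budget(subsystems):
    """subsystems: {name: (architecture, lam_du, t_proof_h, beta)}.

    Returns (total PFDavg, achieved SIL, {name: share of the total}).
    """
    parts = {name: pfd_avg(*spec) for name, spec in subsystems.items()}
    total = sum(parts.values())
    shares = {name: value / total for name, value in parts.items()}
    return total, sil_from_pfd(total), shares


# Constructed device data: single-channel loop, yearly proof test.
T = HOURS_PER_YEAR
LOOP_SINGLE = {
    "sensor":   ("1oo1", 1e-7, T, 0.0),
    "logic":    ("1oo1", 1e-8, T, 0.0),
    "actuator": ("1oo1", 5e-7, T, 0.0),
}
# Same loop with a 1oo2 actuator arrangement and an assumed beta of 5 %.
LOOP_REDUNDANT_ACTUATOR = dict(LOOP_SINGLE, actuator=("1oo2", 5e-7, T, 0.05))

if __name__ == "__main__":
    for label, loop in (("single-channel", LOOP_SINGLE),
                        ("1oo2 actuator", LOOP_REDUNDANT_ACTUATOR)):
        total, sil, shares = loop_budget(loop)
        print(f"{label}: PFDavg={total:.2e} -> SIL{sil}, "
              f"actuator share={shares['actuator']:.0%}")
```

With these numbers the single-channel loop reaches SIL2 and the actuator alone accounts for over 80 % of the budget, which is exactly why the text above puts the greatest weight on the actuators; making only the actuator redundant brings the same loop into the SIL3 band.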
The higher the required safety level of a plant, the higher the level of independence the standard demands of the body that assesses functional safety. According to IEC 61511, manufacturer's declarations are perfectly adequate up to SIL2. From SIL3 upwards, the certificate must be issued by an independent organization.
Safety integrity level - assessing body
SIL1 - independent person
SIL2 - independent department
SIL3 - independent organization
SIL4 - independent organization
The SIL certificates and SIL manufacturer’s declaration for Festo products can be found on the respective product detail page under “Downloads and media”, category "certificates".
Festo has the right redundant actuator for every safety requirement:
Redundant NAMUR block (1oo2, 2oo2): The NAMUR block permits the installation of two air solenoid valves with a NAMUR port pattern which are wired redundantly via the NAMUR interface. The blocks are available in fail-safe function (1oo2) or with increased availability (2oo2). You can mount the block directly on quarter turn actuators via the interface. Separate installation with suitable piping is also possible.
Redundant inline pneumatic valves (1oo2, 2oo2): With these compact systems, Festo is drawing on the tried-and-tested VOFD valve technology. The pneumatic valve’s redundant circuit ensures a redundant fail-safe function (1oo2) or provides increased availability (2oo2) for automated process valves. Thanks to the Ematal coating, these pneumatic valves meet the highest safety standards in process engineering and can withstand the toughest of ambient conditions.
Combined valve block (2oo3): The 2oo3 system combines both technologies, therefore providing the highest level of safety and availability. This valve block is an inline variant that is integrated into your plant. The installed standards-based valves are defined and mounted on the block via the NAMUR interface in accordance with VDI/VDE 3845. This means that the block is installed once; only the pneumatic valves are replaced via the interface according to a service life/safety lifecycle plan. In addition, with this system the functions of the four pneumatic valves can be bypassed so that maintenance can take place during operation. The pressure gauge, mounted directly on the valve block, always gives a reliable and swift indication of whether a pneumatic valve is pressurized.
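The difference between "fail-safe (1oo2)", "increased availability (2oo2)" and the 2oo3 combination comes down to how the channel votes are combined. The following added simulation is not Festo's code and says nothing about the internals of the products above; it assumes a de-energize-to-trip arrangement in which each channel is one solenoid valve, and two constructed fault types: a channel that stays energized despite a trip command ("stuck", a dangerous failure) and one that de-energizes without a demand ("spurious", a safe but disruptive failure).

```python
"""Voting behaviour of KooN solenoid-valve arrangements (constructed example).

A channel "votes trip" when it is de-energized, which vents the actuator.
Fault models assumed for illustration:
  "stuck"    - channel never de-energizes (dangerous failure)
  "spurious" - channel de-energizes without a demand (spurious trip)
"""

# architecture -> (votes needed to trip, number of channels)
ARCHITECTURES = {"1oo2": (1, 2), "2oo2": (2, 2), "2oo3": (2, 3)}


def channel_votes(demand, faults):
    """Return one boolean per channel: True = that channel is de-energized."""
    votes = []
    for fault in faults:
        if fault == "stuck":
            votes.append(False)        # ignores the trip command
        elif fault == "spurious":
            votes.append(True)         # trips although there is no demand
        elif fault is None:
            votes.append(demand)       # healthy channel follows the demand
        else:
            raise ValueError(f"unknown fault model {fault!r}")
    return votes


def output_trips(architecture, demand, faults):
    """True when at least K of the N channels are de-energized."""
    k, n = ARCHITECTURES[architecture]
    if len(faults) != n:
        raise ValueError(f"{architecture} needs {n} channel states, got {len(faults)}")
    return sum(channel_votes(demand, faults)) >= k


def classify(architecture, demand, faults):
    """Name the outcome of one scenario from a safety and an availability view."""
    tripped = output_trips(architecture, demand, faults)
    if demand and tripped:
        return "safe trip"
    if demand and not tripped:
        return "DANGEROUS: fails to trip"
    if not demand and tripped:
        return "spurious trip (availability loss)"
    return "normal operation"


def compare(demand, single_fault):
    """Apply the same single-channel fault to all three arrangements."""
    result = {}
    for architecture, (_, n) in ARCHITECTURES.items():
        faults = [single_fault] + [None] * (n - 1)
        result[architecture] = classify(architecture, demand, faults)
    return result


if __name__ == "__main__":
    print("one channel stuck, real demand:   ", compare(True, "stuck"))
    print("one channel spurious, no demand:  ", compare(False, "spurious"))
```

Run as a script, the first line shows that 1oo2 and 2oo3 still trip with one stuck channel while 2oo2 does not; the second shows that 2oo2 and 2oo3 ride through one spurious channel while 1oo2 trips the plant. Only the 2oo3 arrangement passes both scenarios, which is the property the text describes as combining safety and availability.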