Functional safety plays a key role in every system that you design and build for the process industry. And the requirements in the chemical industry for the protection of people and the environment are especially demanding. Designing a safety circuit that complies with standards is no trivial matter. The best way to achieve this is with prudent design principles and reliable SIL data that can be used for calculations. We will be happy to guide you during the risk assessment and to support you during implementation with our tried-and-tested components and redundant systems.
To ensure that a system doesn't become a danger to people and the environment in the event of an emergency, you need to take a systematic approach to functional safety when designing it. The SIL specifications are therefore a key criterion when building systems, especially in the chemical process industry.
SIL stands for ‘safety integrity level’. It is an international measure used to classify the functional safety of a system. There are four levels, from SIL1 up to SIL4, with SIL4 corresponding to the highest risk and thus requiring the strictest measures. In practice, this means that you use the failure probabilities of the components to carry out an accurate risk assessment, take measures to minimise residual risk, select suitable devices and finally conduct regular tests and inspections to ensure compliance with the SIL functions.
The SIL classification is based on two international standards: IEC 61508 and IEC 61511.
IEC 61508 (‘Functional safety of electrical/electronic/programmable electronic safety-related systems’) is the basic standard. It describes how to assess risks and the measures required to design suitable safety functions. It therefore also includes the requirements for the individual components of the safety circuit. These include sensors such as pressure sensors, temperature sensors and level gauges, the evaluation and output unit as well as automated process valves.
IEC 61511 (‘Functional safety – safety instrumented systems for the process industry sector’) applies specifically to process automation. It focuses mainly on low-demand applications with lower requirements, which are the most common in practice. Among other things, it contains the selection criteria for sensors and actuators, for example in terms of operational reliability.
As the installer or operator of a system that could endanger employees, residents or the environment, you must keep the risk as low as possible. The IEC standards 61508 and 61511 prescribe four key steps to do this:
1. Risk definition and assessment: You start by determining the failure probabilities for all components, from the sensor to the controller and the actuator, for the entire service life of the system.
2. Determination and implementation of measures: You define and implement suitable measures to minimise the residual risk.
3. Use of appropriate devices: For a successful SIL circuit inspection of your system, you must have components and component groups that are suitable for a particular level and that are certified, if necessary.
4. Recurring tests and inspections: The operator monitors correct compliance with the safety functions at specific intervals.
What potential hazard does my system pose? Every engineer of a process plant in the chemical industry must ask this question. A risk graph that combines four defined parameters into a decision tree in accordance with IEC 61508 and 61511 can help to find the answer:
1. Severity of damage (S): How serious are the foreseeable consequences?
2. Frequency of exposure (F): How often and how long are people in the danger zone?
3. Avoiding/mitigating the danger (P): Can I prevent or contain the event?
4. Probability of occurrence (W): How often do I have to expect an incident?
Practical experience shows that safety-relevant risks are mostly about the details and often only come to light during operation. Such weaknesses can be identified using a systematic analysis as early as the planning stage. At Festo, we support you with risk assessments that are compliant with the standards and functional safety solutions that are tailored to your needs, whether through complete system solutions, carefully thought-out automation concepts or individual components. Please feel free to ask us for advice during this phase.
There are four discrete levels (SIL1 to SIL4). The higher the SIL of a safety-related system, the lower the probability that the system will be unable to execute the necessary safety functions.
The systematic risk assessment of your system also reveals which factors drive up SIL requirements. Some of these are fixed, for example the production location. Others are factors that you can alter.
The first thing to look at is the probability of failure. You can significantly increase availability and reliability by focusing first and foremost on fault-tolerant components and redundant systems. Depending on the process, even solutions that enable individual components to be tested and replaced during operation can be useful.
The structural safety measures, for example pressure relief systems, always depend on the individual, specific production scenario. In general, you should consider how the processes can be made as low risk as possible. Your considerations should include structural measures and precautions, for example exhaust, overfill protection (for instance for acid tanks) or concrete casing (in the case of an explosion hazard).
Choosing devices and components with proven performance that will guarantee a long and reliable service life for the system is also recommended. This includes temperature-resistant, acid-resistant and corrosion-protected materials. In addition, we have developed standard-compliant solutions for almost all individual processes which have proven their worth in the chemical and electrochemical industries, from valve terminals with integrated switch-off to the highly reliable 2oo3 control.
When determining the safety integrity level, the design of the SIL circuit must reach this level in every individual part. This means that, as an engineer, you need devices and components with a suitable SIL level, and you need to be able to prove this using SIL certificates or manufacturer’s declarations.
You can find all SIL certificates and manufacturer’s declarations for our products by entering the product type or part number in the search box at the top of the page and on the product detail page in the ‘Product Support' section.
The safety functions of your system must be checked at regular intervals. This is required by the statutory provisions of the German Ordinance on Industrial Health and Safety or by accident prevention regulations. Under certain circumstances, local legal requirements also apply. The primary purpose of the recurring SIL tests is to prevent personal injury and damage to property and the environment, but they are also intended to ensure system reliability by preventing unplanned downtime and, last but not least, to give the engineers legal certainty. In the event of damage, these tests can prove that the malfunction was not caused by device or design defects.
The test intervals are set by the operator. The risk assessment is based on the safety characteristics of the individual SIL components, as well as other factors. From a design perspective, it can be very beneficial to have durable solutions that, if necessary, can be exchanged without interrupting operations. We would be happy to provide you with recommendations for our products.
Product data sheets, certificates and model calculations for functional safety use a series of reference data and terms. Here are the most important for the SIL calculation:
A SIL circuit generally consists of three segments: the sensor, the controller (evaluation and output unit) and the actuator.
For single-channel systems, the failure probabilities are distributed across the subsystems of a safety function as follows: the greatest weight is given to the SD failure rate of the actuators.
All failure probabilities required for the SIL calculation can be found in the manufacturer’s declarations or certificates (highlighted in blue). You can use these to calculate the total probability of failure (the values highlighted in grey) according to the SIL.
The higher the required safety level of a system, the higher the level of independence that the standard requires for the body assessing the functional safety. According to IEC 61511, manufacturer’s declarations are perfectly adequate up to SIL2. For SIL3 and above, the certificate must be issued by an independent organisation such as TÜV or Exida.
Safety integrity level – assessing body
SIL1 – independent person
SIL2 – independent department
SIL3 – independent organisation
SIL4 – independent organisation
You can find all SIL certificates and SIL manufacturer’s declarations for Festo products on the relevant product detail page in the ‘Certificates’ category of the ‘Product Support' section.
Festo can offer you the right redundant control for every safety requirement:
Redundant NAMUR block (1oo2, 2oo2): the NAMUR block enables two solenoid valves with a NAMUR connection pattern to be installed, which are wired redundantly via the NAMUR interface. The blocks are available in fail-safe function (1oo2) or with increased availability (2oo2). You can mount the block directly on quarter turn actuators using the interface. Separate installation with suitable piping is also possible.
Redundant in-line valves (1oo2, 2oo2): in these compact systems, Festo uses the tried-and-tested VOFD valve technology. The valve’s redundant circuit ensures a redundant fail-safe function (1oo2) or provides increased availability (2oo2) for automated process valves. Thanks to the Ematal coating, these valves meet the highest safety standards in process engineering and can withstand the toughest of ambient conditions.
Combined valve block (2oo3): the 2oo3 system combines both technologies and therefore provides the highest level of safety and availability. This valve block is an in-line variant that is integrated into your system. The installed standard valves are defined and mounted on the block via the NAMUR interface in accordance with VDI/VDE 3845. This means that the block is installed once; only the valves are replaced via the interface according to a service life/safety lifecycle plan. With this system, you can also bypass the functions of the four valves so that maintenance can be performed during operation. The pressure indicators mounted directly on the valve block always give a reliable and swift indication of whether a valve is pressurised.
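To make two points above concrete, the summing of the failure probabilities of sensor, controller and actuator into a total probability of failure on demand, and the effect of 1oo2, 2oo2 and 2oo3 voting on the actuator segment, here is an added Python example that is not Festo's code or part of the original page. The failure rates, the one-year proof test interval and the simplified IEC 61508 / ISA-TR84 formulas (no common-cause or diagnostic terms) are assumptions for illustration only.

```python
"""Simplified low-demand PFDavg estimate for a safety instrumented function.
Added example, not Festo's or the page's own code: it uses the simplified
IEC 61508 / ISA-TR84 formulas without common-cause (beta) or diagnostic
terms, so results are optimistic and fit only for a first estimate. All
failure rates used below are constructed sample values, not real device data.
"""
HOURS_PER_YEAR = 8760.0
# Low-demand SIL bands for PFDavg from IEC 61508-1 (lower bound inclusive).
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]

def pfd_avg(lambda_du, proof_test_years, voting="1oo1"):
    """PFDavg of one subsystem.
    lambda_du:        dangerous undetected failure rate of ONE channel, per hour
    proof_test_years: proof test interval TI chosen by the operator
    voting:           1oo1, 1oo2 (fail-safe), 2oo2 (availability) or 2oo3 (both)
    """
    x = lambda_du * proof_test_years * HOURS_PER_YEAR  # lambda_DU * TI
    return {
        "1oo1": x / 2,       # single channel
        "1oo2": x ** 2 / 3,  # both channels must fail dangerously before a demand
        "2oo2": x,           # one dangerous channel failure already defeats the function
        "2oo3": x ** 2,      # any two of three channels must fail dangerously
    }[voting]

def sil_from_pfd(pfd):
    """Map a loop PFDavg to the SIL it achieves; None if it does not reach SIL1."""
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 4 if pfd < 1e-5 else None  # SIL4 is the highest claimable level

def sif_assessment(sensor_du, logic_du, actuator_du, ti_years, actuator_voting="1oo1"):
    """Sum the three segments (sensor, logic solver, actuator) and rate the loop."""
    parts = {"sensor": pfd_avg(sensor_du, ti_years),
             "logic": pfd_avg(logic_du, ti_years),
             "actuator": pfd_avg(actuator_du, ti_years, actuator_voting)}
    total = sum(parts.values())
    parts.update(total=total, actuator_share=parts["actuator"] / total,
                 sil=sil_from_pfd(total))
    return parts

if __name__ == "__main__":
    for v in ("1oo1", "1oo2", "2oo2", "2oo3"):  # constructed rates, 1-year TI
        r = sif_assessment(2e-7, 1e-8, 5e-7, 1.0, v)
        print(f"actuator {v}: PFDavg={r['total']:.2e} -> SIL{r['sil']}, "
              f"actuator share {r['actuator_share']:.0%}")
```

With the sample rates, the single-channel actuator accounts for about 70 % of the loop's PFDavg and the loop reaches SIL2; redundant 1oo2 or 2oo3 actuation brings it to SIL3, while 2oo2 (chosen for availability) stays at SIL2 with a higher PFDavg than 1oo1.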