Three Misconceptions about Safety Integrity Level
The safety integrity level, or SIL for short, is an indicator that makes risk reduction quantifiable. Plant and machinery can pose risks that are so dangerous that people and the environment should not be exposed to them under any circumstances. If such a hazard exists, the associated risks must be mitigated to meet the need for safety.
SIL is a core element of functional safety and simultaneously the object of many misconceptions. Pepperl+Fuchs clarifies three of the most common misunderstandings.
Misconception 1: SIL Is a Device Characteristic
However stubbornly this assumption persists, SIL is not a characteristic of a device, plant, or machine. SIL always relates to a risk-reducing function. A safety integrity level—and therefore the statement that “this circuit reduces the existing risk by the factor n”—can only be assigned to a complete safety loop. The devices used in the safety loop must nonetheless be SIL-capable for such a statement to be made in the first place.
Misconception 2: SIL 3 Is Automatically the Better Choice Compared to SIL 2
The SIL rating required depends on the initial risk inherent to the plant’s systems or processes. The rule is that the residual risk remaining after risk reduction must be lower than the tolerable risk. If this is achievable with SIL 2, then the installation of a SIL 3 protective device could, in some circumstances, be too much of a good thing.
The over-fulfillment of a SIL can result in unnecessary effort and avoidable costs, much the same as over-insurance in the private sector. The aim is to design the protective device so that the risk reduction it achieves corresponds as closely as possible to the required SIL.
Misconception 3: Considering the Probability of a System Failure Is Sufficient with Regard to SIL
Quantifying the probability of failure of a protective device is not sufficient to fulfill a safety integrity level. To fulfill a SIL, primary measures for the prevention and control of faults must also be implemented. The relevant standard requires, first and foremost, the application of a special quality management system (functional safety management).
In addition, failure control by means such as redundancy, fail-safe behavior, and fault detection (diagnostics) is mandatory. The extent to which these measures must be applied depends on the targeted SIL.
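As an added example (not code from the article or from Pepperl+Fuchs), the following Python script ties the three points together: it assigns a SIL only to the complete loop from the summed PFDavg, caps that SIL by the weakest device's systematic capability, and compares the result with the required SIL to flag under- or over-engineering. The PFDavg bands, the summation and the SC cap are assumptions taken from IEC 61508 low-demand practice rather than from the page, and the sample loop values are constructed.

```python
"""Loop-level SIL check: added example, not code from the Pepperl+Fuchs article.
Assumptions not on the page: low-demand mode with IEC 61508-1 PFDavg bands
(SIL 1: <1e-1, SIL 2: <1e-2, SIL 3: <1e-3, SIL 4: <1e-4); loop PFDavg approximated
by summing the subsystems; a device's "SIL capability" modelled only by its
IEC 61508 systematic capability (SC); architectural (HFT) rules omitted."""
from dataclasses import dataclass

# Exclusive upper PFDavg bound of each SIL band, low-demand mode (IEC 61508-1).
PFD_UPPER = {1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4}

@dataclass
class Subsystem:
    name: str
    pfd_avg: float              # average probability of failure on demand
    systematic_capability: int  # SC 1..4 the device was assessed for

def sil_from_pfd(loop_pfd: float) -> int:
    """Highest SIL band whose PFDavg limit the whole loop satisfies (0 = none)."""
    for sil in (4, 3, 2, 1):
        if loop_pfd < PFD_UPPER[sil]:
            return sil
    return 0

def assess_loop(subsystems: list, required_sil: int) -> dict:
    """Assign a SIL to the complete loop, then compare it with the required SIL."""
    loop_pfd = sum(s.pfd_avg for s in subsystems)
    rrf = 1.0 / loop_pfd  # Misconception 1: "factor n" belongs to the whole loop
    by_pfd = sil_from_pfd(loop_pfd)
    # Misconception 3: probability alone is not enough; a device lacking the
    # systematic measures (SC) for the target SIL caps the SIL of the loop.
    sc_limit = min(s.systematic_capability for s in subsystems)
    achieved = min(by_pfd, sc_limit)
    # Misconception 2: the goal is to match the required SIL, not to maximise it.
    if achieved < required_sil:
        verdict = "under"
    elif achieved == required_sil:
        verdict = "matches"
    else:
        verdict = "over"
    return {"loop_pfd": loop_pfd, "risk_reduction_factor": rrf,
            "sil_by_pfd": by_pfd, "sil_limit_by_sc": sc_limit,
            "achieved_sil": achieved, "verdict": verdict}

# Constructed sample loop: a SIL 3-capable logic solver does not make the loop SIL 3.
SAMPLE_LOOP = [Subsystem("pressure transmitter", 3e-4, 3),
               Subsystem("logic solver", 1e-5, 3),
               Subsystem("shutdown valve", 2e-3, 2)]

if __name__ == "__main__":
    print(assess_loop(SAMPLE_LOOP, required_sil=2))
```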