
Three Misconceptions about the Safety Integrity Level (SIL)

2014-02-03

An often misunderstood core element of functional safety

The Safety Integrity Level, or SIL for short, is an indicator that makes risk reduction quantifiable

Plant and machinery can pose hazards so severe that people and the environment must not be exposed to them under any circumstances. Where such a hazard exists, the associated risk has to be reduced until the need for safety is met.

The Safety Integrity Level, or SIL for short, is an indicator that makes risk reduction quantifiable. SIL is a core element of functional safety - and simultaneously the object of many misconceptions. Pepperl+Fuchs clarifies three of the most common misunderstandings.


Misconception 1: SIL is a device characteristic

Stubborn as this assumption is, SIL is not a property of a device, plant, or machine. A SIL always relates to a risk-reducing function: a Safety Integrity Level, and with it the statement "this circuit reduces the existing risk by a factor of n", can only be assigned to a complete fail-safe circuit (the whole safety loop), never to one component in it. The devices used in that circuit must, however, be SIL-capable, i.e. assessed for use in a loop of that level, so that such a statement can be made at all.

Misconception 2: SIL 3 is automatically the better choice compared to SIL 2

The SIL required depends on the initial risk inherent in the plant's systems or processes. The rule is: the residual risk remaining after risk reduction must be lower than the tolerable risk. The risk reduction the protective function has to deliver is therefore the ratio of the initial risk to the tolerable risk, and the required SIL is the band into which that factor falls. If SIL 2 achieves this, installing a SIL 3 protective device can be too much of a good thing.

The over-fulfillment of a SIL can result in unnecessary effort and avoidable cost, much the same as over-insurance in the private sector is unnecessarily expensive and a waste of money. The aim is to design the protective device so that the risk reduction it achieves corresponds as closely as possible to the required SIL.


Misconception 3: Considering the probability of failure is sufficient to meet a SIL

Quantifying the failure probability of a protective device is not sufficient to fulfill a Safety Integrity Level. Measures for the avoidance and control of faults must be implemented as well. The relevant standard requires, first of all, a dedicated quality management system for safety-related development (a Functional Safety Management system).

In addition, failure control by means of redundancy, fail-safe behavior, and fault detection (diagnostics) is mandatory, and the extent to which these measures must be applied depends on the targeted SIL. In practice this means that a loop whose failure probability alone would qualify for SIL 2 is still limited to a lower SIL if its hardware lacks the fault tolerance or diagnostic coverage the standard demands for that level.
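The three points above can be put into numbers. The following is an added worked example, written for this page and not Pepperl+Fuchs code: it rates a complete low-demand safety loop (sensor, logic solver, final element) rather than a single device (Misconception 1), derives the required SIL from the ratio of initial to tolerable risk and flags over-fulfillment (Misconception 2), and caps the achievable SIL by the IEC 61508 Route 1H architectural constraints on safe failure fraction (SFF) and hardware fault tolerance (HFT), so that a good failure probability alone does not buy the level (Misconception 3). The SIL bands for PFDavg and the Route 1H tables are those of IEC 61508; the loop PFDavg is taken as the sum of the subsystem values, the usual first-order approximation; every plant figure, frequency and component value is constructed for illustration, and all function names are this example's own.

```python
"""SIL bookkeeping for a low-demand safety function (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# IEC 61508 low-demand bands: SIL n means 10^-(n+1) <= PFDavg < 10^-n.
def sil_from_pfd(pfd: float) -> int:
    """SIL band reached by an average probability of failure on demand (0 = none)."""
    if pfd >= 1e-1:
        return 0
    for sil in (4, 3, 2, 1):
        if pfd < 10.0 ** (-sil):
            return sil
    return 0

def required_sil(demand_rate_per_year: float, tolerable_rate_per_year: float) -> Tuple[float, int]:
    """Risk-reduction factor the function must deliver and the SIL band it falls into."""
    rrf = demand_rate_per_year / tolerable_rate_per_year
    return rrf, sil_from_pfd(1.0 / rrf)

# IEC 61508-2 Route 1H: maximum SIL by element type, SFF band and HFT (0, 1, 2).
# SFF bands: <60 %, 60-90 %, 90-99 %, >=99 %.  0 = not allowed.
_ROUTE_1H = {
    "A": [[1, 2, 3], [2, 3, 4], [3, 4, 4], [3, 4, 4]],
    "B": [[0, 1, 2], [1, 2, 3], [2, 3, 4], [3, 4, 4]],
}

def sff_band(sff: float) -> int:
    """Index of the SFF band (0..3) for a safe failure fraction given as 0..1."""
    return sum(sff >= t for t in (0.60, 0.90, 0.99))

def architectural_sil(element_type: str, sff: float, hft: int) -> int:
    """Highest SIL the architecture alone permits, whatever the PFD says."""
    return _ROUTE_1H[element_type][sff_band(sff)][min(hft, 2)]

@dataclass
class Subsystem:
    name: str
    pfd_avg: float      # PFDavg of the subsystem in its configured architecture
    element_type: str   # "A": simple, failure modes well defined; "B": complex (e.g. microprocessor)
    sff: float          # safe failure fraction, 0..1
    hft: int            # hardware fault tolerance (0 = 1oo1, 1 = 1oo2, ...)

def loop_assessment(subsystems: List[Subsystem]) -> Dict[str, float]:
    """Rate the whole loop: PFD-based SIL, architectural cap, and the SIL actually achieved."""
    pfd = sum(s.pfd_avg for s in subsystems)
    sil_pfd = sil_from_pfd(pfd)
    sil_arch = min(architectural_sil(s.element_type, s.sff, s.hft) for s in subsystems)
    return {"pfd": pfd, "rrf": 1.0 / pfd, "sil_pfd": sil_pfd,
            "sil_arch": sil_arch, "sil": min(sil_pfd, sil_arch)}

def verdict(required: int, achieved: int) -> str:
    if achieved < required:
        return "insufficient"
    return "adequate" if achieved == required else "over-fulfilled"

# Constructed hazard: one demand in ten years, tolerable one in five thousand years.
DEMAND_RATE = 0.1
TOLERABLE_RATE = 2e-4

# Constructed loops (component figures are illustrative, not vendor data).
LOOP_1OO1 = [  # PFD says SIL 2, but the single Type B sensor with SFF 65 % caps it at SIL 1
    Subsystem("pressure transmitter 1oo1", 4e-4, "B", 0.65, 0),
    Subsystem("logic solver", 1e-4, "B", 0.95, 0),
    Subsystem("shutdown valve 1oo1", 9e-4, "A", 0.70, 0),
]
LOOP_SIL2 = [  # redundant sensors lift the architectural cap to SIL 2
    Subsystem("pressure transmitters 1oo2", 4e-5, "B", 0.65, 1),
    Subsystem("logic solver", 1e-4, "B", 0.95, 0),
    Subsystem("shutdown valve 1oo1", 9e-4, "A", 0.70, 0),
]
LOOP_SIL3 = [  # redundancy and diagnostics everywhere: SIL 3, more than the hazard needs
    Subsystem("pressure transmitters 1oo2", 4e-5, "B", 0.92, 1),
    Subsystem("logic solver", 1e-5, "B", 0.99, 0),
    Subsystem("shutdown valves 1oo2", 9e-5, "A", 0.70, 1),
]

if __name__ == "__main__":
    rrf, req = required_sil(DEMAND_RATE, TOLERABLE_RATE)
    print(f"required: RRF {rrf:.0f} -> SIL {req}")
    for label, loop in (("1oo1", LOOP_1OO1), ("1oo2 sensors", LOOP_SIL2), ("redundant", LOOP_SIL3)):
        r = loop_assessment(loop)
        print(f"{label:13s} PFD {r['pfd']:.2e} (SIL {r['sil_pfd']} by PFD, "
              f"arch. cap SIL {r['sil_arch']}) -> SIL {r['sil']}: {verdict(req, r['sil'])}")
```

Run as a script, the first loop comes out "insufficient" although its failure probability alone is in the SIL 2 band, the second is "adequate", and the third "over-fulfilled": the cost of the extra redundancy buys no safety the hazard requires.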