Industry responded to this question with accepted industry standards (essentially self-governing practices) such as ISA-S84.01 and IEC 61508/61511 to measure the acceptable level of performance of these systems. Adherence to the standards became a best practice. Note that the standards are not prescriptive; they are performance oriented. They say what level needs to be achieved, not how to reach those levels. Ultimately, it is up to the end user to decide how that is to be done.
An SIS is designed to prevent or reduce hazardous events by taking a process to a safe state when predetermined conditions are violated. An SIS can typically be an emergency shutdown system (ESD), a safety interlock system or a safety shutdown system. Each SIS will have one or more Safety Instrumented Functions (SIFs). Such a function might be something like:

- When the solution in the tank gets too hot, the inlet steam valve closes.
- When the tank pressure gets too high, a safety valve opens.

Of course, each SIF loop will be a combination of logic solvers, sensors, solenoids and final control elements, such as an automated valve. Every SIF within an SIS will have an SIL. These levels may be the same or they may differ, depending on the process. A common misconception is that every safety function in a system must carry the same SIL; in fact each SIF is assigned its own SIL according to the hazard it guards against.

An SIL is essentially a measure of the system performance in terms of Probability of Failure on Demand (PFD). Figure 1 lists the four levels; as the table shows, the Risk Reduction Factor (RRF) for a level is the reciprocal of its PFD.

Figure 1. Safety Integrity Levels

Safety Integrity Level   Risk Reduction Factor   Probability of Failure on Demand
SIL 4                    100,000 to 10,000       10^-5 to 10^-4
SIL 3                    10,000 to 1,000         10^-4 to 10^-3
SIL 2                    1,000 to 100            10^-3 to 10^-2
SIL 1                    100 to 10               10^-2 to 10^-1

If the goal is to reduce risk, we need to understand what that risk is. The simplified equation for risk is:

Risk = Probability × Consequence

We can think of probability in terms of hazard frequency (how often will a process exceed normal conditions and need to be brought to a safe state?) and consequence in terms of hazard consequences (what happens to the plant, employees, environment and community if the process upset is not brought to a safe state?).
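The following Python script is an added worked example, not code from the original article. It ties together the SIF loop description (sensor, logic solver, final element), the Figure 1 bands, and the Risk = Probability × Consequence reasoning: it estimates the average PFD of a loop, maps it to an SIL, and compares that against the SIL a hazard demands once a tolerable hazard frequency is fixed for a given consequence. The per-hour dangerous undetected failure rates (lambda_DU), proof test intervals, and the hazard and tolerable frequencies are constructed values for illustration, and the per-element PFD uses the simplified single-channel (1oo1) approximation PFDavg ≈ lambda_DU × TI / 2 rather than any formula the article states.

```python
"""Worked SIL arithmetic for a Safety Instrumented Function (SIF).

Added example; not from the original article. Failure rates, proof test
intervals and hazard/tolerable frequencies below are constructed.
"""
from dataclasses import dataclass

# Figure 1 bands: (SIL, PFD lower bound inclusive, PFD upper bound exclusive).
# RRF is 1/PFD, so SIL 1 is RRF 10..100, SIL 2 is RRF 100..1,000, and so on.
SIL_BANDS = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]


def sil_from_pfd(pfd):
    """Map an average PFD to its SIL per Figure 1.

    Returns 0 when the PFD is too high to qualify even for SIL 1 (RRF < 10).
    A PFD below the SIL 4 floor is outside the table and is rejected rather
    than silently rounded up: a single SIF cannot claim better than SIL 4.
    """
    if pfd <= 0:
        raise ValueError("PFD must be positive")
    if pfd >= 1e-1:
        return 0
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    raise ValueError(f"PFD {pfd:g} is below the SIL 4 band; not covered by Figure 1")


def rrf_from_pfd(pfd):
    """Risk Reduction Factor is the reciprocal of PFD."""
    return 1.0 / pfd


@dataclass
class Element:
    """One element of a SIF loop: sensor, logic solver or final element."""
    name: str
    lambda_du: float            # dangerous undetected failure rate, per hour (assumed)
    proof_test_interval_h: float  # hours between proof tests (assumed)

    def pfd_avg(self):
        # Simplified 1oo1 approximation: PFDavg ~= lambda_DU * TI / 2.
        # Adequate only while lambda_DU * TI << 1.
        return self.lambda_du * self.proof_test_interval_h / 2.0


def loop_pfd_avg(elements):
    """The loop fails on demand if any series element fails; for small PFDs
    the loop PFD is approximately the sum of the element PFDs."""
    return sum(e.pfd_avg() for e in elements)


def required_rrf(hazard_freq_per_yr, tolerable_freq_per_yr):
    """Risk = Probability x Consequence. Holding the consequence fixed, the SIF
    must reduce the hazard frequency to the frequency tolerated for that
    consequence; the ratio is the required risk reduction."""
    return hazard_freq_per_yr / tolerable_freq_per_yr


def required_sil(hazard_freq_per_yr, tolerable_freq_per_yr):
    """Target SIL: the Figure 1 band containing the PFD 1/RRF_required.
    Returns 0 when the required reduction is below SIL 1 (RRF < 10), which
    is normally left to non-SIS layers of protection."""
    rrf = required_rrf(hazard_freq_per_yr, tolerable_freq_per_yr)
    if rrf <= 1.0:
        return 0
    return sil_from_pfd(1.0 / rrf)


def assess(loop, hazard_freq_per_yr, tolerable_freq_per_yr):
    """Compare what the loop achieves against what the hazard demands."""
    pfd = loop_pfd_avg(loop)
    rrf = rrf_from_pfd(pfd)
    return {
        "pfd_avg": pfd,
        "rrf": rrf,
        "achieved_sil": sil_from_pfd(pfd),
        "required_sil": required_sil(hazard_freq_per_yr, tolerable_freq_per_yr),
        # Compare RRFs directly; two loops in the same SIL band can differ 10x.
        "adequate": rrf >= required_rrf(hazard_freq_per_yr, tolerable_freq_per_yr),
    }


# Constructed loop for the article's first SIF: tank too hot -> steam valve closes.
HIGH_TEMP_TRIP = [
    Element("temperature transmitter", 1.5e-7, 8760),       # annual proof test
    Element("logic solver", 1.0e-8, 8760),
    Element("steam inlet valve + solenoid", 5.0e-7, 8760),  # dominant contributor
]

if __name__ == "__main__":
    # Hazard assumed once per 5 years unmitigated; tolerable once per 10,000 years.
    print(assess(HIGH_TEMP_TRIP, hazard_freq_per_yr=0.2, tolerable_freq_per_yr=1e-4))
    # Quarterly proof testing of the valve alone, to see how far it moves the loop.
    quarterly_valve = [
        Element(e.name, e.lambda_du, 2190 if "valve" in e.name else e.proof_test_interval_h)
        for e in HIGH_TEMP_TRIP
    ]
    print(assess(quarterly_valve, 0.2, 1e-4))
```

With these constructed numbers the loop lands at SIL 2 (PFDavg about 2.9 × 10^-3, RRF about 346) while the hazard calls for SIL 3 (required RRF 2,000). Testing the valve quarterly instead of annually cuts the loop PFD to about 1.2 × 10^-3 but still leaves it in SIL 2, which is the practical point of running the arithmetic: the final element dominates, and closing a full SIL step usually takes redundancy or a better device rather than more frequent proof testing alone. It also shows why the "same SIL for every function" misconception fails: the second SIF (high pressure) would be assessed with its own hazard frequency, consequence and loop, and may well land in a different band.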