
Safety Integrity Level (SIL): What You Need to Know About SIL to Protect Your People and Your Processes


In the wake of catastrophic incidents such as the Bhopal disaster in India, the BP refinery explosion in Texas City, TX and the Buncefield petrol depot explosion in the UK, safety has become a top priority for industrial companies running critical processes that involve extreme temperatures and pressures and flammable or toxic materials. To improve the safety of such processes, the IEC published IEC 61508 and, more specifically for the process sector, IEC 61511, the process-sector implementation of IEC 61508 (adopted in the US through the ISA84 committee as ANSI/ISA-84.00.01). These standards are helping to increase the reliability of the systems that ensure the safety of these processes.
Understanding Risk
All safety standards exist to reduce risk, which is inherent wherever manufacturing
or processing occurs. Although eliminating risk entirely and bringing about a state
of absolute safety is not attainable, the goal of any modern safety system is to
reduce risk to an acceptable level.
The formula for risk is:
Risk = Hazard Frequency x Hazard Consequence
Risk can be minimized first by incorporating inherently safe process and control
system designs but, ultimately, a full safety shutdown system may be necessary.
Layered Protection
No single safety measure can eliminate risk and protect a plant and its personnel
against harm or mitigate the spread of harm if a hazardous incident occurs. For this
reason, safety exists in protective layers: a sequence of mechanical devices,
process controls, shutdown systems, and external response measures that prevent
or mitigate a hazardous event. Detailed evaluation, including a hazard and risk
assessment, is required to identify the overall risk reduction requirements and to
properly allocate them into the independent protection layers.
If any protection layer fails, successive layers are available to take the process to a
safe state. If one of the protection layers is a safety instrumented function (SIF), the
risk reduction allocated to it determines its Safety Integrity Level (SIL). As the
number of protection layers and their reliabilities increase, the safety of the process
increases. Figure A shows the succession of typical safety layers in order of their
activation.
Hazards Analysis
To determine the levels of protective layers required, your company will need to
conduct a Process Hazards Analysis to analyze hazards and risks within a process.
Depending upon the complexity of the process operations and the severity of its
inherent risks, such an analysis may range from a simplified screening to a rigorous
Hazard and Operability engineering study, including reviewing process, electrical,
mechanical, safety, and managerial factors.

Once the risks and hazards have been assessed, one can determine if they are
below acceptable levels. If the study concludes that existing protection is
insufficient, a Safety Instrumented System may be required.
Even when emergency shutdown systems are not mandatory, many process control industries today are using the reliability specifications defined in IEC 61508 to separate great products from good ones. In fact, many companies are using a key parameter, the Safe Failure Fraction (SFF), which is the share of a device's total failure rate made up of safe failures and of dangerous failures that its diagnostics detect, to objectively compare the reliability of instruments from different suppliers.

The Role of Safety Instrumented Systems in Industrial Process Systems


Posted on January 21, 2014

by Magnetrol International

Mitigating the risk of catastrophic overfill incidents in processes that contain materials that are flammable or toxic is a top priority for all process industries today. To do this, one needs to first understand the hazards that these types of processes pose, and what can be done to mitigate them.

In last week's blog post, we discussed how layered protection can minimize risk and how a Hazards Analysis can help determine if a Safety Instrumented System (SIS) is required. In this post, we will explain what a Safety Instrumented System (SIS) is and the types of safety functions that the SIS requires.

Safety Instrumented Systems


The SIS plays a vital role in providing a protective layer around industrial process
systems. Its purpose is to take a process to a safe state when pre-determined set
points are exceeded or when safe operating conditions have been transgressed.

The SIS is comprised of Safety Instrumented Functions (SIFs) with sensors, logic solvers and actuators:

Sensors for signal input and power
Input signal interfacing and processing
Logic solver with power and communications
Output signal processing, interfacing and power
Actuators (valves, switching devices) for final control function

Safety Instrumented Functions


A Safety Instrumented Function (SIF) is a safety function with a specified Safety Integrity Level (SIL) that is implemented by the SIS to achieve or maintain a safe state. A SIF's sensors, logic solver and final elements act in concert to detect a hazard and bring the process to a safe state.

Here's an example:
A process vessel sustains a buildup of pressure, which should open a vent valve. The specific safety hazard is overpressure of the vessel. When pressure rises above the normal set point, a pressure-sensing instrument detects the increase. Logic (PLC, relay, hard-wired, etc.) then opens a vent valve to return the system to a safe state.
The increased availability and use of SIL reliability data has allowed the traditional example above to be improved with a High Integrity Pressure Protection System (HIPPS), which isolates the source of the overpressure instead of venting it. When a HIPPS is implemented and verified to the required SIL, the controls are reliable enough that the design no longer needs to vent to the environment or rely on a relief valve.
Like the safety features on an automobile, a SIF may operate continuously, like a car's steering, or intermittently, like a car's air bag. A safety function operating in demand mode is only performed when required in order to transfer the Equipment Under Control (EUC) into a specified state. A safety function operating in continuous mode operates to keep the EUC within its safe state.

Safety Standards of Level Control Devices


Posted on January 6, 2015

by Magnetrol International

Malfunctioning level controls allegedly contributed to the 1986 Chernobyl meltdown and the 2005 Buncefield depot explosion north of London, to name just two of the more notorious incidents. For decades, the industrial firewall against safety incidents as they relate to level controls has been governmental and professional association standards that require manufacturers to make their products according to safety guidelines. The International Standards Association, however, lists some 180,000 varieties of international standards. The key health and safety standards that can affect level control devices and applications fall into three categories: (1) Instrument and Component Standards, (2) Safety Integrity Levels, and (3) Hygienic Standards.

Instrument Standards. The largest group of standards relates to equipment, component and enclosure performance. These standards are authorized by NEMA (National Electrical Manufacturers Association, USA); Underwriters Laboratories (UL, USA); the American National Standards Institute (ANSI); the American Society of Mechanical Engineers (ASME); The Instrumentation, Systems, and Automation Society (ISA, originally named the Instrument Society of America); the Canadian Standards Association (CSA); the European EN 60529 (DIN VDE 0470); the IEC (International Electrotechnical Commission); VDE (the German association of electrical engineers); and TÜV (Germany). Principal organizations with market-relevant technical standards for materials, products, and systems also include the European Union's ATEX directives (ATmosphere EXplosion); America's OSHA (Occupational Safety and Health Administration); the American Society for Testing and Materials (ASTM); and the United Kingdom's Health and Safety Executive (HSE).

Safety Integrity Level (SIL). Another group of requirements that relate specifically to level control safety performance are those of the IEC functional safety standards on risk reduction, IEC 61508 and IEC 61511. These standards classify the safety functions of Safety Instrumented Systems (SISs) by their Safety Integrity Level (SIL), that is, by the risk reduction they must deliver, which in turn depends on the potential harm to people, the manufacturing process and the environment if the function fails on demand. Four SIL levels are defined, with SIL 4 being the most stringent and SIL 1 the least. (No standard process controls have yet been defined and tested for SIL 4.)
There are two ways an instrument manufacturer can determine and declare a device suitable for a given SIL. For pre-existing devices, the supplier can follow the proven-in-use procedure, in which the instrument's field history is assessed and documented according to IEC 61508 and IEC 61511. For new devices, the supplier issues a declaration of conformity to IEC 61508, either as a self-declaration or assessed and certified by an independent body such as TÜV or exida. This declaration comprises an evaluation of the device based partly on a Failure Modes, Effects and Diagnostics Analysis (FMEDA) and partly on an assessment of the proven-in-use documentation.
Today, many instrument and plant engineers use an instrument's SIL suitability level as shorthand for its overall reliability.

Hygienic Standards. A third group of standards relates to hygienic issues concerning the food, beverage, dairy and pharmaceutical industries. These include the Food and Drug Administration (FDA, USA); the 3-A Sanitary Standards (a group of three USA milk and dairy authorities); the European Hygienic Equipment Design Group (EHEDG, a consortium of European equipment manufacturers, food industries, research institutes, and public health authorities); and the Federal Health Department (Germany).

Factors to Consider When Assessing Safety Integrity Level


Posted on January 28, 2014

by Magnetrol International

The occurrence of catastrophic overfill incidents in recent years has made improving
safety a mission-critical requirement for all process industries. To do this, one needs
to first understand the hazards that these types of processes pose, and what can be
done to mitigate them.

In prior posts, this blog has discussed how assessing the hazards and risks within your processes can determine the need for a Safety Instrumented System (SIS). This week, we'll explain Safety Integrity Level (SIL) and how assigning a target SIL can help you measure the safety risk of a given process.

Four Levels of Integrity


Historically, safety thinking categorized a process as being either safe or unsafe. Under the functional safety standards developed over the past several years, however, safety isn't considered a binary attribute. Instead, IEC 61508 and the ISA SP84 committee's process-sector standard stratify it into four discrete levels of safety. Each level represents an order of magnitude of risk reduction. The higher the SIL, the greater the impact of a failure on the surrounding area and the lower the failure rate that is acceptable.

SIL is a way to indicate the tolerable failure rate of a safety function. Standards
require the assignment of a target SIL for any new or retrofitted SIF within a SIS. The
assignment of the target SIL is a decision that requires the extension of the Hazards
Analysis, which analyzes the hazards and risks within a process. The SIL assignment
is based on the amount of risk reduction that is necessary to maintain the risk at an
acceptable level. All of the SIS design, operation, and maintenance choices must
then be verified against the target SIL. This ensures that the SIS can mitigate the
assigned process risk.

Hardware Fault Tolerance


IEC61508-4 defines fault tolerance as the ability of a functional unit to continue
to perform a required function in the presence of faults or errors. Therefore,
hardware fault tolerance is the ability of the hardware (complete hardware and
software of the transmitter) to continue to perform a required function in the
presence of faults or errors.

A hardware fault tolerance of 0 means that a single fault can prevent the transmitter from performing its function (for example, measuring level). In general, a hardware fault tolerance of N means that N+1 faults could cause a loss of the safety function. When a Failure Modes, Effects and Diagnostics Analysis (FMEDA) is performed on a device, the resulting Safe Failure Fraction (SFF) applies to that single device, that is, at a hardware fault tolerance of 0; the architectural constraints tables of IEC 61508 then show which SIL that SFF supports at a fault tolerance of 0, 1 or 2.

Determining SIL Levels: Process


When a Process Hazards Analysis determines that a SIS is needed, the level of risk
reduction afforded by the SIS and the target SIL have to be assigned. The
effectiveness of a SIS is described in terms of the probability it will fail to perform
its required function when it is called upon to do so, which is its Probability of
Failure on Demand (PFD). The average PFD (PFDavg) is used for SIL evaluation. The
chart below shows the relationship between PFDavg, availability of the safety
system, risk reduction and SIL level.

[Chart: relationship between PFDavg, availability of the safety system, risk reduction factor and SIL]

Various methodologies are used to assign target SILs, including (but not limited to),
Simplified Calculations, Fault Tree Analysis, Layer of Protection Analysis and Markov
Analysis. The determination must also involve people who possess the relevant
expertise and experience.
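The following is an added worked example of how a Layer of Protection Analysis arrives at a target SIL; it is not code from the article or from Magnetrol. The overfill scenario, the initiating-event frequency, the PFD credits for the independent protection layers and the tolerable event frequency are constructed values for illustration, and a real LOPA would take them from the site's risk criteria and its own failure data.

```python
"""Target-SIL assignment with a simplified Layer of Protection Analysis (LOPA).

Added worked example, not code from the article or from Magnetrol.  The
overfill scenario, the initiating-event frequency, the IPL credits and the
tolerable frequency are constructed values for illustration.
Frequencies are per year, PFDs are dimensionless.
"""

# IEC 61511 low-demand SIL bands as (lower PFDavg bound, upper bound, SIL);
# the lower bound is inclusive, the upper bound exclusive.
SIL_BANDS = (
    (1e-5, 1e-4, 4),
    (1e-4, 1e-3, 3),
    (1e-3, 1e-2, 2),
    (1e-2, 1e-1, 1),
)


def sil_for_required_pfd(required_pfd):
    """Map the PFDavg a SIF must achieve to the target SIL.

    Returns 0 when the other layers already meet the tolerable frequency
    (no SIF needed).  A demand below the SIL 4 band is reported as an error:
    that much risk reduction should come from process redesign or from
    additional independent layers, not from a single SIF.
    """
    if required_pfd >= 1e-1:
        return 0
    for low, high, sil in SIL_BANDS:
        if low <= required_pfd < high:
            return sil
    raise ValueError(
        "required PFD %.2e is below the SIL 4 band; add layers or redesign" % required_pfd
    )


def lopa(initiating_event_freq, ipl_pfds, tolerable_freq):
    """Return (freq_without_sif, required_sif_pfd, rrf, target_sil).

    Each independent protection layer (IPL) multiplies the initiating-event
    frequency by its PFD.  The SIF must close whatever gap remains to the
    tolerable event frequency; the required risk reduction factor (RRF) is
    the reciprocal of the PFD the SIF has to provide.
    """
    freq_without_sif = initiating_event_freq
    for pfd in ipl_pfds:
        if not 0.0 < pfd <= 1.0:
            raise ValueError("IPL PFD must be in (0, 1]: %r" % pfd)
        freq_without_sif *= pfd
    required_pfd = min(1.0, tolerable_freq / freq_without_sif)
    return freq_without_sif, required_pfd, 1.0 / required_pfd, sil_for_required_pfd(required_pfd)


if __name__ == "__main__":
    # Constructed scenario: tank overfill.  Initiating event: BPCS level loop
    # fails high, assumed 0.1/yr.  IPL 1: operator responds to an independent
    # high-level alarm, PFD 0.1.  Tolerable frequency of a release: 3e-6/yr.
    freq, pfd, rrf, sil = lopa(0.1, [0.1], 3e-6)
    print("without extra layers: %.1e/yr -> SIF PFD <= %.1e, RRF %.0f, target SIL %d"
          % (freq, pfd, rrf, sil))
    # Adding a second IPL (overflow line to a safe location, PFD 0.01) moves
    # most of the risk reduction out of the SIF and lowers its target SIL.
    freq, pfd, rrf, sil = lopa(0.1, [0.1, 0.01], 3e-6)
    print("with overflow line:   %.1e/yr -> SIF PFD <= %.1e, RRF %.0f, target SIL %d"
          % (freq, pfd, rrf, sil))
```

With only the operator response as an independent layer the SIF has to provide a PFD of 3e-4 (RRF about 3300), which puts the target at SIL 3; crediting a second independent layer drops the requirement to SIL 1. That is the practical meaning of the earlier point that risk reduction is allocated across independent protection layers: the more that is carried by other layers, the less demanding, and cheaper to verify and maintain, the SIF becomes.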

Determining SIL Levels: Instrumentation


SIL levels for field instruments are established by one of two methods:

FMEDA is a systematic analysis technique used to determine failure rates, failure modes and the diagnostic capability of a device as defined by IEC 61508/61511. It is best when reviewed or certified by a third party, such as exida or TÜV, but manufacturers can make self-declarations.

Proven in Use (also called Prior Use) is typically used for mature instruments in
known processes. This approach requires sufficient product operational hours,
revision history, fault reporting systems and field failure data to determine if there is
evidence of systematic design faults in a product. IEC 61508 provides levels of
operational history required for each SIL. It is generally considered more valuable
when done by users in their facility when comparing like data. It is considered less
reliable when done by a device manufacturer whose data may be less relevant to
the end users application.

If using a manufacturers prior use data is necessary because a product does not
reach the required level under the standard FMEDA analysis, there are significant
requirements that are imposed. For example, a mature product must generally be
used (to have the required field experience) and the design and assembly must be
frozen in time so that no upgrades, modifications or even configuration changes
are allowed that may render the Proven in Use data useless. A key result of the
analysis is establishing a Safe Failure Fraction (SFF) for a product. The following
chart shows the relationship of SFF values, SIL ratings and the effects of
redundancy.

[Chart: SFF bands versus achievable SIL at hardware fault tolerance 0, 1 and 2]
While two SIL 1 devices can be used to achieve SIL 2 and two SIL 2 devices may be used to achieve SIL 3, it is not automatic. Using redundancy to attain a higher SIL rating carries an additional requirement of systematic safety, which includes software integrity. It is important to note that the most conservative approach to redundancy is to use dissimilar technologies, which reduces common-cause failures due to application issues. Within the SFF determination is an understanding of the types of failures and the ability of the instrument to diagnose them.
The most critical category of failures is called Dangerous Undetected (DU). For example, the new Eclipse Model 706 has an SFF of 93.0% with a Dangerous Undetected failure rate of 61 (FMEDA reports express failure rates in FIT, failures per 10^9 hours), which means that 93.0% of all failures are either detected or are safe (nuisance) failures, and the 61 DU failures are the remaining 7% that are dangerous and undetected. The lower the Dangerous Undetected failure rate, the better. This number is key in a reliability evaluation, even for non-safety-related applications.
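The following is an added worked example of SIL verification for a field device from its FMEDA figures; it is not code from Magnetrol or from the article. The only numbers taken from the page are the Eclipse Model 706 headline figures (SFF 93.0% and a Dangerous Undetected rate of 61). Everything else is assumed: the failure-rate unit is taken to be FIT, the split of the remaining failures into safe and dangerous-detected categories is constructed so the SFF comes out at 93%, and the one-year proof-test interval and 10% common-cause beta factor are typical values chosen for illustration. The architectural constraints table is the IEC 61508-2 route 1H table for type A and type B devices, and the example goes beyond the page by combining the PFDavg band and the architectural limit into one verdict.

```python
"""SIL verification of a field device from FMEDA data.

Added worked example; it is not code from Magnetrol or from the article.
The only figures taken from the page are the Eclipse Model 706 headline
numbers, SFF = 93.0 % and a Dangerous Undetected rate of 61.  Everything
else is assumed: the failure-rate unit is taken to be FIT (failures per
1e9 hours, the unit FMEDA reports normally use), the split of the other
failures into safe and dangerous-detected categories is constructed so
that the SFF comes out at 93 %, and the proof-test interval and the
common-cause beta factor are typical values chosen for illustration.
"""

FIT = 1e-9  # failures per hour represented by one FIT


def safe_failure_fraction(lam_sd, lam_su, lam_dd, lam_du):
    """SFF = (safe + dangerous detected) / (all failures), IEC 61508-2."""
    total = lam_sd + lam_su + lam_dd + lam_du
    return (lam_sd + lam_su + lam_dd) / total


def pfd_avg_1oo1(lam_du, proof_test_interval_h):
    """Simplified low-demand PFDavg of a single channel: lambda_DU * TI / 2."""
    return lam_du * proof_test_interval_h / 2.0


def pfd_avg_1oo2(lam_du, proof_test_interval_h, beta):
    """Simplified 1oo2 PFDavg with a beta-factor common-cause term (IEC 61508-6 style)."""
    ti = proof_test_interval_h
    independent = ((1.0 - beta) * lam_du * ti) ** 2 / 3.0
    common_cause = beta * lam_du * ti / 2.0
    return independent + common_cause


def sil_from_pfd_avg(pfd):
    """Low-demand SIL band of a PFDavg: 0 means worse than SIL 1."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4


# Architectural constraints, IEC 61508-2 route 1H: for each SFF band (upper
# bound exclusive) the maximum SIL at hardware fault tolerance 0, 1 and 2.
# Type A = simple devices with fully known failure modes; type B = complex
# (microprocessor-based) devices such as a level transmitter.  0 = not allowed.
ARCH_LIMITS = {
    "A": ((0.60, (1, 2, 3)), (0.90, (2, 3, 4)), (0.99, (3, 4, 4)), (1.01, (3, 4, 4))),
    "B": ((0.60, (0, 1, 2)), (0.90, (1, 2, 3)), (0.99, (2, 3, 4)), (1.01, (3, 4, 4))),
}


def sil_from_architecture(sff, hft, device_type):
    """Maximum SIL the architecture allows for this SFF, HFT and device type."""
    for upper, limits in ARCH_LIMITS[device_type]:
        if sff < upper:
            return limits[min(hft, 2)]
    raise ValueError("SFF must be a fraction between 0 and 1")


def achievable_sil(pfd, sff, hft, device_type):
    """A SIF is limited by both its PFDavg band and its architectural constraint."""
    return min(sil_from_pfd_avg(pfd), sil_from_architecture(sff, hft, device_type))


if __name__ == "__main__":
    # Constructed FMEDA split in FIT: only lam_du = 61 and the 93 % SFF are from the page.
    lam_sd, lam_su, lam_dd, lam_du = 0, 300, 510, 61
    sff = safe_failure_fraction(lam_sd, lam_su, lam_dd, lam_du)
    ti = 8760.0  # assumed one-year proof test interval
    pfd_single = pfd_avg_1oo1(lam_du * FIT, ti)
    print("SFF %.1f%%  PFDavg(1oo1) %.2e -> PFD band SIL %d, architecture SIL %d, achievable SIL %d"
          % (100 * sff, pfd_single, sil_from_pfd_avg(pfd_single),
             sil_from_architecture(sff, 0, "B"), achievable_sil(pfd_single, sff, 0, "B")))
    pfd_dual = pfd_avg_1oo2(lam_du * FIT, ti, beta=0.1)  # assumed 10 % common cause
    print("1oo2 of the same device: PFDavg %.2e -> achievable SIL %d"
          % (pfd_dual, achievable_sil(pfd_dual, sff, 1, "B")))
```

With these inputs the single transmitter's PFDavg (about 2.7e-4 at a one-year proof test) falls in the SIL 3 band, but a type B device with 93% SFF at hardware fault tolerance 0 is architecturally limited to SIL 2, so SIL 2 is what the element can claim. A 1oo2 pair raises the fault tolerance to 1 and lifts that limit to SIL 3, which is the "two SIL 2 devices may achieve SIL 3" case above; it is still not automatic, because the pair's systematic capability has to reach SIL 3 as well, and the beta factor you assume for common-cause failure dominates the 1oo2 result.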

Different roles in the process industry

Seveso, Bhopal, Piper Alpha: the scenes of some of the worst accidents ever in the chemical and petrochemical industries. These catastrophes, which are still remembered today for their very high death toll, were caused by human error and technical failures. Taking the applicable rules and regulations governing industrial accidents as a starting point, plant operators everywhere must endeavour to reduce the residual risk created by their plant to a tolerable level.
Architecture of a safety instrumented system comprising a sensor, two final elements and a safety control system (example taken from Samson training system)
An uncontrolled exothermic reaction in a reactor in Seveso, Italy, caused a safety relief valve to burst open in 1976. As a result, an unknown amount of highly toxic dioxin was released into the atmosphere. In Bhopal, India, several tons of toxins were released into the atmosphere in 1984 due to the failure of the safety systems. In 1988, a fire destroyed the Piper Alpha offshore oil platform in the North Sea. This catastrophe was caused by a temporarily missing high-pressure valve as well as several other sources of error such as a negligently secured pipeline, insufficient explosion protection and external platforms continuing to pump oil towards Piper Alpha during the fire. Deaths and severe injuries among staff and residents as well as environmental damage are merely the visible consequences of such accidents.

The risk created by a plant increases with the severity of the consequences in the event of a failure and the probability that such a failure will occur. To reduce the residual risk to a tolerable level, plant-specific emergency plans, passive and active mechanical safety measures and electronic safety instrumented systems (SIS) are implemented. These safety instrumented systems, which are independent of the basic process control system, comprise sensors, a safety control system and a final element. There is a clear assignment of roles within the SIS. The sensors measure the controlled variable (e.g. temperature, pressure, filling level) and transmit the measured data to the safety control system. The safety control system processes the received data independently of the basic process control system (BPCS) and causes the final element to perform the safety instrumented function in case of a failure. The final element executes the safety instrumented function, i.e. it opens or closes the valve as required. The term "final element" refers to the entire control valve including all mounted accessories, such as a solenoid valve, positioner and booster.

These components are expected to interact in the event of a failure and maintain the plant in a safe state. The performance required of a safety instrumented function is quantified in four discrete safety integrity levels (SIL 1 to 4). The safety instrumented system is categorised based on IEC 61508 and IEC 61511. While IEC 61508 (Functional safety of electrical/electronic/programmable electronic safety-related systems) is directed at manufacturers of individual components for use in a safety instrumented system, IEC 61511 (Functional safety: Safety instrumented systems for the process industry sector) is relevant to planners, builders and operators of safety instrumented systems.
Role of manufacturers

As part of a holistic safety lifecycle, manufacturers of safety components develop the required hardware and software in compliance with IEC 61508. As a result, they are also responsible for assessing the safety of their products. The materials employed and the technical design a unit is based on are just two of the most important factors in this connection. Alternatively, the suitability of a product for use in a safety instrumented system can be determined empirically, which has the added benefit that real ambient and process-related influences are taken into account.

The manufacturer identifies all characteristic values with a bearing on safety with the help of the mathematical models and calculation methods of the FMEDA (failure modes, effects and diagnostic analysis) and possibly also proven-in-use data (see table). These values are documented and confirmed in a product-specific manufacturer's declaration for which the manufacturer is responsible. The development process can optionally be supervised and certified by an independent body. The manufacturer is also responsible for providing instructions regarding a product's proper use, which are given in the safety manual. The characteristic values supplied by the manufacturer only describe the safety integrity that an individual component can theoretically achieve. A manufacturer obviously cannot make any statements regarding the safety integrity of a complete safety instrumented system.
Role of planners, builders and operators

Plant owners assess the requirements placed on the safety instrumented system (SIL rating) using a suitable method such as a risk graph, risk matrix or LOPA (layer of protection analysis). Planners and builders are responsible for designing the entire safety instrumented system to match the SIL rating and for selecting the individual safety components (sensors, final elements and safety control system), taking account of the latest advances in safety engineering. According to the standard, the suitability of a selected component must be verified for the ambient conditions and the specific process. As far as control valves are concerned, this means they must be sized correctly and the sizing process documented appropriately.
The performance achieved by the safety instrumented function, or SIL rating, depends on the device type used (degree of complexity as defined by the standard), the selected architecture and the probability of failure. Ideally, operators should rely on probability of failure values gathered from their own experience, i.e. prior use. These empirical values can be backed up by NAMUR data. The organisation also publishes a series of practical recommendations for plant planners and builders, including NAMUR Recommendation NE 130, which deals with proven-in-use devices, and NAMUR Recommendation NE 106 on the test intervals for safety instrumented systems.

Safety during shutdowns

Every plant shutdown presents a great challenge from an organisational, process, economic and safety point of view. All decisions are marked by the conflict of interest between adherence to schedules on the one hand and due diligence and safety on the other. Work quality, environmental protection and especially occupational health and safety as well as risk mitigation have to be ensured despite tight deadlines. Five action points to guarantee safe work processes have been identified for safety service providers.

Experienced occupational safety experts and safety engineers take on the project management role and coordinate all safety personnel.

Five tasks a service provider should provide

Dräger provides the very latest equipment technology available and takes care of maintenance and servicing of all equipment supplied.

A study conducted by Dräger and T.A. Cook shows that, according to the answers received, 80% of all accidents during downtime are due to human error. The number of accidents can be significantly reduced if a professional safety service provider is present throughout the shutdown and accepted by all stakeholders. This partner can take the required action from the planning phase onwards to help achieve the goal of zero accidents. Many plant operators have realised that by cooperating with partners, they can fully concentrate on their actual core competences. The overall responsibility for health and safety at work remains with the customer, but a service provider is appointed to implement and monitor the necessary measures.
Consistently high safety levels

During the first few days of a plant shutdown, the motivation of all parties involved
(plant operators and contractors) is still very high: the project is on time, all process
steps ideally have sufficient staff and material and everything is running smoothly.
However, after a while, this motivation starts to decrease, delays occur and it
becomes necessary to increase or reduce personnel and material levels, with
adjacent steps also affected. A professional safety service provider's task is to
monitor and support all work during the entire project phase and maintain an
overview of safety-relevant aspects. If appropriately authorised, this provider can
take preventive and corrective action, initiate the rescue chain in an emergency and
provide first aid where necessary.
Efficient approval processes

If up to 4000 additional employees of partner companies are on the premises simultaneously during a plant-wide shutdown, all of whom need to be deployed as efficiently and with as little waiting time as possible, everything has to run smoothly. This is only realistic if the approval processes for each step are exactly defined. Professional process management ensures transparency while appropriate tools allow the flexible deployment of staff. Precise process planning also contributes to increased efficiency: if confined spaces such as drums, columns, furnaces and machinery to be cleaned or serviced are gas-tested and approved by gas testers in the early morning before essential work is due to begin, a work permit can be issued and the confined spaces accessed without any further delay.
Individual safety briefings

Due to time and cost restraints, safety briefings for staff and contractors frequently only take place on the plant itself and in large groups shortly before the work starts. Special tasks and individual skillsets, especially of contractor employees, cannot always be taken into account here. The situation is different if an external safety service provider is involved in the shutdown planning phase and can invite the contractors to safety meetings in advance. These meetings may then be followed by specific individual training. This saves time during the shutdown, reduces uncertainties and motivates the external teams.
Optimised contractor selection

In the conflict between price and performance, the safety performance of contractors is an important selection criterion, since accidents can have very serious consequences. Systematic recording, documentation and analysis of unsafe behaviour and near-accidents during shutdowns represent a good basis for optimising the selection of contractors for the next project. Long-term reporting by an independent service provider is also helpful since the selection decision can be supported with data from earlier shutdowns.
Communication without stress
Especially during stressful projects such as shutdowns, misunderstandings can
occur between the plant operator's and the contractor's employees due to different
expectations, working cultures, etc. External safety service providers, on the other
hand, who see themselves as coaches, act as consultants on equal terms who can
help and negotiate in critical situations. This partnership approach makes it easier
to convey the meaning and purpose of safety guidelines and makes sure they are
complied with out of conviction rather than simply to avoid potential sanctions.
Dräger Rental & Safety Services combines modules tailored to each customer's needs to ensure a safe and cost-optimised shutdown. The personnel charged with this task are specifically trained and instructed to deal with shutdown scenarios. From individual safety coordinators through to complete HR organisations and management structures, Dräger offers a comprehensive set of services for effective personnel deployment. Its large pool of staff enables safety personnel to be flexibly assigned. Safety-related material is also provided. As a manufacturer, Dräger can moreover satisfy explicit individual requirements. Service employees maintain and clean the material on site in mobile breathing protection and gas detection workshops. This combination of personnel and material provisioning ensures holistic, customer-specific safety management throughout the shutdown.

Preventing valve failures


Distribution of roles in the process industry, taking the safety life cycle of the final element as an example (manufacturer on the left; planner, builder and operator on the right)

In the process industry, a safety-instrumented system (SIS) consists of sensors, a safety-related control system (logic solver) and a final control element. If the safety life cycle of the final element is considered, the clear distribution of roles is evident: manufacturers of safety components develop and manufacture according to IEC 61508. Planners, builders and operators of safety-instrumented systems follow IEC 61511. German users find regulations with practical advice on planning, building and operating safety-instrumented systems in VDI/VDE 2180, which is based on the international IEC 61508 and IEC 61511 standards. The German equivalent stipulates that measures be implemented to prevent systematic and random failures and increase the fault tolerance.
Systematic failures often undetected

Systematic failures have a fundamental effect on the reliability of mechanical components. For the proper selection and sizing of a component, it does not suffice to achieve the required calculated safety integrity level. The component must also be selected so that its operating principle and specifications match the process it is to be used in. Moreover, suitable conditions must be established to ensure that it functions reliably. For example, it is obvious that a safety valve can only provide reliable service on demand if it can fulfil its fail-safe function (i.e. move to the required end position) at any time. This can only be guaranteed if the valve manufacturer's assembly, installation and operating instructions are observed. In addition, no external mechanical influences or temporary events should impair the proper functioning of the safety valve. Systematic failures cannot be expressed statistically. They need to be mastered or excluded by suitable measures as part of a comprehensive functional safety management (FSM) system focused on failure prevention. Nevertheless, undetected systematic failures may occur. One classic example of an undetected systematic failure is a ball valve that has been assembled, installed and started up correctly, but does not perform its fail-safe action on demand because the ball is jammed in its operating position. This can happen if the valve has remained in this position for a long period of time. Suitable counteraction to be taken by plant operators includes testing the proper functioning of the valve at regular intervals during plant shutdowns or performing automatic tests while the process is running, e.g. partial stroke tests (PST). Such measures represent the latest developments in safety engineering and are a reasonable addition to functional safety management.
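The following is an added example of what a partial stroke test buys in PFDavg terms; it is not Samson's code or part of the article. It uses the widely used imperfect-proof-test approximation: the share of dangerous undetected failures that a partial stroke can reveal is treated as tested at the PST interval, and the remainder only at the full-stroke proof test during a shutdown. The valve assembly's dangerous undetected rate (200 FIT), the three-year shutdown interval, the monthly PST and the PST coverage values are all assumed for illustration, not manufacturer data; in practice the coverage figure comes from the valve's safety manual.

```python
"""Effect of partial stroke testing (PST) on the PFDavg of a final element.

Added example, not Samson's or the article's code.  It uses the common
imperfect-proof-test approximation: the share of dangerous undetected
failures that a partial stroke can reveal is treated as tested at the PST
interval, the remainder only at the full-stroke proof test during a
shutdown.  The valve's dangerous undetected rate, the test intervals and
the PST coverage are assumed values chosen for illustration.
"""

FIT = 1e-9             # failures per hour represented by one FIT
HOURS_PER_YEAR = 8760.0


def pfd_avg_single(lam_du, test_interval_h):
    """Simplified low-demand PFDavg of one channel: lambda_DU * TI / 2."""
    return lam_du * test_interval_h / 2.0


def pfd_avg_with_pst(lam_du, full_test_interval_h, pst_interval_h, pst_coverage):
    """PFDavg when a fraction pst_coverage of lambda_DU is revealed by partial stroke tests.

    pst_coverage = 0 is the no-PST case.  A coverage of 1 would mean the
    partial stroke reveals every dangerous failure, which a real PST never
    does: it cannot test full closure, seat tightness or the last part of
    the travel, so those failures wait for the full-stroke test.
    """
    if not 0.0 <= pst_coverage <= 1.0:
        raise ValueError("PST coverage must be between 0 and 1")
    revealed_by_pst = pst_coverage * lam_du
    only_full_test = (1.0 - pst_coverage) * lam_du
    return (pfd_avg_single(revealed_by_pst, pst_interval_h)
            + pfd_avg_single(only_full_test, full_test_interval_h))


def sil_band(pfd):
    """Low-demand SIL band of a PFDavg (0 = worse than SIL 1)."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0


def rrf_gain(lam_du, full_test_interval_h, pst_interval_h, pst_coverage):
    """Factor by which PFDavg drops once PST with the given coverage is added."""
    return (pfd_avg_with_pst(lam_du, full_test_interval_h, pst_interval_h, 0.0)
            / pfd_avg_with_pst(lam_du, full_test_interval_h, pst_interval_h, pst_coverage))


if __name__ == "__main__":
    lam_du = 200 * FIT             # assumed lambda_DU of the valve assembly
    full = 3 * HOURS_PER_YEAR      # full-stroke proof test at a 3-year shutdown
    pst = HOURS_PER_YEAR / 12      # monthly partial stroke test
    for coverage in (0.0, 0.5, 0.7):
        pfd = pfd_avg_with_pst(lam_du, full, pst, coverage)
        print("PST coverage %3.0f%%: PFDavg %.2e -> SIL %d band, gain x%.2f"
              % (100 * coverage, pfd, sil_band(pfd), rrf_gain(lam_du, full, pst, coverage)))
```

With these assumptions the valve sits in the SIL 2 band on a three-year full-stroke interval and moves into the SIL 3 band once a monthly partial stroke covers 70% of its dangerous undetected failures. Two caveats belong with that number: the credit only addresses random failures, so a ball jammed in its operating position (the systematic failure described above) is helped by PST only insofar as the partial movement actually exercises the ball, and the architectural constraints and systematic capability of the final element still have to support the higher SIL before it can be claimed.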
Random failures can be expressed

In contrast to systematic failures, random failures can be expressed statistically. These failures cannot be avoided in electronic components; in some cases, they cause the safety function to fail. Random failures of mechanical components are difficult to imagine if the stipulations of the applicable standards are followed by the manufacturer (IEC 61508) and operator (IEC 61511) under a comprehensive safety life cycle approach. Even though random failures hardly ever occur in mechanical components, the standards mandate that they be taken into account. This is mainly done through the dangerous undetected failure rate λDU, which is given in the manufacturer's specifications. Typical values based on a worst-case estimate for proven-in-use equipment are also found in NAMUR Recommendation NE 130. The average probability of failure on demand (PFDavg) can be calculated from the dangerous undetected failure rate and the proof test interval. The PFDavg value is directly related to the safety integrity level (SIL) described in IEC 61511.

The fault tolerance expresses the capacity of a safety-instrumented system to still perform its fail-safe function if a hardware fault or a software error occurs. One common method of increasing the fault tolerance is to use redundant systems. In redundant safety-instrumented systems, the failure of a single component does not affect the safety function of the entire system, as a second component takes over the safety function of the faulty component.
Selection of safety-related components

Plant planners, builders and operators profit from the expertise of manufacturers when selecting individual safety-related components. The companies belonging to the Samson Group, for example, develop and manufacture the entire range of final elements, from valves and actuators to valve accessories such as positioners, solenoid valves or limit switches. Back in 1995, Samsomatic, a member of the Group, applied for the certification of solenoid valves manufactured in compliance with the then-preliminary DIN V 19251 standard. Since then, these solenoid valves have been proven in use and are now being employed in smart Samson valve accessories. In 2006, Samson launched the Series 3730 Positioners with emergency shutdown (ESD) function. Since then, Samson equipment has been capable of emergency venting: the Series 3730 and 3731 Positioners as well as the smart Type 3738 Electronic Limit Switch with integrated solenoid valve and limit contact function.
In December 2011, Samson became one of the first valve manufacturers to have its complete R&D, design, production and sales processes for valves audited by TÜV SÜD according to IEC 61508-1. For plant planners and operators, this manufacturer certification has benefits when it comes to attesting prior use according to NAMUR Recommendation NE 130, as the prior use period is shortened by six months.
Despite the different roles assigned by IEC 61508 and IEC 61511, the company considers itself responsible for supporting operators and providing them with information on functional safety. Samson does this by holding hands-on training and participating in events like the SIL road show that tours Germany. In this connection the authors would like to draw attention to the seminar dealing with control valves and valve accessories used in safety-instrumented systems (SSA). The seminar includes a demonstration of a comprehensive safety-instrumented system and is an excellent opportunity for all participants and trainers from R&D, product management and after-sales service to discuss topics first hand.
