Using Valves or Actuators in SIL Applications

Published: 22nd March 2018 | Issue 44

Figure 1: Relationship between SIL and functional safety properties of devices

Figure 2: Requirements (simplified) to determine the ‘Systematic Capability’ property

Author - Paul Reeve


This edition of Valve User Magazine continues with the second article in the series about using valves or actuators in SIL applications. The articles are written by Paul Reeve who is the BVAA SILs course trainer and a member of the BVAA technical expert group (TEG) on SILs.

Don’t forget, if you would like some in-depth training about SILs, specifically with valves and actuators in mind, consider attending the BVAA one-day SILs course coming up very soon in Banbury.

Here’s a recap of the main points, terms and abbreviations from Part 1 (previous edition of VU Magazine):

• A ‘safety instrumented function’ (SIF) is intended to provide a large amount of risk reduction in respect of a specific hazard

• The amount of risk reduction allocated to a SIF defines its ‘safety integrity level’ (SIL) from SIL 1 (lowest requirement of risk reduction) to SIL 4 (highest requirement)

• The relevant standards are the BS EN 61508-series (used by device manufacturers) and one of its derivatives BS EN 61511-1 (for process industry ‘safety instrumented systems’ - SIS)

• A SIF is engineered from sensors (measuring pressure, flow, temperature, etc), logic solvers (such as PLCs, trip amplifiers, electrical relay logic, etc) and actuated final elements

• When it is required to act, the SIF must put the plant into a defined ‘safe state’

• The safety instrumented system (SIS) that performs the SIF(s) should be detailed in a safety requirements specification and made available to those who are designing the SIS or bespoke parts of it (like actuated final elements)

• Each SIF (and its associated SIL) is determined prior to any detailed design of the physical safety system including its final elements

• The SIL is a measure of safety performance for the SIF in its specific application and is not a property of an individual device (like a valve or actuator)

Part 2: What properties need to be known about valves and actuators to enable their use in SIL applications?

Introduction to Part 2

Given the basic introduction in Part 1 of this series (see points above), the key task for manufacturers is to ascertain the functional safety properties of their device to determine whether it is suitable for use in a safety instrumented system (SIS) which performs safety functions at a required SIL (1 to 4).

Figure 1 shows that designing a SIS and verifying its SIL(s) is normally done by the system designer (typically a systems integrator or engineering company) – the middle box in the diagram. The organisation should already know the required safety function(s) and associated SIL(s) in order to design the system properly (from the information flowing “top down” in the diagram).

During system realisation, the designer must select suitable devices based on the manufacturers’ product specifications (from the information flowing “bottom up” in the diagram). For this article we shall assume that this is the case and that the valves/actuators are either mass-produced items or based on a standard product.

It is important to realise that in the model shown in Figure 1, the valve/actuator manufacturers often don’t know the safety application (i.e., the SIF and its SIL, shown in the centre box in Figure 1) that their products are going into.

Without this knowledge the manufacturer cannot say whether a SIL (1 to 4) can be achieved. However, the manufacturer can and should state the functional safety properties for their device; some properties will place a limit on the achievable SIL regardless of what other devices are used; some properties may limit the SIL depending on the other devices used.

Many manufacturers summarise this as a “SIL capability” (1 to 4). This should probably be understood as a provisional indicator of what SIL might be achievable (like a best-case scenario with caveats).

The important thing to remember is that BS EN 61508 does not assign a SIL to a single element in the system, it applies to the overall SIF which is engineered from the sensor, logic and final element subsystems containing their respective elements (which can also be used in a voting arrangement to achieve a higher SIL).

For the purpose of this article we shall mainly concern ourselves with final element devices.

How can the system and its elements fail?

The functional safety properties for a device are concerned with how the product can fail to perform its specified function(s). Functional failures can occur for many different reasons, but broadly speaking, they can be divided into two main categories:

1. Failures that occur due to degradation mechanisms in the constituent components that take effect over time. Experience shows that for a very large number of a given component, observing the occurrence of these apparently random failures over an extended time indicates a reasonably constant ‘failure rate’ which can be measured using statistical methods. With knowledge of the failure data for all the components in a product, it is possible by analysis to determine the failure modes and rates of the assembled product. These types of failures are known as random hardware failures or probabilistic failures.
2. Failures that occur due to poor design or process (including documentation errors). Examples of these are design faults not identified by verification (e.g., testing), intolerance to the installed environment, programming mistakes, manufacturing defects, specification errors, calibration errors, human error, etc. Unlike random hardware failures, these failure types do not occur in a probabilistic manner and so cannot be analysed using statistical methods. (In fact, these failure types can also be introduced at any stage in the product’s life including operation, not just during design and manufacture). Rather than being a random effect, these failures will affect every unit in the same way (because the causes and effects are systematic) and so they are referred to as systematic failures.

Because the two failure categories above are fundamentally different, they need to be addressed and parameterised differently. The rest of this article focuses briefly on each one and the associated functional safety properties that need to be determined before the product can be qualified for use in a safety instrumented system.

Random hardware failures
These failures can be quantified using an appropriate analytical method. Methods such as failure modes and effects analysis (FMEA) can be used to explore how each component failure mode affects the overall unit function, i.e., how the failure is manifest in terms of the unit’s output behaviour (switch contacts stuck closed, no signal output, fail to move to the closed position, etc), and for each mode of failure, a failure rate can be obtained. Furthermore, knowing how the device is used in the overall safety function (i.e., with knowledge of the safety application – see Figure 1) each failure mode can be classified as ‘safe’ or ‘dangerous’. Although these failure modes and rates are inherent to the hardware design, the use of designed-in diagnostics and external testing can reveal faults if/when they occur so that action can be taken to maintain the safe state of the process plant.

Random hardware failure rates are quantified and given the Greek symbol lambda (λ). Units can vary, but typically a λ-value is in failures per hour (index or scientific notation is used) or failures per 1,000 million hours, known as ‘failures in time’ (FIT). Component failure rates are summed in the analysis according to their effect on the output behaviour of the product (typically one or two dominant failure mode descriptions, or classified as ‘safe’, ‘dangerous-undiagnosed’, ‘dangerous-diagnosed’, etc, if the safety application is known or can be assumed).

Once the random hardware-related properties (described above) of all the devices in a SIS (or the ‘final element’ subsystem of the SIS) are determined for the safety application, the average probability of failure on demand (PFDAVG) for a ‘low demand’ safety function can be calculated. (Most SIFs in the process industry are ‘low demand’). The calculation requires a figure for the mean time to repair (MTTR) and the proof test interval (T1) (both are typically assumed in the first instance, for illustration).

The PFDAVG is usually calculated for each subsystem function (sensor, logic solver, final element) and then summed to obtain the PFDAVG for the overall safety instrumented function. The result can then be compared with BS EN 61508-1 table 2 (see previous article) to establish what SIL is achieved. Note, the SIL also requires a suitable architecture (covered next time) and the ‘systematic capability’ number to at least equal the SIL.

Systematic failures
These failures do not lend themselves to being quantified with a rate, but their introduction needs to be avoided or their effects controlled in some way. This comes down to a careful, systematic and suitably rigorous approach to the specification, design, development, testing and manufacturing process for the product. Greater rigour in the methods used leads to a greater integrity against systematic failures. The techniques and measures to be used for systematic design integrity are defined in BS EN 61508-2. Use of the right groups of techniques and measures will define a product as having a Systematic Capability (i.e., a built-in defence against these systematic failures), classified as SC 1, 2, 3 or 4. The SC number relates directly to the suitability of the product in safety functions with SIL 1, 2, 3 or 4 respectively (as far as systematic integrity is concerned). This is shown diagrammatically in Figure 2.

Designing safety instrumented functions (SIFs) using functional safety device properties
It is essential that the system designer / integrator uses each product vendor’s failure data in accordance with what the device does in relation to the safety instrumented function (SIF). For example, if the vendor’s data is for a valve to fail to move to its closed position, then the data for this failure mode should not be used for a safety application that requires the valve to open.

The functional safety parameters and all related information (conditions, assumptions, restrictions in use) should be contained in the product vendor’s safety manual and should be made available to SIS designers/integrators. The product safety manual is a mandatory requirement for devices that comply with BS EN 61508.
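As an added worked example (not from the article or the BVAA), the following shows how the random hardware properties, the systematic capability and the failure-mode direction check described above combine for a simple low-demand 1oo1 loop: each vendor failure mode is classified safe or dangerous against the SIF’s demanded action, PFDAVG is summed per subsystem and mapped to a SIL band, then capped by the lowest SC in the loop. Assumptions not stated in the article: the standard 1oo1 low-demand approximation PFDAVG ≈ λDU·(T1/2 + MTTR) + λDD·MTTR, the BS EN 61508-1 table 2 low-demand bands, and all sample failure modes, rates, SC values, T1 and MTTR, which are constructed for illustration.

```python
from dataclasses import dataclass

FIT = 1e-9  # 1 FIT = one failure per 1,000 million hours
# BS EN 61508-1 table 2, low-demand mode: SIL -> [lower, upper) PFDavg band
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}

@dataclass
class FailureMode:
    name: str
    rate_fit: float          # vendor failure rate in FIT
    blocks: str              # demanded action this mode defeats ("close"/"open"); "" = spurious trip only
    diagnosed: bool = False  # revealed by built-in diagnostics or external testing
@dataclass
class Element:
    name: str
    sc: int                  # vendor-declared systematic capability, SC 1..4
    modes: list[FailureMode]
def classify(el: Element, demanded_action: str) -> tuple[float, float, float]:
    """(lambda_DU, lambda_DD, lambda_S) in failures/hour for THIS SIF: only a mode that
    defeats the demanded action is dangerous, so fail-to-open is safe for a close-on-demand SIF."""
    lam_du = lam_dd = lam_s = 0.0
    for m in el.modes:
        if m.blocks != demanded_action:
            lam_s += m.rate_fit * FIT
        elif m.diagnosed:
            lam_dd += m.rate_fit * FIT
        else:
            lam_du += m.rate_fit * FIT
    return lam_du, lam_dd, lam_s

def pfd_avg_1oo1(lam_du: float, lam_dd: float, t1_h: float, mttr_h: float) -> float:
    """Assumed standard 1oo1 low-demand approximation (a simplification, not from the article)."""
    return lam_du * (t1_h / 2 + mttr_h) + lam_dd * mttr_h
def sil_from_pfd(pfd: float) -> int:
    """SIL band reached by a PFDavg; 0 = worse than SIL 1, values below 1e-5 are reported as 4."""
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= pfd < hi:
            return sil
    return 4 if pfd < 1e-5 else 0
def achieved_sil(loop: list[Element], demanded_action: str, t1_h: float, mttr_h: float):
    """Sum subsystem PFDavg, then cap the SIL by the lowest SC in the loop -> (SIL, PFDavg)."""
    total = sum(pfd_avg_1oo1(*classify(e, demanded_action)[:2], t1_h, mttr_h) for e in loop)
    return min(sil_from_pfd(total), min(e.sc for e in loop)), total

# Constructed sample loop (rates, SC, T1 and MTTR are illustrative only): close-on-demand SIF
SENSOR = Element("pressure transmitter", 3, [FailureMode("output stuck low", 100, "close", True),
                                             FailureMode("frozen reading", 50, "close")])
LOGIC = Element("logic solver", 3, [FailureMode("output stuck energised", 20, "close", True),
                                    FailureMode("spurious de-energise", 40, "")])
VALVE = Element("actuated valve", 2, [FailureMode("fail to close", 300, "close"),
                                      FailureMode("fail to open", 200, "open")])
SIF = [SENSOR, LOGIC, VALVE]   # annual proof test: achieved_sil(SIF, "close", 8760, 8)
```

With an annual proof test the sample loop lands in the SIL 2 band; with a quarterly proof test the PFDAVG reaches the SIL 3 band, but the valve’s SC 2 still caps the achieved SIL at 2.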

The way that the functional safety properties for each device are used to create a SIF and verify its SIL is the main subject of the next article. You can also get more information on SILs in the BVAA Guidelines for suppliers of SIL capable products:
www.bvaa.org.uk/news/2056/new-guidelines-for-suppliers-of-silcapable-products

Summary of the main points in this article

• Safety requirements for the SIF(s) and their SIL(s) flow “top down” from a process hazard and risk analysis
• Valve and actuator manufacturers need to determine the “functional safety properties” of their devices (together with any conditions and restrictions in safety applications) from a “bottom up” analysis of the device’s reliability and integrity
• Some device (element) properties will place a limit on the achievable SIL regardless of the other devices used in the system; some properties may limit the SIL depending on the other devices used
• The SIL is not a property of a single device in the system, it applies to the overall SIF which is engineered from the sensor(s), logic and final element subsystems
• Devices have random hardware failures which, with knowledge of a particular safety application, can be divided into safe and dangerous failure modes and quantified with failure rates
• Devices are also designed with defences against systematic failures; the methods used determine the element’s systematic capability (assigned SC 1, 2, 3 or 4) which will limit the SIF they are used in to SIL 1, 2, 3 or 4 respectively
• Safety system designers must use each product vendor’s failure data (presented in the safety manual) in accordance with how the device contributes to the safety instrumented function (SIF)
• Safety system designers use the elemental functional safety properties according to the reliability model of the SIF they are designing (using the appropriate calculation) to establish the PFDAVG figure and hence achieve the required SIL – this area will be covered in the next article

Tel: 01244 457 671
Email: paul.reeve@silmetric.com
Web: www.silmetric.com
