Understanding

Safety Instrumented
Systems
SIS
And Safety
Integrity Level

SIL

Worldwide Level and Flow SolutionsSM

2
THE NEW STANDARDS IN SAFETY

Protecting
People,
Profitability
and Productivity

I
ndustrial safety in pre-digital eras centered mainly around safe
work practices, hazardous materials control, and the protective
“armoring” of personnel and equipment. Today, safety penetrates far
deeper into more complex manufacturing infrastructures, extending its
protective influence all the way to a company’s bottom line.
Contemporary safety systems reduce risk with operational advancements
that frequently improve productivity and profitability as well.

New Standards. Until the 1980s safety management was largely self-
A WWII-era safety poster regulated. Prompted by the ascendency of electronic control devices,
growing complexities in manufacturing systems, environmental protec-
tion mandates, and a greater need to protect plant assets, new interna-
tional safety standards have emerged and continue to evolve. With the
M I L E S T O N E S introduction of standards such as IEC 61508, IEC 61511 and ISA 84,
interest in Safety Instrumented Systems (SIS) and general instrument
TUV (Bavaria) Microcomputers in
reliability has grown. In the pages ahead we’ll describe the basics of SIS
Safety-Related Systems (1984)
and Safety Integrity Level (SIL). We’ll conclude with an overview of
Health & Safety Executive (UK) Magnetrol’s level and flow instrumentation products that are suitable for
Programmable Electronic Systems in these new standards in safety and we’ll detail their reliability. Reliability
Safety Related Applications (1987) is the key, for even non-safety related people are now using analysis data
from these new regulations as an insight into device performance.
OSHA (29 CFR 1910.119) (1992):
Process Safety Management of
Highly Hazardous Chemicals
Understanding Risk. All safety standards exist to reduce risk, which is
inherent wherever manufacturing or processing occurs. The goal of elim-
Instrument Society of America inating risk and bringing about a state of absolute safety is not attain-
ANSI/ISA 84 (2004): able. More realistically, risk can be categorized as being either negligible,
Safety Instrumented Systems for tolerable or unacceptable. The foundation for any modern safety system,
the Process Industries
then, is to reduce risk to an acceptable or tolerable level. In this context,
International Electrotechnical
safety can be defined as “freedom from unacceptable risk.”
Commission (1998-2003) The formula for risk is:
IEC 61508 (2000): A general RISK = HAZARD FREQUENCY X HAZARD CONSEQUENCE
approach to Functional Safety Systems
IEC 61511 (2003): Process sector Risk can be minimized initially by inherently safe process design, by the Basic
implementation of IEC 61508
Process Control System (BPCS), and finally by a safety shutdown system.
 3

Layered Protection. No single safety measure can reduce risk and

protect a plant and its personnel against harm or mitigate the spread
of harm if a hazardous incident occurs. For this reason, safety exists Figure A
Layers of Protection*
in protective layers: a sequence of mechanical devices, process
controls, shutdown systems and external response measures which
prevent or mitigate a hazardous event. If one protection layer fails,
successive layers will be available to take the process to a safe state.
As the number of protection layers and their reliabilities increase,
the safety of the process increases. Figure A shows the succession
of safety layers in order of their activation:

1. Process Design: The Basic Process Control System

(BPCS) provides safety through proper design of process control.
This level consists of basic controls, alarms, and operator supervision.
2. Critical Alarms: This layer of protection provides critical
alarms which alert operators to a condition that a measurement
has exceeded its specified limits and may require intervention.
3. Automatic SIS: The SIS operates independently of the
BPCS to provide safety rather than process control. The SIS performs
shutdown actions when previous layers cannot resolve an emergency.
4. Relief Devices: This active protection layer employs valves,
pressure relief devices, or a flare system (if combustibles are present) PREVENTION LAYERS
to prevent a rupture, spill or other uncontrolled release. In-plant response layers
Prevent hazardous occurrences.
5. Plant Response: This passive protection layer consists of
containment barriers for fire or explosions as well as procedures for
evacuation. (Some models combine this and the next layer into one
“mitigation layer.”)
6. Community Response: The final (outermost) level of
protection is the emergency response action taken by the community
and consists of fire fighting and other emergency services.
MITIGATION LAYERS
External response layers
According to IEC standards, the methods that provide layers of protec- Mitigate hazardous occurrences.
tion should be: • Independent • Reliable • Auditable • Risk-specific in
design. The IEC definition of protective layers is rigorous because it
supports the use of safety layers in the determination of Safety Integrity
Level

*The above chart is based upon

Hazards Analysis. The levels of protective layers required is determined a Layers Of Protection Analysis
by conducting an analysis of a process’s hazards and risks known as a (LOPA) as described in IEC
61511 part 3 Annex F.
Process Hazards Analysis (PHA). Depending upon the complexity of the
process operations and the severity of its inherent risks, such an analysis
may range from a simplified screening to a rigorous Hazard and
Operability (HAZOP) engineering study reviewing process, electrical,
mechanical, safety, instrumental and managerial factors. Once risks and
hazards have been assessed, it can be determined whether they are below
acceptable levels. If the study concludes that existing protection is insuf-
ficient, a Safety Instrumented System (SIS) will be required.
4

Safety Instrumented
Systems (SIS)
The Safety Instrumented System (SIS) plays
a vital role in providing a protective layer
around industrial process systems. Whether
called an SIS, emergency or safety shutdown
system, or a safety interlock, its purpose is to
take process to a “safe state” when pre-deter-
mined set points have been exceeded or when
safe operating conditions have been trans-
gressed. A SIS is comprised of safety functions
(see SIF below) with sensors, logic solvers and
actuators. Figure B shows its basic components:
• Sensors for signal input and power
• Input signal interfacing and processing
Figure B Process schematic • Logic solver with power and communications
showing functional separation of • Output signal processing, interfacing and power
SIS (red) and BPCS (blue).
• Actuators (valves, switching devices) for final control function

SIF: Safety Instrumented Functions. A Safety Instrumented Function

(SIF) is a safety function with a specified Safety Integrity Level which is
implemented by a SIS in order to achieve or maintain a safe state. A
SIF’s sensors, logic solver, and final elements act in concert to detect a
SIS • SIF • SIL hazard and bring the process to a safe state. Here’s an example of a SIF:
R E L AT I O N S H I P A process vessel sustains a build-up of pressure which opens a vent
valve. The specific safety hazard is overpressure of the vessel. When
pressure rises above the normal set points a pressure-sensing instru-
SIS ment detects the increase. Logic (PLC, relay, hardwired, etc.) then opens
a vent valve to return the system to a safe state.

SIF 1 SIF 2 Like the safety features on an automobile, a SIF may operate continu-
SIL 2 SIL 2 ously like a car’s steering, or intermittently like a car’s air bag. A safety
function operating in the demand mode is only performed when
SIF 3 required in order to transfer the Equipment Under Control (EUC) into a
SIL 2 specified state. A safety function operating in continuous mode operates
to retain the EUC within its safe state. Figure C shows the relationship
between SIS, the Safety Instrumented Functions it implements, and the
Figure C Every SIS has one or Safety Integrity Level that’s assigned to each Safety Instrumented
more safety functions (SIFs) and Function.
each affords a measure of risk
reduction indicated by its safety
Safety Life Cycle. Earlier we mentioned how a Hazard and Risk
integrity level (SIL). The SIS and
the equipment do NOT have an Assessment study will determine the need for an SIS. This assessment is
assigned SIL. Process controls one part of a safety life cycle which all major safety standards have speci-
are “suitable for use” within a fied. The safety life cycle shows a systematic approach for the develop-
given SIL environment.
ment of a SIS. A simplified version is shown in Figure D.
 5

Figure D The Safety Life Cycle is a

sequential approach to developing
Safety Integrity Level (SIL) a Safety Instrumented System (SIS).
References to a Safety Life Cycle can
be found in ANSI/ISA 84.00.01 Parts
1–3; IEC 61508 Part 1; and IEC 61511
Parts 1–3.
To what extent can a process be expected to perform safely? And, in
the event of a failure, to what extent can the process be expected to
fail safely? These questions are answered through the assignment of
a target Safety Integrity Level (SIL). SILs are measures of the safety
risk of a given process.

Four Levels of Integrity. Historically, safety thinking categorized a

process as being either safe or unsafe. For the new standards, how-
ever, safety isn’t considered a binary attribute; rather, it is stratified
into four discrete levels of safety. Each level represents an order of
magnitude of risk reduction. The higher the SIL level, the greater
the impact of a failure and the lower the failure rate that is
acceptable.

Safety Integrity Level is a way to indicate the tolerable failure rate of

a particular safety function. Standards require the assignment of a
target SIL for any new or retrofitted SIF within the SIS. The assign-
ment of the target SIL is a decision requiring the extension of the
Hazards Analysis. The SIL assignment is based on the amount of
risk reduction that is necessary to maintain the risk at an acceptable
level. All of the SIS design, operation and maintenance choices must
then be verified against the target SIL. This ensures that the SIS can
mitigate the assigned process risk.

Determining SIL Levels. When a Process Hazards Analysis (PHA)

determines that a SIS is required, the level of risk reduction afforded
by the SIS and the target SIL have to be assigned. The effectiveness
of a SIS is described in terms of “the probability it will fail to per-
form its required function when it is called upon to do so.” This
is its Probability of Failure on Demand (PFD). The average PFD
(PFDavg) is used for SIL evaluation. Figure E shows the relationship
between PFDavg, availability of the safety system, risk reduction and
the SIL level values.

Various methodologies are used for assignment of target SILs. The

determination must involve people with the relevant expertise and
experience. Methodologies used for determining SILs include—but
are not limited to—Simplified Calculations, Fault Tree Analysis,
Layer of Protection Analysis (LOPA) and Markov Analysis.
6
SIL AVAILABILITY PFDavg Risk Reduction Qualitative Consequence

4 >99.99% 10-5 to <10-4 100,000 to 10,000 Potential for fatalities in the community
Figure E 3 99.9% 10-4 to <10-3 10,000 to 1,000 Potential for multiple fatalities
SIL and
2 99-99.9% 10-3 to <10-2 1,000 to 100 Potential for major injuries or one fatality
Related
Measures* 1 90-99% 10-2 to <10-1 100 to 10 Potential for minor injuries

SIL: Safety Integrity Level.

Assessing SIL-Suitable Controls. A Failure Modes, Effects and Diagnostic
AVAILABILITY: The probability Analysis (FMEDA) is a detailed performance evaluation that estimates the fail-
that equipment will perform its
ure rates, failure modes, and diagnostic capability of a device.
task.

PFDavg: The average PFD used The following concepts define key FMEDA data for SIL-suitable Magnetrol
in calculating safety system controls shown on pages 7 to 10:
reliability. (PFD: Probability of
Failure on Demand is the
probability of a system failing • FITS. Column one shows failure rates are shown as Failures in Time
to respond to a demand for (FITs) where 1 FIT = 1 x 10-9 failures per hour. A second failure rate column
action arising from a potentially has been added showing Annual data as it is becoming a commonly used
hazardous condition.)
value.

• SERIES. The brand and model designation of the control, e.g. Eclipse® 705.
* Both IEC and ANSI/ISA
standards utilize similar tables • SIL. A device’s Safety Integrity Level per IEC 61511. Because combined
covering the same range of sensors can increase the SIL, it is often stated as “1 as 1oo1 /2 as 1oo2,”
PFD values. ANSI/ISA, how-
meaning: SIL 1 if the device is one-out-of-one used; SIL 2 if it is one-out-of-two
ever, does not show a SIL 4.
No standard process controls devices used.
have yet been defined and
tested for SIL 4. • INSTRUMENT TYPE. Type “A” units are devices without a complex
micro- processor on board, and all possible failures on each component can
be defined. Type “B” units have a microprocessor on board and the failure
mode of a component is not well defined.

• SFF. Safe Failure Fraction indicates all safe and dangerous detected
failures. The formula for determining SFF is: The total failures minus the
dangerous undetected failures divided by the total failures. A SFF of 91%
FINAL WORD for the Eclipse 705-51A, for example, means that 91% of the possible failures
are self-identified by the device or are safe and have no effect.

• PFDavg. Average probability of failure on demand.

“The regulatory control
system affects the size of • FAIL DANGEROUS DETECTED. Dangerous failures detected by internal
diagnostics or a connected logic solver.
your paycheck; the safety
control system affects • FAIL SAFE. Failure that causes system to go to the fail-safe state with-
whether or not you will out a demand from the process.

be around to collect it.” • FAIL DANGEROUS UNDETECTED. Dangerous failures that are not
detected by the device.
—Irven H. Rinard
Professor and Chairman
Chemical Engineering
City College of New York
 7
SIL-Suitable Controls
• The SIL indicated below is per IEC 61508/61511. • Contact Magnetrol for complete FMEDA reports.
• Failure rates expressed in FITS and Annual. • FDFavg is calculated according to a proof
test interval of one year, though other proof test intervals can be applied.

LEVEL and FLOW TRANSMITTERS

• Transmitter failure rates assume the logic solver can detect both over-scale and under-scale currents.

• Eclipse® Guided Wave Radar Eclipse/Aurora 705 (510) 705 (51A)

Level Transmitter and Aurora®
Magnetic Level Indicator SIL 1 as 1oo1 2 as 1oo1
Instrument Type B B
The Model 705 Eclipse level transmit- SFF 84.5% 91.0%
ter (used in a redundant configuration PFDavg 8.06E-04 4.69E-04
with the Aurora Magnetic Level
Indicator) is the latest generation of FITS Annual FITS Annual
loop-powered 24 VDC transmitters. Fail Dangerous
Eclipse interchanges with coaxial, Undetected 183 1.60E-03 106 9.29E-04
twin rod, and single rod probes. An Fail Dangerous
optional PACTware™ DTM interface Detected 567 4.97E-03 650 5.69E-03
offers the leading-edge in configura-
tion, diagnostics and graphics. Safe 431 3.78E-03 424 3.71E-03

• Pulsar™ Thru-Air Pulsar Model RO5

Radar Level Transmitter
SIL 1 as 1oo1
The Pulsar Pulse Burst Radar level Instrument Type B
transmitter is the latest loop- SFF 73.7%
powered, 24 VDC thru-air radar PFDavg 9.72E-04
transmitter. It offers lower power
consumption, faster response time FITS Annual
and easy operation. Pulsar’s per- Fail Dangerous
formance is not process dependent. Undetected 222 1.94E-03
Its 5.8/6.3 GHz frequency performs Fail Dangerous
well in turbulence, foam and vapor. Detected 308 2.70E-03
Available with PACTware™ configu-
ration and diagnostics software. Safe 314 2.75E-03

• Modulevel® Displacer Modulevel Model ES II

Level Transmitter
SIL 1 as 1oo1
Digital ES II electronic transmitters Instrument Type B
are advanced, intrinsically safe two- SFF 66.5%
wire instruments. Features standard PFDavg 8.94E10-4
4-20 mA output, microprocessor-
based electronics, HART® compati- FITS Annual
ble output, remote calibration with- Fail Dangerous
out level movement, standard out- Undetected 204 1.79E-03
put range from 3.8 to 20.5 mA, Fail Dangerous
push-button program local calibra- Detected 257 2.25E-03
tion, and continuous self-test.
Safe 148 1.30E-03
8
SIL-Suitable Controls
LEVEL and FLOW TRANSMITTERS CONTINUED

• Jupiter™ Magnetostrictive Jupiter 20X / 22X / 24X 26X

Level Transmitter
SIL 1 as 1oo1 2 as 1oo1
The Jupiter magnetostrictive level Instrument Type B B
transmitter provides a 4-20 mA out- SFF 83.7% 90.7%
put proportional to level. Unit can be PFDavg 9.60E-04 5.45E-04
externally mounted to a magnetic level
indicator or directly inserted into a FITS Annual FITS Annual
vessel. Features 4-20 mA output; LCD Fail Dangerous
with push button operation; simple Undetected 218 1.91E-03 123 1.08E-03
set-up and configuration; easy attach- Fail Dangerous
ment to an MLI; direct insertion into Detected 698 6.11E-03 793 6.95E-03
a wide variety of vessels; and optional
HART® Communications. Safe 421 3.69E-03 413 3.62E-03

• Thermatel® TA2 Mass Thermatel Flow Meter Model TA2

Flow Meter
SIL 1 as 1oo1
Available in both in-line and inser- Instrument Type B
tion styles, the Thermatel TA2 SFF 69.0%
Mass Flow Transmitters provide PFDavg 1.42E-03
reliable mass measurement of air
and gas flow. The integral electron- FITS Annual
ics are contained within an explo- Fail Dangerous
sion-proof enclosure. The units Undetected 323 2.83E-03
come pre-calibrated and set up for Fail Dangerous
the user's applications. Easy to fol- Detected 343 3.00E-03
low software permits field changes
in the instrument's configuration. Safe 376 3.29E-03
 9
SIL-Suitable Controls
LEVEL and FLOW SWITCHES
• Relay-only devices assume the relay is configured Fail-safe (i.e. de-energize upon alarm or failure).
• Current shift devices assume the logic solver can detect both over-scale and under-scale currents.

• Echotel® Compact Echotel Model 940 Model 941

Ultrasonic Level Switches RELAY CURRENT SHIFT
SIL 2 as 1oo1 1 as 1oo1
Echotel Model 940 (relay version) Instrument Type B B
and Model 941 (current-shift SFF 92.8% 86.7%
version) switches are economical, PFDavg 1.07E-04 1.90E-04
compact switches with pulsed
signal ultrasound and tip-sensitive FITS Annual FITS Annual
transducers. High-performance Fail Dangerous
pulsed signal technology excels in Undetected 24 2.10E-04 43 3.77E-04
difficult conditions and provides Fail Dangerous
excellent immunity from electrical Detected 220 1.93E-03 191 1.67E-03
noise that is common in many
industrial applications. Safe 91 7.97E-04 91 7.97E-04

• Echotel Single Point Echotel Model 961-5 Model 961-2/7

Ultrasonic Level Switches CURRENT SHIFT RELAY
SIL 2 as 1oo1 2 as 1oo1
Echotel Model 961 single point Instrument Type B B
switches feature pulse wave technolo- SFF 91.4% 92.0%
gy with a tip-sensitive set point. The PFDavg 1.61E-04 1.77E-04
Model 961 is used as a high or low
level alarm. Features include FITS Annual FITS Annual
advanced diagnostics that continu- Fail Dangerous
ously check sensor and electronics. Undetected 36 3.15E-04 40 3.50E-04
An alarm will sound in the event of Fail Dangerous
electrical noise interference. Detected 288 2.52E-03 351 3.07E-03

Safe 96 8.41E-04 106 9.29E-04

• Echotel Dual Point Echotel Model 962-5 Model 962-2/7

Ultrasonic Level Switches CURRENT SHIFT RELAY
SIL 2 as 1oo1 2 as 1oo1
Echotel Model 962 dual point Instrument Type B B
switches are designed for level SFF 91.8% 91.5%
alarming or pump control. Features PFDavg 1.87E-04 2.31E-04
include pulse wave technology and
advanced diagnostics that continu- FITS Annual FITS Annual
ously check sensor and electronics. Fail Dangerous
An alarm will sound in the event of Undetected 42 3.68E-04 52 4.56E-04
electrical noise interference. Fail Dangerous
Detected 362 3.17E-03 427 3.74E-03

Safe 110 9.64E-04 130 1.14E-03

10

SIL-Suitable Controls
LEVEL and FLOW SWITCHES CONTINUED

• Sealed Cage Mechanical Cage Switches SPDT DPDT

Level Switches (Low Level Applications only)
SIL 2 as 1oo1 2 as 1oo1
External cage type level switches Instrument Type A A
are completely self-contained units SFF 76.1% 82.6%
designed for side mounting to a tank PFDavg 4.82E-05 3.50E-05
or vessel with threaded or flanged
pipe connections. These float- FITS Annual FITS Annual
actuated controls have proven Fail Dangerous
their reliability in process control Undetected 11 9.64E-05 8 7.01E-05
for decades. Nearly 30 Magnetrol Fail Dangerous
mechanical switch models are suitable Detected 0 0.00E+00 0 0.00E+00
for SIL 2 and SIL 3 environments.
Safe 35 3.07E-04 38 3.33E-04

• Thermatel TD Series Level, Thermatel Model TD1 Model TD2

Flow, Interface Switches
SIL 1 as 1oo1 1 as 1oo1
Thermatel Model TD1/TD2 flow, level, Instrument Type B B
interface switches feature continuous SFF 69.3% 73.0%
diagnostics with fault indication, PFDavg 6.13E-04 7.05E-04
temperature compensation, narrow
hysteresis and fast response time. FITS Annual FITS Annual
Non-linear mA output signal can be Fail Dangerous
used for trending, diagnostics and Undetected 140 1.23E-03 161 1.41E-03
repeatable flow/level indication. Fail Dangerous
Models will detect minimum flow Detected 252 2.21E-03 390 3.42E-03
or the presence or absence of flow.
Safe 65 4.69E-04 46 4.03E-04

• Thermatel TG Series Level, Thermatel Models TG1 / TG2

Flow, Interface Switches
SIL 1 as 1oo1
Thermatel TG1/TG2 switches provide Instrument Type B
a two-wire, intrinsically safe circuit SFF 79.4%
between the probe and remote din PFDavg 5.04E-04
rail enclosure. Switches are suitable
for liquid or gas flow, level, or FITS Annual
interface detection. TG1 (with red Fail Dangerous
alarm LED) and TG2 (no red alarm) Undetected 115 1.01E-03
feature 24 VDC input power, mA Fail Dangerous
output signal for diagnostics and Detected 188 1.65E-03
repeatable flow/level indication, and
adjustable set point and time delay. Safe 255 2.23E-03
 11

Visit magnetrol.com for more information on SIL-suitable Magnetrol controls

including complete FMEDA reports. For further information regarding SIS, SIL and
general process safety we recommend these online resources:

Subject: www:
IEC standards & bookstore................................iec.ch/home
ISA standards & bookstore................................isa.org
Exida engineering guides...................................exida.com
TUV functional safety services...........................tuv-global.com
UK Health & Safety Executive............................hse.gov.uk
Institution of Chemical Engineers...................... icheme.org
IHS/Global engineering documents...................global.ihs.com
Factory Mutual process safety...........................fm global.com
OSHA process safety standards........................osha.gov
Center for Chemical Process Safety..................aiche.org
 CORPORATE HEADQUARTERS
5300 Belmont Road • Downers Grove, Illinois 60515-4499 USA
Phone: 630-969-4000 • Fax: 630-969-9489
magnetrol.com • info@magnetrol.com
EUROPEAN HEADQUARTERS
Heikensstraat 6 • 9240 Zele, Belgium
Phone: 052 45.11.11 • Fax: 052 45.09.93

BRAZIL: Av. Luis Stamatis • 620-Jacana • Sao Paulo CEP 02260-001

CANADA: 145 Jardin Drive, Units 1 & 2 • Concord, Ontario L4K 1X7
CHINA: Room #8008 • Overseas Chinese Mansion • 129 Yan An Road (W) • Shanghai 200040
DEUTSCHLAND: Alte Ziegelei 2–4 • D-51491 Overath
DUBAI: Suite 1F1 Hamarain Centre • Abu Baker Al Siddique Road • P. O. Box-10984 • Dubai, United Arab Emirates
FRANCE: 40 – 42, rue Gabriel Péri • 95130 Le Plessis Bouchard
INDIA: E-22, Anand Niketan • New Delhi 110 021
ITALIA: Via Arese, 12 • 20159 Milano
SINGAPORE: 23 Woodlands Industrial Park E1 #04-01 • Singapore 757741
UNITED KINGDOM: Regent Business Centre • Jubilee Road • Burgess Hill, West Sussex RH15 9TL

Echotel®, Eclipse®, Modulevel®, Thermatel® and Pulsar™ are trademarks of Magnetrol International.
Aurora® and Jupiter™ are trademarks of Orion Instruments, a subsidiary of Magnetrol International.

Copyright © 2006 Magnetrol International. All rights reserved. Printed in the USA.
Bulletin: 41-299.0 • Effective: July 2006