SIL Safety Integrity Level: Tools & References

Uploaded by

Steve Forster

SIL

Safety Integrity Level

Tools & references

An independent professional Community with a unique focus: Functional Safety


Preamble

This advertorial has been prepared by Safety Users Group (S.U.G.) at users' request for methods
of calculating safety-related system failure measures. These calculated failure measures can be
checked against the SIL target failure measures to determine whether they meet the required Safety
Integrity Level (SIL).

Disclaimer

This document is not intended to be a complete and exhaustive information resource on the topic. Its
preparation was conditioned by the access to and availability of information sources and the
permissions granted for including the references in this document. It is S.U.G.'s policy to publish
authorized references and links only.

S.U.G. has no opinion or judgment on the quality, results, degree of relevance, adequacy and
consequences of the use of any utility, package, product, system or service listed in this document.

S.U.G. does not take any responsibility for any consequences of the use of any utility, package,
product, system or service listed in this document, nor for the accuracy of the information and of
the links in particular. However, S.U.G. verified all links prior to the release of this document.

S.U.G. trusts that the information will help professionals to find useful resources and methods to fit
their needs for supporting their business.

Update

This document is the first release. It will be updated as new resources become available on the
marketplace and/or permissions are granted. To have your references, tools and methodologies included
in the next release of this document, simply contact Safety Users Group. As an independent
professional community, S.U.G. provides this offer to all parties as a complimentary service.

All legal terms and conditions related to the use of the S.U.G. portal are applicable for this document.
There are no copyrights and you may use this document as is, or acknowledge the source.

Safety Users Group®, Inc. – California, USA, 2007
14938 Camden ave, suite 117
San Jose – CA 95124
USA
[email protected]
www.safetyusersgroup.com

Page 2
August 2007
AD070002 rev1
Table of contents
Functional safety
Safety Integrity Level (SIL)
1. Introduction
2. ABB, TRAC – Trip Requirement and Availability Calculator
3. ACM Facility Safety, SilCore™
4. AIM - Asset Integrity Management, SILSuite™
5. Exida, exSILentia™ SILver™
6. Hima, SILence™
7. Isograph, FaultTree+, Reliability Workbench, AvSim+, Hazop+
8. Iso Ingénierie, EvoluSIL®
9. Relex, Relex Reliability Studio 2007

Functional Safety
Safety Integrity Level – SIL

Introduction
Based upon the increasing use of electrical, electronic and programmable electronic systems to
perform safety functions, the IEC (International Electrotechnical Commission) decided to
develop a safety standard that provides guidance on the development of safety applications. In
1998 the IEC issued an international standard, IEC 61508 titled “Functional safety of
electrical/electronic/programmable electronic safety-related systems”. This international
standard covers those aspects to be considered when electrical/electronic/programmable
electronic systems (E/E/PESs) are used to carry out safety functions.

IEC 61508 is a basic safety standard and it can be used to develop application sector
international standards. The standard can also be used in sectors where application standards
do not exist. The IEC has developed the IEC 61511 application sector standard for the process
industries.

The IEC 61508 and IEC 61511 standards use safety integrity levels for specifying the target
level of safety integrity for the safety functions to be implemented by the E/E/PE safety-related
systems. Safety integrity is the probability of a safety-related system satisfactorily performing
the required safety functions under all the stated conditions within a stated period of time. The
standard defines four levels of safety integrity. The higher the level of safety integrity, the lower
the probability that the safety-related system will fail to carry out the required safety functions.
The IEC 61508 and IEC 61511 standards define two target failure measures:
1) the average probability of failure to perform the design function on demand, PFDavg (for a
low demand mode of operation) and
2) the probability of a dangerous failure per hour, λD (for a high demand or continuous mode of
operation).

Part 5 of the IEC 61508 standard provides examples of methods that can be used to determine
the safety integrity levels. Annex A of IEC 61508-5 provides information on the concepts of risk
and the relationship of risk to safety integrity. Annexes B through E of IEC 61508-5 describe
different methodologies that can be used to determine the required safety integrity level for the
safety application.

Once the safety integrity level is defined for the safety application being implemented, the target
failure measure and the range of the target failure measure are defined using Tables 2 and 3 in
the IEC 61508-1 standard. For example, if SIL 3 is required for a safety-related system
operating in the low demand mode of operation, the target failure measure is PFDavg, and PFDavg
should be in the range 10⁻⁴ to < 10⁻³.

Part 6 of the IEC 61508 provides example techniques for the evaluation of probabilities of
hardware failures. It is important to note that the total probability of failure must include the
probability of failure of the sensors, logic subsystem and the final elements. The probability of
failure for the logic subsystem is normally provided by the supplier of the logic subsystem. The
integrator of the safety system must determine the probability of failure of the sensors and final
elements to determine the total probability of failure of the overall system.

Annex C in part 6 of the IEC 61508 provides examples for determining the dangerous failure
rates required to calculate the failure measures. Since many safety systems will require
redundant subsystems, common cause failures must be considered.

Annex D in part 6 of IEC 61508 provides a methodology for quantifying the effect of
hardware-related common cause failures.
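As an added worked example (not part of the S.U.G. document or of any tool listed in it), the Python below carries the procedure just described through numerically: it sums the PFDavg of the sensor, logic-solver and final-element subsystems of a low-demand loop, includes a beta-factor common-cause term for a redundant sensor pair, and maps the total onto the IEC 61508-1 Table 2 SIL bands (Table 3 bands for the per-hour measure are included as well, going slightly beyond the SIL 3 case the text gives). The 1oo1 and 1oo2 channel formulas are the simplified IEC 61508-6 style approximations, and every failure rate, proof-test interval, logic-solver figure and beta value is a constructed sample input, not data from any product.

```python
"""Added example, not from the S.U.G. document or any listed tool: sums the PFDavg of a
low-demand safety function's sensor, logic-solver and final-element subsystems and maps
the total onto the IEC 61508-1 SIL bands. Channel formulas are simplified IEC 61508-6
approximations; all rates, intervals and the beta value are constructed sample inputs."""

# IEC 61508-1 Table 2 (low demand, PFDavg) and Table 3 (high demand, per hour):
# lower bound inclusive, upper exclusive, e.g. SIL 3 means 1e-4 <= PFDavg < 1e-3.
SIL_PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}
SIL_PFH_BANDS = {4: (1e-9, 1e-8), 3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)}

def sil_from_measure(value, bands):
    """SIL whose band contains value; 0 if worse than SIL 1, 4 if below the SIL 4 band."""
    for sil in (4, 3, 2, 1):
        lo, hi = bands[sil]
        if lo <= value < hi:
            return sil
    return 4 if value < bands[4][0] else 0

def pfd_1oo1(lambda_du, t1_hours):
    """Single channel: undetected dangerous failure rate (per hour) x proof-test interval / 2."""
    return lambda_du * t1_hours / 2.0

def pfd_1oo2(lambda_du, t1_hours, beta):
    """Redundant pair: independent term ((1-beta) lambda T1)^2 / 3 plus common-cause beta lambda T1 / 2."""
    independent = ((1.0 - beta) * lambda_du * t1_hours) ** 2 / 3.0
    common_cause = beta * lambda_du * t1_hours / 2.0
    return independent + common_cause

def check_loop(subsystems, required_sil):
    """Total PFDavg of the loop, the SIL band it lands in, and whether the target is met."""
    total = sum(subsystems.values())
    achieved = sil_from_measure(total, SIL_PFD_BANDS)
    return total, achieved, achieved >= required_sil

def example_loop(final_element_t1_hours):
    """Constructed SIL 3 loop: 1oo2 transmitters, supplier-quoted logic solver, 1oo1 valve."""
    return {
        "sensors_1oo2": pfd_1oo2(lambda_du=1e-6, t1_hours=8760, beta=0.05),
        "logic_solver": 5e-5,  # constructed stand-in for the figure the logic supplier provides
        "final_element_1oo1": pfd_1oo1(lambda_du=2e-7, t1_hours=final_element_t1_hours),
    }

if __name__ == "__main__":
    for t1 in (8760, 4380):  # annual vs six-monthly proof test of the valve
        total, sil, ok = check_loop(example_loop(t1), required_sil=3)
        print(f"valve T1={t1} h: PFDavg={total:.2e} -> SIL {sil}, SIL 3 met: {ok}")
```

With the constructed inputs the annually tested valve dominates the loop and pushes the total into the SIL 2 band; halving its proof-test interval brings the loop into the SIL 3 band, which is the kind of trade-off the listed tools automate.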

The subsystems must also meet the minimum hardware fault tolerance requirements defined in
IEC 61508 or IEC 61511 (IEC 61511 applies to applications in the process industry sector).
Tables 2 and 3 in part 3 of the IEC 61508 apply for subsystems developed using 61508.
Tables 5 and 6 in part 1 of the IEC 61511 apply for subsystems developed for applications in
the process industry sector.

The developer of a safety-related system must also ensure that all the activities outlined in the
IEC 61508 (or IEC 61511 if appropriate) safety lifecycle have been performed. The
management of the development of the safety-related systems is extremely important and both
standards provide guidance in this area. The software is also extremely important and great
care should be taken to ensure the software performs the required safety functions. Where
possible, limited variability, application-oriented software should be used to develop the safety
software. IEC 61511 defines some of the limited variability languages appropriate for safety
applications.

Verification of the software must be thoroughly performed to ensure the software has properly
implemented the safety functions. In general, persons independent of the design and
development of the software should also be used to verify the software.

Other Documents

The resources referenced by the following sections of this document provide the user
with tools that cover various aspects of the development of a safety-related system.
Many of the tools allow the user to calculate the probability of failure of the
safety-related system and hence determine the SIL that can be achieved by the system.

Company: ABB

Product - Package: TRAC – Trip Requirement and Availability Calculator

Features brief: TRAC is a PC-based software tool used to assist safety, project and maintenance
engineers in determining the optimum design configuration and periodic test intervals for
Instrumented Protective Systems. It provides the engineers with a systematic and consistent
approach to calculating the required Integrity Level (IL) and trip test interval for services
relating to safety, environmental or asset loss.

Reliability and IEC Risk Graph methodologies underpin quantitative and qualitative techniques to
calculate optimum values for the trip testing interval set against the projected annualised cost.
It has been designed with the remit to provide a means for optimisation of trip testing intervals
and relative cost, in accord with the HSE (Health and Safety Executive) regulatory framework.

Link(s): http://www02.abb.com/GLOBAL/SEITP/SEITP161.NSF/viewunid/0568181EC213FB7C80256CB000534E85/$file/TRAC.pdf

Website(s): www.abb.com

Contact(s): Offices
Billingham, Cleveland, UK
Daresbury, Warrington, UK +1 44 (0)1925 74111

Paul Lucas
[email protected]

Stuart Nunns
Tel +44 (0)1642 372 134
[email protected]

Company: ACM Facility Safety (a division of ACM Automation Inc.)

Product - Package: SilCore™

Features brief: First launched in 2003, SilCore™ is a field-proven, IEC 61511 compliant Safety
Integrity Level (SIL) Lifecycle tool that gives high integrity and critical control systems
designers, engineers, operators and maintainers the information and power to conduct SIL
Determination, Validation and Optimization exercises.

SilCore™ accommodates LOPA, Risk Graph and Safety Layer Matrix methods of SIL Determination. It
provides the ability to integrate all aspects of the SIL Lifecycle – from importing Risk
Assessment (i.e. HAZOP) data through to enabling facility operators to manage the integrity of
their installed safety and critical control systems.

Users can print SIL Determination and SIL Validation worksheets, LOPA summary tables, SIL
Recommendations and Maintenance reports in Word, Excel and PDF.

Licenses are available in stand-alone, network and corporate versions. Full-featured demo
versions are available for download.

Link(s): www.acm.ab.ca/toolsSilCoreFeatures.cfm

Website(s): www.acm.ab.ca

Contact(s): Offices
Calgary, Alberta, Canada +1 403 264 9637
St. John's, Newfoundland, Canada +1 709 726 3313
www.acm.ab.ca/CONTACTOffices.cfm

Or, visit Safety Users Group Directory.

Company: AIM - Asset Integrity Management

Product - Package: SILSuite™

Features brief: AIM SILSuite™ is a full set of IEC 61508/61511 life cycle software applications
with data exchange capabilities. Each application can be used independently, but the integrated
data exchange allows users to expand their application set as they develop their Safety
Instrumented Systems management requirements.

Link(s): www.assetintegrity.co.uk/proda_suite.html

Website(s): www.assetintegrity.co.uk

Contact(s): Main offices
Aberdeen, UK +44 (0)1224 733364
Vancouver, Canada +1 604 781 9601
Somerset West, South Africa +27 21 851 4899
www.assetintegrity.co.uk/contact.html

Or, visit Safety Users Group Directory.

Company: Exida

Product - Package: exSILentia™ SILver™

Features brief: Integration of the SIL selection, Safety Requirements Specification and SIL
verification lifecycle tasks allows for a clear overview when it comes to functional safety
standards compliance.

The exSILentia™ tool allows for the specification of one project, consisting of multiple Safety
Instrumented Functions, each having its specific SILect, SI, SRS and SILver records. The automated
documentation generation in exSILentia™ allows for easy, complete reports for compliance with
functional safety standards like ANSI/ISA 84.00.01:2004, IEC 61508 and 61511 that require these
lifecycle activities.

The exSILentia™ SILver™ calculations and development process have been independently verified
and certified by TÜV Nord. The tool can be used for Safety Instrumented Functions up to SIL 4.

Link(s): www.exsilentia.com

Website(s): www.exida.com

Contact(s): Main offices
Munich, Germany +49 89 49 00 05 47
Sellersville, PA, USA +1 215 453 1720
www.exida.com/company/contactus.asp

Or, visit Safety Users Group Directory.

Company: Hima

Product - Package: SILence™

Features brief: SILence™ supports probability of failure calculations and SIL value definitions
for your safety loops. It is a TÜV-confirmed, IEC 61508-compliant SIL calculation tool.

Link(s): www.hima.com/Kundenwelt/Process_Applications/Product_overview/_Software/SILence.asp

Website(s): www.hima.com

Contact(s): Main offices
Brühl, Germany +49 6202 709 255
www.hima.com/Kundenwelt/Contact/Contact.asp

Or, visit Safety Users Group Directory.

Company: Isograph

Product - Package: FaultTree+, Reliability Workbench, AvSim+, Hazop+

Features brief:
• FaultTree+ provides a visual fault tree builder and comprehensive analysis capabilities.
• Reliability Workbench is an integrated visual environment in which failure rate prediction,
FMECA, Reliability Block Diagram, Fault Tree, Event Tree and Markov analysis are combined.
• AvSim+ is a Monte Carlo based simulation package for analyzing system availability and
reliability problems using fault trees or reliability block diagrams.
• Hazop+ provides a familiar visual environment in which to design and use the study and action
forms that are the basis for entering Hazop information.

Link(s): www.isograph-software.com/prodsumm.htm

Website(s): www.isograph-software.com
www.isograph-software.it

Contact(s): Headquarters - The Malt Building, Wilderspool Park, Greenalls Avenue, Warrington,
WA4 6HL, United Kingdom
Tel +44 1925 43 7001
[email protected]
___________________
8001 Irvine Center Drive, Suite 1430, Irvine, CA 92618, USA
Tel +1 949 502 5689
[email protected]
___________________
STUDIO DM, Via Dalmine, 10/a, 24035 Curno (BG), Italy
Tel. +39 035611942
[email protected]
___________________
Or, visit Safety Users Group Directory.

Company: ISO Ingénierie

Product - Package: EvoluSIL®

Features brief: EvoluSIL® is a dedicated tool for supporting projects whose objective is to
improve Safety Instrumented Functions (SIF) and to evaluate the Safety Integrity Level (SIL).
• Define the required SIL for specific SIFs (HAZOP-LOPA, Fault Tree Analysis, FMEA)
• Write the safety requirements specifications for SIFs (Causes & Effects matrix…)
• Design or modify existing hardware and software architectures (technologies, HFT, voting,
qualitative requirements…)
• Assess the actual SIL achieved at the commissioning and operation phases (including PFD
calculation)
• Support SIF operation and maintenance tasks (proof test frequency, MTTR…)

Link(s): -

Website(s): www.iso-ingenierie.com

Contact(s): 26 av. Duguay Trouin, 78960 Voisins le Bretonneux, FRANCE
Tel +33 (0)1 30 12 38 10
Fax +33 (0)1 30 12 38 15
[email protected]

Or, visit Safety Users Group Directory.

Company: Relex

Product - Package: Relex Reliability Studio 2007 (Fault/Event Tree, FMEA/FMECA, Markov)

Features brief: Relex offers a series of integrated analysis modules, all bundled in the Relex
Reliability Studio.
• Fault / Event Tree: fully-featured risk assessment tool for Fault Tree and Event Tree
methodology
• FMEA/FMECA: comprehensive analysis tool for design, process, and component FMEA
• HFRA: Human factors risk analysis
• Reliability Prediction: reliability prediction methodology supporting all current prediction
standards
• RBD: graphical reliability block diagram evaluator
• OpSim: system optimization and simulation
• Weibull: Weibull statistical analysis
• Markov: visual state and network diagram analysis
• FRACAS: failure reporting, analysis and corrective action system

Link(s): www.relex.com/products/index.asp
Demonstration upon request at http://www.relex.com/products/testdrive.asp

Website(s): www.relex.com

Contact(s): Headquarters offices
Greensburg, PA, USA
Tel +1 724 836 8800
Fax +1 724 836 8844
[email protected]
www.relex.com/about/contactinfo.asp

Or, visit Safety Users Group Directory.
