What you don't ask about products claiming to meet specified SIL requirements could hurt you.

Dave Harrold, CONTROL ENGINEERING -- Control Engineering, 10/1/2000

The good news is the emergence and subsequent publicity surrounding the safety standards ANSI/ISA S84.01 issued in 1996 and IEC 61508 issued in 2000 has greatly raised user awareness of the need to address safety system requirements head-on.

The bad news is there is a lot of misunderstanding associated with the terminology, requirements, and certifications associated with these standards and the products used to meet their compliance.

IEC 61508, 'Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems,' is an international standard. ANSI/ISA S84.01-1996, 'Application of Safety Instrumented Systems for the Process Industries,' is currently used in the U.S. but may soon be superceded by IEC 61511, an emerging international standard more specific to the process industry.

An important commonality among these standards is the concept of establishing safety integrity levels (SILs) to indicate increasing levels of safety performance. S84.01 defines SIL 1 through SIL 3, while IEC 61511 defines SIL 1 through SIL 4.

The purpose of SILs is to establish acceptable probability of failure on demand (PFD) values. The higher the SIL number the greater the impact of a failure and therefore the lower the acceptable PFD rate. For example, a SIL 4 system, the highest level, often protects against catastrophic impact, and thus the entire safety system must be designed, installed, tested, and maintained to achieve a very low probability of failure on demand (between 1 in 10,000 and 1 in 100,000). ( and )

The safety standards clearly state that a SIL is allocated to a safety instrumented function and not to the individual products or devices making up the safety instrumented function. That means, products such as safety PLCs (programmable logic controllers), sensors, accessories, and valves cannot be certified to meet a given SIL value.

Certification isn't enough
Many manufacturers are emphasizing their products are certified to a certain SIL by one of the third party approval agencies. What manufacturers should be saying is, 'Certified as fit to use in a SIL # safety application.' But just knowing a device is certified as fit for use in a SIL 3 safety application, for example, is not enough. Besides training and experience in the design, installation, testing, and maintenance of a safety application, users require information on how products were tested and certified before they can determine how best to apply those products to achieve the required risk reduction (SIL).

It's really no different than what we've come to expect in our everyday lives. For example, new automobiles are equipped with safety air bags, but specific instructions (conditions/restrictions/guidelines) are provided to ensure small children are not harmed by safety air bag deployments. The same sort of information is required in applying safety-related products in the workplace.

Two key organizations currently certifying safety system products for use in meeting IEC and ANSI/ISA safety standards are Factory Mutual Research (Norwood, Mass.) and TÜV Rheinland (Cologne, Germany). Following a successful product test by either organization, a certification is issued along with a report explaining how the product was tested and what conditions must be fulfilled for the product to meet the certification. In other words, the product has been certified fit for use in a specified SIL safety application so long as certain conditions are met. Obtaining a copy of the certification is usually no problem, but the certificate can not stand on its own. A fundamental part of the certification is the approval report. Without the report, users are simply guessing at how products contribute in meeting the required risk reduction (SIL) level.

Key information in a Certification's Approvals report includes:

• A clear description of the certified product;
• Applicable conditions (restrictions) for use of the product;
• Evaluation results of the manufacturer's safety life-cycle and quality management systems;
• Average probability to fail (PFD) on demand;
• Testing intervals needed to achieve the average PFD conditions;
• Diagnostic coverage and safe failure fraction (See 'Safe failure fraction explained' sidebar);
• Results of operating software compliance as defined in IEC 61508, Part 3;
• Common cause factors based on the IEC 61508 recommended technique;
• Diagnostics cycle time for the product (necessary to determine if the product is suitable for a specific safety application);
• Results of the fault insertion tests to verify diagnostics and performance of the sub-system(s); and
• Review and comments related to environmental testing and compliance to other relevant national and international standards.

As matters stand, it is up to the user to request the full approval report for a particular product and if the response you get back is, 'The approval report contains proprietary information and thus isn't available to customers,' or some similar lame excuse, find another supplier! Only a full reading, understanding, and use of the information contained in the Approval report can ensure the safety system you are designing, installing, testing, and maintaining meets the required risk reduction (SIL) of the safety instrumented function.

ps：实际上很多人对SIL都有误解，单纯追求SIL X的产品本身就是一种错误的方向。转引Peter B. Ladkin教授的话－－"SIL 4" is not a property of an encapsulated system, but a requirement for the operational safety of a specific safety-critical system in a specific application.