
POSITION PAPER OF THE SIL PLATFORM

THE APPLICATION OF SIL

1. The Application of SIL: Position Paper of the SIL Platform
What is the SIL Platform?
The SIL Platform is an independent group of experienced users or adopters of the SIL philosophy, according to the IEC standards 61508:2010 and 61511:2003, in the Dutch process industry. The SIL Platform is linked to the Royal Dutch national standardization committee NEC 65 that follows the international work of IEC/TC 65, industrial measurement, control and automation. At the time of release of this document, 40 people, representing end users, engineering companies, suppliers, manufacturers and consultancy firms, are members of the SIL Platform.

Why issue a SIL statement?
It is the intention of the SIL Platform to issue a SIL-related document. The objective of this document is to inform the market and create awareness about specific issues with the application of SIL in the process industry. The document provides basic information about the implementation of SIL and the relevant terminology, and focuses specifically on the SIL verification process to establish an adequate integrity of SIL loops.

What are the basics of SIL implementation?
It is common practice to operate process plants at maximum performance, optimum capacity and minimum risk levels. Key Performance Indicators are used to measure and control realistic targets and objectives. A means of quantifying risk was introduced a decade ago and is expressed as SIL (Safety Integrity Level). SIL can basically be seen as a numerical indication, scaled from SIL 1 to SIL 4, of the magnitude of the risk level. Relative to this, it also corresponds to the integrity level of a safety system that reduces the risk. During a hazard and operability study (HAZOP), potential risks per process node are identified and will have to be verified as correct and complete. HAZOP is a structured and systematic examination of a planned or existing process or operation, so as to be able to identify and evaluate any hazards. The next step consists of a risk assessment, also known as a SIL Classification, that, due to verification requirements, needs to be separate from the HAZOP activity. In this classification activity, company- or process-type-specific risk graphs or risk matrices are used as a reference. No further action is required when risks are classified as acceptable. When a risk is not acceptable, its magnitude is often established in factors. SIL 1 means that the risk of that process node is a factor ten too high. At SIL 2, the risk level is a factor 100 too high, and so on.

The consequence of the SIL classification is that when a hazard node has a risk level of SIL 2, you are obliged to reduce that risk by a factor of at least 100 for it to become acceptable. This factor is called the risk reduction factor (RRF). SIL-related risk reduction is, by definition, achieved with electric, electronic or programmable electronic (E/E/PE) safety systems. The process is monitored by the so-called sensing element, usually a measuring transmitter. When the process exceeds a specific safety value, an output element would have to influence it in such a way that the process at risk is brought back to a safe state. A logic solver is programmed to change an output state to a valve or relay contact (final element) when an input exceeds a preset value. The connected sensing element, logic solver and final element are called the safety loop and perform the safety instrumented function (SIF). These components collectively form the safety instrumented system, or SIS. By definition, the Safety Integrity Level, SIL, is related to the Safety Instrumented Function, SIF, and not to the individual components.

How do I establish an adequate SIL implementation?
During the SIL Classification process, SIL levels are linked to specific process hazards, which in turn set the demands for the integrity of the safety instrumented function (SIF) and the related equipment. It should be clear that HAZOP, SIL Classification and SIL Verification would have to be treated with equal high-level importance and quality. In the following chapters of this document, we will focus on the value and sources of failure rate data, instrument certification, statistical calculations, test principles and interpretation of diagnostic data, i.e. the loop design, failure analysis and number crunching that leads to the proof of the safety loop's integrity.

Which subjects are dealt with in this position paper?
This position paper deals with the following subjects:
2. Systematic design approach, page 3
3. Instrument failure data, page 5
4. Use of Diagnostic Coverage (DC) factor and Safe Failure Fraction (SFF), page 6
5. Hardware safety integrity architectural constraints, page 9
6. Proof tests of Safety Instrumented Systems, page 11
7. Safety Life Cycle Management, page 14

2. Systematic design approach

What is a systematic design approach?
A systematic design approach is aimed at eliminating the occurrence of systematic failures. Systematic failures deterministically relate to a certain cause, which can only be eliminated by a modification of the design, the manufacturing process, operational procedures or other relevant factors.

Why is a systematic design approach important?
Studies show that the majority of control system failures leading to incidents are caused by failures that could have been prevented if a systematic risk-based design approach had been used throughout the life cycle of the system. See "Out of Control", published by HSE, for details.

What are the pitfalls in establishing a systematic design approach?
Incomplete specifications
Engineers are trained to provide solutions. However, this may lead to a drive to proceed to the design phase before a complete set of specifications has been obtained. The studies mentioned above indicate that 44% of incidents can be attributed to inadequacies in the specification of the control system. The most frequently occurring shortcomings are:
- A poor hazard analysis of the equipment under control
- An inadequate assessment of the impact of failure modes of the control system on the specification

Too much focus on calculations
Reliability engineering is based on statistics. Calculating the PFD involves values for certain factors, e.g. the diagnostic coverage and the common cause failure, that are subject to certain conditions. The calculation of the PFD will only give a valid result if these conditions are met. The validity of these assumed conditions should be verified carefully, in relation to the actual conditions under which the system will operate.

How do I establish a systematic design approach?
Management involvement
Management involvement is critical in establishing a systematic design approach and must occur in each phase of the safety life cycle. Management is responsible for:
- Defining the policy and strategy for achieving safety
- Evaluating the achievement of safety
- Organizing communication within the organization
- Introducing a safety management system to ensure that wherever safety instrumented systems are used, people have the ability to place and/or maintain the process in a safe state
- Training the people involved in safety life cycle activities, in order to ensure their competence
- Implementing procedures for design, validation and assessment activities

Adequate specifications
An important and normative requirement is the Safety Requirement Specification, called SRS. The SRS is a very important document, as all relevant data concerning each particular SIF, including detailed data of each element and a diagram of the Safety Loop, have to be collected and recorded in it.
The Safety Requirement Specification should be:
- Clear
- Precise
- Verifiable
- Maintainable
- Feasible

The specifications should be written so that they are easily understood by anyone using them. The specifications should cover all phases of the safety life cycle.

The safety requirements (SRS: IEC 61511-1, 10.3.1) shall, for example, include:
- A description of the safety instrumented function
- A definition of the safe state of the process
- The response time for a safety instrumented function for bringing the process to a safe state
- The mode of operation (demand/continuous)
- De-energize (or in specific cases, energize) to trip
- The requirements for resetting the SIS after a shutdown
- The software requirements
- The environmental conditions (temperature, EMC, shock, vibration, electrostatic discharge, etc.)
- Common cause (beta factor) data
- Proof test time
- Mean time to repair (MTTR)


3. Instrument failure data

What is instrument failure data?
Instrument failure data is information on the expected reliability and integrity of each element in a SIF loop, provided by the manufacturer. It consists of four different parameters: dangerous detected and undetected failures as well as safe detected and undetected failures (λdd, λdu, λsd and λsu respectively). It is expressed as a number of failures in time, in which time can be expressed in hours or years.

Why is instrument failure data important?
Instrument failure data is used when calculating the safety integrity of safety instrumented functions.

What are the pitfalls in using instrument failure data?
The biggest pitfall in using instrument failure data is applying the numbers as exact parameters. Using instrument failure data requires an assessment of the validity of the provided data under the actual operational conditions. The following aspects influence the validity of the provided data.

Limited sources
In practice, manufacturers determine instrument failure data by using information from various sources. One such source is returned instruments or devices. However, only a small portion of failed instruments is returned to the manufacturer. This leads to unrealistic instrument failure data.

Operating conditions
Instrument failure data are determined under certain operating conditions. When the actual operating conditions (e.g. the presence of chemical agents, or the occurrence of extreme temperatures) differ from the operating conditions under which the failure data is determined, then the failure data will not reflect reality.

Misfit with actual use of instrument or device
Instrument failure data might express other information than what is relevant for the particular usage of the instrument or device. For instance, a device that is claimed to be able to switch over 10^7 times in its life cycle might only need to be de-energized after more than 5 years of operation. It may very well occur that the device remains in its energized position due to remnant magnetic energy. Clearly, for this application, the instrument failure data does not provide the relevant information.

How do I correctly apply instrument failure data?
Instrument failure data should not be used as exact parameters, but should be used along with all relevant operational conditions. One should always consider to what extent the provided instrument failure data is valid under the operational conditions under which the instrument or device will be used.
Instrument failure data should be considered relative to the systematic failures and systematic capability (SC). Systematic failures are failures that, related in a deterministic way to a certain cause, can only be eliminated by a modification of the design or manufacturing process, operational procedures, documentation or other relevant factors. SC is defined as a measure, expressed on a scale from SIL 1 to 4 (SC 1 to 4), of the confidence that the systematic safety integrity of an element meets the requirements of the specified target SIL, with regard to the specified element safety function (when the element/device is applied in accordance with the instructions specified in the relevant Safety Manual for the element/device). The Safety Manual, provided by the manufacturer, contains all required information on a safety-related element and how to use it in a particular process application within the mentioned specifications, as well as all information about calculations and an assessment of the Systematic Capability and FSM (Functional Safety Management).

Every SIF needs to comply with four main requirements as stated in the standards:
1. Random hardware failures. In the total safety loop expressed in the PFD figure and indicating the achieved SIL.
2. Systematic failures (software/production/testing/modifications etc.). Expressed in the Systematic Capability (SC 1-4).
3. Architectural constraints. A normative quality factor concerning the hardware failure data.
4. Functional Safety Management (FSM) system implemented in the manufacturer's production facilities of the elements used in the safety loops. It is practical that manufacturers have a site assessment report with an ISO 9001/2/3 certificate, complete with extensive modification and product test procedures.


4. Use of Diagnostic Coverage (DC) factor and Safe Failure Fraction (SFF)

What are the DC and the SFF?
The Diagnostic Coverage factor is defined by IEC 61511-1 (section 3.2.15) as the ratio of the detected failure rate to the total failure rate of the component, or subsystem, as detected by diagnostic tests. The diagnostic coverage does not include any faults detected by proof tests. The formula for DC is:

DC = (λsd + λdd) / (λsd + λdd + λsu + λdu)

Where:
λsd = safe detected failure rate
λsu = safe undetected failure rate
λdd = dangerous detected failure rate
λdu = dangerous undetected failure rate

The following distinction can be made for safety applications:
DCs = λsd / (λsd + λsu)
DCd = λdd / (λdd + λdu)

The Safe Failure Fraction (SFF) is defined by IEC 61511-1 (section 3.2.65.1) as the fraction of the overall random hardware failure rate of a device that results in either a safe failure or a detected dangerous failure. The SFF is similarly defined by IEC 61508-4 (section 3.6.15) as a property of a safety-related element, which is defined by the ratio of the average failure rates of safe plus dangerous detected failures to safe plus dangerous failures. The SFF can therefore be seen as a kind of quality factor of the derived failure figures. The formula for SFF is:

SFF = (λsd + λsu + λdd) / (λsd + λdd + λsu + λdu)

Please note that the only difference between DC and SFF is the λsu component. For mechanical devices, DC = 0 by definition, and SFF = λsu / (λsu + λdu); in this case, a high SFF will imply a relatively high spurious trip rate!
Why are the DC and the SFF important?
The DC factor is used to split the overall failure rate components into detected and undetected components. A vendor may publish the DC (or DCs and DCd) and the overall safe and dangerous failure rates, or he may publish the individual failure rates (λsd, λdd, λsu, λdu). The latter is favored.

The SFF is used to define the Hardware Fault Tolerance, i.e. the required hardware redundancy. A vendor may publish the SFF and the overall safe and dangerous failure rates, but the individual failure rates should always be published.

The individual failure rates and the factors DC and SFF are used to calculate the average value of the Probability of Failure on Demand (PFDavg). This value demonstrates the integrity of the safety loop that performs the Safety Instrumented Function (SIF). Component failures of a SIF may result in a safe process condition (i.e. a spurious shutdown) or a dangerous process condition. Component failures of a SIF may be detected (or not) by the SIF before a process demand occurs.
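As an added worked example (not part of the SIL Platform paper), the Python below computes DC, DCs, DCd and SFF from the four failure rates defined above, shows the mechanical-device case in which DC = 0 and the SFF reduces to λsu / (λsu + λdu), and performs the inverse of the split this section describes: recovering the individual rates from a vendor's published DCs/DCd and overall safe and dangerous rates. Rates are taken in FIT (failures per 10^9 hours); the transmitter and valve figures are constructed, not vendor data.

```python
"""DC and SFF from the four element failure rates.

Added example, not part of the SIL Platform paper. Rates are in FIT
(failures per 1e9 hours); the sample values below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureRates:
    """The four random hardware failure rates of one element (FIT)."""
    sd: float  # safe detected
    su: float  # safe undetected
    dd: float  # dangerous detected
    du: float  # dangerous undetected

    @property
    def total(self) -> float:
        return self.sd + self.su + self.dd + self.du

    @property
    def safe(self) -> float:
        return self.sd + self.su

    @property
    def dangerous(self) -> float:
        return self.dd + self.du


def _ratio(num: float, den: float) -> float:
    # A zero denominator means there is nothing to cover: report 0 instead of failing.
    return num / den if den > 0 else 0.0


def diagnostic_coverage(r: FailureRates) -> float:
    """DC = (lambda_sd + lambda_dd) / total failure rate."""
    return _ratio(r.sd + r.dd, r.total)


def dc_safe(r: FailureRates) -> float:
    """DCs = lambda_sd / (lambda_sd + lambda_su)."""
    return _ratio(r.sd, r.safe)


def dc_dangerous(r: FailureRates) -> float:
    """DCd = lambda_dd / (lambda_dd + lambda_du)."""
    return _ratio(r.dd, r.dangerous)


def safe_failure_fraction(r: FailureRates) -> float:
    """SFF = (lambda_sd + lambda_su + lambda_dd) / total failure rate.

    The only term that DC does not count is lambda_su.
    """
    return _ratio(r.sd + r.su + r.dd, r.total)


def split_by_coverage(lambda_s: float, lambda_d: float,
                      dc_s: float, dc_d: float) -> FailureRates:
    """Recover the individual rates from published overall safe/dangerous
    rates plus DCs and DCd (the less favoured way of publishing data)."""
    for dc in (dc_s, dc_d):
        if not 0.0 <= dc <= 1.0:
            raise ValueError("a diagnostic coverage must lie between 0 and 1")
    return FailureRates(sd=lambda_s * dc_s, su=lambda_s * (1.0 - dc_s),
                        dd=lambda_d * dc_d, du=lambda_d * (1.0 - dc_d))


# Constructed sample: a smart transmitter with on-board diagnostics.
TRANSMITTER = FailureRates(sd=300.0, su=100.0, dd=500.0, du=100.0)

# Constructed sample: a mechanical final element has no diagnostics at all,
# so lambda_sd = lambda_dd = 0 and its SFF is carried entirely by lambda_su.
MECHANICAL_VALVE = FailureRates(sd=0.0, su=300.0, dd=0.0, du=100.0)


def report(r: FailureRates) -> dict:
    """All four figures plus the spurious trip rate (every safe failure trips the loop)."""
    return {
        "DC": diagnostic_coverage(r),
        "DCs": dc_safe(r),
        "DCd": dc_dangerous(r),
        "SFF": safe_failure_fraction(r),
        "spurious_trip_rate_fit": r.safe,
    }


if __name__ == "__main__":
    for name, rates in (("transmitter", TRANSMITTER), ("mechanical valve", MECHANICAL_VALVE)):
        print(name, {k: round(v, 4) for k, v in report(rates).items()})
```

For the constructed valve the SFF is 75% even though nothing is diagnosed: raising λsu (more spurious trips) would raise the SFF further, which is the point made above about mechanical devices.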
What are the pitfalls of using the DC and SFF?
Detected failures
When the SFF is used in SIL verification calculations, the assumption is that dangerous detected failures may be considered as safe failures (i.e. the process is forced into the safe condition, or the operator is taking alternative action). This is in practice not always the case. An example is a transmitter which automatically detects an internal failure (usually called BAD_PV). The question is what the Safety Instrumented System should do when a BAD_PV is detected: will it alarm or will it trip? Tripping is safe, but these spurious trips reduce plant availability. Alarming may be safe under certain conditions: when the operator has the time and means available to adequately respond to these critical alarms within the process time. If this is not the case, a trip shall follow, as the SFF is used with that assumption in the calculations.

Accuracy of failure rate data
The failure rate data, the DC factor(s) and SFF are usually determined by the instrument vendor or, upon the request of the instrument vendor, by independent organizations like TÜV or Exida, based on laboratory tests or (mathematical) Failure Modes, Effects & Diagnostics Analysis (FMEDA). Laboratory tests cannot accurately determine the failure rate parameters, as the real-life condition of a SIF cannot be accurately simulated in a laboratory test. In real life, a SIF is typically activated only once per 10 years (low demand operation) or during proof testing at regular intervals.

FMEDA
The FMEDA is a mathematical approach based on the instrument design with standard components and on extensive component failure databases. The impact of process conditions (e.g. vibration, temperature changes) is usually not included; however, failure effects of components are based on practical experience within vendor-specified operating conditions. Sometimes the so-called "No effect" failures or "No part" failures were also included as safe failures (either detected or undetected). IEC 61508 (2010) explicitly requires that these failures should not play any part in the calculation of the diagnostic coverage or safe failure fraction (IEC 61508-2 (2010), Annex C). It is therefore required to verify that the FMEDA is based on the latest edition.

Proven in use
Alternatively, end users may collect failure rate data from practical experience, or use commercial databases based on practical experience (e.g. OREDA) and derive the DC factor and SFF from that data. Unfortunately that is only possible for instruments that have been in operation for about 10 years or more, for obvious reasons.

How do I correctly use the DC and SFF?
- When estimating DC, credit may only be taken for diagnostic tests which are executed at, or above, the required frequencies (IEC 61508-2, sections 7.4.4.1.4 and 7.4.4.1.5).
- By definition, the DC for mechanical equipment will be 0, and the SFF will be λsu / total failure rate; in other words: a high SFF will imply a relatively high spurious trip rate.
- If the SFF is used in your calculations, investigate if dangerous detected failures may indeed be treated as safe failures.
- The SFF and DC should be based on IEC 61508 Edition 2.0 (2010), because it excludes the "No part" and "No effect" failures. Otherwise, the SFF and DC may have a too optimistic number.
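To make the "No effect" pitfall above concrete, here is an added example (not from the paper) that evaluates one constructed FMEDA result three ways: excluding the no-effect rate as the 2010 edition requires, and counting it as safe undetected or as safe detected the way older reports did. The FMEDA figures and the `no_effect` rate are constructed for illustration.

```python
"""How counting "No effect" failures as safe failures inflates SFF and DC.

Added example, not part of the SIL Platform paper. The FMEDA figures are
constructed; rates are in FIT (failures per 1e9 hours).
"""
from dataclasses import dataclass
from typing import Optional

# Constructed FMEDA result for a single element. "no_effect" is the rate of
# component failures that neither disturb nor protect the safety function.
FMEDA = {"sd": 150.0, "su": 150.0, "dd": 200.0, "du": 100.0, "no_effect": 1000.0}


@dataclass(frozen=True)
class Metrics:
    dc: float
    sff: float


def metrics(sd: float, su: float, dd: float, du: float) -> Metrics:
    """DC and SFF over the four rates that actually enter the calculation."""
    total = sd + su + dd + du
    return Metrics(dc=(sd + dd) / total, sff=(sd + su + dd) / total)


def evaluate(fmeda: dict, no_effect_as: Optional[str]) -> Metrics:
    """Evaluate an FMEDA with the no-effect rate excluded (None, as IEC 61508
    Edition 2.0 requires) or folded into "su" or "sd" (the older practice)."""
    sd, su, dd, du = (fmeda[k] for k in ("sd", "su", "dd", "du"))
    if no_effect_as == "su":
        su += fmeda["no_effect"]
    elif no_effect_as == "sd":
        sd += fmeda["no_effect"]
    elif no_effect_as is not None:
        raise ValueError("no_effect_as must be None, 'su' or 'sd'")
    return metrics(sd, su, dd, du)


def sff_inflation(fmeda: dict) -> float:
    """How many SFF points the old practice adds; 0.0 for a clean FMEDA."""
    return evaluate(fmeda, "su").sff - evaluate(fmeda, None).sff


if __name__ == "__main__":
    for label, mode in (("excluded (Ed. 2.0)", None), ("as safe undetected", "su"),
                        ("as safe detected", "sd")):
        m = evaluate(FMEDA, mode)
        print(f"{label:20s} DC={m.dc:.3f} SFF={m.sff:.3f}")
    print(f"SFF inflation: {sff_inflation(FMEDA):+.3f}")
```

With these figures the SFF moves from about 83% to about 94% simply by reclassifying failures that do nothing, and the DC swings in either direction depending on which bucket they were put in. Since the SFF feeds the hardware fault tolerance decision discussed in the next chapter, the edition an FMEDA is based on is worth checking before its figures are used.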


5. Hardware safety integrity architectural constraints

What are hardware safety integrity architectural constraints?
Edition 2010 of IEC 61508 defines 2 routes to establish the required Hardware Fault Tolerance (HFT). Route 1H is applicable for electronic systems, whereas Route 2H can be used for both electronic and mechanical equipment.

Why are hardware safety integrity architectural constraints important?
Next to the Probability of Failure on Demand (PFD) calculation to assure that the PFD of the loop is in line with the required SIL, the architectural constraints as defined in the IEC standard define the number of elements in the loop.

What are the pitfalls in establishing hardware safety integrity architectural constraints?
In Route 1H (IEC 61508-2 section 7.4.4.2), the Safe Failure Fraction (SFF) of the system is used to define the required HFT. As indicated above, the SFF is not really applicable to mechanical devices, which are usually seen as a final element. The new definition of the diagnostic test interval is specifically for electronic equipment, and does not apply to mechanical devices.

In the low demand mode, the diagnostic test interval should be shorter than the Mean Time To Restore (MTTR) used in the calculation, minus the time to repair the detected failure. While the MTTR is often assumed as 8-24 hours, this is difficult to achieve for non-electronic equipment.

Route 1H defines the HFT based on 2 tables, one for type A equipment and the other for type B equipment. With reference to IEC 61508-2 (sections 7.4.4.1.2 and 7.4.4.1.3), the definition of type A or type B is based on the complexity of the element. Elements with microprocessors and software are B types. Mechanical equipment and electronic equipment without microprocessors and SW are basically A types. For mechanical equipment, this selection may also depend on your application, which will have to be carefully considered. For instance, a large-size valve/actuator will usually close in dozens of seconds, and is considered as type A equipment. However, when the same equipment needs to close within a couple of seconds, there are no dependable failure data. The application now requires the equipment to be classified as type B equipment.

Once both the SFF and type A or B are defined, the required HFT of the device can be found in the table.

How do I correctly establish hardware safety integrity architectural constraints?
Prior use data
The new Route 2H (IEC 61508-2 section 7.4.4.3) is based on prior use / proven in use, as also described in IEC 61511 version 2003. In applications requiring SIL 3 (either in high or low demand mode) or SIL 2 in the high demand mode only, a hardware fault tolerance of 1 and thus a 1oo2 configuration is required (when the element is proven in use).

Although the term "proven in use" is quite clear, the IEC sets specific requirements (IEC 61508-2, section 7.4.10). To prove the use, statistical data must be available for the same application, the same type of process, or application profile, and all aspects of the application and safety mission must be verified. E.g. in case failure data are available based on regular operation or regular switching and now the application requires the element to remain in the same position for a long time, then the term "proven in use" can no longer be applied.
The latter part also applies for Route 1H, where dependable failure data are required (IEC 61508-2, sections 7.4.9.3-5), dependable meaning that there must be enough confidence in the equipment being suitable for the application.


6. Proof tests of Safety Instrumented Systems

What are proof tests of Safety Instrumented Systems?
Proof tests are periodic tests, used for detecting dangerous hidden failures in a safety system.

Why are proof tests of Safety Instrumented Systems important?
Proof tests will reveal undetected faults in a safety instrumented system (if any) so that, if necessary, the system can be restored (as quickly as possible) to its initial designed functionality.

What are the pitfalls of performing proof tests of Safety Instrumented Systems?
Using software calculation tools
Some advanced PFD calculation software programs can calculate the consequences of a Proof Test Coverage factor (abbr. PTC) < 100%; for this, the PTC should be entered, as well as the SIF's lifetime.
The mathematical model may, however, not fully represent the real situation, because a poor PFD due to bad testing in the mathematical model can be compensated for by more frequent (poor) proof tests.

How do I correctly perform adequate proof tests of Safety Instrumented Systems?
Test interval
The proof test interval is related to the average PFD of the SIF. In order to meet the requirements of the determined target SIL of a SIF, the proof test interval may not exceed the test period used in the calculations (usually 1, 2, 3 or 4 years).
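The two points above (a PTC below 100% that the model lets you "compensate" with more frequent tests, and a test interval that may not exceed the one used in the calculation) can be shown with a small PFDavg calculation. The Python below is an added example, not part of the paper or of any vendor's tool; it uses the common simplified low-demand approximation for a 1oo1 loop (dangerous undetected failures covered by the proof test are exposed on average for half the test interval, the uncovered remainder for half the mission time, and dangerous detected failures for the MTTR), and it maps PFDavg to a SIL through the risk reduction factors of chapter 1 (SIL 1 = factor 10, SIL 2 = factor 100, and so on). The loop figures are constructed. The same calculation also illustrates the "Exceeding test intervals" pitfall in chapter 7.

```python
"""PFDavg of a 1oo1 safety loop versus proof test interval and coverage.

Added example, not part of the SIL Platform paper. Simplified low-demand
approximation (an assumption of this example): covered dangerous undetected
failures are exposed for half the proof test interval, uncovered ones for half
the mission time, dangerous detected ones for the MTTR. All figures constructed.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0

# Minimum risk reduction factor (RRF = 1 / PFDavg) per SIL in low demand mode:
# SIL 1 is a factor 10, SIL 2 a factor 100, and so on.
SIL_MIN_RRF = {1: 10.0, 2: 100.0, 3: 1_000.0, 4: 10_000.0}


@dataclass(frozen=True)
class Loop1oo1:
    lambda_du: float   # dangerous undetected failure rate, per hour
    lambda_dd: float   # dangerous detected failure rate, per hour
    mttr_h: float      # mean time to restore a detected failure, hours
    ptc: float         # proof test coverage, 0.0 .. 1.0
    mission_h: float   # mission time after which the loop is overhauled, hours


def pfd_avg(loop: Loop1oo1, proof_test_interval_h: float) -> float:
    """Average probability of failure on demand for the given proof test interval."""
    if not 0.0 <= loop.ptc <= 1.0:
        raise ValueError("proof test coverage must lie between 0 and 1")
    covered = loop.ptc * loop.lambda_du * proof_test_interval_h / 2.0
    uncovered = (1.0 - loop.ptc) * loop.lambda_du * loop.mission_h / 2.0
    # If dangerous detected failures trip the process to its safe state, this
    # term drops out; it is kept here for the alarm-only design.
    detected = loop.lambda_dd * loop.mttr_h
    return covered + uncovered + detected


def achieved_sil(pfd: float) -> int:
    """Highest SIL whose minimum RRF the loop meets; 0 if below SIL 1."""
    rrf = 1.0 / pfd
    return max((sil for sil, need in SIL_MIN_RRF.items() if rrf >= need), default=0)


def max_proof_test_interval_h(loop: Loop1oo1, target_sil: int) -> float:
    """Longest proof test interval that still meets the target SIL.

    Returns 0.0 when the terms no proof test can reduce already exceed the
    budget, and infinity when there is nothing left for the proof test to find.
    """
    budget = 1.0 / SIL_MIN_RRF[target_sil]
    fixed = pfd_avg(loop, 0.0)
    if fixed >= budget:
        return 0.0
    slope = loop.ptc * loop.lambda_du
    return float("inf") if slope == 0.0 else 2.0 * (budget - fixed) / slope


# Constructed loop: 200 FIT dangerous undetected, 10-year mission, ideal proof test.
IDEAL = Loop1oo1(lambda_du=200e-9, lambda_dd=0.0, mttr_h=8.0, ptc=1.0,
                 mission_h=10 * HOURS_PER_YEAR)
# Same loop, but the proof test procedure only reveals 90% of the dangerous failures.
IMPERFECT = Loop1oo1(lambda_du=200e-9, lambda_dd=0.0, mttr_h=8.0, ptc=0.9,
                     mission_h=10 * HOURS_PER_YEAR)


def compare(loop: Loop1oo1, intervals_years) -> dict:
    """PFDavg per candidate proof test interval (in years)."""
    return {y: pfd_avg(loop, y * HOURS_PER_YEAR) for y in intervals_years}


if __name__ == "__main__":
    for name, loop in (("ideal", IDEAL), ("imperfect", IMPERFECT)):
        for years, pfd in compare(loop, (0.5, 1, 2, 4)).items():
            print(f"{name:10s} T1={years:>4} yr  PFDavg={pfd:.2e}  SIL {achieved_sil(pfd)}")
        limit = max_proof_test_interval_h(loop, 3) / HOURS_PER_YEAR
        print(f"{name:10s} longest T1 that still meets SIL 3: {limit:.2f} yr")
```

With a perfect yearly test the constructed loop sits in SIL 3; postponing that test to two years drops it to SIL 2, which is the chapter 7 point in numbers. With 90% coverage the uncovered 10% alone costs as much as the whole covered term, so the model only returns SIL 3 if the (poor) test is repeated roughly every two months. That is exactly the compensation the text warns against, and why a complete process-to-process test should be the target.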

Tests
A complete, functional proof test (PTC of 100%, an entire process-to-process test) should always be the target.

Sensors must be tested, if possible, by varying the process value.
If separated channels are used, separate tests should be carried out for each channel.

If valve leakage leads to the dangerous scenario, the valve tightness must also be proof tested.

In case the process safety time is critical, the SIF response time must also be tested.

How do I correctly establish proof tests of Safety Instrumented Systems?
Safety Requirements Specification (SRS)
The Safety Requirements Specification must, besides standard design considerations, also contain the requirements, constraints, functions and facilities of each SIF, in order to enable the periodical proof testing of each SIF.
The proof test interval must be defined (based on maintenance procedures and PFD calculation).
Especially when online proof testing is required, test facilities must be an integral part of the SIF design, so as to be able to test for undetected failures. When test and/or bypass facilities are included in the SIF, they must comply with the following:
- The SIF must be designed in accordance with the maintenance and testing requirements defined in the safety requirement specifications.
- The operator must be alerted about any bypass that is part of the SIF via an alarm and/or operating procedure. The use of bypasses should be avoided as much as possible.

Maintenance procedures and proof test procedures
Proof tests must be documented in the maintenance procedures covering the following:
- When proof tests should be performed.
- The actions that need to be carried out for a SIF's proof test. Written proof test procedures must be developed in detail for every SIF, so as to be able to reveal any dangerous failures. These written test procedures must describe every step that is to be performed, and must include the correct operation of each sensor and final element, logic action and alarms and indications. The development of the proof test procedures is a very important tailor-made multidisciplinary activity, and must be conducted prior to initial startup.
- The actions and constraints necessary to prevent an unsafe state and/or reduce the consequences of a hazardous event during maintenance or operation (for example, when a system needs to be bypassed for testing or maintenance, what additional mitigation steps need to be implemented).
- Calibration of sensors.
- Test equipment used during normal maintenance activities is properly calibrated and maintained.

How do I correctly perform adequate proof tests of Safety Instrumented Systems?
Proof testing
Periodic proof tests shall be conducted by means of written and approved proof test procedures. The entire SIF will be tested, including the sensor(s), the logic solver and the final element(s). Different parts of the SIF may require different test intervals; for example, the logic solver may require a different test interval than the sensors or final elements. Any deficiencies found during the proof testing must be repaired in a safe and timely manner.

Any change to application logic requires full proof testing. Exceptions to this are tolerated when appropriate review and partial testing of changes are carried out to ensure that the changes have been correctly implemented.

During proof testing, the SIF will also be visually inspected, to ensure that there is no unauthorized modification and no observable deterioration (for example, missing bolts or instrument covers, rusted brackets, open wires, broken conduits, broken heat tracing and missing insulation).

Proof test documentation
The results of each proof test must be recorded, in order to prove that proof tests and inspections were completed as required. These records must include at least the following information:
a) Description of the tests and inspections performed
b) Dates of the tests and inspections
c) Name of the person(s) who performed the tests, verifications and inspections
d) Serial number, or other unique identifier of the system under test (for example, loop number, tag number, equipment number and SIF number)
e) Results of the tests and inspection (for example, as-found and as-left conditions)
f) Corrective actions, if any
g) Signed bypass document, with date and time bypasses are added and removed


7. Safety Life Cycle Management

What is safety life cycle management?
The safety life cycle, by definition of the standard, covers the period that starts with the conceptual design to the moment that the safety system is taken out of service.

Why is safety life cycle management important?
Integrity of a safety system is initially established during the design phase. This integrity might be compromised during any other phase of the life cycle of the system, for instance the operational phase. Safety life cycle management ensures that the integrity of a safety system is maintained throughout all phases of the life cycle of the system or installation.

What are the pitfalls in establishing safety life cycle management?
Too little attention for safety integrity during later phases in the life cycle
When management decides to adopt the SIL philosophy, most effort is spent on the design and during the installation phase. After commissioning and startup begins the longest period with important SIL focus, the operational phase. The safety loop is often not inspected, tested and maintained as well as it was during the design phase.

Exceeding test intervals
Testing is performed to prove the SIF's adequate functioning. The test interval is directly related to the PFD values of the safety loop. Postponing the test beyond the original test interval immediately creates a non-acceptable risk in that loop.

How do I correctly establish safety life cycle management?
Fault analysis
When the tests show a failure, it is important to find out when the failure originally occurred, and what caused it. A detailed analysis is required. Are there any other devices in the installation that might have the same problem?

Repairs
The proof test is a periodic test performed to detect dangerous hidden failures in a safety system. Repair is required to restore the safety system back into a fully functional condition. Be aware that the effectiveness of the proof test will depend on both failure coverage and repair effectiveness. In practice, detecting 100% of the hidden dangerous failures is not easily achieved. The target should be that all safety functions are checked according to the E/E/PE system safety requirements specification.

Company policy
It is important to have company procedures for embedding SIL proof tests as standard practices within the relevant departments. Finally, we wish to state that the application of SIL requires a continuous ACTIVITY throughout the entire life cycle of a process installation.

AUTHORS
Willem van der Bijl (CH 01 & 07), Safety Consultant & M.D., PRODUCA Consultancy BV
Henrie Verwey (CH 02), Sr. Safety Consultant, Verwey Safety Services
Hans van Dongen (CH 03), SIS & Alarm Management Guardian, Du Pont de Nemours
André Fijan (CH 04), Process Control & Safety Engineer, Fluor BV
Rens Wolters (CH 05), Application Specialist SIL/HIPPS, Mokveld Valves BV
Herman Jansen (CH 06), Process Safety Consultant, Consiltant BV
The Application of SIL.indd 16 29-04-13 13:23
