While reading the 2006 Buncefield investigation report I came across this interesting statement.
“Such sensors are in widespread use and a number are available that have been certified for use in SIL2/3 applications in accordance with BS EN 61511 (1) .”
The problem with this statement is that it’s simply a nonsense. Safety integrity levels (2) are allocated to the safety functions performed by that system not to individual elements of the system (3). Specific safety requirements for individual elements are subsequently derived in the context of the system architecture.
A safety integrity level (SIL) is not a property of a system, subsystem, element or component. The correct interpretation of the phrase “SIL n safety-related system” (where n is 1, 2, 3 or 4) is that the system is potentially capable of supporting safety functions with a safety integrity level up to n.
IEC 61508.4 Clause 3.5.8, Note 3.
Unfortunately despite even the IEC’s 61508 standardisation group (amongst others) emphasising this difference we see this error of equating SIL levels to some form of element ‘pseudo-reliability’ value occurring more and more in the literature of equipment suppliers.
In reality the system designer or integrator must establish that the context of any such ‘a priori’ certification is consistent with the intended operational context, or that any inconsistencies have no effect. So such certifications are effectively meaningless (4)(5).
Unfortunately this meme has now become so prevalent that we find it repeated here in a significant UK government report. The reason for the spread of this idea is that it hides what is in reality the messy and complex task of engineering a system behind a simplistic veneer of being able to assemble it from components which have an ‘out of the box’ integrity level (6).
Seductively simple but wrong.
1. BS EN 61511 is the process industries version of IEC 61508.
2. Clause 220.127.116.11 of ISO 61508 states, “The second objective of the requirement of this sub-clause is to allocate a target failure measure and an associated safety integrity level to each safety function to be carried out by an E/E/PE safety related system.”
3. Subsystems are defined by 61508 as any entity of the top-level architectural design of a safety-related system where a dangerous failure of the subsystem results in a dangerous failure of a safety function. A subsystem may be considered to comprise a single element or any group of elements (for example groups of sensors, logic solvers or actuators), while an element is defined as part of a subsystem comprising a single component or any group of components that performs one or more element safety functions. A typical element is a sensor, programmable controller or final element (61508.4).
4. An example that can be derived from the standard itself is where a subsystem is developed for a low demand rate application (Table 2 of 61508) for a SIL 2 safety function and is then intended for reuse in a high or continuous demand mode of operation (Table 3 of 61508) for a safety function with a safety integrity requirement of SIL 2.
5. Another example of contextual issues drawn from the standard is the systems architecture where the fault tolerance and safe failure fraction for a subsystem may constrain the maximum SIL rating that is claimable on that subsystem (Clause 18.104.22.168 of 61508.2).
6. See Safety Myths and SILs for a fuller discussion of this.
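To make footnotes 4 and 5 concrete, the following is an added worked example (written for this post, not code from the standard, the Buncefield report or any supplier). It classifies a constructed sensor subsystem against the target failure measure bands of IEC 61508-1 Tables 2 and 3 and then caps the result with the architectural constraints of IEC 61508-2 (route 1H, type A/B tables). The failure rates, safe failure fractions and proof test interval are constructed sample values, and the 1oo1 formulas used (PFDavg ≈ λDU·T/2, PFH ≈ λDU) are the simplified approximations rather than the full 61508-6 equations; both are assumptions of the example. The point it demonstrates is that the very same hardware supports SIL 2 in low demand mode and only SIL 1 when reused in high demand mode, and that a low safe failure fraction caps the claim regardless of the failure measure.

```python
from dataclasses import dataclass

# IEC 61508-1 Table 2: low demand mode, bands of average probability of
# failure on demand (PFDavg). Each entry is (SIL, lower bound, upper bound).
PFD_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]

# IEC 61508-1 Table 3: high or continuous demand mode, bands of average
# frequency of dangerous failure per hour (PFH).
PFH_BANDS = [(4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5)]

# IEC 61508-2 Tables 2 (type A) and 3 (type B), route 1H: maximum SIL claimable
# for a subsystem given its safe failure fraction (SFF) band and hardware
# fault tolerance (HFT). Rows: SFF <60%, 60-<90%, 90-<99%, >=99%; columns: HFT 0, 1, 2.
# A 0 means no SIL may be claimed for that combination.
ARCH_TYPE_A = [[1, 2, 3], [2, 3, 4], [3, 4, 4], [3, 4, 4]]
ARCH_TYPE_B = [[0, 1, 2], [1, 2, 3], [2, 3, 4], [3, 4, 4]]


@dataclass(frozen=True)
class Subsystem:
    lambda_du: float   # dangerous undetected failure rate, per hour
    sff: float         # safe failure fraction, 0..1
    hft: int           # hardware fault tolerance
    type_b: bool       # True for complex (type B) elements such as programmable transmitters


def sil_from_measure(value: float, bands) -> int:
    """Return the SIL band a failure measure falls into, or 0 if it is outside all bands."""
    for sil, lo, hi in bands:
        if lo <= value < hi:
            return sil
    return 0


def sff_band(sff: float) -> int:
    """Row index into the architectural constraint tables."""
    if sff < 0.60:
        return 0
    if sff < 0.90:
        return 1
    if sff < 0.99:
        return 2
    return 3


def max_sil_arch(sff: float, hft: int, type_b: bool) -> int:
    """Architectural ceiling on the SIL claimable for a subsystem (footnote 5)."""
    table = ARCH_TYPE_B if type_b else ARCH_TYPE_A
    return table[sff_band(sff)][min(hft, 2)]


def pfd_avg_1oo1(lambda_du: float, proof_test_hours: float) -> float:
    # Simplified 1oo1 approximation (assumption of this example): no common cause,
    # repair or diagnostic terms, just lambda_DU * T1 / 2.
    return lambda_du * proof_test_hours / 2


def claimable_sil(sub: Subsystem, demand_mode: str, proof_test_hours: float = 8760):
    """Return (claimable SIL, failure measure used) for a subsystem in a given demand mode.

    The claim is the lower of the SIL implied by the failure measure and the
    architectural ceiling, which is why the same hardware gets different answers
    in different contexts (footnote 4).
    """
    if demand_mode == "low":
        measure = pfd_avg_1oo1(sub.lambda_du, proof_test_hours)
        by_measure = sil_from_measure(measure, PFD_BANDS)
    elif demand_mode in ("high", "continuous"):
        measure = sub.lambda_du  # simplified 1oo1: PFH is taken as the dangerous failure rate
        by_measure = sil_from_measure(measure, PFH_BANDS)
    else:
        raise ValueError(f"unknown demand mode: {demand_mode!r}")
    return min(by_measure, max_sil_arch(sub.sff, sub.hft, sub.type_b)), measure


# Constructed sample subsystems (not real product data).
SENSOR = Subsystem(lambda_du=1.2e-6, sff=0.92, hft=0, type_b=True)
LOW_SFF_SENSOR = Subsystem(lambda_du=1.2e-6, sff=0.75, hft=0, type_b=True)

if __name__ == "__main__":
    for name, sub in (("sensor", SENSOR), ("low-SFF sensor", LOW_SFF_SENSOR)):
        for mode in ("low", "high"):
            sil, measure = claimable_sil(sub, mode)
            print(f"{name:15s} {mode:5s} demand: measure={measure:.3g} -> SIL {sil}")
```

With a yearly proof test the first sensor's PFDavg is about 5.3e-3, inside the SIL 2 band, so a supplier could honestly say it "meets SIL 2" for a low demand function; the same 1.2e-6 per hour rate read as a PFH falls in the SIL 1 band, so the reuse footnote 4 describes would silently break the SIL 2 requirement. The second sensor has the same failure rate but an SFF of 75% with no fault tolerance, and the type B architectural table caps it at SIL 1 whatever its PFDavg says.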