The IEC 61508 standard provides a new approach for considering the reliability of electrical, electronic, and programmable electronic (E/E/PE) safety-related systems. It creates a safety integrity level for programmable systems using a statistical approach by measuring the probability of dangerous failures per hour, denoted as the PFHd.
The SIL is defined as the probability that a safety system will perform its functions under all stated conditions within a stated period of time. The higher the SIL, the lower the probability that the safety system will fail to carry out its mission. IEC 61508 outlines the tools and formulas to calculate the probability that safety functions will fail and then provides a system of SIL levels to categorize these systems.
The four SIL levels identified by IEC 61508 correspond to the PFHd in high-demand or continuous-operation mode. IEC 62061 dictates how the statistical results obtained in IEC 61508 are applied to machinery. While IEC 62061 does look at both high- and low-demand modes, it does not consider low-demand relevant for safety applications on machinery.
Similar to an electromechanical risk assessment for safety categories, a SIL-level assessment also considers the consequences of an accident, the frequency and duration of exposure to a hazard, the possibility of avoiding the hazard, and the probability of an unwanted occurrence. So both assessments have similarities in how they look at machine safety.
SIL, however, defines the result of an accident differently. It expands into four subclasses identified as minor injury; serious permanent injury to one or more people, or death to one person; death to several people; and death to many people.
Unlike an electromechanical risk assessment for safety, a SIL-risk assessment includes an additional analysis criterion: the statistical probability of an unwanted occurrence or failure. This criterion is further divided into several subcategories: a slight probability that the unwanted occurrences will come to pass and only a few unwanted occurrences are likely; a slight probability that the unwanted occurrences will come to pass and a few unwanted occurrences are likely; and a relatively high probability that unwanted occurrences will come to pass and frequent unwanted occurrences are likely.
EN/IEC 62061 states that SIL 4 is not considered relevant to risk-reduction requirements normally associated with industrial machinery. While not specifically stated in any of the standards, it is highly unlikely that industrial machinery would combine a possibility of many people killed with a relatively high probability that the unwanted occurrences will come to pass, plus a likelihood of frequent unwanted occurrences.
Electromechanical Devices Versus Solid State
While electromechanical systems are fairly simple to monitor and it is easy to detect failures, solid-state systems must be designed for redundancy and self-checking. Standard PLCs are typically not designed for safety and won’t qualify for a SIL rating. Safety PLCs have redundant, highly reliable processors and redundant circuitry to verify system integrity. The redundant circuitry continually checks the processors, internal components, inputs, and outputs to ensure everything is working properly.
Another standard that has recently emerged, EN/ISO 13849-1, will eventually replace EN 954-1. The new standard updates EN 954-1 with a new way to categorize the risk level of a machine using performance levels. These performance levels use the same criteria as safety categories, but the results are arranged differently and are assigned letter designators A through E. The performance levels are also assigned values for their related mean time to dangerous failure (MTTFd), allowing for a statistical look at electromechanical safety and safety categories. The standard thus allows comparisons between safety categories, performance levels, and SIL ratings. For example, category 4 is the same performance level as SIL 3, and vice-versa.
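The PFHd bands behind the SIL levels described above, and the performance-level bands that let ISO 13849-1 results be compared with SIL ratings, can be put side by side in code. The following is an added example, not code from the article or from either standard's publisher; the band limits are my reading of the IEC 61508 high-demand table and the ISO 13849-1 PL table and are an assumption to check against the editions in force. It classifies a PFHd value under both schemes and then derives which PL and SIL bands coincide, which is where the "category 4 equals SIL 3" comparison comes from: a category-4 architecture is what reaches PL e, and PL e occupies the same PFHd band as SIL 3.

```python
"""Classify a PFHd (probability of dangerous failure per hour) into an
IEC 61508 SIL band (high-demand / continuous mode) and an ISO 13849-1
Performance Level, then show which PL and SIL bands coincide.

Added example, not from the article.  Band limits are my reading of the
two standards' tables (assumption; verify against the current editions).
Safety category is not derived here: the PL reached by a given category
also depends on MTTFd and diagnostic coverage.
"""

# (lower bound inclusive, upper bound exclusive, label); PFHd is per hour.
SIL_BANDS = [
    (1e-9, 1e-8, "SIL 4"),
    (1e-8, 1e-7, "SIL 3"),
    (1e-7, 1e-6, "SIL 2"),
    (1e-6, 1e-5, "SIL 1"),
]
PL_BANDS = [
    (1e-8, 1e-7, "PL e"),
    (1e-7, 1e-6, "PL d"),
    (1e-6, 3e-6, "PL c"),
    (3e-6, 1e-5, "PL b"),
    (1e-5, 1e-4, "PL a"),
]


def _classify(pfhd, bands):
    """Return the label of the band containing pfhd, or None if no band does."""
    for low, high, label in bands:
        if low <= pfhd < high:
            return label
    return None  # outside every band, e.g. too unreliable for any rating


def sil_for_pfhd(pfhd):
    return _classify(pfhd, SIL_BANDS)


def pl_for_pfhd(pfhd):
    return _classify(pfhd, PL_BANDS)


def pl_to_sil():
    """For each PL, the sorted list of SIL bands its PFHd range overlaps.

    Two half-open intervals [a, b) and [c, d) overlap when a < d and c < b.
    PL a maps to an empty list: its band lies above the SIL 1 limit.
    """
    mapping = {}
    for low, high, pl in PL_BANDS:
        mapping[pl] = sorted(
            sil for s_low, s_high, sil in SIL_BANDS
            if low < s_high and s_low < high
        )
    return mapping


if __name__ == "__main__":
    # Constructed PFHd values for a few hypothetical safety functions.
    for pfhd in (5e-8, 4e-7, 2e-6, 6e-6, 2e-5):
        print(f"{pfhd:.1e}/h -> {sil_for_pfhd(pfhd)} / {pl_for_pfhd(pfhd)}")
    for pl, sils in pl_to_sil().items():
        print(pl, "corresponds to", sils or "no SIL")
```

Note that the SIL 4 band has no PL counterpart, which is consistent with the article's point that SIL 4 is not considered relevant to industrial machinery.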
Determining a Machine’s SIL Level
EN/IEC 62061 provides tables and a worksheet to identify a machine’s SIL-level requirements. There are numerical values for different levels of the criteria discussed previously: C (consequences), F (frequency), P (probability), and W (unwanted occurrences). The numerical values for each criterion are summed, and the SIL level is determined from a chart on the worksheet. Each of the levels is more clearly defined than the safety categories, making it simpler and a bit less subjective to determine severity.
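The worksheet procedure just described (score each criterion, sum, look up the SIL) is straightforward to encode, and doing so also makes the earlier claim about SIL 4 visible: the lookup matrix simply has no SIL 4 cell. The following is an added example, not code from the article or from the standard's publisher; the point scores and the assignment matrix are my reproduction of the informative worksheet in IEC 62061 Annex A (2005 edition) and are an assumption to verify against the edition in force. The article's C, F, P and W are taken here to be the worksheet's Se (severity), Fr (frequency and duration of exposure), Av (possibility of avoiding the harm) and Pr (probability of the hazardous event), following the order in which the article lists the criteria.

```python
"""SIL assignment worksheet in the style of IEC 62061 Annex A.

Added example, not code from the article.  Scores and matrix are my
reproduction of the standard's informative worksheet (assumption; verify
against the edition in force).  Article criteria: C = Se, F = Fr, P = Av,
W = Pr.  Fr scores assume each exposure lasts longer than 10 minutes.
"""

SEVERITY = {  # Se: consequence of the harm
    "irreversible: death, loss of eye or arm": 4,
    "irreversible: broken limbs, loss of fingers": 3,
    "reversible: requires medical attention": 2,
    "reversible: first aid only": 1,
}
FREQUENCY = {  # Fr: interval between exposures to the hazard
    "<= 1 h": 5,
    "> 1 h to <= 1 day": 5,
    "> 1 day to <= 2 weeks": 4,
    "> 2 weeks to <= 1 year": 3,
    "> 1 year": 2,
}
PROBABILITY = {  # Pr: probability that the hazardous event occurs
    "very high": 5, "likely": 4, "possible": 3, "rarely": 2, "negligible": 1,
}
AVOIDANCE = {  # Av: possibility of avoiding or limiting the harm
    "impossible": 5, "possible": 3, "likely": 1,
}

# Class Cl = Fr + Pr + Av is grouped into five columns; Se selects the row.
# None: the worksheet assigns no SIL requirement.  "OM": other, non-SIL-rated
# risk-reduction measures are recommended.
CLASS_COLUMNS = [(3, 4), (5, 7), (8, 10), (11, 13), (14, 15)]
SIL_MATRIX = {
    4: ["SIL 2", "SIL 2", "SIL 2", "SIL 3", "SIL 3"],
    3: [None,    "OM",    "SIL 1", "SIL 2", "SIL 3"],
    2: [None,    None,    "OM",    "SIL 1", "SIL 2"],
    1: [None,    None,    None,    "OM",    "SIL 1"],
}


def hazard_class(fr, pr, av):
    """Cl = Fr + Pr + Av, the worksheet's summed score for one hazard."""
    return fr + pr + av


def required_sil(se, fr, pr, av):
    """Look up the required SIL for one hazard from its four raw scores."""
    cl = hazard_class(fr, pr, av)
    for column, (low, high) in enumerate(CLASS_COLUMNS):
        if low <= cl <= high:
            return SIL_MATRIX[se][column]
    raise ValueError(f"class {cl} outside worksheet range 3..15")


def assess(severity, frequency, probability, avoidance):
    """Same lookup, driven by the worksheet's wording rather than scores."""
    return required_sil(SEVERITY[severity], FREQUENCY[frequency],
                        PROBABILITY[probability], AVOIDANCE[avoidance])


def highest_sil_in_worksheet():
    """Highest level the matrix can assign; it never yields SIL 4."""
    levels = {cell for row in SIL_MATRIX.values()
              for cell in row if cell and cell != "OM"}
    return max(levels)  # "SIL 1" < "SIL 2" < "SIL 3" as strings


if __name__ == "__main__":
    # Constructed hazard: press tooling area the operator reaches into several
    # times per shift; a crush could be fatal; avoidance is only "possible".
    print(assess("irreversible: death, loss of eye or arm",
                 "> 1 h to <= 1 day", "possible", "possible"))
    print("highest assignable:", highest_sil_in_worksheet())
```

The string-keyed `assess` wrapper is there so the scoring vocabulary stays in one place; when a criterion is reworded in a later edition, only the dictionaries change, not the lookup logic.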
As machines become more complicated, so do their safety systems. The growing complexity makes programmable safety systems more attractive and economical. Programmable safety devices easily integrate into control systems while adding new function and diagnostics.