9th International Symposium

Functional Safety in Industrial Application

Ten good reasons to go for SIL 3 certification for Fire & Gas applications

Dr. Bert Knegtering Honeywell Safety Solutions The Netherlands

Honeywell - NL Dr. Bert Knegtering

Whats the problem? Process installations Aging Legislation Complexity Performance Cost Maintenance Testing Production capacity Society / community Insurance

Honeywell - NL Dr. Bert Knegtering

Reason # 1 State of the art all major manufacturers of safety-PLC systems today offer SIL 3 certified solutions. That is state of the art so to say. As these systems are responsible for safety of numerous people and protection of the facility, one should not debate the application of degraded equipment for such a critical and central control unit (if something goes wrong, can you square this with your own conscience?)

Honeywell - NL Dr. Bert Knegtering

Reason # 2 Reducing spurious trips In order to achieve a high integrity level (SIL 3), often a combination of fault-tolerance with automatic self-testing (diagnostics) is implemented. This is not only improving (lowering) the probability of failure on demand, but also reducing the probability of having spurious trips.

Honeywell - NL Dr. Bert Knegtering

Reason # 3 Increasing risks due to aging As these systems are expected to run for decades, it is difficult to judge today what the situation will be e.g. after 10 or 20 years of operation, with installations and equipment getting older. This may lead to higher risks, which require higher safety integrity protection

Honeywell - NL Dr. Bert Knegtering

Reason # 4 Additional SIFs in future Considering the number of changes that are implemented over time, it may happen that today SIL 2 matches the requirements, whereas in future additional safety functions might be implemented which do have to meet SIL 3. As such, anticipating on such changes it is logical to take this into account by implementing a logic solver which is having some margin in this respect, i.e. which is able to comply with SIL 3 .
Temperature transmitter Temperature transmitter

SAFETY INSTRUMENTED FUNCTION

Solenoid Shut-off valve

Level switch

Logic Solver
(PLC)

MCC

Flow transmitter

Solenoid

Globe valve

Honeywell - NL Dr. Bert Knegtering

Reason # 5 Reducing other risk reduction measures As it often happens that in addition to the SIS, also other risk reduction measures are defined, it sometimes may happen that with a SIL 3 certified system, the need for these other measures is reduced or even not needed anymore at all.
Residual Residual risk risk Tolerablerisk risk Tolerable EUCrisk risk EUC

Necessary risk reduction

Partial risk covered by other technology safety-related systems Risk covered by E/E/PE safety-related systems Partial risk covered by external risk reduction facilities

Increasing risk

Honeywell - NL Dr. Bert Knegtering

Reason # 6 Anticipating on long term trends wrt. acceptable safety levels Over time, authorities and inspection bodies tend to strengthen their vision on safety of people but also protection of the environment. This is being observed for the last 30 to 40 years. Anticipating on these long term trends help by specifying SIL 3 for the safety-PLC.

Honeywell - NL Dr. Bert Knegtering

Reason # 7 Price / performance ratio A SIL 3 certified system in general offers a 10 times higher performance compared to SIL 2, whereas price wise, on average around one-fifth higher system prices apply .

Honeywell - NL Dr. Bert Knegtering

Reason # 8 Small PFDavg consumption ~ more space for field devices With a SIL 3 compliant safety-PLC, an accompanying much lower Probability of Failure on Demand (PFD), is achieved. This gives additional room for all implemented SIF when it comes to the allowed PFD for the attached field devices. In general it is observed that 10 to 15% additional margin is created with a SIL 3 selected logic solver.
1 PFD(t)

Average PFD
time t 0 TI (Test Interval)
Honeywell - NL Dr. Bert Knegtering
10

Reason # 9 Less systematic problems The difference between SIL 2 and SIL3 means much more than PFD. Particularly, when potential systematic failures are considered, it is clearly the point that the probability of having such failures in case of a SIL 3 compliant system is significantly less than for SIL 2.

Honeywell - NL Dr. Bert Knegtering

11

Reason # 10 less need for off-line proof-testing Due to a high level of Diagnostic Coverage as required for SIL 3, less need for off-line proof-testing is required. In fact, some safety PLC systems do not have to be tested off-line at all. These systems might be in operation for over 20 years without any need for additional testing .

Honeywell - NL Dr. Bert Knegtering

12

Conclusion CapEx SIL 2 perhaps cheaper State of the art SIL 3 !!

CapEx + OpEx

SIL 3 certified Safety Logic Solver

Honeywell - NL Dr. Bert Knegtering

13