Getting the safety integrity level right for automated systems

Sitting on the tube during a commute few of us would think about the importance of safety redundancy in automation systems unless it is specified as part of a project we are working on. Automated Safety Instrumented Systems (SISs) however are becoming increasingly prevalent, as they can be used to prevent or mitigate hazardous events in a range of different situations. By taking a process to a safe state when given conditions are breached SISs can offer different levels of protection, thus it is important to know what Safety Integrity Level (SIL) your intended application needs to meet.Barry Weller, Product Manager at Mitsubishi Electric, looks at what SILs are and how to determine your application safety requirements.

SILs are measures of performance or dependability for systems featuring safety functions. According to the IEC (or EN) 61508 standards on “Functional safety of electrical / electronic / programmable electronic safety-related systems”, there are four SIL bands. The higher the SIL number, the higher the required protection is.

The SIL requirements of a given application can be determined in different ways. IEC 61508 describes both quantitative and qualitative methods to define which SIL is required. Common approaches include risk graphs or matrices, fault tree analysis or layers of protection analysis.

As the SIL level increases, system costs as well as the overall system complexity tend to increase. Therefore, choosing to implement high SIL 3 and SIL 4 solutions is not always necessary and the lowest appropriate SIL for the application should be given consideration.

It should be remembered that the SIL level will ultimately be applied and refer to the total system configuration. The design of the overall system architecture and redundancy at the device level are all factors that affect the SIL rating. It is often the case that a large majority of systems that require a SIL level to be applied rarely need certification above SIL 2. This of course will depend on the application and risk.

SISs need to be fault tolerant
The most important aspect that SIL 2 SISs need to address is the uninterrupted control and regulation of relevant machinery, known as “equipment under control”, by a safety controller. This helps to avoid any risky downtime. As a result, control systems must feature redundant CPUs and power supplies, redundant network communications infrastructures and processing units. In this way, in the case of equipment failure, the system can maintain its availability and continue to operate safely.

For example, tunnel ventilation, as used in road or rail tunnels must operate when called upon during static traffic conditions or in emergency situations. Redundant control systems provide high availability and instant switchover essential to ensure continuous and safe operations. This can be achieved by means of a proprietary SIL compliant PLC platform coupled with a fast and reliable redundant communications network.

Mitsubishi Electric’s latest SIL 2-certified solution, MELSEC iQ-R PLC series for example, is characterised by a modular structure. Therefore, it can be easily paired with additional CPUs and power supply modules to ensure system redundancy. In addition, redundant Ethernet communications can be set up providing a single IP address for both control and standby systems.

By choosing Mitsubishi Electric’s PLCs for SIL 2 applications, users can also benefit from optimum system responsiveness, thanks to the high-speed CPUs. Performance across the network can also be enhanced by using CC-Link IE network technology, which features network redundancy and 1 Gbit/s network speeds.

Optimal operational performance is also fundamental. Therefore, solutions that combine process control and process safety, such as the MELSEC iQ-R for SIL 2, are becoming increasingly popular. These SISs regulate the proper running of Equipment Under Control (EUC) by collecting and processing relevant data in both normal and emergency conditions. Based on the results obtained, the process and safety controllers communicate with EUC to obtain pre-set safe conditions.

Furthermore, by selecting Mitsubishi Electric’s solutions, end users can slash their total cost of ownership (TCO). The iQ-R PLC series Process Automation Controller (PAC) offers the same level of reliability and functionality typically offered by more costly Distributed Control Systems (DCS). This is a clear example of how the world of equipment safety is continuously advancing, providing more reliable, available and flexible solutions, so staying up-to-date is essential to futureproof automation system integration practices.