Using Alarm Annunciators in IEC61508 SIL rated Safety Systems
In modern processing plants the issues of functional safety are steadily gaining importance. The IEC61508 standard introduced a very broad but systematic framework that allows plant engineers to apply functional safety concepts consistently to all modern control equipment.
WHAT IS SIL? Safety Integrity Level (SIL): a discrete level from 1 to 4 that specifies the target probability that a safety function will fail when called upon, SIL 4 being the most demanding. For a low-demand safety function the target is stated as the average Probability of Failure on Demand (PFDavg), or equivalently as safety availability (1 minus PFDavg):

Safety Integrity Level   Safety Availability Required   PFDavg (low demand mode)
SIL 4                    >99.99%                        1E-05 to <1E-04
SIL 3                    99.9% to 99.99%                1E-04 to <1E-03
SIL 2                    99% to 99.9%                   1E-03 to <1E-02
SIL 1                    90% to 99%                     1E-02 to <1E-01
The purpose of the annunciator is to initiate human intervention in response to a plant condition.
Alarm annunciators are an integral part of safety planning, especially in processing plants where alarm conditions can be numerous. An alarm, or a combination of several alarm conditions, requires an operator either to investigate the cause of the alarms or to take the steps laid down in the safety procedures to eliminate the condition.
Alarm annunciators today are seldom included as an integral part of true safety-related shutdown systems, because the reliability of the human operator is generally considered insufficient to meet the required failure probabilities. IEC61508 does not exclude a person from being part of a safety-related system, but it does not treat human-factor requirements in detail. The operator's response is most often credited with a PFD (Probability of Failure on Demand) of 1E-01, i.e. a 90% probability that the operator responds correctly to the alarm. That figure alone consumes the entire SIL1 budget (a SIL1 safety-related system must achieve a PFD between 1E-02 and 1E-01), so once the sensor, the annunciator and the final element are added the loop cannot reach even SIL1. With a high level of training and clear procedures in place, an operator PFD as good as 1E-02 can be accepted, and in that case an alarm annunciator can form part of a SIL1 safety loop. When IEC61508 is applied to assess safety-related systems it therefore becomes clear that safety functions which involve the human operator through an alarm annunciator can be targeted at SIL1 at best.
An alarm annunciator can also provide a secondary relay output that meets the requirements of IEC61508 as a true PES (Programmable Electronic System). Where that relay output implements an automatic safety function, the function can be assessed reliably without including operator reliability at all. Mixing the automatic safety-related system with functions that belong to a separate layer of protection (such as the alarm annunciator) is nevertheless considered problematic at best: the complexity of the annunciator adds failure modes to the safety loop and increases the chance of common-cause (common-mode) failures, both of which worsen the PFD of the safety loop. The preferred engineering practice is therefore always to keep the safety function separate from the alarm annunciator and to treat the annunciator as an independent layer of protection. The purpose of a shutdown system is to detect dangerous conditions and automatically bring the plant to a safe state, protecting lives and equipment. The purpose of the annunciator is to initiate human intervention in response to a process condition.
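The two preceding paragraphs argue from numbers: the operator's PFD of 1E-01 uses up the whole SIL1 band, 1E-02 leaves room for the rest of the loop, and an automatic trip kept as a separate layer should not be folded into the alarm loop. The script below, added here as a worked example (it is not Omniflex code and not part of the original article), carries that budget through. The SIL bands are the IEC 61508 low-demand bands from the table above; the operator PFDs of 1E-01 and 1E-02 are the figures the text quotes; the sensor, annunciator, final-element and automatic-trip PFDs, and the function names, are assumptions chosen for illustration only.

```python
"""Worked SIL budget for a safety loop that relies on a human operator.

Constructed example, not Omniflex code. SIL bands are IEC 61508-1 Table 2
(low demand mode). The operator PFD values 1E-01 and 1E-02 are the ones the
article quotes; every hardware PFD below is an assumed illustrative value.
"""
from typing import Dict

# IEC 61508 low-demand SIL bands: SIL -> (PFDavg lower bound inclusive, upper bound exclusive)
SIL_BANDS = {
    4: (1e-5, 1e-4),
    3: (1e-4, 1e-3),
    2: (1e-3, 1e-2),
    1: (1e-2, 1e-1),
}


def sil_from_pfd(pfd: float) -> int:
    """Return the SIL (1..4) a PFDavg achieves, or 0 if it does not reach SIL 1.

    A PFD below 1E-05 lies outside the bands IEC 61508 defines; the standard does
    not allow a claim beyond SIL 4, so reject it instead of inflating the claim.
    """
    if not 0.0 < pfd < 1.0:
        raise ValueError("PFD must be a probability strictly between 0 and 1")
    if pfd < 1e-5:
        raise ValueError("PFD below 1E-05 is outside the IEC 61508 SIL bands")
    for sil, (low, high) in SIL_BANDS.items():
        if low <= pfd < high:
            return sil
    return 0  # PFD >= 1E-01: no SIL credit can be claimed


def series_pfd(elements: Dict[str, float]) -> float:
    """PFD of one loop whose elements must ALL work for the function to succeed.

    Elements are assumed independent (no common-cause failures), so the loop
    fails on demand if any element fails: 1 - prod(1 - p_i). The familiar
    'just add the PFDs' rule is the small-PFD approximation of this product.
    """
    survive = 1.0
    for p in elements.values():
        survive *= 1.0 - p
    return 1.0 - survive


def independent_layers_pfd(layers: Dict[str, float]) -> float:
    """PFD of several independent protection layers guarding the same hazard.

    The hazard is only realised if EVERY layer fails, so the layer PFDs multiply.
    This is the layer-of-protection view the article recommends: the automatic
    trip and the alarm/operator response are separate layers, not one mixed loop.
    """
    total = 1.0
    for p in layers.values():
        total *= p
    return total


def safety_availability(pfd: float) -> float:
    """Safety availability in percent, as used in the SIL table: 100 * (1 - PFD)."""
    return 100.0 * (1.0 - pfd)


def assess_alarm_loop(operator_pfd: float) -> dict:
    """Assess an alarm loop: sensor -> annunciator -> operator -> manual shutdown.

    All hardware PFDs are assumed values; only the operator PFD comes from the text.
    """
    loop = {
        "sensor": 5e-3,             # assumed
        "annunciator": 5e-3,        # assumed
        "operator": operator_pfd,   # 1E-01 typical, 1E-02 with training and procedures
        "final_element": 5e-3,      # assumed manual shutdown valve
    }
    pfd = series_pfd(loop)
    return {"pfd": pfd, "sil": sil_from_pfd(pfd), "availability_pct": safety_availability(pfd)}


if __name__ == "__main__":
    for op in (1e-1, 1e-2):
        r = assess_alarm_loop(op)
        print(f"operator PFD {op:.0e}: loop PFD {r['pfd']:.4f}, "
              f"availability {r['availability_pct']:.2f}%, SIL {r['sil']}")
    # Keep the automatic trip (assumed PFD 5E-03, i.e. SIL 2 on its own) as a separate
    # layer from the trained-operator alarm loop: the PFDs multiply instead of adding.
    combined = independent_layers_pfd({"automatic_trip": 5e-3,
                                       "alarm_layer": assess_alarm_loop(1e-2)["pfd"]})
    print(f"two independent layers: combined PFD {combined:.2e}, risk reduction factor {1 / combined:.0f}")
```

With the operator at 1E-01 the loop lands at a PFD of about 0.113, above the SIL1 ceiling of 1E-01 even with good hardware; at 1E-02 the same loop reaches about 0.025, inside the SIL1 band with roughly three quarters of the budget still consumed by the operator. The last calculation shows why the article prefers separation: an automatic trip assessed on its own and an alarm layer assessed on its own multiply to a far lower overall PFD than either could claim as one mixed loop, and that multiplication is only legitimate while the two layers share no common-cause failures.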
Sellafield Ltd substantiates first SMART Annunciator in compliance with requirements of the UK NII.
The Omniflex Omni series alarm annunciator range is the first SMART annunciator to have been assessed as part of the EMPHASIS project to satisfy the NII (Nuclear Installations Inspectorate) for use in SIL1 applications, and it is now used extensively throughout the UK nuclear industry. It has also been independently assessed for use in SIL1 applications both by TUV and Ev
For more information on using alarm annunciators in IEC61508 SIL safety systems, talk to Omniflex UK Limited.