1. 主页

  2. 解决方案

  3. 行业解决方案

  4. 过程行业

  5. 化工行业

  6. 功能安全 - SIL

过程行业中的 SIL

功能安全在所有过程工厂中都起着关键作用,化工行业在对人和环境的保护方面有着特别高的要求。如何设计一个符合标准的安全回路至关重要。要实现这一点,最佳的方法是采用谨慎的设计原则和可用于计算的可靠 SIL 数据。我们很乐意在风险评估过程中为您提供指导,并通过我们久经考验的元件和冗余系统来支持您的安全方案实施。

安全整体性等级 (SIL)

为确保系统在紧急情况下不会对人和环境的安全构成威胁,您必须针对系统的功能安全进行系统设计。因此,SIL 规范是工厂工程和建设的关键安全标准,尤其是在化工过程行业。

SIL 表示安全整体性等级。它是一种用于对系统的功能安全进行分类的国际度量标准。SIL 分为 SIL1 到 SIL4 四个等级,第四个等级涵盖的风险是最高级别的,因此需要最严格的措施。这意味着,您可以利用元件的故障概率 来准确评估风险, 采取措施 最小化剩余风险,选择 合适设备 最终通过重复测试确保 SIL 功能合规性。

SIL 安全标准

SIL 分类基于两个国际标准:IEC 61508 和 IEC 61511。

IEC 61508(“电气/电子/可编程电子安全系统的功能安全”)为基本标准。它描述了如何评估风险以及要设计合适的安全功能所需的措施。因此,它还包括对安全回路各个元件的要求。这些元件包括传感器(如压力传感器、温度传感器和液位计)或电子信号值比较和输出单元以及自动过程阀。

IEC 61511(“过程行业安全仪表系统的功能安全”)专门适用于过程自动化。它主要针对要求较低的低需求应用场合,即为标准实践。其中,IEC 61511 包含传感器和驱动器的选择标准,例如以操作可靠性为考量点。

SIL 流程分为四个步骤

如果您是工厂的安装人员或操作员,且您的工厂存在危及员工、居民或环境安全的可能性,那么您必须尽可能降低风险。IEC 61508 和 61511 标准为此规定了四个关键步骤:

1. 风险定义和评估:首先要确定传感器、控制器和驱动器等所有元件在工厂整个使用寿命中出现故障的概率。

2. 措施的定义和实施:定义并实施适当的措施来最小化剩余风险。

3. 使用合适的设备:工厂能成功进行 SIL 回路测试的先决条件是元件和元件组均适合各自的等级,必要时需经过认证。

4. 重复测试:操作员以规定的时间间隔监控安全功能的合规性。

1. 风险定义和评估

我的工厂存在哪些潜在危险?化工行业中过程工厂的每个工程师都必须思考这个问题。一张风险图可以帮助您解答这个问题,它依据 IEC 61508 和 61511 标准结合四个定义的参数形成了一个决策树:

1. 损害的严重程度 (S):可预见的后果有多严重?

2. 频率和接触时间 (F):人员多久一次进入危险区?人员会在危险区停留多久?

3. 避免/缓释危险 (P):我能预防或控制事件吗?

4. 发生的可能性 (W):预计多久会出现一次事故?

实践经验表明,与安全相关的风险通常存在于细节中,并且通常只有在运行过程中才会暴露出来。系统分析已经可以在规划过程中识别出这些弱点。在 Festo,我们将根据您的需求提供符合规定的风险评估和功能安全解决方案,无论是完整的系统解决方案、精心规划的自动化技术还是单个元件。在此阶段,请随时咨询我们。

2. 措施的定义和实施

通过对工厂的系统风险评估还可以揭示推动 SIL 要求上升的因素。其中有一些是既定因素,例如生产地点。其他的是可以调整的因素。

首先要考虑的是出现故障的概率。容错元件和采取冗余设计的系统的首要作用是可让您显著提高系统可用性和可靠性。根据过程的不同,即使是在运行过程中可以测试和更换单个元件的解决方案也能起到一些作用。

结构安全措施(例如泄压系统)取决于每种情况下的实际生产。原则上,可以考虑如何尽可能降低过程的风险。结构措施和预防措施也属于此类,例如通风、漫灌预防(例如,在使用酸罐的情况下)或混凝土外壳(在存在爆炸危险的情况下)。

还建议选择性能可靠的设备和元件,以确保工厂的使用寿命长且可靠。这包括耐温、耐酸和防腐蚀的材料。此外,针对已在化学和电化工行业证明其价值的绝大部分单一过程,我们开发了符合标准的解决方案,包括集成了关断功能的阀岛和高度可靠的 2oo3 驱动器等。

3. 合适的设备

确定安全整体性等级时,所有单个元件中的 SIL 回路设计也必须达到该等级。这意味着,作为一名工程师,您所使用的设备和元件需要符合必需的 SIL 等级。需要提供证明材料:

  • 制造商声明:制造商将自己的设备评定为 SIL2。独立个人进行 SIL1 技术评估,SIL2 分类由独立部门进行。
  • 证书:安全回路中使用的所有 SIL3 以上等级设备必须由独立机构根据 IEC 61508 进行认证。

通过在搜索栏和“下载和媒体”下的产品详情页面中输入产品类型或订货号,您可以查找到我们产品的所有 SIL 证书和制造商声明。

4. Recurring tests and inspections

The safety functions of your system must be checked at regular intervals. This is required by the statutory provisions of the German Ordinance on Industrial Health and Safety or accident prevention regulations. Under certain circumstances, local legal requirements also apply. The primary purpose of the recurring SIL tests is to prevent personal injury, damage to property and the environment, but it is also intended to ensure system reliability by preventing unplanned downtime and, last but not least, to ensure that the engineers have legal security. In the event of damage, these tests can prove that the malfunction was not caused by device or design defects.

The test intervals are set by the operator. The risk assessment is based on the safety characteristics of the individual SIL components, as well as other factors. From a design perspective, it can be very beneficial to have durable solutions that, if necessary, can be exchanged without interrupting operations. We would be happy to provide you with recommendations for our products.

SIL FAQ: Questions and answers

What do the codes on the SIL certificate mean?

Product datasheets, certificates and model calculations for functional safety use a series of reference data and terms. Here are the most important ones for the SIL calculation:

  • λ (failure rate ), the following classifications apply: S for the overall rate of safe failures; SD for the rate of safe, detected failures; SU for the rate of safe, undetected failures; D for the overall rate of dangerous failures; DD for the rate of dangerous, detected failures; and DU for the rate of dangerous, undetected failures.

  • Device types: A is the code for a device for which the failure behaviour of all components used and the failure characteristics are adequately determined, e.g. through operational reliability. Device type B, on the other hand, means that the failure behaviour of at least one component used and the behaviour in the event of a failure are not adequately determined.

  • HFT (hardware failure tolerance): the ability to continue to execute the required function in the event of faults and deviations. With HFT0, a single fault can result in the loss of the safety function (e.g. in 1oo1 circuits). With HFT1, a safety loss only occurs if at least two faults occur simultaneously (e.g. in 1oo2 circuits). With HFT2, at least three faults must occur simultaneously (e.g. 1oo3 circuits).

  • High demand: operating mode with a high frequency of demands or continuous demands to activate the safety system. It operates continuously or its activation is demanded more than once a year.

  • Low demand: operating mode with a low frequency of demands to activate the safety system. It must not be activated more than once a year.

  • MTBF (mean time between failures): the mean time between two successive failures.

  • PFD (Probability of failure on demand): the probability that a safety function will fail in low-demand mode (demands/year < 10) = low demand.

  • PFH (Probability of failure per hour): the probability that a safety function will fail during continuous use (demands/year > 10) = high demand.

  • SFF (safe failure fraction): the proportion of safe failures out of the total number of failures.

What does a safety system consist of?


A SIL circuit generally consists of three segments:

  • Sensors (e.g. pressure sensors, temperature sensors and level gauges)
  • Evaluation and output unit (e.g. safety PLC)
  • Automated process valve unit comprising solenoid valve, actuator and process valve

What is the PFD/PFH distribution for the subsystems?

The distribution of the failure probabilities to the subsystems of a safety function is as follows for single-channel systems: the greatest weight is given to the SD failure rate of the actuators.

SIL: safety integrated system

Where can I find the values for the SIL calculation?

All failure probabilities required for the SIL calculation can be found in the manufacturer’s declarations or certificates (highlighted in blue). You can use these to calculate the total probability of failure (the values ​​highlighted in grey) according to the SIL.

SIL calculation

When are certificates required?

The higher the required safety level of a system, the higher the level of independence that the standard requires for the body assessing the functional safety. According to IEC 61511, manufacturer’s declarations are perfectly adequate up to SIL2. For SIL3 and above, the certificate must be issued by an independent organisation such as TÜV or Exida.

Safety integrity level – assessing body

SIL1 – independent person

SIL2 – independent department

SIL3 – independent organisation

SIL4 – independent organisation

Where are the SIL certificates?

You can find all SIL certificates and SIL manufacturer’s declarations for Festo products on the relevant product detail page in the "Certificates" category of the "Product Support" section.

How can I control actuators redundantly?

SIL

What SIL redundancy solutions does Festo have?

SIL: redundant valve block

Festo can offer you the right redundant control for every safety requirement:

Redundant NAMUR block (1oo2, 2oo2): the NAMUR block enables two solenoid valves with a NAMUR connection pattern to be installed, which are wired redundantly via the NAMUR interface. The blocks are available in fail-safe function (1oo2) or with increased availability (2oo2). You can mount the block directly on quarter turn actuators using the interface. Separate installation with suitable piping is also possible.

Redundant inline valves (1oo2, 2oo2): in these compact systems, Festo uses the tried-and-tested VOFD valve technology. The valve’s redundant circuit ensures a redundant fail-safe function (1oo2) or provides increased availability (2oo2) for automated process valves. Thanks to the Ematal coating, these valves meet the highest safety standards in process engineering and can withstand the toughest of ambient conditions.

Combined valve block (2oo3): the 2oo3 system combines both technologies, therefore providing the highest level of safety and availability. This valve block is an in-line variant that is integrated into your system. The installed standard valves are defined and mounted on the block via the NAMUR interface in accordance with VDI/VDE 3845. This means that the block is installed once; only the valves are replaced via the interface according to a service life/safety lifecycle plan. With this system, you can also bypass the functions of the four valves so that maintenance can be performed during operation. The pressure indicators mounted directly on the valve block always give a reliable and swift indication if a valve is pressurised.

Who else should know about this?

Why not discuss this with your specialists before deciding on Festo? Just share our recommended solutions and application examples using this link.