Systems Control – Safety Integrity Level
Posted on January 20, 2022 Instrumentation & Equipment Design
This post was originally published in two parts which have been combined below.
Part 1
Safety Integrity Level (SIL), as per IEC standard 61508, defines the minimum reliability and greatest allowable dangerous failure fraction of electric, electronic and programmable electronic safety systems. Each SIL level corresponds to a ten-fold decrease in dangerous failures. Coanda has designed and implemented systems up to SIL-3, including that required to operate our most powerful x-ray system.
In this post we’ll begin by examining the failure modes of a simple interlock system. In the interlock pictured, the x-ray should only operate when the interlock switch is closed. If the switch opens power is cut to the contactor, which also opens, disconnecting power from the x-ray. A simple interlock is inadequate for some applications.
This system has multiple failure modes. The contactor could get stuck in the closed position, through failure of the return spring or the contacts spot-welding due to arcing. If the cable gets crushed such that the two conductors are shorted together, the switch is bypassed, and the interlock is defeated.
In the next post we’ll show how a SIL-3 architecture addresses these failure modes.
Part 2
Last post, we examined some failure modes of a simple interlock system; here we illustrate one option to overcome them. Requirements for SIL-3 compliance include redundancy with component monitoring, such that if one element fails, the whole system will not turn on again until it’s repaired.
Now we have a two-pole switch and a safety relay to power the contactors. Each pole is connected to the safety relay using individually coded loops. A fault is registered if both circuits fail to act in unison, from a short between inputs, or a short to ground. The system is robust against cable-crushing, cable-severing, or one of the switch’s poles sticking.
Additionally, we now have redundant contactors. These are constructed with a monitoring contact that will only close if all the power contacts are physically open (termed “force guided”). The safety relay has a feedback circuit for these; it won’t start again if any contactor fails to operate.
With such an architecture, and a SIL-3 rating on all components, SIL-3 can be achieved. Coanda’s x-ray interlock monitors many inputs including e-stops, redundant door switches, keyswitch position, and current draw of the hazard indicators.