Introduction: SIL 3 Selection - The "Lifeline" Decision for Safety Systems
In high-risk industries such as petrochemicals, rail transit, nuclear power, and pharmaceuticals, functional safety bears directly on human life, plant and equipment, and the environment. SIL (Safety Integrity Level) 3 is the core requirement for medium- to high-risk scenarios (corresponding to a probability of dangerous failure per hour of 10⁻⁴~10⁻³), and selecting a safety PLC for it is far more than bolting "safety functions" onto an ordinary PLC. It requires stringent validation across several dimensions: standard compliance, hardware architecture, software design, and manufacturer qualifications.
Choosing the wrong SIL 3 safety PLC can leave a safety function unable to act (a failed emergency shutdown, an overload protection that does not trip) and trigger a major accident. This article walks through the full selection process so that you can avoid the pitfalls and arrive at a control core that is compliant, reliable, and suited to the application.
I. Selection Prerequisites: First Clarify 3 Core Safety Requirements
Before selecting, anchor the specific safety goals, so that you neither chase "high configurations" blindly nor overlook key details:
1. Define safety functions and risk levels
List the required safety functions, such as emergency shutdown (ESD), safety gate monitoring, overload protection, fire linkage, etc.;
Confirm the specific basis for SIL 3: establish that the safety function needs to reach SIL 3 through HAZOP (Hazard and Operability Analysis) and LOPA (Layer of Protection Analysis), rather than simply choosing a level from experience;
Example: the emergency cooling function for a temperature over-limit on a chemical reactor which, after risk assessment, needs to reach SIL 3 with an average probability of failure on demand (PFDavg) ≤ 10⁻³.
2. Define operational and environmental boundaries
Operating conditions: working temperature (-40℃~70℃?), vibration grade (IEC 60068-2-6), range of power-supply fluctuation (±0%?);
Environmental constraints: whether explosion-proof (Ex certification), dust and water resistance (IP rating) requirements apply;
Lifecycle: equipment usually requires a service life of 15~20 years, so confirm the PLC's product lifecycle and spare parts support.
3. Determine system integration requirements
Communication protocol: whether compatibility with safety communication protocols such as PROFINET Safety, EtherNet/IP Safety, MODBUS Safety, etc. is required;
I/O expansion: number and type of safety I/O modules (digital / analog / high-speed), and whether remote distributed I/O is supported;
Compatibility with existing systems: whether interaction with non-safety PLCs (such as S7-1500, Modicon M340) and SCADA systems is required.
II. Core Technical Requirements for SIL 3 Safety PLCs (Based on IEC 61508)
IEC 61508 is the basic standard for functional safety. A SIL 3 safety PLC must meet the following core requirements, which are the "hard thresholds" for selection:
1. Hardware safety: redundant design and fault detection capability
Redundant architecture:
Core logic: SIL 3 must meet "safe failure fraction (SFF) ≥ 90%", typically adopting a 1oo2 (one-out-of-two), 2oo3 (two-out-of-three), or hot standby redundancy architecture;
Redundancy of key components: CPU, power supply, and I/O modules must be redundant so that no single point of failure can bring the system down;
Example: the Siemens S7-1500F adopts "dual CPU synchronous operation with cross-checking", and the Rockwell GuardLogix 5580 supports 1oo2 hot standby redundancy.
Self-diagnosis of faults:
Real-time detection of hardware faults (such as CPU computing errors, I/O channel short circuits, power loss), with diagnostic coverage ≥ 99%;
Fault response: once a fault is detected, a safe action (such as shutdown or alarm) must be triggered within the safe time (such as ≤00ms), and the fault status must not be masked.
Reliability indicators:
Mean time between dangerous failures (MTBFd) ≥ 10⁶ hours;
Mean time to repair (MTTR) ≤ 2 hours (the manufacturer's maintenance capability must match this).
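The SFF and PFDavg figures quoted above are the two numbers a reviewer actually recomputes from a manufacturer's failure-rate data. The following worked example is added here and is not code from the article or from any PLC vendor: it uses the simplified low-demand PFDavg formulas of IEC 61508-6 (with the common-cause β term omitted, an assumption of this example), the low-demand SIL bands of IEC 61508-1, and the Type B architectural-constraint table of IEC 61508-2 to show why a 1oo2 or 2oo3 architecture with SFF ≥ 90% is what the text calls for. The failure rates in `CHANNEL` are constructed, not taken from any product.

```python
# Added worked example (not from the article): SIL arithmetic for a safety PLC
# channel. Uses the simplified low-demand PFDavg formulas of IEC 61508-6 with the
# common-cause (beta) term omitted, and the Type B architectural-constraint table
# (Route 1H) of IEC 61508-2. All failure-rate numbers below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureRates:
    """Per-hour failure rates of one channel, split the IEC 61508 way."""
    lam_sd: float  # safe, detected by diagnostics
    lam_su: float  # safe, undetected
    lam_dd: float  # dangerous, detected (diagnostics drive the channel to safe state)
    lam_du: float  # dangerous, undetected (only revealed by the proof test)


def sff(r: FailureRates) -> float:
    """Safe failure fraction: share of all failures that are not dangerous-undetected."""
    total = r.lam_sd + r.lam_su + r.lam_dd + r.lam_du
    return (total - r.lam_du) / total


def diagnostic_coverage(r: FailureRates) -> float:
    """Share of dangerous failures that the self-diagnosis catches."""
    return r.lam_dd / (r.lam_dd + r.lam_du)


def pfd_avg(architecture: str, lam_du: float, proof_test_hours: float) -> float:
    """Simplified PFDavg for the voting architectures named in the article."""
    x = lam_du * proof_test_hours  # expected dangerous-undetected failures per test interval
    if architecture == "1oo1":
        return x / 2
    if architecture == "1oo2":
        return x * x / 3
    if architecture == "2oo3":
        return x * x
    raise ValueError(f"unsupported architecture: {architecture}")


def sil_from_pfd(pfd: float) -> int:
    """Low-demand SIL band from PFDavg (IEC 61508-1). 0 means below SIL 1."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4  # 1e-5 <= pfd < 1e-4 is SIL 4; anything lower also satisfies SIL 4


def architectural_sil(sff_value: float, hft: int) -> int:
    """Maximum SIL allowed by architectural constraints for a Type B (complex) element.
    hft = hardware fault tolerance: 0 for 1oo1, 1 for 1oo2 or 2oo3, 2 for 1oo3."""
    # Rows: SFF < 60%, 60-90%, 90-99%, >= 99%; columns: HFT 0, 1, 2.
    table = [
        [0, 1, 2],
        [1, 2, 3],
        [2, 3, 4],
        [3, 4, 4],
    ]
    if sff_value < 0.60:
        row = 0
    elif sff_value < 0.90:
        row = 1
    elif sff_value < 0.99:
        row = 2
    else:
        row = 3
    return table[row][min(hft, 2)]


def achieved_sil(r: FailureRates, architecture: str, proof_test_hours: float) -> int:
    """SIL actually claimable: the lower of the PFDavg band and the architectural limit."""
    hft = {"1oo1": 0, "1oo2": 1, "2oo3": 1}[architecture]
    return min(sil_from_pfd(pfd_avg(architecture, r.lam_du, proof_test_hours)),
               architectural_sil(sff(r), hft))


# Constructed example channel: DC = 90 %, SFF = 95 %, annual proof test (8760 h).
CHANNEL = FailureRates(lam_sd=1e-5, lam_su=1e-5, lam_dd=1.8e-5, lam_du=2e-6)

if __name__ == "__main__":
    for arch in ("1oo1", "1oo2", "2oo3"):
        pfd = pfd_avg(arch, CHANNEL.lam_du, 8760)
        print(f"{arch}: PFDavg={pfd:.2e}, SIL by PFD={sil_from_pfd(pfd)}, "
              f"claimable SIL={achieved_sil(CHANNEL, arch, 8760)}")
```

With the constructed channel a single 1oo1 channel lands in the SIL 2 band on both counts, while 1oo2 and 2oo3 reach SIL 3. The `min()` in `achieved_sil` is the point: a good PFDavg alone does not buy SIL 3 if the SFF/HFT combination does not permit it, which is exactly why the text insists on both redundancy and SFF ≥ 90%.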
2. Software safety: error-proof design and verifiability
Safe programming environment:
It must support the safe programming languages conforming to IEC 61131-3 (such as function block diagram FBD and ladder diagram LD), with mandatory syntax checking and logic verification;
Unauthorized modification is prohibited: the programming software must have a user permission hierarchy (engineer / operator / administrator), and every modification of safety logic must be recorded in an audit log.
Safety function library:
Built-in certified safety function blocks (such as safety door monitoring, two-hand control, safety speed monitoring), so that no custom development is needed (avoiding programming errors);
Logical error prevention: support fail-safe design, such as driving the outputs to the default "safe state" (for example, relay de-energized) when the PLC loses power.
Verification and testing tools:
Logical consistency checks and SIL compliance calculation tools (such as automatic calculation of PFD);
Support for third-party independent testing and verification (the manufacturer must provide the test reports).
3. Compliance certification: certification by an authoritative body is mandatory
Core: an IEC 61508 SIL 3 certificate issued by an authoritative body such as TÜV Rheinland, TÜV SÜD, or SGS (it must cover the full series: CPU, power supply, and I/O modules);
Industry-specific certifications: such as EN 50126/50128/50129 for rail transit, and ATEX/IECEx for explosion-proof scenarios;
Note: the certificate must be within its validity period, and its scope must match the selected model exactly (do not accept a "series certification" in place of a "specific model certification").
III. Five Key Dimensions for Selection (with Selection Table)
Combining the technical requirements with practical application, evaluate the following 5 dimensions together, so as to avoid "selecting on a single dimension":

Selection Dimension       | Core Evaluation Points                                        | Qualified Standard Example
Compliance                | Certification coverage, standard version                      | TÜV SIL 3 certification (IEC 61508:2010), covering CPU, power supply and safety I/O
Hardware Reliability      | Redundant architecture, fault diagnosis rate, MTBFd           | 1oo2, fault diagnosis rate ≥ 99.5%, MTBFd ≥ 1.5 × 10⁶ hours
Software Security         | Safe programming, function library, mistake-proof design      | Supports IEC 61131-3 safe programming, built-in SIL 3 certified function blocks, logic audit
Integration Compatibility | Communication protocol, I/O expansion, system linkage         | Supports PROFINET Safety, expandable to 18 safety I/O points, compatible with existing S7-1500 PLC
Manufacturer Support      | Technical documentation, maintenance, spare parts guarantee   | Provides SIL validation report and fault troubleshooting guide; maintenance response ≤ 4 hours; spare parts supply ≥ 15 years
Mainstream SIL 3 safety PLC comparison (selection reference)

Brand / Model                  | Redundant Architecture  | Certification Status | Core Advantages                                                                    | Applicable Scenarios
Siemens S7-1500F               | 1oo2 / hot standby      | IEC 61508 SIL 3      | Seamless integration with ordinary S7-1500, unified TIA Portal programming         | General industry, rail transit
Rockwell GuardLogix 5580       | 1oo2 / 2oo3             | IEC 61508 SIL 3      | Supports EtherNet/IP Safety, integrated motion safety control                      | Automobile manufacturing, packaging machinery
Schneider Modicon M580 Safety  | Hot standby redundancy  | IEC 61508 SIL 3      | Built-in safety communication, compatible with Process Expert software             | Petrochemical, water treatment
Omron NJ501-RS3                | 1oo2 redundancy         | IEC 61508 SIL 3      | Small-size design, high cost performance                                           | Pharmaceutical, food processing
IV. Type Selection Pitfall Avoidance: 4 Common Misconceptions and Solutions
Mistake 1: "Ordinary PLC + safety module = SIL 3 safety PLC"
Risk: an ordinary PLC lacks hardware redundancy and fault diagnosis capability; even with a safety module added, it cannot meet the SIL 3 SFF ≥ 90% requirement;
Solution: choose a "fully certified" safety PLC (CPU, power supply, and I/O all carrying SIL 3 certification), rather than a "mix" of ordinary components.
Mistake 2: Looking only at certifications and ignoring compatibility in the actual application
Risk: a brand of PLC holds SIL 3 certification but does not support the PROFINET Safety protocol the project requires, so integration fails;
Solution: run compatibility tests before selection, confirming that the communication protocols, I/O module types, and software match the existing systems.
Mistake 3: Ignoring the manufacturer's technical support capability
Risk: safety logic problems arise during commissioning, the manufacturer cannot provide professional support, and the construction schedule slips;
Solution: give priority to manufacturers with a technical service center in the country, able to provide SIL validation consultation and quick fault response.
Mistake 4: Excessive pursuit of "high redundancy", increasing cost and complexity
Risk: blindly choosing a 2oo3 architecture in a scenario that is not high-risk raises hardware cost by 30% and makes commissioning and maintenance harder;
Solution: follow the LOPA results; where a 1oo2 architecture already meets the SIL 3 requirement for the scenario, no further redundancy is needed.
V. Case Analysis: SIL 3 PLC Type Selection Practice for a Petrochemical ESD System
Project background
Application scenario: emergency shutdown system (ESD) for a petrochemical cracking furnace, which needs to implement 6 safety functions including temperature over-limit, pressure over-standard, gas leakage, etc., all requiring SIL 3;
Core requirements: redundant design, PROFINET Safety support, explosion-proof certification (Ex d IIB T4), and suitability for a high-temperature environment (-20℃~60℃).
Type selection process
Demand screening: brands without explosion-proof certification or without PROFINET Safety support were excluded, preliminarily narrowing the field to the Siemens S7-1500F and the Schneider Modicon M580 Safety;
Technical evaluation:
S7-1500F: 1oo2 redundancy, TÜV SIL 3 certification, convenient cooperation with the existing S7-1500 PLC, but explosion-proof certification requires an additional explosion-proof housing;
Modicon M580 Safety: built-in Ex d certification, hot standby redundancy, and Process Expert software supporting integrated design of safety logic and process control;
Comprehensive decision: the Modicon M580 Safety was chosen, for three reasons: explosion-proof certification (lower installation cost), integrated software (less commissioning work), and full manufacturer support for SIL validation.
Implementation results
The measured PFDavg of the safety functions is ≤ 5×10⁻⁴, which meets the SIL 3 requirement;
The system has run stably for 3 years with no safety faults, and maintenance costs have fallen by 40%.
VI. Selection Closed Loop: Verification and Maintenance Must Not Be Overlooked
Selection is not the end; the following steps are needed to keep the safety functions continuously effective:
SIL compliance verification: obtain the manufacturer's third-party test report and check the actual PFDavg, SFF, etc. against the design requirements;
Commissioning and testing: perform safety logic testing (such as forced fault simulation and action response time testing) to make sure the safe state is correctly triggered when a fault occurs;
Regular maintenance: establish a safety PLC maintenance plan covering firmware upgrades, spare part replacement, and logic audits (at least once a year);
Change management: every modification of safety logic must be approved, tested, and documented, so that a change cannot silently disable a safety function.
Conclusion: The core of selection is "compliance as the basis, fit as the key"
Selecting a SIL 3 safety PLC is, in essence, a systematic engineering exercise in risk control: it must strictly comply with the rigid requirements of standards such as IEC 61508, and at the same time it must fit the project's actual operating environment, integration needs, and cost budget. Only by avoiding blind brand-following and verifying the details can you choose a control core that is truly "safe and reliable".
In the future, with the advance of Industry 4.0, safety PLCs will develop in the direction of "intelligent diagnosis", "remote operation and maintenance", and "integration with the Industrial Internet", but compliance and reliability will always remain the first principle of selection. For engineers, mastering the SIL 3 selection methodology not only safeguards the project but also reflects the core competence of the profession.
Contact Information
Contact us: Email sales6@amikon.cn | Phone +8618020776782