You’ve probably heard people claiming, “My hoist is SIL3 – it’s safe”, or “My hoist is SIL3 because I use two encoders”, or even “I need all my new winches to be SIL3”. These are some common statements repeated in the industry, but did you know that most of them are irrelevant or just plain wrong? Sometimes, this occurs because these statements can be taken out of context, used as a marketing technique, or even become an oversimplification or a misunderstanding over what SIL3 actually means.
Let’s go through these common statements to see why they don’t always mean what one might think.
The Market and its commercial labels – “I need all my new winches to be SIL3”
Let’s face it, it’s difficult to follow all the ins and outs of technology in our fast-evolving world. When buying a product, it’s easier to look for keywords as signs of quality without necessarily understanding the exact meaning and context behind them.
When applied to machinery safety in the entertainment industry, SIL3 – for example – has a specific meaning and context but it is often misused.
For instance, one might say “I need all my new winches to be SIL3” as a proxy for quality, when in fact SIL3 only makes sense in a fail-safe, reliability context and has no inherent quality attributes. Indeed, a winch with SIL3 functions could stop repeatedly during a performance and rightly be considered low quality.
The confusion over the use of SIL3 may come from the way safety PLC manufacturers use it. On such devices, all inputs, outputs and logic can be SIL3 rated, so the manufacturers describe the device as a whole as SIL3. However, if one extrapolates this to machinery – which is far more complex than a safety PLC – it is technologically difficult for all inputs, outputs and controls to be SIL3 rated.
In the entertainment industry, SIL3 is too often used for promotional and marketing purposes to differentiate high-end machinery. Instead of saying “I need all my winches to be SIL3”, a more accurate statement would be “I need SIL3 E-STOPs for all of my winches”. Yet, an even better approach would be for a risk analysis to be drafted, as it is the only way to assess safety function requirements.
When SILs are taken out of context – “My hoist is SIL3 – it’s safe”
One might be surprised to know that SIL2 or SIL1 are as safe as SIL3. The safety integrity level, or SIL, is an indication of how reliable a safety function is. It is only one part of the multistep process used to assess machinery safety.
All machinery, and all real-life scenarios, can expose some risk – however small – to human life. The responsibility of the manufacturer or the end-user is to analyse each of these risks and reduce them to an acceptable level. At this point, one could say that the machine is safe to use according to the manufacturer’s or the end-user’s intended use.
An extreme example: if a hoist were installed in an empty, closed room, it would always be safe to use since it could produce no harm. In the same way, the statement “My hoist is SIL3 – it’s safe” doesn’t make sense without knowing the intended use and the safety context, and the SIL3 rating could be either overkill or insufficient.
Therefore, a SIL1 safety function could be as safe as a SIL3 if the resulting exposure to harm is within acceptable levels.
The overcomplication of SIL – “It’s SIL3, because I’ve added a SIL3 PLC”
The best way to think about machinery safety is to visualise it as the links of a chain. If there is a weaker link the chain might fail and the load will fall.
In the same way, one element might be SIL3 rated, but if another element doesn’t have the same safety level then the whole chain will be defined by its weakest link. Additionally, SIL3 elements must be connected according to their manufacturer’s instructions; not following these instructions might compromise the integrity of their safety functions.
Similarly, when assembling mechanically linked machinery to perform a single lifting operation, the fact that each individual machine has a SIL3 function doesn’t necessarily mean that the same can be said for the whole system.
As an analogy, when rigging a hoist “motor down”, one must consider the self-weight of the hoist and its chain. Indeed, if the chain is long enough, the chain hoist will not be able to lift its own weight. In the context of machinery safety, a system integrator must sum up the probability of failure for each machine when mechanically linking them. This can result in SIL3 safety functions ultimately dropping to a lower safety level, such as SIL2.
Figure 1: Dual Encoder
SIL misunderstood – “My hoist is SIL3 because I use two contactors and two encoders”
Having two channels – also referred to as redundancy – is by no means a requirement nor necessarily enough for a safety function to achieve SIL3. It is only one of the three factors to take into consideration.
“My hoist is SIL3 because I use two contactors and two encoders” is a common misunderstanding. The SIL statement derives primarily from the failure rates of the elements that interact with a safety function.
It is also worth noting that adding more elements does not fundamentally increase the reliability of a safety function since the architecture of the safety function must also be considered. Simply increasing the number of elements could reduce the SIL level.
Lastly, the system’s ability to detect dangerous failures should also be considered. For example, the system should be able to detect and stop the machine when one of the contactors fails. Therefore, the contactor or encoder count is, by itself, irrelevant to the SIL statement. For interested readers, the calculation functions and variables are defined in the standards EN 61508 and EN 62061.
In conclusion, a single wire connection might achieve a SIL3 rating and a dual channel system might not. The quality of the chosen components and the way they are being used are just as important as the safety function architecture.
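As an added worked example (not from the article) of the two rules described above – summing the dangerous-failure probability of mechanically linked machines, and the weakest-link limit on a chain of elements – the code below maps a per-hour probability of dangerous failure (PFH) to the EN 61508 high-demand SIL bands; the winch failure-rate figures are constructed for illustration.

```python
# Added example: SIL band lookup plus series combination of linked machines.
# The PFH bands are the EN 61508 high-demand / continuous-mode bands; the
# failure-rate figures used below are constructed, not from any real product.

SIL_BANDS = [  # (lower bound inclusive, upper bound exclusive, SIL)
    (1e-9, 1e-8, 4),
    (1e-8, 1e-7, 3),
    (1e-7, 1e-6, 2),
    (1e-6, 1e-5, 1),
]


def sil_from_pfh(pfh):
    """Return the SIL claimable for a per-hour probability of dangerous failure.
    Returns 0 when the PFH is too high for any SIL; values below 1e-9 cap at SIL4."""
    if pfh < 1e-9:
        return 4
    for lo, hi, sil in SIL_BANDS:
        if lo <= pfh < hi:
            return sil
    return 0


def series_pfh(pfh_values):
    """Elements that must all work for one safety function (machines mechanically
    linked for a single lift) add their dangerous-failure probabilities."""
    return sum(pfh_values)


def linked_lift_sil(machine_pfhs):
    """SIL of a lift performed by several linked machines, from the summed PFH."""
    return sil_from_pfh(series_pfh(machine_pfhs))


def chain_sil(element_pfhs, element_sil_cls):
    """Weakest-link rule plus summed PFH: the safety function can claim no more
    than the lowest SIL capability of any element, and no more than the band
    its total PFH falls in."""
    return min(min(element_sil_cls), sil_from_pfh(series_pfh(element_pfhs)))


if __name__ == "__main__":
    winch = 6e-8  # constructed: each winch's safe-stop function sits mid SIL3 band
    print(sil_from_pfh(winch))              # 3 on its own
    print(linked_lift_sil([winch, winch]))  # 2: summed PFH 1.2e-7 exceeds the SIL3 ceiling
    print(sil_from_pfh(4e-8))               # 3: a single low-PFH element can still claim SIL3
    print(chain_sil([2e-8, 2e-8], [3, 2]))  # 2: the SIL2-capable element caps the chain
```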
In addition, one should not treat SIL3 as a synonym for safety. Statements set in stone are generalisations and should always be taken with caution. When they are not, it’s easy to fall for the old SIL3 trick.