SIL-3 safety functions are rare in the process industries. So, if you've identified one or more high-integrity SIF with a target of SIL 3, perhaps similar to the function illustrated in Figure 4, they require special attention.
The first question to ask is whether the target SIL is correct. While SIL 3 may eventually be found to be right, it's always worth checking whether the assessment included all relevant factors. You should also check whether the methodology was suitable: risk graph (RG) and safety layer matrix (SLM) methods aren't considered appropriate for assigning SIL 3, and even LOPA normally is limited to SIL 2. Reviewing the assessment with a well-constructed fault tree that includes the relevant additional factors can result in a SIF with a SIL-3 requirement being reassigned a target PFDavg in the SIL-1 range. This reassignment may reduce both capital and operating costs.
If the review confirms that a SIL-3 SIF is necessary, then you need to look very carefully at the hardware configuration and at the human interactions with the safety function. Achieving SIL-3 performance, and maintaining it for the lifetime of the function, is by no means a straightforward task.
SIL 3 raises capital costs because it requires a high degree of duplication: more than one sensor and more than one means of output (see Figure 4 again), so that the function keeps working if one or more failures occur between periodic proof tests. This ability to keep working in the presence of faults is what the international standards call "hardware fault tolerance." Achieving a PFDavg in the range 0.001 to 0.0001 (Table 1) means the SIF must be managed so that, averaged over a year, it is unable to respond to a demand for no more than a few hours (about 8.7 hours or less, since 0.001 × 8,760 hours), and that allowance must cover the time during which a dangerous failure has already occurred but the organization doesn't yet know the function isn't working.
SIL 3 also incurs additional operating costs. Proof testing a SIL-3 function takes significantly longer than for a SIL-1 function because there are more elements to test and prove, and more complex interactions between them. Additionally, proof testing must be done more frequently, almost certainly at least once a year. Any safety programmable logic controller suitable for SIL 3 will rely heavily on diagnostic features to detect internal faults as they develop, yet the end user normally can't test those diagnostics for full and correct functionality.
When calculating the PFDavg and demonstrating that SIL 3 is achieved, great care should be taken to ensure that: (a) the failure rates used are direct field-failure rates applicable to the actual service, rather than generic figures; (b) dependency between redundant channels (common-cause failure) is assessed and included, otherwise the calculation will be grossly optimistic; and (c) the unavailability of the function while it is bypassed for testing is accounted for.

It's also important to consider the human interactions with the safety function. SIF require maintenance, calibration and testing, and all of these involve people, who aren't 100% reliable in anything they do. You can't just say to a technician, "when you work on this SIL-3 function please be 100 times more careful than you are on the SIL-1 functions." People already try to take care in what they do; it's impossible to perform the same calibration task on a SIL-3 function with 100 times more care than on a SIL-1 function. Nevertheless, the likelihood of human failure and its impact on a SIL-3 safety function must be considered. A human-error probability of, say, 0.003 per task that has relatively little effect on the PFDavg of a SIL-1 function (target range 0.01 to 0.1) exceeds the entire SIL-3 budget of 0.001 on its own, and so may make SIL 3 utterly unachievable. This means that the design of the tasks, and the conditions under which they are planned to be carried out on a SIL-3 function, must differ significantly from what would be reasonable for a SIL-1 function. Redesigning tasks, assessing an appropriate human-error probability and including it in the PFDavg calculation are vital at SIL 3, but they aren't easy and require specialist skills.
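To make the budgeting in the two preceding paragraphs concrete, here is an added worked example; it is not from the article, and its numbers are illustrative. It applies the standard IEC 61508 / ISA-TR84.00.02 simplified low-demand equations to a constructed SIF of the Figure 4 shape (duplicated sensors, redundant logic solver, duplicated valves, annual proof test) and shows the three things the text warns about: how assuming independent channels (beta = 0) makes the same hardware appear to meet SIL 4, how a full bypass during the annual proof test consumes the SIL-3 budget, and how a per-task human-error probability of 0.003 exceeds that budget outright. All failure rates, beta factors, the bypass duration and the human-error figure are assumptions chosen for illustration; the single-figure human-error model and the full-bypass model are deliberate simplifications, labelled as such in the code.

```python
"""Worked PFDavg budget for a high-integrity SIF.

Added example, not from the original article. It uses the IEC 61508 /
ISA-TR84.00.02 simplified low-demand equations; the failure rates, beta
factors, bypass duration and human-error probability below are constructed,
illustrative assumptions, not figures from the article or any real device.
"""
from dataclasses import dataclass, replace
from typing import Iterable

HOURS_PER_YEAR = 8760.0

# Low-demand PFDavg bands: (SIL, inclusive lower bound, exclusive upper bound).
SIL_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))


def sil_from_pfd(pfd_avg: float) -> int:
    """SIL whose band contains pfd_avg; 0 if it falls outside every band."""
    for sil, low, high in SIL_BANDS:
        if low <= pfd_avg < high:
            return sil
    return 0


def hours_unavailable_per_year(pfd_avg: float) -> float:
    """Time-average hours per year during which the SIF cannot respond to a demand."""
    return pfd_avg * HOURS_PER_YEAR


@dataclass(frozen=True)
class Subsystem:
    """One voted subsystem of the SIF (sensors, logic solver or final elements).

    lambda_du: dangerous-undetected failure rate per channel, per hour
    voting:    "1oo1", "1oo2" or "2oo3"
    beta:      common-cause (dependency) fraction applied to redundant channels
    """
    name: str
    lambda_du: float
    voting: str
    beta: float = 0.0


def pfd_hardware(sub: Subsystem, ti_hours: float) -> float:
    """Simplified PFDavg of one subsystem over a proof-test interval ti_hours.

    Only lambda_DU and the beta-factor common-cause term are modelled; the
    lambda_DD / MTTR terms of the full equations are dropped, so this is a
    first-pass screening figure, not a substitute for a full fault tree.
    """
    x = sub.lambda_du * ti_hours          # expected DU failures per channel per interval
    common_cause = sub.beta * x / 2.0     # share of failures that hit every channel at once
    if sub.voting == "1oo1":
        return x / 2.0
    if sub.voting == "1oo2":
        return x * x / 3.0 + common_cause
    if sub.voting == "2oo3":
        return x * x + common_cause
    raise ValueError(f"unsupported voting architecture: {sub.voting}")


def pfd_budget(subsystems: Iterable[Subsystem], ti_hours: float,
               bypass_hours: float = 0.0, p_human_error: float = 0.0) -> dict:
    """Whole-SIF PFDavg and the SIL it actually supports.

    Three contributions are summed:
      hardware - per-subsystem dangerous undetected failures (with common cause);
      bypass   - the SIF is out of service for bypass_hours of every interval
                 (assumes a full bypass during the proof test; testing one
                 channel at a time would shrink this term);
      human    - a test or calibration error that leaves the SIF unable to trip
                 is not seen until the next proof test, so it persists for the
                 whole interval and adds roughly p_human_error to the average
                 (a deliberately simple single-figure model; an assumption).
    """
    hardware = sum(pfd_hardware(s, ti_hours) for s in subsystems)
    bypass = bypass_hours / ti_hours
    total = hardware + bypass + p_human_error
    return {"hardware": hardware, "bypass": bypass, "human": p_human_error,
            "total": total, "sil": sil_from_pfd(total),
            "hours_per_year": hours_unavailable_per_year(total)}


def with_beta(subsystems: Iterable[Subsystem], beta: float) -> list:
    """Copy of the subsystems with every redundant subsystem's beta replaced."""
    return [replace(s, beta=beta) if s.voting != "1oo1" else s for s in subsystems]


# Constructed SIL 3 candidate, loosely in the shape of the article's Figure 4.
TI_ANNUAL = HOURS_PER_YEAR
EXAMPLE_SIF = [
    Subsystem("pressure transmitters", lambda_du=1.0e-6, voting="1oo2", beta=0.05),
    Subsystem("safety logic solver",   lambda_du=1.0e-7, voting="1oo2", beta=0.05),
    Subsystem("shutdown valves",       lambda_du=1.0e-6, voting="1oo2", beta=0.05),
]

if __name__ == "__main__":
    scenarios = {
        "independent channels (beta = 0, optimistic)":
            pfd_budget(with_beta(EXAMPLE_SIF, 0.0), TI_ANNUAL),
        "5% common cause":
            pfd_budget(EXAMPLE_SIF, TI_ANNUAL),
        "5% common cause + 8 h full bypass per test":
            pfd_budget(EXAMPLE_SIF, TI_ANNUAL, bypass_hours=8.0),
        "5% common cause + 0.003 human error per test":
            pfd_budget(EXAMPLE_SIF, TI_ANNUAL, p_human_error=0.003),
    }
    for label, b in scenarios.items():
        print(f"{label:48s} PFDavg={b['total']:.2e}  SIL {b['sil']}  "
              f"({b['hours_per_year']:.1f} h/yr unavailable)")
```

With these assumed numbers the hardware alone lands in the SIL-3 band only once a 5% common-cause fraction is included; the same hardware with beta set to 0 reports a PFDavg in the SIL-4 band, which is the "grossly optimistic" result the text warns about. An eight-hour full bypass once a year adds 8/8760, about 9e-4, and pushes the function into SIL 2, and a 0.003 human-error probability does the same by itself, independent of how good the hardware is.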