
ISA Seminars on the Web

Live Experts on Hot Topics

Standards
Certification
Education and Training
Publishing
Conferences and Exhibits

CSE PE Exam Review: Safety Systems
EN00W6 Version 1.4
2011

2011, ISA
EN00W6 (1.4)

Seminar Logistics
Seminar materials

Downloadable presentation
Question and Answer session (audio and email)
Survey
Earn 1 Professional Development Hour (PDH)

Seminar length
60 minute presentation
Three 10-minute question and answer sessions

Audio Instructions
As a participant, you are in a listen-only mode.
You may ask questions via the internet, using your
keyboard, at any time during the presentation. However, the
presenter may decide to wait to answer your question until
the next Q&A Session.
If you have audio difficulties, press *0.


Audio Instructions for Q&A Sessions


Questions may be asked via your telephone line.
Press the *1 key on your telephone key-pad.
If there are no other callers on the line, the operator will
announce your name and affiliation to the audience and then
ask for your question.
If other participants are asking questions, you will be placed into
a queue until you are first in line.
While in the queue, you will be in a listen-only mode until the
operator indicates that your phone has been activated. The
operator will announce your name and affiliation and then ask
for your question.

Introduction of Presenter


Gerald Wilbanks, P.E., Vice President of Documentation and Engineering Services in
Birmingham, Alabama, has over 40 years of experience in engineering, management,
consulting, and design in heavy industry. He is a registered professional engineer in
4 states, a member of NSPE and ASQ, and an International Former President (1995) of
ISA. Gerald is a graduate of Mississippi State University with a Bachelor's degree in
Electrical Engineering and was recognized as the Engineer of the Year in 1991 by the
Engineering Council of Birmingham. He is a Distinguished Engineering Fellow of
Mississippi State University and a Life Fellow member of ISA. He has served as an
instructor in many courses, seminars, and other educational sessions for ISA and in
his own business.

Key Benefits of Seminar


Identify areas of focus for more effective studying to assist with
passing the PE examination
Explain the basics of safety instrumented systems
Discuss Safety Integrity Level
Review meaning and use of Reliability
Calculate Probability of Failure on Demand
Definition of Risk Reduction Factor
Safety Systems (Domain V) represents about 12 questions or
15% of the CSE PE exam

Typical Control Loop

Figure (block diagram): the Set Point and the Transmitted Signal enter the
Controller; the Controller's output, a signal based on error or deviation and the
effects of the control modes, drives the Final Control Element, which adjusts the
Manipulated Variable entering the Process; the Controlled Variable is measured by
the Sensor and sent back through the Transmitter.

Section 1: Safety Systems Basics

Description of safety instrumented systems


Risk and sources
Design Documentation
Safety Layers and standards

Safety Instrumented System (SIS)

A system composed of sensors, logic solvers, and final control elements for the
purpose of taking the process to a safe state when pre-determined conditions are
violated.

Figure: the Safety Instrumented System (SIS), with its own inputs and outputs, shown
alongside the Basic Process Control System (BPCS), with its own inputs and outputs,
on vessel T-1. Instrument tags in the figure: pressure transmitters PT-1A and PT-1B,
flow transmitter FT-1, level valve LV-1, and shutdown valve SDV-1.

Incident Occurrence By Phase

Incorrect & Incomplete Specification: 44%
Changes After Commissioning: 20%
Operations & Maintenance: 15%
Design & Implementation: 15%
Installation & Commissioning: 6%

From "Out Of Control" (a compilation of incidents involving control systems)
by the United Kingdom Health and Safety Executive (UK HSE)

SIS Design Documents


UK HSE: PES Programmable Electronic
Systems for Use in Safety Related Applications,
1987
American Institute of Chemical Engineers, Center
for Chemical Process Safety (AIChE, CCPS):
Guidelines for Safe Automation of Chemical
Processes, 1993
ANSI/ISA 84 2004 (IEC 61511): Functional
safety: Safety Instrumented Systems for the
process industry sector, 2004
International Electrotechnical Commission (IEC)
61508 - Functional Safety - Safety Related
Systems, 2000


What is at Risk?
SISs are used to protect:
Personnel

Safety systems are installed to reduce risk

Safety Layers
Community Emergency Response
Plant Emergency Response
Physical Protection (Dikes)
Physical Protection (Relief Devices)
Safety Instrumented System
Alarms, Operator Intervention
Basic Process Control
Process

Defense in depth, or, don't put all your eggs in one basket.


Risk Reduction

Figure (risk reduction bar): starting from the risk inherent in the process, each
protection layer in turn (Process, BPCS, Alarms, SIS, Mech., Other) removes a share
of the risk, until the residual risk level lies below the tolerable risk level.

Doing more in one box doesn't make it perform better

Scope of Standards
Covers specification, design, installation,
operation and maintenance
Specifies requirements, but not who is
responsible for implementing them
Applies to a wide variety of industries
within the process sector:
Chemicals, oil refining, oil and gas production,
pulp and paper, non-nuclear power generation
Certain industries may have additional
requirements
(ISA84, Section 1)


Management of Functional Safety


Policy and strategy for achieving safety
Persons/departments shall be identified
and responsibilities assigned
Persons shall be competent
Engineering knowledge, training & experience
(with the process, logic system technology, field
devices, regulations, leadership skills, etc.)

Assessments / audits
To make a judgment on the functional safety
achieved by the system
At least one assessment carried out prior to
hazards being present
(ISA84, Section 5)

Review of Key Points


A safety instrumented system (SIS) is a separate and distinct layer of controls
from the Basic Process Control System (BPCS)
Safety Instrumented Systems are for the protection of human life, equipment, the
environment, and the public
Industrial incidents result from the failure of several different elements
Risk mitigation is documented by various standards
Risk reduction can be accomplished at various levels of instrumentation
Risk is reduced by following proven methodologies


Live Question and Answer Session



Section 2: Safety Systems Design


Overall safety system life cycle
Risk analysis and types
Safety systems levels and classifications
Failure Modes
Risk Reduction Factor (RRF)


Safety Design Life Cycle

Figure (life cycle flow chart; boxes are marked either "detailed requirements
given" or "no detailed requirements given", with ISA84 section numbers in
parentheses):
Hazard & Risk Analysis (8)
Allocation of Safety Layers (9)
Other Means of Risk Reduction (9)
Develop Safety Reqs Spec (10 & 12)
Design & Engineering (11 & 12)
Installation, Commissioning & Validation (14 & 15)
Operations & Maintenance (16)
Modification (17)
Decommission (18)

Steps performed throughout:
Management, Assessment, Auditing (5)
Verification (7)

(ISA84, Section 6)

Risk Analysis
Risk is a function of frequency (probability, likelihood) and severity
(consequences)
How often, and how bad

The process industry was not the first group that needed to assess risk
Military, nuclear


Overall Risk

Figure (risk matrix with Low, Medium and High risk regions):
High risk: Unacceptable design, change required
Medium risk: Questionable design, change desirable
Low risk: Acceptable design, no change required

Allocation of Safety Functions to Layers


Allocation of safety functions to
protection layers
Determine the required safety
instrumented functions
Determine the SIL for each SIF
SIL is a discrete number (1-4) specifying
the performance of the SIF
High risk does not necessarily lead to
high SIL. There are other factors to
consider (e.g., # of independent
protection layers).

(ISA84, Section 9)


Safety Integrity Levels

For Demand Mode of operation:

SIL | Probability of Failure | Risk Reduction Factor | Safety Availability
    | on Demand (PFD)        | (1/PFD)               | (1-PFD), %
----+------------------------+-----------------------+--------------------
 4  | .00001 to < .0001      | > 10,000 to 100,000   | > 99.99 to 99.999
 3  | .0001 to < .001        | > 1,000 to 10,000     | > 99.9 to 99.99
 2  | .001 to < .01          | > 100 to 1,000        | > 99 to 99.9
 1  | .01 to < .1            | > 10 to 100           | > 90 to 99
Control (N/A): below SIL 1

Failure Modes
With a safety system, the concern shouldn't so much be with how the system
operates, but rather how the system fails.
Safety systems can fail in two ways:

Safe failures: initiating, overt, spurious, costly downtime
Dangerous failures: inhibiting, covert, potentially dangerous, must find by testing


SIS Safety Requirements


Develop the safety requirements
specifications
Definition of safe state of process
Common cause failures
Process inputs to SIS and trip points
Process outputs from SIS and action required
Functional logic required
Response time requirements
Manual shutdown
Response action to a logic failure
Human machine interface (HMI) requirements
Reset functions
ISA84 Section 10

SIS Safety Requirements (cont'd)

Determine safety integrity requirements:
The SIL of each function
Reliability considerations if spurious trips may be hazardous

ISA84 Section 10


Shutdown Systems
Also called:
Interlocks, protective systems, safety systems, safety interlock systems (SIS),
emergency shutdown systems (ESD)

When should systems be separate? When they protect or ensure:

Human life
Equipment damage
Environmental damage
Product quality
Equipment protection
Insurability

Down Time vs. Repair Time

Figure (timeline): down time is made up of Realization, Access, Diagnosis, Spares
and Replace; repair time covers only the steps from Access through Replace.

In some cases MDT and MTTR are the same
In others they are very different
The realization time may be the largest factor


Figures: Integrated SD System; Segregated SD System


SIS Definitions
All stuff fails.
Some stuff fails and you know it right away, like a blowout or a blown fuse.
Some stuff fails while in service, like a car battery. You learn about it when
you ask for it to be used once again.
In the SIS world, we characterize the statistics of the first type of failure
with LAMBDAs, the safe failure rate.
The second type of failure is covert and dangerous, since you have no warning
that it has occurred. Here we use LAMBDAd for the dangerous failure rate.


RRF: Risk Reduction Factor

SIS: Safety Instrumented System, an active independent layer of protection
created by instrumentation
SIF: Safety Instrumented Function, for example "on HIHI temperature, shut down
the feeds and apply cooling"
SIL: Safety Integrity Level
A SIL I design has an RRF characterized by 10 <= RRF < 100.
A SIL II design has an RRF characterized by 100 <= RRF < 1000.
A SIL III design has an RRF characterized by 1000 <= RRF < 10000.
A SIL IV design has an RRF characterized by 10000 <= RRF < 100000.


Safety Instrumented Systems

For the SIS, there are two kinds of failures, those that fail dangerously and
those that fail safe.
Bad news: those that fail safe shut down your plant.
Those that fail dangerous may not shut down your plant and, like a car battery
that has failed while the engine it started is still running, you can't tell
that they happened.

The SIS is there to protect you. We are after computing PFD, Probability of
Failure on Demand, which is associated with LAMBDAd, the undetected unsafe
failure rate of a device.

LAMBDAd came out of Aero-Space and MIL Spec efforts. These tools have been used
to evaluate design alternatives. They are well understood and accepted. Now we
will use them in the process industry to design and maintain our SIS.

Bath Tub Curve

Figure: failure rate plotted against time over the life of a device (the "bath
tub" curve).

Failure rate = # of failures / unit of time
Constant failure rate assumed for normal life of device
MTTF = 1 / failure rate
MTTF and Life are not the same


Where do Failure Rates come from?

Calculation techniques (MIL HDBK 217)

"... a reliability prediction should never be assumed to represent the expected
field reliability as measured by the user ..." (MIL HDBK 217F, Paragraph 3.3)

Predictions can then be made for:
Components
Modules
Complete System

Class Example 1 - Failure Rate & MTTF

100 switches are checked annually
10 are found to be not working (i.e., suffered dangerous failures)
What is the failure rate and MTTF?
Failure rate = # of failures / total time
= 10 failures / 100 years (100 switches x 1 year in service)
= 1 failure / 10 years

Class Example 1 - Failure Rate & MTTF (cont'd)

Failure rates, however, are normally expressed as failures per hour, therefore,
since 1 year = 8,760 hours:
1 failure / 87,600 hours becomes 1.14 E-5 failures / hour

MTTF (which is normally expressed in years) = 10 years

Review of Key Points


Risk is a function of Frequency (Probability) and Severity (Consequences)
Each Safety Instrumented Function (SIF) should be classified by a Safety
Integrity Level (SIL)
Safety Systems can fail in two ways: Safe and Dangerous (Undetected)
There are several types of shutdown systems
Reliability is of prime concern (mean time to fail and mean time to repair)
There are four Safety Integrity Levels with values for Probability of Failure
on Demand (PFD) and Risk Reduction Factor (RRF)


Live Question and Answer Session



Section 3: Safety System Implementation


Role of reliability in implementation
Safety logic and use of fault trees
Systems applied to logic solving
Safety Integrity Level (SIL)
Probability of Failure on Demand (PFD)


Reliability Block Diagrams

A graphical way to represent system operation / failure

Figure (RBD): blocks A, B and G in series, with two redundant pairs, C parallel
to D and E parallel to F, in the same series path.

The system would fail if either A, B, or G individually failed, or if the
combination of either C & D, or E & F failed

Reliability
We are after a consistent way to model our systems so that we can measure how
good the design is. In addition, we wish to tie a feedback loop around the actual
performance to determine if we have achieved what we set out to accomplish.


Reliability/Availability
Mean time to failure MTTF
Mean time to repair MTTR
Mean time between failures MTBF
Failure modes


Hardware Availability
Availability = Uptime / Total Time
= Uptime / (Uptime + Downtime)
= MTTF / (MTTF + MDT)
where: MTTF = 1/λ (λ = failure rate)
Many vendors substitute MTTR for MDT.
This is only valid for safe failures!
A_safe = MTTFs / (MTTFs + MTTR)
Notes:
- This formula is only valid for simplex (non-redundant) systems
- Failure rates must be split between the two failure modes, safe and dangerous.


Hardware Safety Availability

For dangerous faults, downtime must include not only the repair time, but the
realization time - the time before you are even aware that a problem exists
This can be represented by the test interval (TI)

A_dang = MTTFd / (MTTFd + TI/2 + MTTR)

Notes:
- This formula is only valid for simplex (non-redundant) systems
- Failure rates must be split between the two failure modes
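The two availability formulas above, worked through in code. This is an added example, not from the ISA slides; it takes the failure rate from the proof-test data of Class Example 1 and assumes a 50/50 safe/dangerous split, an annual test interval and an 8-hour MTTR.

```python
# Added example (not from the ISA slides): hardware availability for safe and
# dangerous failures, with the failure rate taken from proof-test data as in
# Class Example 1. The 50/50 safe/dangerous split, TI and MTTR are assumptions.
HOURS_PER_YEAR = 8760


def failure_rate_per_hour(failures, population, years_in_service):
    """Failure rate (lambda) from a proof-test population, in failures/hour.

    Total time is population x years, as in Class Example 1
    (10 failures in 100 switch-years)."""
    return failures / (population * years_in_service * HOURS_PER_YEAR)


def mttf_hours(lam):
    """MTTF = 1 / lambda."""
    return 1.0 / lam


def safe_availability(lam_s, mttr):
    """A_safe = MTTFs / (MTTFs + MTTR). Safe failures are overt, so the
    down time really is just the repair time. Simplex systems only."""
    mttf_s = mttf_hours(lam_s)
    return mttf_s / (mttf_s + mttr)


def dangerous_availability(lam_d, ti, mttr):
    """A_dang = MTTFd / (MTTFd + TI/2 + MTTR). A covert failure sits
    undetected for, on average, half a test interval before repair can
    even begin. Simplex systems only."""
    mttf_d = mttf_hours(lam_d)
    return mttf_d / (mttf_d + ti / 2.0 + mttr)


def availability_report(failures, population, years, safe_fraction, ti, mttr):
    """Split the observed rate into safe and dangerous parts and compare the
    correct A_dang with the 'vendor' figure that wrongly uses MTTR as MDT."""
    lam = failure_rate_per_hour(failures, population, years)
    lam_s = lam * safe_fraction            # assumed split, see lead-in
    lam_d = lam * (1.0 - safe_fraction)
    a_dang = dangerous_availability(lam_d, ti, mttr)
    a_dang_mttr_only = safe_availability(lam_d, mttr)  # MDT := MTTR, not valid
    return {
        "lambda_per_hour": lam,
        "mttf_years": mttf_hours(lam) / HOURS_PER_YEAR,
        "a_safe": safe_availability(lam_s, mttr),
        "a_dang": a_dang,
        "a_dang_if_mttr_used_for_mdt": a_dang_mttr_only,
        "unavailability_understated_by": (1 - a_dang) - (1 - a_dang_mttr_only),
    }


if __name__ == "__main__":
    # Constructed input: 10 of 100 switches failed in one year (Class Example 1),
    # assumed half safe / half dangerous, annual proof test, 8-hour repair.
    for k, v in availability_report(10, 100, 1, 0.5, ti=8760, mttr=8).items():
        print(f"{k:32s} {v:.6g}")
```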

Reliability Block Diagram Math

The math associated with RBDs is simply adding or multiplying probabilities

Figure: two small RBDs, one with items in series (A, B) and one with items in
parallel (C, D).

You add probabilities of items in series
You multiply probabilities of items in parallel
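An added example (not from the slides) that evaluates the probability of failure of the RBD shown earlier (A, B, G in series with the redundant pairs C||D and E||F) using both the slide's rule of thumb and the exact product formula; the Block/Series/Parallel classes and the component probabilities are my own constructions.

```python
# Added example (not from the ISA slides): evaluating the probability of failure
# of a reliability block diagram. Series/Parallel/Block are my own small model;
# the component probabilities below are constructed.
from dataclasses import dataclass
from math import prod
from typing import List, Union


@dataclass
class Block:
    name: str
    p_fail: float          # probability the component has failed


@dataclass
class Series:
    items: List["Node"]    # every item must work; any one failing fails the group


@dataclass
class Parallel:
    items: List["Node"]    # redundant items; the group fails only if all fail


Node = Union[Block, Series, Parallel]


def p_fail_rule_of_thumb(node: Node) -> float:
    """The slide's rule: add probabilities in series, multiply in parallel."""
    if isinstance(node, Block):
        return node.p_fail
    if isinstance(node, Parallel):
        return prod(p_fail_rule_of_thumb(i) for i in node.items)
    return sum(p_fail_rule_of_thumb(i) for i in node.items)


def p_fail_exact(node: Node) -> float:
    """Exact value for independent items: a series group survives only if
    every item survives, so P(fail) = 1 - product(1 - p_i). The sum used
    above is an upper bound on this (Boole's inequality) and is close
    whenever the individual probabilities are small."""
    if isinstance(node, Block):
        return node.p_fail
    if isinstance(node, Parallel):
        return prod(p_fail_exact(i) for i in node.items)
    return 1.0 - prod(1.0 - p_fail_exact(i) for i in node.items)


def slide_rbd(p: dict) -> Series:
    """The RBD from the slide: A, B, G in series with the redundant pairs
    C||D and E||F. The system fails if A, B or G fails, or if both C and D
    fail, or if both E and F fail."""
    return Series([
        Block("A", p["A"]),
        Block("B", p["B"]),
        Parallel([Block("C", p["C"]), Block("D", p["D"])]),
        Parallel([Block("E", p["E"]), Block("F", p["F"])]),
        Block("G", p["G"]),
    ])


# Constructed probabilities of failure for the seven blocks.
SAMPLE_P = {"A": 0.01, "B": 0.01, "G": 0.01,
            "C": 0.02, "D": 0.02, "E": 0.02, "F": 0.02}

if __name__ == "__main__":
    rbd = slide_rbd(SAMPLE_P)
    print("rule of thumb:", p_fail_rule_of_thumb(rbd))   # 0.0308
    print("exact:        ", p_fail_exact(rbd))           # about 0.030477
```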

Fault Trees
Reliability block diagrams map onto fault tree elements:
Parallel blocks correspond to an AND gate
Series blocks correspond to an OR gate

Fault Tree Examples

Figure (fault tree): top event "Fire water deluge fails"; intermediate event
"Power failure" fed by "Main power supply" and "Standby generator"; further
branches "Fire detector", "Fire panel" and "Fire pump"; basic events PSU,
Standby, Detect, Panel, Pump.

Circles represent basic events
Rectangular boxes serve as descriptions

Simplex System Performance

Probabilities (per channel):
Safe: 0.01
Dangerous: 0.02

Dual System Performance

Configuration | Safe   | Dangerous
(1oo1)        | 0.01   | 0.02
1oo2          | 0.02   | 0.0004
2oo2          | 0.0001 | 0.04

Triple System Performance

Configuration        | Safe   | Dangerous
(1oo1)               | 0.01   | 0.02
(1oo2)               | 0.02   | 0.0004
(2oo2)               | 0.0001 | 0.04
2oo3 (Majority Vote) | 0.0003 | 0.0012
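An added example, not from the slides, reproducing the Dual and Triple System Performance tables from the simplex probabilities (0.01 safe, 0.02 dangerous) and generalising to any MooN vote; the function names are mine.

```python
# Added example (not from the ISA slides): probability arithmetic behind the
# Dual and Triple System Performance tables. Per-channel probabilities 0.01
# (safe) and 0.02 (dangerous) are the slide's simplex figures.
from math import comb


def channels_needed(m: int, n: int):
    """For an MooN vote (M of N channels must agree to trip):
    - a spurious (safe) trip needs at least M channels to trip falsely;
    - a dangerous failure needs at least N-M+1 channels to fail covertly,
      because then fewer than M healthy channels remain to call the trip."""
    return m, n - m + 1


def leading_term(p: float, k: int, n: int) -> float:
    """Dominant term of P(at least k of n fail): C(n,k) * p^k. This is the
    approximation the slide's tables use (it ignores the (1-p) factors and
    the rarer cases where more than k channels fail)."""
    return comb(n, k) * p ** k


def exact(p: float, k: int, n: int) -> float:
    """P(at least k of n independent channels fail), binomial sum."""
    return sum(comb(n, j) * p ** j * (1 - p) ** (n - j) for j in range(k, n + 1))


def voting_probabilities(p_safe: float, p_dang: float, m: int, n: int,
                         approximate: bool = True):
    """Return (P[spurious trip], P[dangerous failure]) for an MooN group."""
    k_safe, k_dang = channels_needed(m, n)
    f = leading_term if approximate else exact
    return f(p_safe, k_safe, n), f(p_dang, k_dang, n)


def performance_table(p_safe=0.01, p_dang=0.02):
    """Reproduce the slide's rows for 1oo1, 1oo2, 2oo2 and 2oo3."""
    rows = {}
    for m, n in [(1, 1), (1, 2), (2, 2), (2, 3)]:
        rows[f"{m}oo{n}"] = voting_probabilities(p_safe, p_dang, m, n)
    return rows


if __name__ == "__main__":
    for cfg, (ps, pd) in performance_table().items():
        print(f"{cfg}: safe={ps:.4g}  dangerous={pd:.4g}")
    # 1oo2 trades a doubled spurious-trip probability for a much lower
    # dangerous probability; 2oo2 does the opposite; 2oo3 improves both.
```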

Basic Reliability Formulas

Configuration | MTTFsp                 | PFD
1oo1          | 1 / λs                 | λdu * (TI/2)
1oo2          | 1 / (2 λs)             | ((λdu)^2 * (TI)^2) / 3
2oo2          | 1 / (2 (λs)^2 * MTTR)  | λdu * TI
2oo3          | 1 / (6 (λs)^2 * MTTR)  | (λdu)^2 * (TI)^2

Note: These formulas are valid as long as λ << TI

Where:
λ = Failure rate
MTTR = Mean Time To Repair
TI = Test Interval
λs = Safe failure rate
λdu = Dangerous undetected failure rate
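The table's formulas as an added example (not from the slides), with the SIL band looked up from the Safety Integrity Levels table; the failure rates, test interval and MTTR below are constructed, and the 0.1 threshold for flagging λdu·TI is my assumption.

```python
# Added example (not from the ISA slides): the simplified MTTFsp and PFD
# formulas of the table above, plus the SIL band a PFD falls into (demand mode,
# from the Safety Integrity Levels table). Input values are constructed.

CONFIGS = ("1oo1", "1oo2", "2oo2", "2oo3")


def mttf_spurious(config: str, lam_s: float, mttr: float) -> float:
    """Mean time to spurious (safe) trip, in the same time unit as 1/lam_s."""
    return {
        "1oo1": 1.0 / lam_s,
        "1oo2": 1.0 / (2.0 * lam_s),
        "2oo2": 1.0 / (2.0 * lam_s ** 2 * mttr),
        "2oo3": 1.0 / (6.0 * lam_s ** 2 * mttr),
    }[config]


def pfd(config: str, lam_du: float, ti: float) -> float:
    """Probability of failure on demand from the dangerous undetected rate
    and the proof-test interval. Only meaningful while lam_du*ti is small
    (the slide's 'lambda << TI' condition)."""
    x = lam_du * ti
    return {"1oo1": x / 2.0, "1oo2": x ** 2 / 3.0,
            "2oo2": x, "2oo3": x ** 2}[config]


def sil_from_pfd(p: float):
    """SIL band for a demand-mode PFD; None when outside SIL 1..4
    (the 'Control (N/A)' row, or better than SIL 4)."""
    bands = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]
    for sil, lo, hi in bands:
        if lo <= p < hi:
            return sil
    return None


def evaluate(config, lam_s, lam_du, ti, mttr, max_lam_ti=0.1):
    """All figures for one architecture. max_lam_ti is my assumed threshold
    for flagging that the simplified formulas are being stretched."""
    p = pfd(config, lam_du, ti)
    return {
        "config": config,
        "mttf_spurious_h": mttf_spurious(config, lam_s, mttr),
        "pfd": p,
        "rrf": 1.0 / p,
        "safety_availability": 1.0 - p,
        "sil": sil_from_pfd(p),
        "formula_ok": lam_du * ti < max_lam_ti,
    }


if __name__ == "__main__":
    # Constructed rates (per hour), annual proof test, 8 h repair.
    LAM_S, LAM_DU, TI, MTTR = 2.0e-5, 1.0e-5, 8760.0, 8.0
    for cfg in CONFIGS:
        r = evaluate(cfg, LAM_S, LAM_DU, TI, MTTR)
        print(f"{cfg}: PFD={r['pfd']:.3g} RRF={r['rrf']:.0f} "
              f"SIL={r['sil']} MTTFsp={r['mttf_spurious_h']:.3g} h")
```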


Summary: Reliability

Reliability/Availability
Mean time to failure MTTF
Mean time to repair MTTR
Mean time between failures MTBF
Failure modes

Probability Theory Applied to the SIS


We will break the SIS into its respective pieces, each independent of the others.
Our goal is to understand how improving the LAMBDAd of a major piece, either by
adding better devices, more devices, voting, etc., will improve the SIS performance.
Using this tool, we can say that one design is better than another, by how much,
and we can use the mathematics to calculate an ROI on improvements to the RRF.


SIS Block Diagram

These are the independent major pieces. Each has its own LAMBDAd.

Figure: Input (LAMBDAd) -> Logic (LAMBDAd) -> Output (LAMBDAd)

Safety Integrity Levels (SIL)


Safety Integrity Levels are defined in ANSI/ISA-84.00.01 with
performance requirements.
There are four SILs defined with the corresponding Probability
of Failure on Demand (PFD).
The Risk Reduction Factor (RRF) is the reciprocal value of
PFD (1/PFD).
The Safety Integrity Level of a system is based on the
reliability data on all the components involved.

How to Calculate the PFD of an SIS

For our process systems the model uses the equation:

PFD = Probability of Failure on Demand


SIL Performance Requirements

SIL 4 - Safety Availability: 99.9 - 99.999%; PFD: .0001 - .00001; RRF: 10,000 to 100,000
SIL 3 - Safety Availability: 99.9 - 99.99%; PFD: .001 - .0001; RRF: 1,000 - 10,000
SIL 2 - Safety Availability: 99 - 99.9%; PFD: .01 - .001; RRF: 100 - 1,000
SIL 1 - Safety Availability: 90 - 99%; PFD: .1 - .01; RRF: 10 - 100

Review of Key Points


Mean Time To Fail (MTTF) is the inverse of the Failure Rate, Lambda (λ)
Instrument Availability is key to an operational safety system
The Test Interval (TI) must be used in the calculations for PFD
Reliability Block Diagrams (RBD) and Fault Trees may be used to depict safety
logic
The failure rates of the input device, logic solver, and output device must be
combined to determine the system failure rate
There are advantages and disadvantages of Simplex, Duplex, and Triple function
arrangements
Each circumstance and application will require a specific SIL


Live Question and Answer Session




Sample Exam Problem - #1

When considering a safety instrumented system, which of the following
configurations is the safest (i.e., the one most likely to respond to a true
demand)?
a. 1 out of 1
b. 1 out of 2
c. 2 out of 2
d. 2 out of 3

Sample Exam Problem - #2

Shutdown systems are known by many different names and serve various functions
in the plant operation. A safety instrumented system protects against all the
situations below except _________.
a. Personnel safety
b. Environmental damage
c. Excessive alarms
d. Equipment destruction


Sample Exam Problem - #3

There are many factors to consider in designing safety systems for protection of
personnel and equipment. The RISK of the system is a function of which two
factors listed below:
I. Probability of an event
II. Cost of the system event
III. Classification of the area of the event
IV. Severity of an event
a. I and II
b. III and IV
c. I and IV
d. II and III

Sample Exam Problem - #4

A SIL 3 interlock, RRF = 1250, is required to mitigate a Category I hazard to
Category III. If the covert failure rates of the SIS loop components are as
follows, recommend a test frequency:
Inputs = 1.0 x 10^-5 /hr
Logic solver = 7 x 10^-10 /hr
Valves = 3.0 x 10^-5 /hr
a. Once every 40 hours
b. Once every 80 hours
c. Once every 336 hours
d. Once every 600 hours
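An added example, not from the slides, that works Sample Exam Problem #4 with the 1oo1 PFD formula from the Basic Reliability Formulas table; treating the loop as one simplex chain whose covert rates add is an assumption on my part.

```python
# Added example (not from the ISA slides): sizing the proof-test interval for
# Sample Exam Problem #4. Assumptions: the loop is treated as a simplex (1oo1)
# chain, so the covert (dangerous undetected) rates of input, logic solver and
# valves add, and PFD = lambda_du * TI / 2 from the Basic Reliability Formulas.

# Covert failure rates given in the problem, per hour.
LOOP_RATES = {"inputs": 1.0e-5, "logic_solver": 7.0e-10, "valves": 3.0e-5}
OPTIONS_HOURS = (40, 80, 336, 600)


def loop_lambda_du(rates: dict) -> float:
    """Dangerous undetected rate of the whole loop: series elements add."""
    return sum(rates.values())


def required_test_interval_hours(rrf: float, rates: dict) -> float:
    """Largest TI that still meets the target: PFD = 1/RRF = lam*TI/2,
    so TI = 2 / (RRF * lam)."""
    return 2.0 / (rrf * loop_lambda_du(rates))


def achieved_rrf(ti_hours: float, rates: dict) -> float:
    """Check a candidate interval the other way round: RRF = 1/PFD."""
    return 1.0 / (loop_lambda_du(rates) * ti_hours / 2.0)


def recommended_option(rrf: float, rates: dict, options=OPTIONS_HOURS) -> int:
    """Pick the offered interval closest to the computed TI; the printout in
    main shows how far each option's RRF lands from the target."""
    ti = required_test_interval_hours(rrf, rates)
    return min(options, key=lambda o: abs(o - ti))


if __name__ == "__main__":
    ti = required_test_interval_hours(1250, LOOP_RATES)
    print(f"lambda_du = {loop_lambda_du(LOOP_RATES):.5e} /h, TI <= {ti:.2f} h")
    for o in OPTIONS_HOURS:
        print(f"  every {o:3d} h -> RRF {achieved_rrf(o, LOOP_RATES):.0f}")
    print("recommended:", recommended_option(1250, LOOP_RATES), "hours")
```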

Related Courses from ISA

Safety Instrumented Systems: Design, Analysis & Justification (EC50)

All ISA courses are available any time as on-site training

For more information: www.isa.org/training or (919) 549-8411

Other Related Resources from ISA

Control Systems Engineering Study Guide, 5th Edition, by ISA Press
ISA84.00.02-2002 (Parts 1-5): Safety Instrumented Functions (SIF) and Safety
Integrity Level (SIL) Evaluation Techniques


Other Related Resources from ISA


ISA Membership is just $100 per year, which includes free
membership in two Technical Divisions (a $20 value) - one
from each Department: Automation and Technology and
Industries and Sciences.
For more information: http://www.isa.org/membership/meminfo or
(919) 549-8411

ISA Certifications
Certified Automation Professional (CAP)
www.isa.org/CAP

Certified Control Systems Technician (CCST)
www.isa.org/CCST

Please visit us online for more information on any of these programs, or call
(919) 549-8411.


Please take our Web Seminar Survey via Zoomerang

The seminar survey was sent to you via email during the seminar. Please do not
forget to complete the Zoomerang survey.
