
Safety Integrity Level (SIL)

A common way of ranking the dependability of a Safety Instrumented Function (SIF) is to use a simple
numerical scale from one to four, with four being extremely dependable and one being only moderately
dependable:


The Required Safety Availability (RSA) value is synonymous with dependability: the probability (Note
1) that a Safety Instrumented Function will perform its duty when faced with a dangerous process
condition.

Conversely, the Probability of Failure on Demand (PFD) is synonymous with undependability: the
mathematical complement of RSA (PFD = 1 − RSA), expressing the probability that the SIF will fail to
perform as needed, when needed.

Note 1: Probability is a quantitative measure of a particular outcome’s likelihood. A probability value
of 1, or 100%, means the outcome in question is certain to happen. A probability value of 0 (0%)
means the outcome is impossible. A probability value of 0.3 (30%) means it will happen an average
of three times out of ten.

Conveniently, the SIL number matches the minimum number of “nines” in the Required Safety
Availability (RSA) value.

For instance, a safety instrumented function with a Probability of Failure on Demand (PFD) of 0.00073
will have an RSA value of 99.927%, which equates to a SIL 3 rating.

It is important to understand what SIL is, and what SIL is not. The SIL rating refers to the reliability of
a safety function, not to individual components of a system nor to the entire process itself.

An over-pressure protection system on a chemical reactor process with a SIL rating of 2, for example,
has a Probability of Failure on Demand between 0.01 and 0.001 for the specific shutdown function as
a whole. This PFD value incorporates failure probabilities of the sensor(s), logic solver, final control
element(s), and the process piping including the reactor vessel itself plus any relief valves and other
auxiliary equipment.

If there arises a need to improve the PFD of this reactor’s over-pressure protection, safety engineers
have a variety of options at their disposal for doing so.

The safety instruments themselves might be upgraded, a different redundancy strategy implemented,
preventive maintenance schedules increased in frequency, or even process equipment changed to
make an over-pressure event less likely.

SIL ratings do not apply to an entire process. It is quite possible that the chemical reactor mentioned
in the previous paragraph with an over-pressure protection system SIL rating of 3 might have an over-
temperature protection system SIL rating of only 2, due to differences in how the two different safety
systems function.

Adding to this confusion is the fact that many instrument manufacturers rate their products as approved
for use in certain SIL-rated applications.

It is easy to misunderstand these claims, thinking that a safety instrumented function will be rated at
some SIL value simply because instruments rated for that SIL value are used to implement it.

In reality, the SIL value of any safety function is a much more complex determination.

It is possible, for instance, to purchase and install a pressure transmitter rated for use in SIL 2
applications, and have the safety function as a whole be less than 99% reliable (PFD greater than
0.01, or a SIL level no greater than 1) due to the effect of Lusser’s Law (Note 2).

Note 2: Lusser’s Law of Reliability states that the total reliability of a system dependent on the function
of several independent components is the mathematical product of those components’ individual
reliabilities.

Example: A system with three essential components, each of those components having an individual
reliability value of 70%, will exhibit a reliability of only 34.3% because 0.7 × 0.7 × 0.7 = 0.343.

This is why a safety function may utilize a pressure transmitter rated for use in SIL-3 applications, but
exhibit a much lower total SIL rating due to the use of an ordinary final control element.
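The SIL-band lookup (the "number of nines" rule), the RSA and RRF conversions, and Lusser's Law from the two passages above, carried through in Python as an added example (this is not code from the page's author). The component PFD figures used in the demonstration loop are constructed assumptions, not vendor data.

```python
from math import prod

# SIL bands as stated on the page: SIL n corresponds to a PFD in [10^-(n+1), 10^-n),
# i.e. an RSA with at least n leading "nines". Constructed lookup for this example.
SIL_BANDS = {
    1: (1e-2, 1e-1),
    2: (1e-3, 1e-2),
    3: (1e-4, 1e-3),
    4: (1e-5, 1e-4),
}


def rsa_from_pfd(pfd: float) -> float:
    """Required Safety Availability is the complement of PFD: RSA = 1 - PFD."""
    return 1.0 - pfd


def rrf_from_pfd(pfd: float) -> float:
    """Risk Reduction Factor is the reciprocal of PFD."""
    return 1.0 / pfd


def sil_from_pfd(pfd: float) -> int:
    """SIL achieved by a SIF with the given average PFD.

    Returns 0 when the PFD is too high even for SIL 1 (PFD >= 0.1) and caps
    at 4, the top of the scale, for any PFD below 1e-5.
    """
    if not 0.0 < pfd < 1.0:
        raise ValueError("PFD must be a probability strictly between 0 and 1")
    for sil, (low, high) in SIL_BANDS.items():
        if low <= pfd < high:
            return sil
    return 4 if pfd < 1e-5 else 0


def lusser_reliability(component_reliabilities) -> float:
    """Lusser's Law: a system that needs every independent component to work
    is only as reliable as the product of the component reliabilities."""
    return prod(component_reliabilities)


def sif_pfd(component_pfds) -> float:
    """PFD of a whole SIF whose sensor, logic solver and final element must all
    function (series dependency). Applies Lusser's Law to the components' RSA
    values (1 - PFD) and converts the result back to a PFD."""
    return 1.0 - lusser_reliability(1.0 - p for p in component_pfds)


def weakest_component(component_pfds: dict) -> str:
    """Name of the component contributing the largest PFD, i.e. the first place
    to look when the SIF as a whole misses its target SIL."""
    return max(component_pfds, key=component_pfds.get)


if __name__ == "__main__":
    # Worked figures from the page: PFD 0.00073 -> RSA 99.927% -> SIL 3.
    pfd = 0.00073
    print(f"PFD {pfd}: RSA {rsa_from_pfd(pfd):.3%}, RRF {rrf_from_pfd(pfd):.0f}, SIL {sil_from_pfd(pfd)}")

    # Constructed (assumed) component PFDs: a transmitter good enough for SIL 2 service,
    # a SIL 3 grade logic solver, and an ordinary valve with no diagnostics.
    loop = {"transmitter": 0.004, "logic_solver": 0.0005, "valve": 0.03}
    total = sif_pfd(loop.values())
    print(f"Loop PFD {total:.4f} -> SIL {sil_from_pfd(total)}; weakest: {weakest_component(loop)}")
```

The loop in the demonstration lands in SIL 1 even though two of its three components are fit for SIL 2 or better, which is the Lusser's Law effect the page warns about.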

As with so many other complex calculations in instrumentation engineering, there exist software
packages with all the necessary formulae pre-programmed for engineers and technicians alike to use
for calculating SIL ratings of safety instrumented functions.

These software tools not only factor in the inherent reliability ratings of different system components,
but also correct for preventive maintenance schedules and proof testing intervals so the user may
determine the proper maintenance attention required to achieve a given SIL rating.

Functional Safety Questions & Answers

What is PHA ?
Process Hazard Analysis: First step in an organized and systematic assessment of the potential
hazards associated with an industrial process.

What is LOPA ?
Layer of Protection Analysis: A PHA tool that starts with data developed in the Hazard and Operability
analysis and accounts for each hazard by documenting the initiating cause and the protection layers
that prevent or mitigate the hazard.

What is SIS ?
Safety Instrumented System: IEC61511 defines SIS as an “instrumented system used to implement
one or more safety instrumented functions. Composed of any combination of sensors, logic solvers,
and final elements.”

What is SIF ?
Safety Instrumented Function: Designed to respond to the conditions within a plant that may be
hazardous in themselves, or if no action is taken, could result in a hazardous event.

Each SIF is assigned a particular SIL.

What is SIL ?
Safety Integrity Level: The output of the Process Hazards Analysis effort is the operational definition
and the assignment of a SIL rating to each safety loop.

SIL 3 is the highest rating used in the process industries.

What is SFF ?
Safe Failure Fraction: To achieve a specific SIL, a DEVICE must have less than the specified SFF.

Probabilities are calculated using an FMEDA.



What is PFDavg ?
Probability of failure on demand: To achieve a specific SIL, a DEVICE must have less than the specified
PFDavg.

Probabilities are calculated using an FMEDA.

What is FMEDA ?
Failure Modes, Effects, and Diagnostic Analysis.

Actual targets required for DEVICES vary depending on the likelihood of a demand, the complexity of
the devices, and the types of redundancy used.

Abbreviation of IEC ?
International Electrotechnical Commission

SIF vs SIL Relation


Based on the specific process application, a risk reduction factor (SIL rating) must be defined for each
safety loop (SIF).

The required SIL of a specific SIF is determined by taking into account the required risk reduction
factor provided by that function. SIL targets differ for SIFs that operate in continuous mode versus
demand mode.

What is IEC-61508 ?
SIS Hardware/Software Design Guidance: Targeted at suppliers of systems used for the reduction of
risk.

Defines standards for functional safety of electrical/electronic/programmable electronic (E/E/PE)
safety related systems.

What is Functional Safety ?
The overall program to ensure that the safety-related E/E/PE system brings about a safe state when
called upon to do so.


Parts of IEC-61508 ?
1. General safety requirements,
2. specific system and software requirements, and
3. guidelines to applications.

IEC-61508 SIS Vendor Software Quality Plan ?
Part 3, Clause 7 includes software safety lifecycle requirements:

• 7.1: General requirements
• 7.2: Software safety requirements specification
• 7.3: Software safety validation planning
• 7.4: Software design and development
• 7.5: Programmable electronics integration (hardware and software)
• 7.6: Software operation and modification procedures
• 7.7: Software safety validation
• 7.8: Software modification
• 7.9: Software verification

IEC61508-3 ANNEX A
provides a listing of “techniques and measures” used for software development where different
development techniques are chosen depending on SIL level of software.

IEC61508-3 ANNEX B
Nine detailed tables of design and coding standards as well as analysis and testing techniques that
are to be used in the safety-related software development, depending on the SIL of the software and
in some cases the choice of the development team.

IEC61511
SIS Design Guidance for the Process Industry Sector

2 parts of IEC61511
The safety lifecycle and safety integrity levels.

Safety Lifecycle
The engineering process that includes all of the steps necessary to achieve required functional safety.


Basic philosophy behind the safety life cycle
Develop and document a safety plan, execute that plan, document its execution (to show that the plan
has been met) and continue to follow that safety plan through decommissioning – with further
appropriate documentation being generated throughout the life of the system.

IEC61511-1
Framework, definitions, system, hardware and software requirements

IEC61511-2
Guidelines on the application of 61511-1

IEC61511-3
Guidance for the determination of the required safety integrity levels

IEC61511 vs ANSI/ISA-84.00.01-2004
The standards mirror each other with the exception of the “grandfather clause” in ISA-84. Each has 3
main parts, but ISA-84 also includes a series of technical reports.


ISA-84 Grandfather Clause
“For existing SIS designated and constructed in accordance with codes, standards and practices prior
to the issuance of ISA-84, the owner/operator shall determine that the equipment is designed,
maintained, inspected, tested, and operating in a safe manner.” The clause originated with OSHA
1910.119.

Safety Lifecycle – Throughout the Lifecycle
• Management of functional safety and functional safety assessment and auditing
• Safety lifecycle structure and planning
• Verification

Safety Lifecycle – Analysis Phase
• Hazard and risk assessment
• Allocation of Safety Functions to protection layers
• Safety requirements specifications for the SIS


SMS
Safety Management System: Ensures that functional safety objectives are met and appropriate
auditing processes are defined.

SRS
Safety Requirements Specification: document that ensures the safety requirements are adequately
specified prior to proceeding to detailed design.

Safety Lifecycle – Implementation Phase
• Design and Engineering of SIS
• Design and development of other means of risk
• Installation, commissioning, and validation

Safety Lifecycle – Operation Phase
• Operation and maintenance
• Modification
• Decommissioning

Common PHA Methods
• Checklist
• What if?
• What if/checklist
• HAZOP
• FMEA (Failure mode effect analysis)
• Fault tree analysis
• Event tree analysis
• LOPA


Assignment of SIL
There are no regulations to assign a SIL to a particular process or hazard.

The SIL assignment is a company based decision based on risk management and risk tolerance
philosophy.

Does OSHA require an SIS?
NO, but . . . “ANSI/ISA S84.01-1996 does mandate that companies should design their safety
instrumented system to be consistent with similar operating process units within their own companies
and at other companies.

Likewise, in the US, OSHA PSM and EPA RMP require that industry standards and good engineering
practice be used in the design and operation of process facilities.

This means that the assignment of safety integrity levels must be carefully performed and thoroughly
documented.”

Common methods used to convert PHA data into SIL?
• Modified HAZOP
• Consequence only
• Risk matrix

Modified HAZOP
SIL assignment method – Actually an extension of HAZOP and relies on SUBJECTIVE assignment
based on the team’s expertise.

Since it’s subjective, team member consistency from project to project needs to be addressed.

Consequence Only
SIL assignment method – Uses estimation of the potential consequence of the incident and doesn’t
take the frequency into account. Simplest to use, but most conservative.

Risk Matrix
SIL assignment method – provides correlation of risk severity and risk likelihood to the SIL, based on
EVENT SEVERITY and EVENT LIKELIHOOD. Commonly used.

Risk Graph
SIL assignment method – provides correlation of:

 Consequence
 Frequency and exposure time
 Possibility of avoiding the hazardous event
 Probability of the unwanted occurrence

Quantitative Assessment (i.e. fault tree or process demand)
SIL assignment method – determines the process demand or incident likelihood and requires an
extensive understanding of potential causes and probability of failure. MOST RIGOROUS
TECHNIQUE!

Company Mandated SIL
SIL assignment method – assumes that the greatest cost increase occurs when a SIL is greater than 1;
therefore, the company takes the approach that all SIFs shall be SIL3.

This assignment is the least time consuming, reduces documentation of SIL selection and ensures
consistency.

Failure Rates of SIS Components
• 50% – Final element (Valve, etc.)
• 42% – Sensor (switch, transmitter, etc.)
• 8% – Logic solver


Abbreviation of FMEA
Failure Modes and Effects Analysis

Common Cause Failure
Failure which is the result of one or more events, causing failures of two or more separate channels
on a multiple channel system, leading to system failure.

Common Mode Failure
Failure of two or more channels in the same way, causing the same erroneous result.

Dangerous Failure
Failure which has the potential to put the safety instrumented system in a hazardous or fail-to-function
state

External Risk Reduction Facilities
Measures to reduce or mitigate the risks, which are separate and distinct from the SIS.

Final Element
Part of a safety instrumented system which implements the physical action necessary to achieve a
safe state.

Impact Analysis
Activity of determining the effect that a change to a function or component will have on other functions
or components in that system as well as on other systems.

Mitigation
Action that reduces the consequences of a hazardous event

Protection Layer
Any independent mechanism that reduces risk by control, prevention or mitigation.

Proven-In-Use
When a documented assessment has shown that there is appropriate evidence, based on the previous
use of a component, that the component is suitable for use in a safety instrumented system.

Safety
Freedom from unacceptable risk

Systematic Failure
Failure related in a deterministic way to a certain cause, which can only be eliminated by a modification
of the design or the manufacturing process, operational procedures, documentation or other relevant
factors.


IEC61131-3
Deals with programming languages and defines 2 graphical languages (LD = ladder diagram and
FBD = function block diagram) and 2 textual languages (ST = structured text and SFC = sequential
function chart).

IEC62061
Machine Safety Standard

Breakout of Safety I/O Type in Process Industry
• SIL1 – 51%
• SIL2 – 32%
• SIL3 – 8%
• SIL4 – 1%
• No SIL – 8%

Two types of Risk Analysis
• Quantitative Risk Analysis
• Qualitative Risk Analysis

Abbreviation of ALARP
As Low As Reasonably Practicable

Abbreviation of RRF
Risk Reduction Factor

Abbreviation of CEM
Cause and Effect Matrices

Markov Analysis
Looks at a sequence of events and analyzes the tendency of one event to be followed by another.

The IEC 61511 standard lists goals for safety planning. List three of the five goals of safety
planning.

According to IEC 61511, safety planning has five goals. They are:

• Ensure that the functional safety objectives and the safety integrity level objectives are achieved
for all relevant modes of the process
• Proper installation and commissioning of the safety instrumented system
• Ensure the safety integrity of the safety instrumented functions after installation
• Maintain the safety integrity during operation (e.g., proof testing, failure analysis, etc.)
• Manage the process hazards during maintenance activities on the safety instrumented system

A SIS is engineered to perform “specific control functions” to failsafe or maintain safe operation of a
process when unacceptable or dangerous conditions occur.

Safety Instrumented Systems must be independent from all other control systems that control the
same equipment in order to ensure SIS functionality is not compromised.

SIS is composed of the same types of control elements (including sensors, logic solvers, actuators
and other control equipment) as a Basic Process Control System (BPCS).

However, all of the control elements in an SIS are dedicated solely to the proper functioning of the
SIS.

Safety Instrumented System Engineer Interview

SIS Questions & Answers


What are the standards that define the best rules for installation of field equipment of a SIF/SIS,
on site?
IEC 61511 or ISA-S84-2003 (which is really the same thing, plus a grandfather clause) are intended
for application in the process industry. They do the best job of defining what one needs to be concerned
with for field instruments.

The guidance may be considered somewhat minimal but the critical safety issues are there. Whatever
would make a good installation for the basic process control system (BPCS) is a good installation for the
SIS also. However, some different issues need to be recognized.

First, the instruments need to be reliable. One measurement, referred to as “proven in use”, means
reliability data must be available for safety integrity level (SIL) calculations. If not, then SIL-rated
instruments are an option.

Next one must consider fault tolerance requirements for the Safety Instrumented Function (SIF). This is
a function of the SIL level for each SIF in the SIS. There will of course always be the need to make
sure the instruments are calibrated routinely and tested per the proof test requirement. If this is online
then the engineer needs to make sure that those facilities plus the ability to do maintenance is
designed into the project.

Typically sensors need their own root valve and final control elements may need bypasses or means
for partial stroke testing.

The routing of the individual cables of transmitters that are in a 2oo3 voting system – the same route,
or different routes?
Some reliability engineers would want to try to convince you that a different route is required. While
everyone would like a diverse routing from a common mode point of view (a fire, dropped crane load,
chemical spill could destroy all the cables in the same tray, etc.), it is many times impractical to route
differently.

One deciding factor is availability. If high availability is required, diverse routing is a good idea, but
again not mandatory. Some companies may have internal standards on this subject.

The other factor is whether or not the SIS fails safe. If the loss of a cable causes the system to have a
spurious safe trip, the system is safe, but you have to deal with the cost of the spurious trip. If the SIF
is energized-to-trip, one needs to look at separate routing, and also at end-of-line monitoring, etc.

Can I install the three field devices in battery or in different places to avoid common failure, e.g.,
vibration, risk of fire?
Field instruments are designed for the outdoor industrial environment. Utilize them correctly for their
application. If it is a bad installation for the BPCS it is bad for the SIS also.

While many SIS logic solvers have been industrially hardened to operate in a broad range of
environmental conditions with numerous successful applications, it just stands to reason that putting
them in environmentally controlled areas will improve potential reliability plus the ability to do
maintenance.

Yes, one must always be careful with respect to common mode. Common mode can wipe out the
reliability gains of redundancy. That is why it is required to do SIL calculations to verify that the
common mode effect is not so strong that it renders the SIF ineffective.

Must I use the normal practices of engineering or do rules or recommendations exist for the
installation of field equipment for the SIF/SIS?
One has to ask whose normal practices? If we mean industry best normal practices, the answer is
yes again, but one needs to follow the entire IEC-61511 Life Cycle to determine what that really means
for each project.

What is an acceptable solution for one plant may not work for another. The questions you ask really
points out that to safely design a plant, the project needs to execute the IEC61511 Safety Life Cycle.
Hazards are identified early in the project and solutions are designed around those hazards.

The questions you asked should all be covered in the Safety Requirements Specification (SRS). There
are 27 questions that cover the topics you have asked and more, much more. Inexperienced engineers
may not be aware of this list of questions that define an IEC61511 SRS. This is why you should work
with experienced organizations.

A study done by the Health and Safety Executive in the UK has shown that the majority of problems
with SIS systems today are actually specified into the project. (Or shall we say not specified into the
project, one does not know what one does not know.) Failure to execute the life cycle activities early
and properly can have serious safety, schedule and cost implications on a project.

Installation Guidelines:
Sensor –

To reduce common mode each sensor should have a separate process connection. There have been
some good arguments made with regards to using different technologies in order to reduce common
mode but one must look at practicality vs. benefits and risk reduction.

Also, although the use of diverse technologies can reduce common cause it will not eliminate it
completely.

Transmitters –

For sensors integrated (or separate) with the transmitter, the geographical locations of the voted
transmitters should be away from each other to the extent possible (so that in the event of a fire–all
transmitters are not affected–as an example!)

Junction Boxes –

Separate JBs for each transmitter / 2 core cable is preferred.

Multicore Cables –

If separate JBs not possible, run each transmitter pair in separate multicore cables to the control room.

Cable Trays –

Run the multicore cables in separate trays which have separate routes to the control room when
practical. Availability would be the determining factor.

Safety Logic Solver –

Each transmitter signal could be connected to separate SLS, on separate carriers. This would slightly
compromise on the PFD value however and could also make the SIF configuration more complicated,
but reduces common cause.

SLS installed in two different cabinets in different control rooms would be even better! However
common sense needs to be used and practicality. Same logic could be used for the output signals.

The extent to which one would go in segregating will depend on ALARP – As low as reasonably
practicable (here ‘low’ refers to the risks involved). The Risk Reduction Factor (RRF) of the SIF and
how much of the risk is the engineer / company ready to absorb, will dictate the decision. The common
cause calculator (based on such segregation) is given in IEC 61508-6, Table D.5.

When is a Safety Integrity Level Rating of a Valve Required?
Basic Process Control System (BPCS)

A system which responds to input signals from the process, its associated equipment, other
programmable systems and/or an operator and generates output signals causing the process and its
associated equipment to operate in the desired manner but which does not perform any safety
instrumented functions with a claimed SIL ≥ 1.

This definition leads us to conclude that a BPCS is any system that has a SIL<1. Therefore, SIS
systems employing Safety Instrumented Functions with a specified safety integrity level, which is
necessary to achieve safety function, need to have a SIL rating equal to or above 1.

Based on this definition, why are control valves that are used in a BPCS required to be SIL certified?
As per IEC definition, a SIL rating is not required but it is possible that reliability data for a valve may
be required. Industry or end user may require failure rate data of equipment or in loose term MTBF
(Mean Time Between Failure).

Essentially MTTF (mean time to fail) is the right term to define product reliability. It is usually furnished
in units of hours. This is more common for electronic components, but trends are seen even for
mechanical items.

How can MTTF provide useful data for the calculation of PFDavg (probability of failure upon demand)?
MTTF can be simplified to 1/(sum of all failure rates), or 1/λ.

MTTFs calculations provide plant availability, which is a very important measurement of process plant
up-time capability. A spurious trip that is considered a safe but unplanned trip may be too strenuous
for piping and other equipment. Not only are production and quality affected, profits may be as well.

Also, it is important to consider the higher risk associated with plant start up. IEC 61508 places more
stress on the “safety event” in case of demands, which relates to dangerous undetected failures and is
used to compute PFDavg. As such, mechanical equipment like valve bodies and actuators does not
have any diagnostic capabilities of its own.

According to IEC 61508 part 2, table 2, with a hardware fault tolerance (HFT) of zero, with a single
valve without additional diagnostics, only SIL 1 is achievable per IEC 61508.

A digital valve controller mounted on a “Final Control Element” improves the diagnostic coverage factor,
which in turn improves the SFF number, allowing possible use in higher SIL rated applications (per
IEC 61508 part 2, table 3) by use of the Partial Stroke Test. If a control valve is designated to carry
out a safety function then it should meet the SIL level of the Safety Instrumented Function loop.

In this case, failure rate numbers will be required to compute the total PFDavg of the loop. The end
user may possibly ask for third party certification to comply with IEC 61508 requirements to meet
certain SIL suitability.

What is SIL?
A Safety Integrity Level (SIL) is a measure of safety for a given protective function: specifically, the
extent to which the end user can expect the protective function to perform and, in the case of a failure,
to fail in a safe manner. This protective function is known as the Safety Instrumented Function (SIF).

A Safety Instrumented System (SIS) is a collection of components (field devices and logic solver) that
execute one or more SIFs. In order to define the required SIL value, the SIFs must be well defined
and have undergone a Safety Analysis. Note that the SIL belongs to a specific SIF, not the whole SIS.

SIF verification can be optimized by the selection of components certified for use at the desired SIL
value. For example, assume there is a SIF with a desired SIL value of 2.

By using components that are SIL 2 certified, this goal may be achieved. However, it is important to
note that simply combining components certified for a given SIL level does not guarantee the process
will achieve the specified SIL.

The SIF SIL value must still be verified by an appropriate method such as Simplified Calculations,
Fault Tree Analysis, or Markov Analysis.

How is SIL different from reliability?
While the main focus of the SIL number is the determination of process safety, an important byproduct
of the statistics used in calculating SIL ratings is the statement of a product’s reliability.

In order to determine if a product can be used in a given SIF, the product must be shown to “BE
AVAILABLE” to perform its designated task. In other words, how likely is it that the device in question
will be up and functioning when needed to perform its assigned task?

Considerations taken into account when determining “AVAILABILITY” include: Mean Time Between
Failures (MTBF), Mean Time To Repair (MTTR), and Probability to Fail on Demand (PFD). These
considerations, along with variations based upon system architecture (i.e. 2oo2 versus 2oo3, or TMR
installation), determine the reliability of the product.

Subsequently, this reliability data, combined with statistical measurements of the likelihood of the
product to fail in a safe manner, known as Safe Failure Fraction (SFF), determine the maximum SIL
environment in which the device(s) can be used.

SIL ratings can be equated to the Probability to Fail on Demand (PFD) of the device in question. The
reciprocal of the PFD is known as the Risk Reduction Factor (RRF).

When does a Fire & Gas system become a SIS?
When an RRF greater than 10 is required.

How does SIL relate to individual components?
It should be noted that a SIL number applies to a complete function (SIF), i.e. the field sensor, the
logic solver and the final element. It is therefore incorrect to refer to any individual item or equipment
having a safety integrity level.

An individual component can be certified for use in a particular SIL application, but such a certificate
constitutes only part of the verification effort, since the target SIL must be verified for the complete
SIF.

Why would a customer want SIL certified products?
Products certified in accordance with the requirements of IEC 61508 have been assessed by a third
party (TÜV) for use up to a specified SIL. This assessment includes not only the FMEDA, but also
software.

A third-party SIL certified product offers several benefits to the customer. The most obvious benefit is
that the product has already had its reliability calculations performed and reliability statistics determined.

The results are available for the SIS designer to derive the SIF SIL number. This can significantly cut
lead times in the implementation of a SIS.

Another benefit is the reliability statistics have been validated by a third party with expertise in SIL
certification and reliability engineering.

Probably the most important benefit to using a SIL certified product is the certification report. Each
certified product carries with it a report from the certifying body.

This report contains important information ranging from restrictions of use, to diagnostics coverage
within the certified device, to reliability statistics. Additionally, ongoing testing requirements of the
device are clearly outlined.

There are 1oo1, 1oo2, 2oo2, 2oo3 etc voting logic in the safety instrumented system architecture.

Voting logic architectures are usually used in the field instruments and/or final control elements to
reach a certain Safety Integrity Level (SIL) or to reach a certain cost reduction due to platform shutdown.
In general, when must we use 1oo1, 1oo2, 2oo2, or 2oo3 voting logic architecture?

Voting Logic
As mentioned above, there are two purposes why certain voting logic architecture were chosen, first is
to reach certain SIL and secondly to reach certain cost reduction due to spurious platform shutdown.

In order to determine a certain SIL requirement, a risk or process hazard analysis is used to identify
all process, safety and environmental hazards, estimate their risks, and decide if that risk is tolerable.
Where risk reduction is required an appropriate SIL is assigned.

The individual components (sensor , logic solver , final elements, etc.) that are working together to
implement the individual safety loops must comply with the constraints of the required SIL.

In essence, this means that all components within that loop must meet a certain Probability of Failure
on Demand (PFD), Safe Failure Fraction (SFF) and Hardware Fault Tolerance (HFT) requirement for
the intended SIL.

Readers are encouraged to see further detail regarding this PFDavg, SFF, and HFT in the IEC 61508
& IEC 61511.

As a general rule, the SIL requirement for any particular condition or application is first determined
using a risk or process hazard analysis.

Once the SIL has been determined, the architecture of the sensor, logic solver, and final control element
is studied to find which architecture will fulfill the SIL requirement.

For example, if the SIL requirement for a high-pressure incoming pipeline is SIL 3, then the
architecture of the pressure sensor and final element will be investigated.

If a 1oo1 sensor, 1oo1 logic solver, and 1oo1 shutdown valve can fulfill the SIL 3 requirement, then this
architecture is chosen. If not, other voting logic architectures are investigated.

Let’s say that after several investigations the voting logic of 1oo2 sensor, 1oo2 logic solver, and 1oo2
shutdown valve can fulfill the SIL 3 requirement; this voting logic is then chosen. If the cost reduction
study requires spurious trips caused by a single failed sensor to be minimized, then the sensor voting
logic architecture may have to be upgraded to a 2oo3 architecture.

This architecture may be chosen because if one sensor fails, the overall architecture still fulfills the
SIL 3 requirement with a 1oo2 sensor configuration. Thus a platform shutdown is not needed when
one sensor fails.
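To make the selection procedure above concrete, here is an added example (the editor's code, not from the page) that computes PFDavg and spurious trip rate for 1oo1, 1oo2, 2oo2 and 2oo3 sensor groups, maps PFDavg to a SIL band, and walks through the choice of 1oo2 and then 2oo3 for a SIL 3 requirement. The simplified formulas, failure rates, common-cause factor and spurious-trip budget are the editor's assumptions and constructed sample values, not data for any real device.

```python
"""Added example (not from the page): compare sensor voting architectures by
PFDavg (safety) and spurious trip rate (availability), then pick an
architecture the way the text describes.

Assumptions: the simplified low-demand approximations below (ignoring
diagnostic repair terms) are the editor's, of the kind found in IEC 61508-6
Annex B; failure rates and the common-cause factor beta are constructed values.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class SensorChannel:
    """Failure data for one sensor channel (constructed sample values)."""
    lambda_du: float   # dangerous undetected failures per hour
    lambda_s: float    # safe (spurious-trip) failures per hour
    mttr_h: float      # mean time to restore a failed channel, hours


def sil_from_pfd(pfd: float) -> int:
    """SIL band from PFDavg: SIL n means at least n 'nines' of availability,
    e.g. PFD 0.00073 -> RSA 99.927% -> SIL 3. Returns 0 below SIL 1."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0


def pfd_avg(arch: str, ch: SensorChannel, ti_h: float, beta: float) -> float:
    """Average probability of failure on demand for the sensor group.
    x = lambda_DU * TI is the expected number of undetected dangerous failures
    per proof-test interval; beta is the common-cause fraction."""
    x = ch.lambda_du * ti_h
    if arch == "1oo1":
        return x / 2
    if arch == "1oo2":   # both channels must fail dangerous, or a common cause
        return x ** 2 / 3 + beta * x / 2
    if arch == "2oo2":   # one dangerous failure already defeats the trip
        return x
    if arch == "2oo3":   # any two of three fail dangerous, or a common cause
        return x ** 2 + beta * x / 2
    raise ValueError(f"unknown architecture {arch}")


def spurious_trip_rate(arch: str, ch: SensorChannel, beta: float) -> float:
    """Spurious trips per hour at the same level of approximation."""
    ls = ch.lambda_s
    if arch == "1oo1":
        return ls
    if arch == "1oo2":   # either channel's safe failure trips the loop
        return 2 * ls
    if arch == "2oo2":   # two concurrent safe failures, or a common cause
        return 2 * ls ** 2 * ch.mttr_h + beta * ls
    if arch == "2oo3":   # any two of three concurrently, or a common cause
        return 6 * ls ** 2 * ch.mttr_h + beta * ls
    raise ValueError(f"unknown architecture {arch}")


def evaluate(arch: str, ch: SensorChannel, ti_h: float, beta: float) -> dict:
    pfd = pfd_avg(arch, ch, ti_h, beta)
    return {
        "arch": arch,
        "pfd_avg": pfd,
        "sil": sil_from_pfd(pfd),
        "spurious_trips_per_year": spurious_trip_rate(arch, ch, beta) * HOURS_PER_YEAR,
    }


# The text's point: with one sensor failed, a 2oo3 group still works as 1oo2.
DEGRADED = {"2oo3": "1oo2"}


def select_architecture(required_sil, ch, ti_h, beta, max_spurious_per_year):
    """The procedure in the text: try 1oo1 first, move to a more redundant
    architecture until the SIL is met, and upgrade further (1oo2 -> 2oo3) when
    the spurious-trip budget is exceeded. 2oo2 never raises the SIL, so it is
    not a candidate here."""
    for arch in ("1oo1", "1oo2", "2oo3"):
        r = evaluate(arch, ch, ti_h, beta)
        if r["sil"] >= required_sil and r["spurious_trips_per_year"] <= max_spurious_per_year:
            return arch
    return None


if __name__ == "__main__":
    ch = SensorChannel(lambda_du=5e-7, lambda_s=2e-5, mttr_h=8.0)   # constructed
    for arch in ("1oo1", "1oo2", "2oo2", "2oo3"):
        r = evaluate(arch, ch, HOURS_PER_YEAR, beta=0.05)
        print(f"{arch}: PFDavg={r['pfd_avg']:.2e} SIL {r['sil']} "
              f"spurious/yr={r['spurious_trips_per_year']:.3f}")
    print("chosen:", select_architecture(3, ch, HOURS_PER_YEAR, 0.05, max_spurious_per_year=0.2))
    d = evaluate(DEGRADED["2oo3"], ch, HOURS_PER_YEAR, 0.05)
    print("2oo3 with one sensor failed behaves as", d["arch"], "-> SIL", d["sil"])
```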

Read the following Safety Instrumented System interview questions and answers, useful for interview
preparation.

Safety Instrumented Systems must be independent from all other control systems that control the
same equipment in order to ensure SIS functionality is not compromised.

Safety Instrumented System Interview Questions

SIS Questions and Answers


1. What is a SIS?
A SIS is a Safety Instrumented System. It is designed to prevent or mitigate hazardous events by taking
the process to a safe state when predetermined conditions are violated.

A SIS is composed of a combination of logic solver(s), sensor(s), and final element(s). Other common
terms for SISs are safety interlock systems, emergency shutdown systems (ESD), and safety
shutdown systems (SSD).

A SIS can be one or more Safety Instrumented Functions (SIF).

2. What is a SIF?
SIF stands for Safety Instrumented Function. A SIF is designed to prevent or mitigate a hazardous event
by taking a process to a tolerable risk level. A SIF is composed of a combination of logic solver(s),
sensor(s), and final element(s).

A SIF has an assigned SIL level depending on the amount of risk that needs to be reduced. One or
more SIFs comprise a SIS.

3. What is SIL?
SIL stands for Safety Integrity Level. A SIL is a measure of safety system performance, or probability
of failure on demand (PFD) for a SIF or SIS. There are four discrete integrity levels associated with
SIL.
The higher the SIL level, the lower the probability of failure on demand for the safety system and the
better the system performance. It is important to also note that as the SIL level increases, typically the
cost and complexity of the system also increase.

A SIL level applies to an entire system. Individual products or components do not have SIL ratings.
SIL levels are used when implementing a SIF that must reduce an existing intolerable process risk
level to a tolerable risk range.

4. What does functional safety mean?
Functional safety is a term used to describe the safety system that is dependent on the correct
functioning of the logic solver, sensors, and final elements to achieve the desired risk reduction level.

Functional safety is achieved when every SIF is successfully carried out and the process risk is
reduced to the desired level.

5. Why were the ANSI/ISA 84, IEC 61508, and IEC 61511
standards developed?
The standards were a natural evolution for the need to reduce process risk and improve safety through
a more formalized and quantifiable methodology.

Additionally, and specifically for IEC 61508, as the application and usage of software has evolved and
proliferated, there was an increased need to develop a standard to guide system / product designers
and developers in what they needed to do to ensure and “claim” that their systems / products were
acceptably safe for their intended uses.

6. When do I need a SIF or a SIS?
The philosophy of the standards suggests that a SIS or SIF should be implemented only if there is no
other non-instrumented way of adequately eliminating or mitigating process risk.

Specifically, the ANSI/ISA-84.00.01-2004 (IEC 61511 Mod) recommends a multi-disciplined team
approach that follows the Safety Lifecycle, conducts a process hazard analysis, designs a variety of
layers of protection (i.e., LOPA), and finally implements a SIS when a hazardous event cannot be
prevented or mitigated with something other than instrumentation.

7. What is a proof-test interval?
Proof testing is a requirement of safety instrumented systems to ensure that everything is working and
performing as expected.

Testing must include the verification of the entire system, logic solver, sensors, and final elements.
The interval is the period of time that the testing occurs.

The testing frequency varies for each SIS and is dependent on the technology, system architecture,
and target SIL level.
The proof-test interval is an important component of the probability of failure on demand calculation
for the system.

8. What is a Process Hazard Analysis (PHA) and who conducts this?
A PHA is an OSHA directive that identifies safety problems and risks within a process, develops
corrective actions to respond to safety issues, and preplans alternative emergency actions if safety
systems fail.

The PHA must be conducted by a diverse team that has specific expertise in the process being
analyzed. There are many consulting and engineering firms that also provide PHA services. PHA
methodologies can include a What-If Analysis, Hazard and Operability Study (HAZOP), Failure Mode
and Effects Analysis (FMEA), and a Fault Tree Analysis.

9. What voting configurations are required for each SIL level?
Obtaining a desired SIL level is dependent on a multitude of factors. The type of technology employed,
the number of system components, the probability of failure on demand (PFD) numbers for each
component, the system architecture (e.g., redundancy, voting), and the proof testing intervals all play
a significant role in the determination of a SIL level.

There is not a standard answer for what voting configurations are required for each SIL level. The
voting architecture must be analyzed in the context of all the factors noted above.

10. Will a SIL rated system require increased maintenance?
SIL solutions are certainly not always the most cost-effective solutions for decreasing process risk.

Many times, implementing a SIL solution will require increased equipment, which inevitably will require
increased maintenance.

Additionally, it is likely that the higher the SIL level, the more frequent the proof testing interval will be,
which may ultimately increase the amount of system maintenance that is required. This is why the
standards recommend a SIL based solution only when process risk cannot be reduced by other
methods, as determined by LOPA.

11. Can a F&G system be a SIF or SIS?
A Fire and Gas (F&G) system that automatically initiates process actions to prevent or mitigate a
hazardous event and subsequently takes the process to a safe state can be considered a Safety
Instrumented Function / Safety Instrumented System.
However, it is absolutely critical in a F&G system to ensure optimal sensor placement. If there is
incorrect placement of the gas / flame detectors and hazardous gases and flames are not adequately
detected, then the SIF / SIS will not be effective.

Correct sensor placement is more important than deciding whether a F&G SIF / SIS should be SIL 2
or SIL 3.

12. What is SIL 4?
SIL 4 is the highest level of risk reduction that can be obtained through a Safety Instrumented System.

However, in the process industry this is not a realistic level and currently there are few, if any, products
/ systems that support this safety integrity level.

SIL 4 systems are typically so complex and costly that they are not economically beneficial to
implement.

Additionally, if a process includes so much risk that a SIL 4 system is required to bring it to a safe
state, then fundamentally there is a problem in the process design which needs to be addressed by a
process change or other non-instrumented method.

13. Can an individual product be SIL rated?
No. Individual products are only suitable for use in a SIL environment.

A SIL level applies to a Safety Instrumented Function / Safety Instrumented System.

14. What type of communication buses or protocols are applicable for SIL 2 or SIL 3 systems?
The type of communication protocol that is suitable for a SIL 2 or SIL 3 system is really dependent on
the type of platform that is being used. Options include, but are not limited to: 4-20 mA output signal,
ControlNet (Allen Bradley), DeviceNet Safety (Allen Bradley), SafetyNet (MTL), and PROFIsafe.

Currently, the ISA SP84 committee is working on developing guidelines for a safety bus, to make sure
that the foundations comply with IEC 61508, and IEC 61511 standards.

The first devices with a safety bus should be available by 2008. The Fieldbus Foundation is actively
involved in the committee and working on establishing Foundation Fieldbus Safety Instrumented
Systems (FFSIS) project to work with vendors and end users to develop safety bus specifications.

15. For General Monitors, how can I access the PFD and MTBF data for the products?
The General Monitors SIL certificates have the PFD, SFF, and SIL numbers that correspond to each
product.
MTBF data can be provided by request.

16. Can a manufacturer state their products are “SIL X certified” rather than “suitable for use in a SIL X
system”?
Individual products are only suitable for use in a SIL environment. A SIL level applies to a Safety
Instrumented Function / Safety Instrumented System.

Product certificates are issued either by the manufacturer (self-certification), or other independent
agency to show that the appropriate process is followed, calculations have been performed, and
analysis has been completed on the individual products to indicate that they are compatible for use
within a system of a given SIL level.

Full IEC 61508 certification can apply to a manufacturer’s processes. Full certification implies that a
manufacturer’s product development process meets the standards set forth in the appropriate parts of
sections 2 – 3 of IEC 61508 (including hardware / system and software).

Receiving full certification from an accredited notifying body gives the end user confidence that the
manufacturer’s engineering process has been reviewed and its product’s electrical content, firmware
and logic have been assessed and conform to the guidelines set forth in the standard.

There are very few nationally accredited bodies that can issue nationally accredited certifications.
Other consulting firms issue certificates that indicate that the product and / or process has been
reviewed by an independent third party.

17. Can a manufacturer state their products meet all parts of the requirements of IEC 61508 parts 1 to 7?
IEC 61508 consists of the following parts, under the general title Functional Safety of
electrical/electronic/programmable electronic safety-related systems:

• Part 1: General requirements
• Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems
• Part 3: Software requirements
• Part 4: Definitions and abbreviations
• Part 5: Examples of methods for the determination of safety integrity levels
• Part 6: Guidelines on the application of parts 2 and 3
• Part 7: Overview of techniques and measures

To be in compliance with the standard, it is necessary to conform to Parts 1 – 3. Parts 4 – 8 are
informative only and can be useful in understanding and applying the standard, but do not have
requirements for conformance.

Manufacturers of products generally meet Section 2 requirements to determine through a FMEDA
analysis that their products are suitable for use within a given SIL level.

Companies choosing to certify their engineering processes and receive full IEC 61508 certification will
also comply with Section 3 as it relates to software development.

18. What does SIL X suitable mean, is this a valid statement as per the standard IEC 61508 or can any
other wording be used?
SIL stands for Safety Integrity Level. A SIL is a measure of safety system performance, or probability
of failure on demand (PFD) for a SIF or SIS. There are four discrete integrity levels associated with
SIL. The higher the SIL level, the lower the probability of failure on demand for the safety system and
the better the system performance. It is important to also note that as the SIL level increases, typically
the cost and complexity of the system also increase.

A SIL level applies to an entire system if it reduces the risk in the amount corresponding to an
appropriate SIL level. Individual products or components do not have SIL ratings. SIL levels are used
when implementing a SIF that must reduce an existing intolerable process risk level to a tolerable risk
range.

Only the end user can ensure that the safety system is implemented to be compliant with the
standards. It is up to the user to ensure that procedures have been followed properly, the proof testing
is conducted correctly, and suitable documentation of the design, process, and procedures exists.

The equipment or system must be used in the manner in which it was intended in order to successfully
obtain the desired risk reduction level. Just buying SIL 2 or SIL 3 suitable components does not ensure
a SIL 2 or SIL 3 system.

19. Using a SIL 3 logic solver means that I have a SIL 3 system.
No. When using a SIL 3 logic solver, it is critical that the entire system is designed to conform to SIL 3
requirements.

The PFD for the entire system is important. If a user installs a SIL 3 logic solver but does not employ
appropriate redundancy or does not incorporate components into the system with correct PFD
calculations, then the entire system may not comply with a SIL 3 level. “A chain is only as strong as
its weakest link.”

20. SIL 3 suitable products are better than SIL 1 or SIL 2 suitable products.
This is not necessarily true. While a higher SIL level corresponds to a lower probability of failure on
demand, a SIL 2 suitable product may be perfectly acceptable for use in a SIL 3 environment if, for
example, the proof testing interval is increased or if redundancy is used.
It is very important for an end-user to understand the operating requirements of the products within a
given SIL environment to ensure that once installed, the products maintain their SIL suitability levels.
Incorrect installation, proof testing, or configuration of the products could make the SIL suitability level
inaccurate.

21. There are many agencies that are capable of issuing SIL certifications.
There are very few nationally accredited bodies that can issue nationally accredited certifications,
including FM, TUV, and Sira.

Many unaccredited consulting firms issue certificates that indicate they have reviewed the product and
/ or process for conformance to certain parts of the IEC 61508 standard.

The standard does not mandate that certain companies or agencies are able to certify products and
systems. Rather, it is suggested that analysis is either conducted or validated by an independent third
party.

22. A vendor can determine whether a system meets the requirements of IEC 61511.
No. Only the end user can ensure that the safety system is implemented to be compliant with the
standards. It is up to the user to ensure that procedures have been followed properly, the proof testing
is conducted correctly, and suitable documentation of the design, process, and procedures exists.

The equipment or system must be used in the manner in which it was intended in order to successfully
obtain the desired risk reduction level. Just buying SIL 2 or SIL 3 suitable components does not ensure
a SIL 2 or SIL 3 system.

23. A customer must purchase a complete SIL based solution, even if some functions do not require a SIL
level.
For most applications there will only be a few SIF functions being handled by the system, and the vast
majority of the circuits may not need to be SIL rated at all.

If the customer specifies SIL 2 or SIL 3 for the entire system he may add considerable cost with little
or no benefit or improvement in safety.

24. “Safety” and “Reliability” are the same thing.
No. Safety and reliability are often linked but are not the same thing. Safety is defined in the IEC 61508
standards as “freedom from unacceptable risk.”
A safe system should protect from hazards whether it is performing reliably or not. Safety engineering
assures that a safety system performs as needed, even when pieces fail. In fact, safety engineers
assume that systems will fail, and design accordingly.

Reliability is a measure of how well the system does exactly what it is intended to do when operated
in a specific manner. A reliable system may not always be a safe system. The challenge in functional
safety is to ensure that a system is both reliable and safe.

25. Explain SIL and SIS and how they relate?

Safety Instrumented System (SIS):

Instrumented system used to implement one or more safety instrumented functions. An SIS is
composed of any combination of sensors, logic solvers, and final elements.

This can include safety instrumented control functions, safety instrumented protection functions, or
both. Many industrial processes, especially those in the chemical or oil & gas industries, involve
inherent risk due to the presence of dangerous chemicals or gases.

SIS are specifically designed to protect personnel, equipment, and the environment by reducing the
likelihood or the impact severity of an identified emergency event.

Safety Integrity Level (SIL):

SIL is a quantifiable measurement of risk used as a way to establish safety performance targets for
SIS systems.

IEC standards specify four possible Safety Integrity Levels (SIL1, SIL2, SIL3, SIL4); however, ISA
S84.01 only recognizes up to SIL3 levels.

Additional terms in the Safety Design area:

Safety Instrumented Function (SIF): Safety function with a specified safety integrity level, which is
necessary to achieve functional safety. A safety instrumented function can be either a safety
instrumented protection function (SIPF) or a safety instrumented control function (SICF).

Safe Failure Fraction (SFF): is a relatively new term resulting from the IEC 61508 and IEC 61511
committees’ work to quantify fault tolerance and establish the minimum level of redundancy required
in a safety instrumented function.

Per IEC, “Safe failure fraction is the ratio of the (total safe failure rate of a subsystem plus the
dangerous detected failure rate of the subsystem) to the total failure rate of the subsystem.” (In IEC
terms, subsystem refers to individual devices).

There are four types of random hardware failures:

• Safe undetected (SU);
• Safe detected (SD);
• Dangerous detected (DD);
• Dangerous undetected (DU).

Determining the SFF requires dividing the sum of the first three by the sum of all four.

The assumption is that the operator is expected to take action based on the dangerous detected faults,
therefore even if a device has a large fraction of dangerous failures, if enough can be detected and
safe action taken, then the device is still considered a safe device.
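As an added example (editor's code, not from the page) covering this SFF definition and the PFD/SFF/HFT requirement raised in the voting logic discussion, the block below computes SFF from the four failure classes and uses it with hardware fault tolerance to find the minimum redundancy for a target SIL. The failure rates are constructed FMEDA-style sample values; the SFF/HFT-to-SIL limits are the Route 1H architectural constraint tables of IEC 61508-2 as the editor recalls them, to be checked against the current edition before use.

```python
"""Added example (not from the page): Safe Failure Fraction from the four
failure-rate classes in the text, then the minimum hardware fault tolerance
(hence redundancy) a subsystem needs to claim a target SIL.

Assumptions: failure rates are constructed sample values; the limit tables are
the IEC 61508-2 Route 1H architectural constraints as the editor recalls them
(type A = simple devices such as valves, type B = complex devices such as
microprocessor-based transmitters). Verify against the standard before use.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureRates:
    """Random hardware failure rates per hour, split as the text lists them."""
    safe_detected: float          # SD
    safe_undetected: float        # SU
    dangerous_detected: float     # DD
    dangerous_undetected: float   # DU

    def total(self) -> float:
        return (self.safe_detected + self.safe_undetected
                + self.dangerous_detected + self.dangerous_undetected)


def safe_failure_fraction(r: FailureRates) -> float:
    """SFF = (safe + dangerous detected) / total: the first three of the text's
    four classes over the sum of all four."""
    total = r.total()
    if total <= 0:
        raise ValueError("total failure rate must be positive")
    return (r.safe_detected + r.safe_undetected + r.dangerous_detected) / total


# (upper SFF bound of the band, (max SIL at HFT 0, HFT 1, HFT 2)); 0 = not allowed.
_LIMITS_TYPE_A = ((0.60, (1, 2, 3)), (0.90, (2, 3, 4)), (0.99, (3, 4, 4)), (None, (3, 4, 4)))
_LIMITS_TYPE_B = ((0.60, (0, 1, 2)), (0.90, (1, 2, 3)), (0.99, (2, 3, 4)), (None, (3, 4, 4)))

# Hardware fault tolerance of the voting architectures discussed on the page.
HFT_OF_ARCH = {"1oo1": 0, "2oo2": 0, "1oo2": 1, "2oo3": 1, "1oo3": 2}


def max_sil_allowed(sff: float, hft: int, type_b: bool) -> int:
    """Highest SIL the architectural constraint permits for this SFF and HFT."""
    if not 0.0 <= sff <= 1.0:
        raise ValueError("SFF must be a fraction between 0 and 1")
    for upper, row in (_LIMITS_TYPE_B if type_b else _LIMITS_TYPE_A):
        if upper is None or sff < upper:
            return row[min(hft, 2)]
    raise AssertionError("unreachable: last band has no upper bound")


def min_hft_for_sil(required_sil: int, sff: float, type_b: bool):
    """Smallest HFT (hence minimum redundancy) allowed to claim the SIL, or None
    when even HFT 2 is not enough."""
    for hft in range(3):
        if max_sil_allowed(sff, hft, type_b) >= required_sil:
            return hft
    return None


def architectures_for(required_sil: int, rates: FailureRates, type_b: bool) -> list:
    """Voting architectures from the page whose HFT satisfies the constraint."""
    hft = min_hft_for_sil(required_sil, safe_failure_fraction(rates), type_b)
    if hft is None:
        return []
    return sorted(a for a, h in HFT_OF_ARCH.items() if h >= hft)


if __name__ == "__main__":
    # Constructed: a smart transmitter (type B) with 1000 FIT total failure rate.
    tx = FailureRates(250e-9, 50e-9, 620e-9, 80e-9)
    sff = safe_failure_fraction(tx)
    print(f"SFF = {sff:.1%}")
    for sil in (2, 3):
        print(f"SIL {sil}: minimum HFT {min_hft_for_sil(sil, sff, True)}, "
              f"candidate architectures {architectures_for(sil, tx, True)}")
```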

Understanding Safety Integrity Level IEC 61511
IEC standard 61511 is a technical standard which sets out practices in the engineering of systems that
ensure the safety of an industrial process through the use of instrumentation. Such systems are
referred to as Safety Instrumented Systems. The title of the standard is “Functional safety – Safety
instrumented systems for the process industry sector”.

Safety integrity level (SIL) is defined as a relative level of risk-reduction provided by a safety function,
or to specify a target level of risk reduction. In simple terms, SIL is a measurement of performance
required for a safety instrumented function (SIF).

The requirements for a given SIL are not consistent among all of the functional safety standards. In
the functional safety standards based on the IEC 61508 standard, four SILs are defined, with SIL 4
the most dependable and SIL 1 the least.

A SIL is determined based on a number of quantitative factors in combination with qualitative factors
such as development process and safety life cycle management.

Assignment of SIL is an exercise in risk analysis where the risk associated with a specific hazard, that
is intended to be protected against by a SIF, is calculated without the beneficial risk reduction effect
of the SIF. That unmitigated risk is then compared against a tolerable risk target.

The difference between the unmitigated risk and the tolerable risk, if the unmitigated risk is higher than
tolerable, must be addressed through risk reduction by the SIF. This amount of required risk reduction
is correlated with the SIL target. In essence, each order of magnitude of risk reduction that is required
corresponds to an increase of one in the required SIL number.

There are several methods used to assign a SIL. These are normally used in combination, and may
include:
• Risk matrices
• Risk graphs
• Layers of protection analysis (LOPA)

Of the methods presented above, LOPA is by far the most commonly used by large industrial facilities.

The assignment may be tested using both pragmatic and controllability approaches, applying guidance
on SIL assignment. SIL assignment processes that use the HSE guidance to ratify assignments
developed from risk matrices have been certified to meet IEC EN 61508.

Perhaps the simplest form of sensor providing process information for a safety instrumented function
is a process switch.

Examples of process switches include temperature switches, pressure switches, level switches, and
flow switches.

SIS sensors must be properly calibrated and configured to indicate the presence of a dangerous
condition. They must be separate and distinct from the sensors used for regulatory control, in order to
ensure a level of safety protection beyond that of the basic process control system.

Referring to the clothes dryer and domestic water heater over-temperature shutdown switches, these
high-temperature shutdown sensors are distinctly separate from the regulatory (temperature
controlling) sensors used to maintain the appliance’s temperature at setpoint.

As such, they should only ever spring into action in the event of a high-temperature failure of the basic
control system.

That is, the over-temperature safety switch on a clothes dryer or a water heater should only ever reach
its high-temperature limit if the normal temperature control system of the appliance fails to do its job
of regulating temperature to normal levels.

SIS Sensors
Industrial Safety Instrumented Systems (SIS) always use dedicated transmitters and/or process switches
to detect abnormal process conditions.

As a rule, one should always use independent sensors for safety shutdown, and never rely on the
regulatory control sensor(s) for safety functions. In the electric power industry we see this same
segregation of functions: separate instrument transformers (PTs and CTs) are used to sense line
voltage and line current for metering and control (regulatory) versus for protective relay (safety
shutdown) equipment. It would be foolish to depend on one sensor for both functions.

We see this general rule applied even in home appliances such as electric water heaters: the safety
shutdown temperature switch is a separate component from the thermostat switch used to regulate
water temperature. This way, a failure in the regulatory sensor does not compromise the integrity of
the safety function.

A modern trend in safety instrumented systems is to use continuous process transmitters rather than
discrete process switches to detect dangerous process conditions.

Any process transmitter – analog or digital – may be used as a safety shutdown sensor if its signal is
compared against a “trip” limit value by a comparator relay or function block. This comparator function
provides an on-or-off (discrete) output based on the transmitter’s signal value relative to the trip point.

A simplified example of a continuous transmitter used as a discrete alarm and trip device is shown
here, where analog comparators generate discrete “trip” and “alarm” signals based on the measured
value of liquid in a vessel.

Note the necessity of two level switches on the other side of the vessel to perform the same dual alarm
and trip functions:

Benefits to using a continuous transmitter instead of discrete switches include the ability to easily
change the alarm or trip value, and better diagnostic capability.
The latter point is not as obvious as the former, and deserves more explanation. A transmitter
continuously measuring liquid level will produce an output signal that varies over time with the
measured process variable.

A “healthy” transmitter should therefore exhibit a continuously changing output signal, proportional to
the degree of change in the process.

Discrete process switches, in contrast to transmitters, provide no indication of “healthy” operation. The
only time a process switch should ever change states is when its trip limit is reached, which in the
case of a safety shutdown sensor indicates a dangerous (rare) condition.

A process switch showing a “normal” process variable may indeed be functional and indicating
properly, but it might also be failed and incapable of registering a dangerous condition should one
arise – there is no way to tell by monitoring its un-changing status. The continuously varying output of
a process transmitter therefore serves as an indicator (Note 1) of proper function.

Note 1 : Of course, the presence of some variation in a transmitter’s output over time is no guarantee
of proper operation. Some failures may cause a transmitter to output a randomly “walking” signal when
in fact it is not registering the process at all. However, being able to measure the continuous output of
a process transmitter provides the instrument technician with far more data than is available with a
discrete process switch.

A safety transmitter’s output signal may be correlated against the output signal of another transmitter
measuring the same process variable, perhaps even the transmitter used in the regulatory control
loop.

If two transmitters measuring the same process variable agree closely with one another over time,
chances are extremely good that both are functioning properly.

In applications where Safety Instrumented Function (SIF) reliability is paramount, redundant transmitters
may be installed to yield additional reliability.

The following photograph shows triple redundant transmitters measuring liquid flow by sensing
differential pressure dropped across an orifice plate:
A single orifice plate develops the pressure drop, with the three differential pressure transmitters “tubed”
in parallel with each other, all the “high” side ports connected together through common (Note 2)
impulse tubing and all the “low” side ports connected together through common impulse tubing.
These particular transmitters happen to be FOUNDATION Fieldbus rather than 4-20 mA analog
electronic. The yellow instrument tray cable (ITC) used to connect each transmitter to a segment
coupling device may be clearly seen in this photograph.

Note 2: It should be noted that the use of a single orifice plate and of common (parallel-connected)
impulse lines represents a point of common-cause failure. A blockage at one or more of the orifice
plate ports, or a closure of a manual block valve, would disable all three transmitters. As such, this
might not be the best method of achieving high flow-measurement reliability.

The “trick” to using redundant transmitters is to have the system self-determine what the actual
process value is in the event one or more of the redundant transmitters disagree with each other.

Voting is the name given to this important function, and it often takes the form of signal selector
functions:

Multiple selection criteria are typically offered by “voting” modules, including high, low, average, and
median.

A “high” select voter would be suitable for applications where the dangerous condition is a large
measured value, the voting module selecting the highest-valued transmitter signal in an effort to err
on the side of safety.

This would represent a 1oo3 safety redundancy (since only one transmitter out of the three would have
to register beyond the high trip level in order to initiate the shutdown).

A “low” select voter would, of course, be suitable for any application where the dangerous condition is
a small measured value (once again providing a 1oo3 safety redundancy).
The “average” selection function merely calculates and outputs the mathematical average of all
transmitter signals – a strategy prone to problems if one of the redundant transmitters happens to fail
in the “safe” direction (thus skewing the average value away from the “dangerous” direction and
thereby possibly causing the system to respond to an actual dangerous condition later than it should).

The median select criterion is very useful in safety systems because it effectively ignores any
measurements deviating substantially from the others.

Median selector functions may be constructed of high- and low-select function blocks in either of the
following (Note 3) manners:

Note 3: The best way to prove to yourself the median-selecting abilities of both function block networks
is to perform a series of “thought experiments” where you declare three arbitrary transmitter signal
values, then follow through the selection functions until you reach the output.

For any three signal values you might choose, the result should always be the same: the median signal
value is the one chosen by the voter.
Three transmitters filtered through a median select function effectively provide a 2oo3 safety
redundancy, since just a single transmitter registering a value beyond the safety trip point would be
ignored by the voting function.

Two or more transmitters would have to register values past the trip point in order to initiate a shutdown.
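Added example (editor's code, not from the page): the high, low, average and median selectors described above, the two median networks built from high- and low-select blocks, and Note 3's thought experiment run over every ordering of three signals, followed by the failure scenarios the text warns about. Signal values, trip point and failure scenarios are constructed.

```python
"""Added example (not from the page): voting selectors for three redundant
transmitters, the two median-select networks built from high/low-select
blocks, and the 1oo3 versus 2oo3 behaviour the text describes.

Assumptions: transmitter signals are constructed percentages of span; the
trip point and the failed-transmitter scenarios are illustrative only.
"""
from itertools import permutations
from statistics import median


def high_select(*signals):
    return max(signals)


def low_select(*signals):
    return min(signals)


def median_select_a(a, b, c):
    """Manner 1: high-select of the three pairwise low-selects."""
    return high_select(low_select(a, b), low_select(b, c), low_select(a, c))


def median_select_b(a, b, c):
    """Manner 2: low-select of the three pairwise high-selects."""
    return low_select(high_select(a, b), high_select(b, c), high_select(a, c))


def networks_select_median(values=(12.0, 57.5, 83.0)) -> bool:
    """Note 3's thought experiment: for every ordering of three signal values,
    both function-block networks must output the median."""
    for trio in permutations(values):
        expected = median(trio)
        if median_select_a(*trio) != expected or median_select_b(*trio) != expected:
            return False
    return True


def voter_output(mode: str, signals):
    """Selected process value for the given voting criterion."""
    if mode == "high":
        return high_select(*signals)
    if mode == "low":
        return low_select(*signals)
    if mode == "average":
        return sum(signals) / len(signals)
    if mode == "median":
        return median_select_a(*signals)
    raise ValueError(f"unknown voter mode {mode}")


def trips(mode: str, signals, trip_point: float, dangerous_is_high: bool = True) -> bool:
    """Discrete trip decision: the selected value compared against the trip
    limit, the dangerous condition being a high or a low measured value."""
    value = voter_output(mode, signals)
    return value >= trip_point if dangerous_is_high else value <= trip_point


if __name__ == "__main__":
    TRIP = 90.0  # % level; high level is the dangerous condition
    scenarios = (
        # real high level, transmitter C failed toward the 'safe' (low) end
        ("real high, one failed safe", (92.0, 91.0, 0.0)),
        # normal level, transmitter C failed high (would cause a spurious trip)
        ("normal, one failed high", (50.0, 51.0, 100.0)),
    )
    print("median networks agree for all orderings:", networks_select_median())
    for name, sig in scenarios:
        for mode in ("high", "average", "median"):
            print(f"{name:28s} {mode:8s} -> {voter_output(mode, sig):6.1f}"
                  f"  trip={trips(mode, sig, TRIP)}")
```

The high selector trips on either scenario (1oo3), the average is dragged below the trip point by the failed-safe transmitter, and the median trips only when two of the three transmitters are past the limit (2oo3).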

It should be stressed that redundant transmitter strategies are only effective if the transmitters all sense
the exact same process variable, and if their failure modes are independent (i.e. no common cause
failure modes exist).

If, for example, a set of redundant transmitters are attached to the process at different points such that
they may legitimately sense different measurement values, the effectiveness of their redundancy will
be compromised.

Similarly, if a set of redundant transmitters are susceptible to failure from a shared condition (e.g.
multiple liquid level transmitters that may be fooled by changes in process fluid density), then reliability
will suffer.

SIS Final Control Elements
When a dangerous condition in a volatile process is sensed by process transmitters (or process
switches), triggering a shutdown response from the logic solver, the final control elements must
move with decisive and swift action.

Such positive response may be obtained from a standard regulatory control valve (such as a globe-
type throttling valve), but for more critical applications a rotary ball or plug valve may be more suitable.

If the valve in question is used for safety shutdown purposes only and not regulation, it is often referred
to as a chopper valve for its ability to “chop” (shut off quickly and securely) the process fluid flow. A
more formal term for this is an Emergency Isolation Valve, or EIV.

Some process applications may tolerate the over-loading of both control and safety functions in a
single valve, using the valve to regulate fluid flow during normal operation and fully stroke (either open
or closed depending on the application) during a shutdown condition.

A common method of achieving this dual functionality is to install a solenoid valve in-line with the
actuating air pressure line, such that the valve’s normal pneumatic signal may be interrupted at any
moment, immediately driving the valve to a fail-safe position at the command of a discrete “trip” signal.

Such a “trip” solenoid (sometimes referred to as a dump solenoid, because it “dumps” all air pressure
stored in the actuating mechanism) is shown here, connected to a fail-closed (air-to-open) control
valve:

Compressed air passes through the solenoid valve from the I/P transducer to the valve’s pneumatic
diaphragm actuator when energized, the letter “E” and arrow showing this path in the diagram.

When de-energized, the solenoid valve blocks air pressure coming from the I/P and vents all air
pressure from the valve’s actuating diaphragm as shown by the letter “D” and arrow. Venting all
actuating air pressure from a fail-closed valve will cause the valve to fail closed, obviously.

If we wished to have the valve fail open on demand, we could use the exact same solenoid and
instrument air plumbing, but swap the fail-closed control valve for a fail-open control valve.

When energized (regular operation), the solenoid would pass variable air pressure from the I/P
transducer to the valve actuator so it could serve its regulating purpose.

When de-energized, the solenoid would force the valve to the fully-open position by “dumping” all air
pressure from the actuator.

For applications where it is safer to lock the control valve in its last position than to have it fail either
fully closed or fully open, we might elect to use a solenoid valve in a different manner:

Here, de-energization of the solenoid valve causes the I/P transducer’s air pressure output to vent,
while trapping and holding all air pressure inside the actuator at the trip time.

Regardless of the valve’s “natural” fail-safe state, this system forces the valve to lock position (Note
1) until the solenoid is re-energized.

Note 1: This is assuming, of course, that there are no air leaks anywhere in the actuator, tubing, or
solenoid which would cause the trapped pressure to decrease over time.

An example of a trip solenoid installed on a control valve appears in the following photograph.
This valve also happens to have a hand jack wheel installed in the actuating mechanism, allowing a
human operator to manually override the valve position by forcing it closed (or open) when the hand
wheel is turned sufficiently:

Of all the components of a Safety Instrumented System (SIS), the final control elements (valves) are
generally the least reliable, contributing most towards the system’s probability of failure on demand
(PFD).
Sensors generally come in at second place in their contribution toward unreliability, and logic solvers
a distant third place. Redundancy may be applied to control elements by creating valve networks
where the failure of a single valve does not cause the system as a whole to fail.

Unfortunately, this approach is extremely expensive, as valves have both high capital and high
maintenance costs compared to SIS sensors and logic solvers.

A less expensive approach than redundancy to increasing safety valve reliability is to perform regular
proof tests of their operation.

This is commonly referred to in the industry as partial stroke testing. Rather than proof-test each safety
valve to its full travel, which would interrupt normal process operations, the valve is commanded to
move only part of its full travel.

If the valve responds well to this “partial stroke” test, there is a high probability that it is able to move
all the way, thus fulfilling the basic requirements of a proof test without actually shutting the process
down (Note 2).

Note 2: Of course, if there is opportunity to fully stroke the safety valve to the point of process shutdown
without undue interruption to production, this is the superior way of performing valve proof tests. Such
“test-to-shutdown” proof testing may be scheduled at a time convenient to operations personnel, such
as at the beginning of a planned process shutdown.

A shutdown valve (also referred to as SDV or Emergency Shutdown Valve, ESV, ESD, or ESDV) is an
actuated valve designed to stop the flow of a hazardous fluid upon the detection of a dangerous event.

Shutdown Valve
Image Courtesy : Wikipedia

This provides protection against possible harm to people, equipment or the environment. Shutdown
valves form part of a Safety Instrumented System. The process of providing automated safety protection
upon the detection of a hazardous event is called Functional Safety.

Types of valve
For fluids, metal seated ball valves are used as shutdown valves (SDVs). Use of metal seated ball
valves leads to overall lower costs when taking into account the lost production and inventory, and the
valve repair costs, that result from using soft seated ball valves, which have a lower initial cost.

Straight-through flow valves, such as rotary-shaft ball valves, are typically high-recovery valves. High
recovery valves are valves that lose little energy because they cause little flow turbulence; their flow
paths are straight through. Rotary control valves, butterfly valves and ball valves are good examples.

For air intake shut down, two distinct types are commonly utilized, i.e. butterfly valves and swing gate
or guillotine valves. Because diesel engines ignite fuel using compression instead of an electronic
ignition, shutting off the fuel source to a diesel engine will not necessarily stop the engine from running.

When an external hydrocarbon, such as methane gas, is present in the atmosphere, it can be sucked
into a diesel engine causing overspeed or over revving, potentially leading to a catastrophic failure
and explosion. When actuated, ESD valves stop the flow of air and prevent these failures.
Types of Actuation
As shutdown valves form part of a SIS, it is necessary to operate the valve by means of an actuator.

These actuators are normally of the fail-safe fluid-power type.

Typical examples of these are:

• Pneumatic cylinder
• Hydraulic cylinder
• Electro-hydraulic actuator

In addition to the fluid type, actuators also vary in the manner in which the energy is stored to operate
the valve on demand, as follows:

• Single acting cylinder – or spring return, where the energy is stored by means of a compressed
spring
• Double acting cylinder – energy is stored using a volume of compressed fluid

The type of actuation required depends upon the application, site facilities and also the physical space
available although the majority of actuators used for shutdown valves are of the spring return type due
to the fail safe nature of spring return systems.

Measuring Performance
For shutdown valves used in safety instrumented systems it is essential to know that the valve is capable
of providing the required level of safety performance and that the valve will operate on demand.

The required level of performance is dictated by the Safety Integrity Level (SIL). In order to adhere to
this level of performance it is necessary to test the valve. There are two types of testing method
available:

• Proof test – A manual test that allows the operator to determine whether the valve is in the “as
good as new” condition by testing for all possible failure modes; it requires a plant shutdown
• Diagnostic Test – An automated on-line test that will detect a percentage of the possible failure
modes of the shutdown valve. An example of this for a shutdown valve would be a partial stroke
test.

An example of a mechanical partial stroke test device.

SIS Logic Solver
Control hardware for safety instrumented functions should be separate from the control hardware used
to regulate the process, if only for the simple reason that the SIF exists to bring the process to a safe
state in the event of any unsafe condition arising, including dangerous failure of the basic regulatory
controls.

If a single piece of control hardware served the dual purposes of regulation and shutdown, a failure
within that hardware resulting in loss of regulation (normal control) would not be protected because
the safety function would be disabled by the same fault.

Safety controls are usually discrete with regard to their output signals. When a process needs to be
shut down for safety reasons, the steps to implement the shutdown often take the form of opening and
closing certain valves fully rather than partially.

This sort of all-or-nothing control action is most easily implemented in the form of discrete signals
triggering solenoid valves or electric motor actuators.

A digital controller specially designed for and tasked with the execution of safety instrumented
functions is usually called a logic solver, or sometimes a safety PLC, in recognition of this discrete-
output nature.

A photograph of a “safety PLC” used as an SIS in an oil refinery processing unit is shown here, the
controller being a Siemens “Quadlog” model:

Some logic solvers such as the Siemens Quadlog are adaptations of standard control systems (in the
case of the Quadlog, its standard counterpart is called APACS).
In the United States, where Rockwell’s Allen-Bradley line of programmable logic controllers holds the
dominant share of the PLC market, a version of the ControlLogix 5000 series called GuardLogix is
manufactured specifically for safety system applications.

Not only are there differences in hardware between standard and safety controllers (e.g. redundant
processors), but some of the programming instructions are unique to these safety-oriented controllers
as well.

An example of a safety-specific programming instruction is the GuardLogix DCSRT instruction, which
compares two redundant input channels for agreement before activating a “start” bit which may be
used to start some equipment function such as an electric motor:

In this case, the DCSRT instruction looks for two discrete inputs to be in the correct complementary
states (Channel A = 1 and Channel B = 0) before allowing a motor to start.

These states must not conflict for a time-span longer than 50 milliseconds, or else the DCSRT
instruction will set a “Fault Present” (FP) bit.

As you can see, the form-C push button contacts are wired to two discrete inputs on the GuardLogix
PLC, giving the PLC dual (complementary) indication of the switch status.
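To make the dual-channel behaviour described above concrete, here is an added example (written for this page, not Rockwell's implementation) that models a complementary-input start check in plain Python: the two contacts of a form-C push button feed channels A and B, the "start" bit is raised only for the A=1, B=0 pattern, and a discrepancy (both channels equal) that persists longer than the 50 ms quoted in the text latches a Fault Present bit. The scan timing, the reset rule and the input traces are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

DISCREPANCY_LIMIT_MS = 50   # the 50 ms discrepancy limit quoted in the text


@dataclass
class DualChannelStart:
    """Simplified model of a dual-channel complementary start check.
    Channel A and channel B come from the two contacts of one form-C push
    button, so in a healthy circuit they are always opposite: A=1,B=0 means
    "start requested", A=0,B=1 means "idle". Equal states are a discrepancy."""
    limit_ms: int = DISCREPANCY_LIMIT_MS
    discrepancy_since_ms: Optional[int] = None  # scan time at which the channels stopped being complementary
    fault_present: bool = False                 # FP bit, latched until reset
    start: bool = False                         # "start" bit handed to the motor logic

    def scan(self, t_ms, channel_a, channel_b):
        """Evaluate one controller scan at time t_ms with both discrete inputs."""
        a, b = bool(channel_a), bool(channel_b)
        if a != b:
            self.discrepancy_since_ms = None       # channels are complementary again
        elif self.discrepancy_since_ms is None:
            self.discrepancy_since_ms = t_ms       # first scan of a discrepancy: start the clock
        elif t_ms - self.discrepancy_since_ms > self.limit_ms:
            self.fault_present = True              # discrepancy outlasted the limit: latch FP
        # Start is permitted only on the expected A=1, B=0 pattern with no fault latched
        self.start = a and not b and not self.fault_present
        return self.start, self.fault_present

    def reset(self, channel_a, channel_b):
        """Clear the latched fault, allowed only once the inputs are complementary again."""
        if bool(channel_a) != bool(channel_b):
            self.fault_present = False
            self.discrepancy_since_ms = None
        return not self.fault_present


def run_trace(trace, limit_ms=DISCREPANCY_LIMIT_MS):
    """Feed a sequence of constructed samples (t_ms, A, B) through the block and
    return the (start, fault_present) pair after the last sample."""
    block = DualChannelStart(limit_ms)
    result = (False, False)
    for t_ms, a, b in trace:
        result = block.scan(t_ms, a, b)
    return result


# Constructed input traces (not captured from real hardware)
HEALTHY_PRESS = [(0, 0, 1), (10, 0, 1), (20, 1, 0), (30, 1, 0)]    # clean button press
CONTACT_BOUNCE = [(0, 0, 1), (10, 1, 1), (40, 1, 1), (60, 1, 0)]   # both closed for 30 ms, within limit
STUCK_CONTACT = [(0, 0, 1), (10, 1, 1), (70, 1, 1), (80, 1, 0)]    # both closed for 60 ms: fault

if __name__ == "__main__":
    for name, trace in (("healthy", HEALTHY_PRESS), ("bounce", CONTACT_BOUNCE), ("stuck", STUCK_CONTACT)):
        start, fp = run_trace(trace)
        print(f"{name:8s} start={start} fault_present={fp}")
```

The bounce trace shows why the time limit exists: contact bounce briefly puts both channels in the same state, but because the disagreement clears inside 50 ms the start is still granted. In the stuck trace the disagreement outlasts the limit, the FP bit latches, and a later A=1, B=0 pattern no longer produces a start until the fault is reset.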

For specialized and highly critical applications, dedicated safety controllers exist which share
no legacy with standard control platforms.

Triconex and ICS-Triplex are two such manufacturers, producing triple-modular redundant (TMR)
control systems implementing 2oo3 voting at the hardware level, with redundant signal conditioning
I/O circuits, redundant processors, and redundant communication channels between all components.

The nuclear power industry boasts a wide array of application-specific digital control systems, with
triple (or greater!) component redundancy for extreme reliability.

An example of this is Toshiba’s TOSMAP system for boiling water nuclear power reactors, the digital
controller and electro-hydraulic steam turbine valve actuator subsystem having a stated MTBF of over
1000 years!

MTBF stands for Mean Time Between Failures, and represents the reliability of a large collection of
components or systems.

For any large batch of identical components or systems constantly subjected to ordinary stresses,
MTBF is the theoretical length of time it will take for 63.2% of them to fail based on ordinary failure
rates within the lifetime of those components or systems.

Thus, MTBF may be thought of as the “time constant” (τ) for failure within a batch of identical
components or systems.

Safety Integrity Level (SIL) is a measure of safety system performance – not a measure of process
risk. The higher the level of risk, the greater the system performance required.

Based on a hazard and risk analysis, each individual Safety Instrumented Function (SIF) is assigned
a required performance level, or SIL. Safety Instrumented Systems may have different SILs for each
of its individual SIFs.

Difference between SIS, PLC and BPCS


HOW TO CALCULATE INTEGRITY LEVEL
Industrial plants require a multidiscipline team to evaluate and assign SIL performance levels for SIFs,
not a specific person.

Common departments assigned to the team are process, mechanical design, safety, operations and
control systems. Quantitative or qualitative analysis is used to calculate the SIL of each SIF:

1. ALARP, Risk Matrix and Risk Graphs


ALARP (As Low As Reasonably Practicable), Risk Matrixes and Risk Graphs are qualitative methods
of determining SIL.

Qualitative data is faster and easier, but is also subjective and many engineers are not comfortable
using this data to assign performance levels. Systems analyzed using qualitative data are often built
too conservatively, adding unnecessary costs.

2. LOPA (Layer of Protection Analysis)


LOPA is a quantitative method that identifies and analyzes the effects of independent layers of
protection (IPL) – devices, systems or actions capable of preventing a hazardous event.

LOPAs are extremely detailed and require members of an organization to agree on risk tolerance levels.
Quantitative analysis typically delivers lower levels of required performance, reducing safety system
costs.

Once SILs are assigned using quantitative or qualitative analysis and independent protection layers
considered, a Safety Requirement Specifications (SRS) is written to describe the functional and
integrity requirements of the system.

Functional requirements describe the system inputs, outputs and logic. Integrity requirements describe
the performance needed for each function.

Incomplete or incorrect specifications cause 44% of accidents in safety applications, stressing the
importance of fully understanding the functional and integrity requirements of the system.

Device failure rates – dangerous detected (DD), dangerous undetected (DU), safe detected (SD) and
safe undetected (SU) – are required to calculate SIL.

Failures In Time (FIT) data is what owner/operators require in order to calculate Probability of Failure
on Demand (PFD), Safe Failure Fraction (SFF), Risk Reduction Factor (RRF), Safety Availability (SA)
and Mean Time to Failure (MTTF). This FIT data makes calculating target SIL levels rather easy for
simplex systems.

To really understand a SIL rating you need to know what the Probability of Failure on Demand (PFD)
is. The PFD is a likelihood that a loop will fail when a demand is placed on it. The PFD of a SIF is
calculated using the number of potential dangerous undetected failures and the test interval of the
loop.
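The two calculations just described (the MTBF "time constant", and the PFD of a loop element from its dangerous undetected failure rate and proof-test interval) are carried out in the following added example. It is written for this page, not taken from any standard's worked example; it assumes the usual constant-failure-rate (exponential) model, a single simplex (1oo1) element, and IEC 61508's low-demand SIL bands. The 500 FIT figure is a constructed sample value, not a real device's data.

```python
import math

HOURS_PER_YEAR = 8760.0


def fit_to_rate(fit):
    """Convert a FIT figure (failures per 1e9 device-hours) to failures per hour."""
    return fit / 1.0e9


def fraction_failed(t_hours, mtbf_hours):
    """Constant-failure-rate model: fraction of a large batch of identical units
    that has failed by time t. At t = MTBF this is 1 - e^-1, i.e. 63.2 %, which is
    why MTBF behaves as the 'time constant' of failure."""
    return 1.0 - math.exp(-t_hours / mtbf_hours)


def pfd_avg_1oo1(lambda_du, test_interval_hours):
    """Average PFD of a single (1oo1) element whose dangerous undetected failures
    are revealed only by a proof test every test_interval_hours. This is the
    time-average of 1 - exp(-lambda*t) over one interval; for small lambda*T it
    reduces to the familiar lambda*T/2."""
    x = lambda_du * test_interval_hours
    if x == 0.0:
        return 0.0
    return 1.0 - (1.0 - math.exp(-x)) / x


def sil_for_pfd(pfd):
    """IEC 61508 low-demand SIL band for a PFDavg (0 = below SIL 1; anything under
    1e-4, including values below the SIL 4 band, is reported as 4)."""
    if pfd < 1e-4:
        return 4
    if pfd < 1e-3:
        return 3
    if pfd < 1e-2:
        return 2
    if pfd < 1e-1:
        return 1
    return 0


def loop_metrics(fit_du, test_interval_years):
    """Headline figures for a simplex loop element from its dangerous undetected
    FIT value and its proof-test interval."""
    lam = fit_to_rate(fit_du)
    t = test_interval_years * HOURS_PER_YEAR
    pfd = pfd_avg_1oo1(lam, t)
    return {
        "lambda_du_per_hour": lam,
        "mttf_du_years": 1.0 / lam / HOURS_PER_YEAR,
        "pfd_avg": pfd,
        "rsa": 1.0 - pfd,      # Required Safety Availability = 1 - PFD
        "rrf": 1.0 / pfd,      # Risk Reduction Factor = 1 / PFD
        "sil": sil_for_pfd(pfd),
    }


if __name__ == "__main__":
    # Constructed figure: 500 FIT dangerous undetected
    for years in (0.5, 1, 2, 5):
        m = loop_metrics(500, years)
        print(f"T = {years:>3} yr  PFDavg = {m['pfd_avg']:.2e}  RRF = {m['rrf']:8.0f}  SIL {m['sil']}")
```

Running the loop in the main block shows the point the text makes about the test interval: the same element at 500 FIT meets SIL 2 when proof-tested yearly but drops into the SIL 1 band when the interval stretches to five years, because PFDavg grows almost linearly with the interval.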

Safety instrumented systems are used to implement SIFs as layers of protection to reduce process
hazards. It is an automated way to take an action against a potentially unsafe condition and return a
process to a safe or stable state.

Some major differences between SIS, PLC and BPCS hardware are:

• a standard BPCS has unknown failure modes
• a SIS PLC will fail safely within a specified probability (SIL)
• a SIS PLC is certified to standards like IEC 61508 for use in a safety application
• a safety PLC must be configured by a person with appropriate competency in both safety and the
development platform.

A single SIS PLC can have any number of safety instrumented functions being controlled within it
depending on how many unsafe conditions can exist in a facility, or area of a facility.

Most safety loops are designed to be configured as a de-energize to trip system, where the SIS PLC
must remove power to trip the loop.

Sensing elements that are typically connected to a SIS are Pressure Transmitters, Level Transmitters,
Temperature Transmitters, Flame Detectors, Smoke Detectors, Toxic Gas Detectors, Emergency Shut
Down (ESD) switches, and any number of input devices.

Final elements are typically Solenoid Operated Valves (SOV), Beacons, Horns, Exhaust Fans, and
Doors to name a few.

One thing to always keep in mind is that a SIS is not just a controller for a system. A SIS includes all
transmitters and final elements, as well as associated solenoids, exhaust valves, and loop
splitters. Any component where its failure could cause a potential failure on the loop is a component
that is included in the SIS.

Dangerous failures occur when a component is unavailable when a demand is placed on it. Device
diagnostics greatly reduce the chance of dangerous failures. Safe failures, also known as nuisance
or spurious trips, often lead to unplanned shutdowns. Sensor voting logic is commonly used to avoid
nuisance trips and improve system performance.

IMPORTANCE OF INDEPENDENT SYSTEMS


Safety Instrumented Systems are required in the process industry because BPCSs are not perfect.
Many industrial standards and guidelines recommend that the SISs be separate from the BPCS.

“A device used to perform part of a safety instrumented function shall not be used for basic process
control purposes, where a failure of that device results in a failure of the basic process control function
which causes a demand on the safety instrumented function, unless an analysis has been carried out
to confirm that the overall risk is acceptable.” – ANSI/ISA 84.00.01-2004 11.2.10.

Human issues are the most common reason why SISs and BPCSs are independent. People cannot
be trusted to make safe decisions during emergencies, no matter how well trained.

A study analyzing human performance in life threatening situations discovered that people make the
wrong choice 99% of the time when required to do so in less than one minute, emphasizing the
importance of an automated SIS to protect against hazardous events.

If components are allowed to be shared between SIS and BPCS, specifications may be overlooked
leading to serious consequences. Separating the SIS from the BPCS assures that Safety Requirement
Specifications (SRS) are reviewed before changes are made, and all new potential hazards caused
by the proposed change will be identified before the change can be implemented.

Consideration should be given to using devices that are differentiated by color, unique tags or a
numbering system to help differentiate from BPCS devices.

SIS vs. BPCS


Safety instrumented Systems are passive and dormant, monitoring and maintaining the safety of the
process. These systems operate for long periods of time in which they simply wait to respond to a
system demand.

Diagnostics are critical in SISs to ensure that components are functioning properly, reducing the
frequency of manual tests. Changes after installation are subject to strict adherence to management
of change (MOC). Even the smallest change can have a significant consequence.

Basic Process Control Systems (BPCS) are active and dynamic, controlling the process. These
systems have a variety of digital and analog inputs and outputs that react to logic functions, making
most failures self-revealing. Changes to BPCSs are very common and required to maintain accurate
process control.

COMMON CAUSE FAILURES


Separating the SIS from the BPCS greatly reduces the risk of common cause failures, systematic
failures that affect the entire system. Common cause failures can include loss of power, bugs in
software or undetected device failures.

Assumptions are made that installing redundant components will lead to a safer and more reliable
system, but more is not always best. Typically, more components lead to more complexity in the
system, leading to more problems.

Common cause failures are often triggered by temperature fluctuations, equipment vibration, radio
frequency interference or power surges. The greater the performance level required of a SIF, the more
aware you must be to common cause failures.

The ideal way to prevent common cause failures is to install redundant devices with diverse
technologies and physically separate the devices. For example, if you install a safety differential
pressure transmitter to monitor a level application, you should also consider installing a gauge pressure
mechanical switch in the event you lose power to the transmitter.

Recommended methods to reduce these failures are:

• use of redundant devices
• install devices with diagnostics
• choose diverse technologies
• physically separate devices

WHICH TECHNOLOGY TO CHOOSE


CERTIFIED vs. PROVEN-IN-USE
A common question asked by many owner/operators is whether they should use certified or proven-
in-use devices in their SISs. ANSI/ISA 84.00.01-2004 in no way mandates the use of certified
components in a SIS.

Some manufacturers provide “proven-in-use” or “SIL suitable” components that are not certified to IEC
61508. Manufacturers that supply proven-in-use components are required to provide quality programs,
demonstrate acceptable performance levels in similar environments and prove a volume of
experience.

The primary advantage of using certified devices is the ease of access to failure rate data (FITs)
collected by an independent third party. If considering a “proven-in-use” or “SIL suitable” device,
vendor’s field return data is often used to provide failure rate data, but this data does not accurately
represent total device failures and is not independently analyzed.

Data collected by a certified, independent third party allows owner/operators the ability to quickly
calculate required performance level (SIL) of their SIFs with reliable and tested data.

Owner/operators can elect to install non-certified components, referred to as “proven-in-use” or “SIL
suitable”, in their SISs. Failure rate data for such components is often available in facility maintenance
records, vendor field return data and third-party databases. Non-certified component failure rate data
is often inaccurate.

Manufacturers use field return data to calculate product failure rates, but this data is dependent on
customer returns. Further, facility maintenance records are not always up to date with device failure
information unless an automated Maintenance Software Management System is installed. Use caution
when considering devices that do not have independent third-party failure rate data.

TRANSMITTER vs. SWITCH


You should consider installing both transmitters and switches in SISs. Transmitters are usually the first
component considered in SISs due to the increased diagnostics, field indication, lower failure rates,
and improved accuracy and repeatability.

But thought should be given to including redundant and diverse technologies to avoid common cause
failures in a system. Transmitters require power to operate and only provide control through a PLC or
DCS.

What happens if you lose power? What happens if the PLC or DCS fail? What happens if the
transmitter electronics fails? In this case, a mechanical switch will continue to operate and protect in
the event a hazardous situation develops. By installing redundant devices, risk is reduced by avoiding
common cause failures.

NUISANCE TRIPS
Nuisance trips are referred to as safe failures in SISs. Mean time to failure (MTTFspurious) is the term
used in SIS calculations to determine when a device will suffer a safe failure.

Safe failures occur when a device fails in a way in which the owner/operator is aware of the failure,
typically an alarm or warning via the PLC or DCS. Safe failures are a nuisance to owner/operators and
have economic consequences of lost production and downtime.

After a shutdown, it is required that manual action be taken by the owner/operator to reset the system
– it is not allowed to be restarted automatically.

The best way to avoid these nuisance trips is through sensor channel voting in a PLC or DCS. Voting
logic compares device channels and determines the action required.

It is important to understand the difference between safe and fault-tolerant. 1oo1 is very safe but is
not fault-tolerant, meaning any measurement outside a sensor’s programmed range will cause a
shutdown.

2oo2 is very fault-tolerant but is not as safe as 1oo1 because it requires two channels to agree before
a shutdown occurs. 2oo3 is a suitable trade-off of both dual modes. 1oo2D is the preferred
configuration to reduce nuisance trips and improve safety.
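The safe-versus-fault-tolerant trade-off between 1oo1, 2oo2 and 2oo3 (and the common cause warning given earlier under COMMON CAUSE FAILURES) can be put in numbers. The following added example is written for this page and is not taken from any standard's worked example. It enumerates channel states for independent, identical channels to obtain each architecture's probability of failing on demand and of tripping spuriously, then applies the beta-factor common cause model to show why redundancy alone is not enough. The per-channel probabilities are constructed sample values; dangerous failure and spurious trip are treated as separate, independent events, and 1oo2D is left out because it needs a diagnostic coverage model.

```python
from itertools import product


def vote(channel_trips, k):
    """k-out-of-n vote over discrete channel states: True when at least k
    channels call for a trip."""
    return sum(1 for c in channel_trips if c) >= k


def _prob_of(states, p_one):
    """Probability of one particular pattern of independent channel states."""
    p = 1.0
    for s in states:
        p *= p_one if s else 1.0 - p_one
    return p


def architecture(k, n, p_du, p_spurious):
    """Return (pfd, p_spurious_trip) for a k-out-of-n group of independent
    channels. p_du is the per-channel probability of sitting in a dangerous
    (fail-to-trip) state when a demand arrives; p_spurious the per-channel
    probability of a spurious trip. Simplifying assumption of this example:
    the two events are separate and independent."""
    pfd = 0.0
    pst = 0.0
    for failed in product((False, True), repeat=n):
        # On a genuine demand every healthy channel trips and a failed one does not
        healthy_trips = [not f for f in failed]
        if not vote(healthy_trips, k):
            pfd += _prob_of(failed, p_du)
    for tripped in product((False, True), repeat=n):
        if vote(tripped, k):
            pst += _prob_of(tripped, p_spurious)
    return pfd, pst


def with_common_cause(k, n, p_du, beta):
    """Beta-factor common cause model (the form commonly used with IEC 61508):
    a fraction beta of each channel's dangerous failures is shared by every
    channel and defeats the voting outright; only the remaining (1 - beta)
    part is independent and benefits from redundancy."""
    independent_pfd, _ = architecture(k, n, (1.0 - beta) * p_du, 0.0)
    return independent_pfd + beta * p_du


ARCHITECTURES = {"1oo1": (1, 1), "1oo2": (1, 2), "2oo2": (2, 2), "2oo3": (2, 3)}


def compare(p_du, p_spurious):
    """Table of the architectures named in the text: name -> (pfd, p_spurious_trip)."""
    return {name: architecture(k, n, p_du, p_spurious) for name, (k, n) in ARCHITECTURES.items()}


if __name__ == "__main__":
    # Constructed per-channel figures: 1 % dangerous, 5 % spurious
    for name, (pfd, pst) in compare(0.01, 0.05).items():
        print(f"{name}: PFD = {pfd:.2e}   spurious trip = {pst:.2e}")
    for name, (k, n) in ARCHITECTURES.items():
        print(f"{name} with beta = 10 %: PFD = {with_common_cause(k, n, 0.01, 0.10):.2e}")
```

With these sample figures 2oo2 roughly doubles the PFD of a single channel while cutting spurious trips twenty-fold, 1oo2 does the reverse, and 2oo3 improves both at once. The beta-factor rows show the text's common cause point: at 10 % common cause the redundant groups' PFD is dominated by the shared term, so diverse technology and physical separation (which lower beta) buy more than a third identical channel.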

COMMUNICATION & DIAGNOSTICS


Component signals are commonly sent and received through a PLC or DCS. ANSI/ISA 84.00.01-2004
recommends that field devices be write-protected in the PLC or DCS to avoid the risk of making
changes to a device outside the Safety Requirement Specification.

Bi-lateral communication, such as HART or Foundation Fieldbus, is important in BPCS devices but is
not useful in SIS. In fact, increasing cyber security threats highlight the importance of requiring that
devices be write-protected, so that device safety variables cannot be manipulated during an attack.
When installing SIS sensors, bi-lateral communication is not necessary and only adds additional and
unnecessary cost.

Device diagnostics continue to improve and provide owner/operators the health status of devices in
their SISs. This information reduces the dangerous failure rates of the device by identifying when and
how a device fails. Owner/operators can then quickly replace the faulty device to ensure their process
is being properly protected.

The international standard IEC/EN 61508 has been widely accepted as the basis for the specification,
design and operation of safety instrumented systems (SIS).

As the basic standard, IEC/EN 61508 uses a formulation based on risk assessment: An assessment
of the risk is undertaken and on the basis of this the necessary Safety Integrity Level (SIL) is determined
for components and systems with safety functions.

SIL-evaluated components and systems are intended to reduce the risk associated with a device to a
justifiable level or “tolerable risk”.

Safety Instrumented System Module Failure


To categorise the safety integrity of a safety function the probability of failure is considered – in effect
the inverse of the SIL definition, looking at failure to perform rather than success.

It is easier to identify and quantify possible conditions and causes leading to failure of a safety function
than it is to guarantee the desired action of a safety function when called upon.

Two classes of SIL are identified, depending on the service provided by the safety function.

• For safety functions that are activated when required (on demand mode) the probability of failure
to perform correctly is given, whilst
• for safety functions that are in place continuously the probability of a dangerous failure is expressed
in terms of a given period of time (per hour) (continuous mode).

In summary, IEC/EN 61508 requires that safety functions be performed as specified in terms of a
safety integrity level.

The probabilities of failure associated with each safety integrity level are also considered, as shown
in the accompanying table.

The PFD value (Probability of Failure on Demand) is the probability of failure of a unit as a component
part of a complete safety system in the low demand mode.

The PFD value for the complete safety related function is derived from the values of individual
components. Sensor and actuator are fitted in the field, leading to exposed and physical stress factors
(process medium, pressure, temperature, vibration, etc.).

The risk of failure associated with these components is thus relatively high. 25 % of the entire PFD
budget should therefore be reserved for the sensor and 40 % for the actuator.

15 % remains for the fail-safe control, and 10 % for each of the interface modules (interface modules
and the control system have no contact with the process medium and are located in protected switch
rooms).
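The budget split given above (25 % sensor, 40 % actuator, 15 % fail-safe control, 10 % per interface module) is easy to apply once the target SIL fixes the total. The following added example, written for this page rather than taken from the source, allocates the maximum allowable loop PFDavg for a target SIL across the parts and checks each candidate component against its share and the loop as a whole against the SIL limit. It assumes two interface modules (one on the sensor side, one on the actuator side, so the shares sum to 100 %), IEC 61508's low-demand PFD limits, and that the loop PFD is the sum of its parts (the usual first-order combination for a series loop); the component PFD values are constructed samples.

```python
# Share of the loop PFD budget each part may consume, per the text above.
# Two interface modules are assumed so that the shares total 100 %.
PFD_BUDGET_SHARES = {
    "sensor": 0.25,
    "actuator": 0.40,
    "fail_safe_control": 0.15,
    "interface_module_input": 0.10,
    "interface_module_output": 0.10,
}

# Upper PFDavg limit of each low-demand SIL band (IEC 61508)
SIL_PFD_LIMIT = {1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4}


def allocate_budget(target_sil, shares=PFD_BUDGET_SHARES):
    """Split the maximum allowable loop PFDavg for target_sil among the parts."""
    if abs(sum(shares.values()) - 1.0) > 1e-9:
        raise ValueError("budget shares must sum to 100 %")
    total = SIL_PFD_LIMIT[target_sil]
    return {part: total * share for part, share in shares.items()}


def check_loop(target_sil, component_pfd, shares=PFD_BUDGET_SHARES):
    """Compare each component's claimed PFDavg with its allocation and the
    whole loop (sum of parts) with the SIL limit.
    Returns (loop_ok, parts_over_budget, loop_pfd); a missing part counts as
    over budget and fails the loop."""
    budget = allocate_budget(target_sil, shares)
    over = [p for p in budget if component_pfd.get(p, float("inf")) > budget[p]]
    loop_pfd = sum(component_pfd[p] for p in budget if p in component_pfd)
    all_present = set(budget) <= set(component_pfd)
    loop_ok = all_present and loop_pfd < SIL_PFD_LIMIT[target_sil]
    return loop_ok, over, loop_pfd


# Constructed candidate components for a SIL 2 loop (sample values, not vendor data)
EXAMPLE_COMPONENT_PFD = {
    "sensor": 2.0e-3,
    "actuator": 4.5e-3,               # exceeds its 4.0e-3 share
    "fail_safe_control": 5.0e-4,
    "interface_module_input": 4.0e-4,
    "interface_module_output": 4.0e-4,
}

if __name__ == "__main__":
    for part, limit in allocate_budget(2).items():
        print(f"SIL 2 allocation {part:24s} {limit:.2e}")
    ok, over, total = check_loop(2, EXAMPLE_COMPONENT_PFD)
    print(f"loop PFDavg = {total:.2e}  meets SIL 2: {ok}  over budget: {over}")
```

In the sample, the actuator overspends its 40 % share while the loop total still sits inside the SIL 2 limit because the other parts are well under theirs; the per-part check is what tells the engineer which element would have to improve (or be proof-tested more often) before the same loop could be pushed towards SIL 3.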

What is a Safety Instrumented Function?
A Safety Instrumented Function, or SIF, is one or more components designed to execute a specific
safety-related task in the event of a specific dangerous condition.

The over-temperature shutdown switch inside a clothes dryer or an electric water heater is a simple,
domestic example of an SIF, shutting off the source of energy to the appliance in the event of a
detected over-temperature condition.

Safety Instrumented Functions are alternatively referred to as Instrument Protective Functions, or
IPFs.

A Safety Instrumented System, or SIS, is a collection of SIFs designed to bring an industrial process to
a safe condition in the event of any dangerous detected conditions.

Also known as Emergency Shutdown (ESD) or Protective Instrument Systems (PIS), these systems
serve as an additional “layer” of protection against process equipment damage, adverse
environmental impact, and/or human injury beyond the protection normally offered by a properly
operating regulatory control system.

Like all automatic control systems, an SIS consists of three basic sections:

1. Sensor(s) to detect a dangerous condition,
2. Controller to decide when to shut down the process, and
3. Final control element(s) to actually perform the shutdown action necessary to bring the process to
a safe condition.

Sensors may consist of process switches and/or transmitters separate from the regulatory control
system.

The controller for an SIS is usually called a logic solver, and is also separate from the regular control
system.

Final control elements for an SIS may be special on/off valves (often called “chopper” valves) or
override solenoids used to force the normal control valve into a shutdown state.

Some industries, such as chemical processing and nuclear power, have extensively employed safety
instrumented systems for many decades.

Likewise, automatic shutdown controls have been standard on steam boilers and combustion furnaces
for years. The increasing capability of modern instrumentation, coupled with the realization of
enormous costs (both social and fiscal) resulting from industrial disasters has pushed safety
instrumentation to new levels of sophistication and new breadths of application. It is the purpose of
this section to explore some common safety instrumented system concepts as well as some specific
industrial applications.
One of the challenges inherent to safety instrumented system design is to balance the goal of maximum
safety against the goal of maximum economy. If an industrial manufacturing facility is equipped with
enough sensors and layered safety shutdown systems to virtually ensure no unsafe condition will ever
prevail, that same facility will be plagued by “false alarm” and “spurious trip” events (Note 1) where the
safety systems malfunction in a manner detrimental to the profitable operation of the facility. In other
words, a process system designed with an emphasis on automatic shut-down will probably shut down
more frequently than it actually needs to.

While the avoidance of unsafe process conditions is obviously a noble goal, it cannot come at the
expense of economically practical operation or else there will be no reason for the facility to exist at
all (Note 2).

A safety system must fulfill its intended protective function, but not at the expense of compromising
the intended purpose of the facility.

Note 1 : Many synonyms exist to describe the action of a safety system needlessly shutting down a
process. The term “nuisance trip” is often (aptly) used to describe such events. Another (more
charitable) label is “fail-to-safe,” meaning the failure brings the process to a safe condition, as opposed
to a dangerous condition.

Note 2: Of course, there do exist industrial facilities operating at a financial loss for the greater public
benefit (e.g. certain waste processing operations), but these are the exception rather than the rule. It
is obviously the point of a business to turn a profit, and so the vast majority of industries simply cannot
sustain a philosophy of safety at any cost. One could argue that a “paranoid” safety system even at a
waste processing plant is unsustainable, because too many “false trips” result in inefficient processing
of the waste, posing a greater public health threat the longer it remains unprocessed.

This tension is understood well within the electric power generation and distribution industries. Faults
in high-voltage electrical lines can be very dangerous, as well as destructive to electrical equipment.

For this reason, special protective devices are placed within power systems to monitor conditions and
halt the flow of electricity if those conditions become threatening.

However, the very presence of these devices means it is possible for power to accidentally shut off,
causing unnecessary power outages for customers. In the electrical industry, the word “dependability”
refers to the probability that the protective systems will cut power when required.

By contrast, the word “security” is used in the electrical industry to refer to the avoidance of
unnecessary outages. We will apply these terms to general process systems.

To illustrate the tension between dependability and security in a fluid process system, we may analyze
a double-block shutoff valve (Note 3) system for a petroleum pipeline:
Note 3: As drawn, these valves happen to be ball-design, the first actuated by an electric motor and
the second actuated by a pneumatic piston.

As is often the case with redundant instruments, an effort is made to diversify the technology applied
to the redundant elements in order to minimize the probability of common-cause failures.

If both block valves were electrically actuated, a failure of the electric power supply would disable both
valves. If both block valves were pneumatically actuated, a failure of the compressed air supply would
disable both valves.

The use of one electric valve and one pneumatic valve grants greater independence of operation to
the double-block valve system.

The safety function of these block valves is, of course, to shut off flow from the petroleum source to
the distribution pipeline in the event that the pipeline suffers a leak or rupture.

Having two block valves in “series” adds an additional layer of safety, in that only one of the block
valves need shut to fulfill the safety (dependability) function. Note the use of two different valve
actuator technologies: one electric (motor) and the other a piston (either pneumatic or hydraulically
actuated).

This diversity of actuator technologies helps avoid common-cause failures, helping to ensure both
valves will not simultaneously fail due to a single cause.

However, the typical operation of the pipeline demands both block valves be open in order for
petroleum to flow through it. The presence of redundant (dual) block valves, while increasing safety,
decreases security for the pipeline.

If either of the two block valves happened to fail shut when there was no need to shut off the pipeline,
flow through the pipeline would needlessly halt.

Having two series-plumbed block valves instead of one block valve increases the probability of
unnecessary pipeline shutdowns.

A precise notation useful for specifying dependability and security in redundant systems compares the
number of redundant elements necessary to achieve the desired result to the total number of
redundant elements.

If the desired result for our double-block valve array is to shut down the pipeline in the event of a
detected leak or rupture, we would say the system is one out of two (1oo2) redundant for dependability.

In other words, only one out of the two redundant valves needs to function properly (shut off) in order
to bring the pipeline to a safe condition. If the desired result is to allow flow through the pipeline when
the pipeline is leak-free, we would say the system is two out of two (2oo2) redundant for security.

This means both of the two block valves need to function properly (open up) in order to allow petroleum
to flow through the pipeline.

This numerical notation showing the number of essential elements versus number of total elements is
often referred to as MooN (“M out of N”) notation, or sometimes as NooM (“N out of M”) notation (Note
4). When discussing safety instrumented systems, the ISA standard 84 defines redundancy in terms
of the number of agreeing channels necessary to perform the safety (shutdown) function – in other
words, the ISA’s usage of “MooN” notation implies dependability, rather than security.

Note 4: For what it’s worth, the ISA safety standard 84 defines this notation as “MooN,” but I have
seen sufficient examples of the contrary (“NooM”) to question the authority of either label.

A complementary method of quantifying dependability and security for redundant systems is to label
in terms of how many element failures the system may sustain while still achieving the desired result.

For this series set of double block valves, the safety (shutdown) function has a fault tolerance of one
(1), since one of the valves may fail to shut when called upon but the other valve remains sufficient in
itself to shut off the flow of petroleum to the pipeline.

The normal operation of the system, however, has a fault tolerance of zero (0). Both block valves must
open up when called upon in order to establish flow through the pipeline.

It should be clearly evident that a series set of block valves emphasizes dependability (the ability to
shut off flow through the pipeline when needed) at the expense of security (the ability to allow normal
flow through the pipeline when there is no leak).

We may now analyze a parallel block valve scheme to compare its redundant characteristics:

In this system, the safety (dependability) redundancy function is 2oo2, since both block valves would
have to shut off in order to bring the pipeline to a safe condition in the event of a detected pipeline
leak.

However, security would be 1oo2, since only one of the two valves would have to open up in order to
establish flow through the pipeline.

Thus, a parallel block valve array emphasizes production (the ability to allow flow through the pipeline)
over safety (the ability to shut off flow through the pipeline).

Another way to express the redundant behavior of the parallel block valve array is to say that the safety
function has a fault tolerance of zero (0), while the production function has a fault tolerance of one (1).

One way to avoid compromises between dependability and security is to increase the number of
redundant components, forming arrays of greater complexity.

Consider this quadruple block valve array, designed to serve the same function on a petroleum
pipeline:

In order to fulfill its safety function of shutting off the flow of petroleum to the pipeline, both parallel
pipe “branches” must be shut off.

At first, this might seem to indicate a two-out-of-four (2oo4) dependability, because all we would need
is for one valve in each branch (two valves total) out of the four valves to shut off in order to shut off
flow to the pipeline.

We must remember, however, that we do not have the luxury of assuming idealized faults. If only two
of the four valves function properly in shutting off, they just might happen to be two valves in the same
branch, in which case two valves properly functioning is not enough to guarantee a safe pipeline
condition.

Thus, this redundant system actually exhibits three-out-of-four (3oo4) dependability (i.e. it has a safety
fault tolerance of one), because we need three out of the four block valves to properly shut off in order
to guarantee a safe pipeline condition.

Analyzing this quadruple block valve array for security, we see that three out of the four valves need
to function properly (open up) in order to guarantee flow to the pipeline.

Once again, it may appear at first as though all we need are two of the four valves to open up in order
to establish flow to the pipeline, but this will not be enough if those two valves happen to be in different
parallel branches.

So, this system exhibits three-out-of-four (3oo4) security (i.e. it has a production fault tolerance of
one).

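The series, parallel and quadruple block valve analyses above can be checked mechanically by enumerating every combination of failed valves, which is what the following added example does (it is not part of the original text). The three valve arrays and the valve names are constructed to match the diagrams described; a "failed" valve is assumed to be stuck open when evaluating the safety function and stuck shut when evaluating the production function.

```python
from itertools import combinations

# Constructed valve arrays matching the three diagrams discussed in the text.
# A node is either a valve name (str) or ("series" | "parallel", [children]).
SERIES_PAIR = ("series", ["V1", "V2"])
PARALLEL_PAIR = ("parallel", ["V1", "V2"])
QUAD_ARRAY = ("parallel", [("series", ["A1", "A2"]), ("series", ["B1", "B2"])])


def valves(node):
    """Return every valve name contained in an array."""
    if isinstance(node, str):
        return [node]
    return [v for child in node[1] for v in valves(child)]


def flows(node, open_valves):
    """True if petroleum can pass from source to pipeline given the set of open valves."""
    if isinstance(node, str):
        return node in open_valves
    kind, children = node
    results = [flows(child, open_valves) for child in children]
    return all(results) if kind == "series" else any(results)


def fault_tolerance(node, function):
    """Largest k such that ANY k failed valves still leave the desired result achieved.

    function == "safety":     desired result is no flow; a failed valve is stuck open.
    function == "production": desired result is flow; a failed valve is stuck shut.
    We do not assume idealized faults: every k-subset of valves must be survivable.
    """
    names = valves(node)
    for k in range(len(names) + 1):
        for failed in combinations(names, k):
            if function == "safety":
                achieved = not flows(node, set(failed))
            else:
                achieved = flows(node, set(names) - set(failed))
            if not achieved:
                return k - 1  # the previous k was the last fully tolerated one
    return len(names)


def moon(node, function):
    """MooN rating (ISA-84 sense): M functioning valves out of N guarantee the result."""
    n = len(valves(node))
    return f"{n - fault_tolerance(node, function)}oo{n}"


if __name__ == "__main__":
    for name, array in [("series", SERIES_PAIR), ("parallel", PARALLEL_PAIR), ("quad", QUAD_ARRAY)]:
        print(name, "safety:", moon(array, "safety"), "production:", moon(array, "production"))
```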
The Emergency Shutdown (ESD) System is designed to protect the personnel, plant, equipment
and the environment against pollution.

The purpose of the ESD system is to monitor process safety parameters and activate or shut down the
process system and/or the utilities if these parameters deviate from normal conditions.

Shutdown Philosophy

This is the most important document associated with the Combined Safety System in that it lays
down the philosophy applicable to it. In this document are listed the hierarchical shutdowns.

One must not lose sight of the fact that although the system has the ability to implement very critical
shutdown features it also implements less critical unit and process shutdowns.

For instance, on offshore platforms the usual stages of shutdown are as follows:

UNIT SHUTDOWN
This, the lowest level of shutdown, causes the individual units to stop.

PROCESS TRAIN SHUTDOWN

An individual Process Train will shut down on occurrence of any applicable trip.

PROCESS SHUTDOWN
When a process shutdown occurs, the complete process stops but utilities remain running; in
effect it is a process ‘stop’ with NO BLOWDOWN, in order to facilitate an easier startup once the
problem has been rectified.

EMERGENCY SHUTDOWN
This action generally results from fire or gas being sensed on the platform. Obviously a fire in the
galley or in a room in the accommodation does not cause an ESD, but more serious events in the
process, wellhead or other critical areas will result in an ESD.

An ESD is actually a Process Shutdown with Blowdown and isolation of the platform trunkline. The
blowdown results in flaring of the gas component of the platform inventory whilst the liquid
component is maintained within the various process vessels. When coincident fire detection in the
process or wellhead areas occurs, one of the two strategically placed fire pumps starts and deluge
occurs automatically.

On some platforms main power is shut down and the emergency generator starts when an ESD
occurs, whilst on others main power is maintained by the generators switching to diesel, except when
there is fire in a critical area such as the wellheads.

This approach is advocated in that maintaining lighting ensures that at night the firefighting crew can
see what they are doing.

TOTAL PLATFORM SHUTDOWN

This shutdown will hopefully never require operation during the life of the platform, since it usually is
the result of abandonment.

There are generally only two or three TPSD pushbuttons which are under the control of the Platform
Operations Manager.

The result of this action is total blackout of the platform including isolation of batteries except for
some navaids which continue to run.

The intent of this shutdown is to maintain some battery power for when the ‘black start team’ reboard
the platform.
