Future trends in Safety Instrumented Systems

Co-written by Dr. Bert Knegtering (Honeywell Safety Management Systems) and Jan Wiegerinck (Shell Global Solutions), 7 May 2003

The process industry has always been faced with the difficult task of determining the required integrity of safeguarding systems. In spite of the application of a wide variety of safeguarding measures, many accidents in the process industries still happen. Experience gained from these accidents has led to the application of a variety of technical and non-technical layers of protection, such as Safety Instrumented Systems (SIS). The central role of the safety PLC forces companies to decide on the logic solver integrity class (e.g. SIL 3), taking into account both the current risk levels to be reduced by the SIS and future higher risk levels. This article describes the future expectations with regard to the requirements and application of dedicated safety PLCs. It addresses issues such as the (un)acceptability of using a SIL 2 rated logic solver instead of SIL 3, and the (un)acceptability of using a single system for both control and process safeguarding functions.

This document is available on

Current developments of SIS standards

Safety Instrumented Functions

Standards like IEC 61508, IEC 61511, and ANSI/ISA S84.01 concentrate on the functional safety of the SIS. All combined instrumentation, devices, and equipment that are required to fulfill an intended safeguarding function are considered to be part of the SIS. As the collection of safety instrumentation normally includes more than one safeguarding function (e.g. protection against overpressure, temperature protection, back-flow protection, etc.), the SIS could be defined as the collection of all safety-related sensing elements, logic solvers and actuators. On the other hand, the SIS could be considered separately for each safeguarding function, and would then comprise only the devices that protect the Equipment Under Control (EUC) against one single hazardous situation. Consequently, the process installation would comprise a number of safety instrumented systems. As particular devices such as safety-related PLCs and shut-off valves normally deal with more than one Safety Instrumented Function (SIF), this article uses the first definition: the SIS comprises all safety-related devices of the process installation. Figure 1 illustrates this definition of a SIS and the SIFs it executes, specifically a SIF that protects the process temperature and causes a shut-off valve to close in case of an out-of-control process temperature. Other SIFs performed by this example SIS are level protection and back-flow protection.
Figure 1 Safety Instrumented System with multiple SIFs (diagram not reproduced; elements shown: two temperature transmitters, solenoid and shut-off valve, level switch, logic solver, flow transmitter and globe valve)


Distribution of the SIL requirements

Based on the hazard and risk assessment, the safety requirements are defined and rated according to the SIL needed for each function to be realized by the safeguarding instrumentation. Figure 2 shows an actual SIL requirements distribution based on 392 analyzed SIFs from 16 different sites of various companies, which can be considered reasonably representative for the process industry.
Figure 2 SIL requirements distribution based on 392 analyzed SIFs (bar chart not reproduced; vertical axis 0% to 30%, one bar each for SIL 1, SIL 2, SIL 3 and SIL 4).

It can be seen that 18% of all SIFs are required to meet SIL 3 or higher. Based on an average of 50 SIFs per safety PLC, approximately 9 SIFs per PLC will have to meet SIL 3 or higher, and the probability that such a safety PLC does not contain any SIL 3 rated SIF is negligible. Therefore the need for SIL 3 rated safety PLCs as logic solvers is high and will form the majority of market demand.

Layers of Protection

Figure 3 shows the concept of layers of protection and the composition of the different types of SIS as defined in part 1 of IEC 61511. A distinction exists between the Basic Process Control System (BPCS) and the SIS as part of the Prevention and Mitigation layers. The primary objective of a BPCS is to optimize process conditions to maximize production capacity and quality. SISs are primarily applied to prevent hazardous events from occurring (Prevention layer) and to mitigate the consequences of a hazardous event (Mitigation layer). The motivation for this distinction is that a BPCS does not necessarily contribute to the risk reduction and sometimes might even pose a potential risk itself.



Figure 3 IEC 61511 - Independent Layers Of Protection (the onion model). Diagram not reproduced; the layers as labelled in the figure, from the outside in:
Mitigation layer: Mechanical Mitigation Systems, Safety Instrumented Control Systems, Safety Instrumented Mitigation Systems.
Prevention layer: Mechanical Protection System, Process Alarms, Operator Supervision, Safety Instrumented Control Systems, Safety Instrumented Prevention Systems.
Inner layers: Basic Process Control Systems, Monitoring Systems (process alarms), Operator Supervision, Process Design.

The importance of the principle of having independent layers of protection is emphasized by the requirements specified by the latest standards on SISs. IEC 61508 part 1 clearly requires that the EUC control system shall be separate and independent from the E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities.

Technical evaluation of SIL requirements on safety PLCs

The role of the safety PLC as central unit

Figure 4 shows a typical application of a safety PLC performing a large number of functions, with a combination of safety functions of different SILs. Although most functions only require SIL 1 or SIL 2, the remaining functions that require SIL 3 result in the application of a SIL 3 certified common central part of the logic solver. For this reason most end-users have specified the SIL 3 requirement for the safety PLC in their technical specifications.

Figure 4 A SIL 3 certified safety PLC as central unit (diagram not reproduced: safety sensors and safety actuators rated SIL 1, SIL 2 and SIL 3 are all connected to one SIL 3 safety PLC).

Increasing SIL requirements on the safety PLC

Accumulated risks

The safety PLC as central logic solver normally handles a large number of SIFs, so the SIFs that reduce the risks of out-of-control process parameters share common elements. Because state-of-the-art risk analysis techniques do not consider the probability and degree of overlapping risks in detail, it is not always clear which elements should comply with a higher SIL and which should not. Experts responsible for the hazard and risk analysis therefore often decide to increase the safety integrity requirements of the central safety PLC unit. For instance, assume a number of SIFs, each protecting against an individual hazardous situation or event. Each SIF has its own remaining (residual) risk that has been made acceptable (tolerable) by ensuring that the target SIL is achieved. For the complete unit or plant, these residual risks should be added together to arrive at the total remaining risk associated with the hazardous events that the SIFs protect against. This total remaining risk is still slightly high. An efficient way to improve the overall remaining risk is to improve the parts that are common to many SIFs. These are often final elements that are operated by a number of SIFs (e.g. closing the fuel gas to a furnace), and in almost all SIFs it is the logic solver. Hence a SIL 3 logic solver is commonly selected, even if there are only a number of SIL 1 and SIL 2 functions. Because there are usually relatively few SIL 3 functions, the logic solver is normally not required to meet SIL 4 requirements.

Reducing spurious process trips

Increased safety requirements on a system can also have a positive effect on the availability of that system. To comply with higher safety requirements in combination with hardware fault tolerance, a higher safe failure fraction is necessary, which in programmable systems is achieved through self-diagnostics. In combination with redundancy, the results of the diagnostics can also be used to increase the availability. In addition to the accumulated risks, the shared probability of undesired spurious process trips due to safe failures of the PLC system is a common argument to increase the reliability of the system by increasing its Diagnostic Coverage (DC). Obviously, any tangible safety system will always have a probability of physical failure. However, a failure that is observed by the internal system diagnostics does not necessarily have to result in a process trip at that moment: a detected failure can be isolated and repaired within a predefined acceptable timeframe. It is clear that the DC factor largely determines the added value to asset management and process uptime. This argument also drives companies to apply a SIL 3 safety PLC instead of a SIL 2 system with a lower DC.

Considerations on various BPCS and SIS configurations

Increasing automation in the process industry is leading companies to ask for the integration of various functionalities into one system. Advantages include easier-to-use systems, integrated exchange of information between the basic control part and the safety part, and a cheaper solution due to the application of a single system. The next paragraphs describe the implications of three basic configurations of the process control and process safeguarding functionalities for the ability to achieve SIL requirements.
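Before the configurations are compared, the two arguments of the preceding sections (accumulated residual risk across the SIFs sharing one logic solver, and diagnostic coverage as the lever for both safe failure fraction and spurious trips) are tied together in the following worked example. It is an added example, not code from the article or its authors. It assumes the IEC 61508 low-demand PFDavg bands, the IEC 61508-2 type B architectural constraint table, a textbook single-channel PFDavg approximation, and a constructed set of failure rates, SIFs, demand rates and target SILs; the SIF names and numbers are illustrative only.

```python
"""Added worked example, not code from the original article or its authors.
It ties together the accumulated-risk argument and the diagnostic coverage
argument: the DC of the shared logic solver sets its PFD and SFF, which in turn
set the SIL each SIF can claim and the total residual hazard rate of the plant.
All failure rates, SIFs, demand rates and target SILs below are constructed."""


def sil_from_pfd(pfd):
    """SIL band for a low-demand PFDavg (IEC 61508-1):
    SIL n covers 10^-(n+1) <= PFD < 10^-n; 0 means worse than SIL 1."""
    if pfd >= 1e-1:
        return 0
    for sil in (1, 2, 3, 4):
        if pfd >= 10.0 ** -(sil + 1):
            return sil
    return 4  # below 1e-5 no higher band exists, so report SIL 4


def prob_no_sil3_sif(n_sifs=50, p_sil3=0.18):
    """Figure 2 argument: probability that none of n SIFs on one PLC needs
    SIL 3 or higher, treating each SIF as an independent draw."""
    return (1.0 - p_sil3) ** n_sifs


def dangerous_split(lambda_d, dc):
    """Diagnostic coverage DC = lambda_DD / lambda_D: split a dangerous
    failure rate into detected (DD) and undetected (DU) parts."""
    return lambda_d * dc, lambda_d * (1.0 - dc)


def safe_failure_fraction(lambda_s, lambda_d, dc):
    """SFF = (lambda_S + lambda_DD) / (lambda_S + lambda_D), IEC 61508-2."""
    lambda_dd, _ = dangerous_split(lambda_d, dc)
    return (lambda_s + lambda_dd) / (lambda_s + lambda_d)


# IEC 61508-2 (2000) table 3: highest SIL claimable for a type B subsystem
# (complex devices such as a PLC) per SFF band (upper bound, exclusive) and
# hardware fault tolerance (HFT) 0, 1 and 2.  0 = not allowed for any SIL.
TYPE_B_MAX_SIL = ((0.60, (0, 1, 2)), (0.90, (1, 2, 3)),
                  (0.99, (2, 3, 4)), (1.01, (3, 4, 4)))


def max_sil_type_b(sff, hft):
    for upper, sils in TYPE_B_MAX_SIL:
        if sff < upper:
            return sils[hft]
    raise ValueError("SFF must lie between 0 and 1")


def pfd_1oo1(lambda_d, dc, proof_test_h, mttr_h):
    """Single-channel PFDavg.  Undetected dangerous failures wait on average
    half a proof-test interval; detected ones only for the repair time, which
    is why a high DC lowers PFD without every failure having to trip the process."""
    lambda_dd, lambda_du = dangerous_split(lambda_d, dc)
    return lambda_du * proof_test_h / 2.0 + lambda_dd * mttr_h


def achieved_sil(pfd, sff, hft):
    """A subsystem may claim the lower of its PFD band and the architectural
    constraint; the PFD used here stays single-channel even when hft > 0."""
    return min(sil_from_pfd(pfd), max_sil_type_b(sff, hft))


# Constructed SIFs that share one logic solver: per-element PFDavg, demand
# rate in demands per year and the target SIL from a (constructed) risk analysis.
SIFS = (
    {"name": "high pressure trip", "demand": 0.5, "sensor": 1e-3, "actuator": 2e-3, "target": 2},
    {"name": "high temperature trip", "demand": 0.2, "sensor": 1e-3, "actuator": 2e-3, "target": 2},
    {"name": "low level trip", "demand": 0.1, "sensor": 5e-3, "actuator": 1e-2, "target": 1},
    {"name": "fuel gas shut-off", "demand": 0.05, "sensor": 2e-4, "actuator": 3e-4, "target": 3},
)


def sif_pfd(sif, logic_pfd):
    """Series model: the SIF fails on demand if any of its elements does."""
    return sif["sensor"] + logic_pfd + sif["actuator"]


def unmet_targets(sifs, logic_pfd):
    """Names of the SIFs whose achieved SIL falls below their target SIL."""
    return [s["name"] for s in sifs
            if sil_from_pfd(sif_pfd(s, logic_pfd)) < s["target"]]


def total_hazard_rate(sifs, logic_pfd):
    """Accumulated residual risk: sum over SIFs of demand rate x PFD, in
    hazardous events per year; the logic solver term appears in every SIF."""
    return sum(s["demand"] * sif_pfd(s, logic_pfd) for s in sifs)


if __name__ == "__main__":
    LAMBDA_S, LAMBDA_D = 1e-6, 1e-6   # per hour, constructed logic solver rates
    for dc in (0.60, 0.99):
        pfd = pfd_1oo1(LAMBDA_D, dc, proof_test_h=8760, mttr_h=8)
        sff = safe_failure_fraction(LAMBDA_S, LAMBDA_D, dc)
        print(f"DC {dc:.2f}: logic PFD {pfd:.2e}, SFF {sff:.3f}, "
              f"SIL at HFT 0/1: {achieved_sil(pfd, sff, 0)}/{achieved_sil(pfd, sff, 1)}, "
              f"unmet targets {unmet_targets(SIFS, pfd)}, "
              f"total hazard rate {total_hazard_rate(SIFS, pfd):.2e}/yr")
    print(f"P(no SIL 3 SIF on a 50-SIF PLC) = {prob_no_sil3_sif():.1e}")
```

With the constructed rates, a logic solver at 60% DC lands in the SIL 2 PFD band but its SFF of 0.80 caps it at SIL 1 with no hardware fault tolerance, and the constructed fuel gas SIF misses its SIL 3 target; at 99% DC the same hardware reaches SIL 3 at HFT 0, every SIF meets its target, and the summed hazard rate of the plant drops by roughly a quarter, because the logic solver term is the one shared by all four SIFs.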


Configuration 1

The traditional solution applied in the process industry for the configuration of safety and control systems is a fully separate control system (BPCS) and safety system (SIS), with no shared devices (Figure 5).

Figure 5. Full separation between the control system and the safety system (diagram not reproduced: a control system and a safety system, each with its own field devices).

Although questions often arise as to whether it would be appropriate and acceptable to share the information of the devices, to make use of single field instruments, or even to use a single control and safety system, this is not done and the configuration of Figure 5 normally prevails. Not surprisingly, it is this design that is fully supported by the onion model and required by most SIS-related standards.

Configuration 2

Figure 6 illustrates the implementation of both control and safety functions in one single controller. As soon as a SIL 3 requirement applies to the safety functions, the complete control system has to comply with these SIL 3 requirements, including its maintenance and operating procedures. Its essential weakness is that both functionalities will fail in case of a central system failure: the control and safeguarding layers are not independent. In that case IEC 61511 requires that it is demonstrated that the overall resulting hazard rate is still acceptable, or at least tolerable.
Figure 6. Control functions and safety functions fully integrated into one system (diagram not reproduced: one safety and control system hosting both the safety functions and the control functions).

Since many SIFs also protect against failure of the control system (including its sensors and final elements), complete independence often has to be applied to achieve an acceptable hazard rate. Not surprisingly, the onion concept enforces this principle. The use of a single logic system for both safeguarding and control functions will only be acceptable in very specific situations where the demand rate on the safety functions is independent of failure of the control logic. Standards on SISs largely exclude the option to apply this concept. For the sake of clarity, one of the current maintenance activities on IEC 61508 is to sharpen this requirement.
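The hazard rate argument against Configuration 2 can be made quantitative with a small low-demand model. The following is an added example, not code from the article, its authors or any standard: it assumes that a fixed fraction of control failures originates in the part of the controller that the safety function would share, so that such a failure creates the demand and disables the protection at the same time. All rates are constructed.

```python
"""Added example, not from the original article: hazard rate of a separate
BPCS/SIS pair versus a single shared controller.  Simplified low-demand
model with constructed rates, not an IEC 61511 calculation procedure."""


def hazard_rate_separate(demand_rate, pfd_sis):
    """Configuration 1: control failures create demands at demand_rate
    (per year); the hazard occurs only when the independent SIS is also
    unavailable, i.e. with probability pfd_sis."""
    return demand_rate * pfd_sis


def hazard_rate_shared(demand_rate, shared_fraction, pfd_sis):
    """Configuration 2: the fraction of control failures that originates in
    the shared central part both creates the demand and disables the safety
    function, so it passes straight through to the hazard rate; only the
    remaining demands are still caught by the safety function."""
    common = demand_rate * shared_fraction
    return (demand_rate - common) * pfd_sis + common


def required_pfd_for_target(demand_rate, shared_fraction, target_rate):
    """PFD the safety function would need so that the shared configuration
    still meets target_rate (hazards per year).  Returns None when the
    pass-through term alone already exceeds the target: no SIL can fix it."""
    common = demand_rate * shared_fraction
    if common >= target_rate:
        return None
    return (target_rate - common) / (demand_rate - common)


if __name__ == "__main__":
    DEMAND, SHARED, PFD, TARGET = 0.5, 0.2, 1e-3, 1e-3   # constructed values
    print(f"separate: {hazard_rate_separate(DEMAND, PFD):.2e} hazards/yr")
    print(f"shared:   {hazard_rate_shared(DEMAND, SHARED, PFD):.2e} hazards/yr")
    print(f"PFD needed for target with sharing: "
          f"{required_pfd_for_target(DEMAND, SHARED, TARGET)}")
    print(f"PFD needed for target without sharing: "
          f"{required_pfd_for_target(DEMAND, 0.0, TARGET):.1e}")
```

With the constructed values the shared controller's hazard rate is dominated by the pass-through term (about 0.1 per year against 5e-4 per year for the separate pair), and no PFD of the safety function can bring it back under the target; only when the shared fraction is zero, that is when the demand rate is independent of the control logic, does the model collapse to the separate case, which is exactly the situation the text names as the one where a single system could be acceptable.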

Market perception
Growing complexity

The following trends are currently observed in the process industry:
- increasingly complex industrial processes
- greater need for production capacity and flexibility
- increasing numbers of people and organizations
- higher circulation of employers and employees
- greater use of information and communication
- high cost of an unwanted spurious process trip
- significant consequences if the process gets out of control.
These trends mean that the requirements on the applied SIS are not expected to become less demanding, but will mostly result in a predefined high SIL requirement. Companies that tend to apply a SIL 2 rated system will have to be fully aware of the consequences and probabilities in case something goes wrong, and will have to be absolutely certain that the above-mentioned aspects are fully evaluated before a lower SIL rated safety system is selected.

Increasing safety awareness and requirements on environmental protection

Due to a changing perception of society towards the safety of people and the protection of the environment, attention is focusing on protective and preventive measures. One characteristic is the application of state-of-the-art safety instrumentation. For the railroad industries SIL 4 is generally required, whereas for the process industries it is SIL 3. In the machinery industry, the majority of protective instrumentation is rated at SIL 2. As society is increasingly unprepared to accept risks, the trend is towards SIL 3 rated safety PLCs. Where a lower SIL might be considered acceptable, the preference will be to continue to apply SIL 3 systems because of the priority given to preventing hazardous situations from occurring rather than mitigating the events by other risk reduction measures. It is also for this reason that safety PLCs will play a more important role.


Although more reliable process control systems are expected to enter the market, a clear need for dedicated safety PLCs will remain. The adoption of the onion model emphasizes the importance of differentiating between process control systems and the dedicated SIS. State-of-the-art technology will set the trend towards a continued application of best-in-class safety PLCs. As the safety of people and the protection of the environment become more important, companies will stay away from accepting less safe, less reliable or lower integrity protection systems. The majority of today's corporate standards and technical requirement specifications on SISs demand a SIL 3 certified safety PLC, often combined with requirements for independent safety certification. The fact that a significant number of SIL 3 functions have to be fulfilled by the PLC, in combination with the anticipated probability that SIL 3 functions might be required in future, prompts the industry to set this system requirement. It is therefore concluded that the market demand for dedicated SIL 1 or SIL 2 certified safety PLCs is expected to be small compared to the market for SIL 3 certified safety systems.
