Safety Instrumented System (SIS) — A control system composed of sensors, logic solvers, and final
control elements designed to take a process to a safe state when predetermined conditions are violated.
Other terms commonly used include Emergency Shutdown System (ESD, ESS), Safety Shutdown
System (SSD), and Safety Interlock System.
[Figure: Alarm condition. The process value is plotted against time; the high alarm level and the low level are marked, with the point at which the operator takes action.]
Degree of flexibility
  Control system: high flexibility needed to develop and maintain (complex) control and automation applications.
  Safety system: fixed functionality, carefully minimized during design.

  Control system: no guarantee on the state of outputs during failure of the control system; most likely the outputs are on hold.
  Safety system: predictable state of outputs on any revealed single functional failure in the system.

  Control system: allows for a wide variety of on-line repairs / modifications.
  Safety system: limited possibilities to repair the hardware while the plant is running.

Test strategy
  Control system: no need to test the control system regularly, except for some back-up / redundant parts.
  Safety system: explicit procedure and strategy to test for undetected failures of instrumented protective functions; automatic testing.
Safety Life Cycle — A sequential process used to evaluate the risks associated with a process,
determine the target risk reduction, define SIS design, commissioning, operation and maintenance.
Standards
The two most important standards for functional safety are IEC 61508 and IEC 61511. The
first one is mostly used to design and manufacture safety systems such as PLCs and safety instruments.
IEC 61511 is normally used during the design, startup and operation of a complete plant.
The standards specify all kinds of requirements for the complete life cycle of the plant, from cradle to
grave. They start with the hazard analysis, risk analysis and definition of safety functions, then the
design and testing of the safety system, requirements for operation and maintenance, and finally they
describe how to demolish the (part of the) plant.
The standards also contain requirements on the management of functional safety, on verification,
validation and assessments.
The standards focus on the management of all activities that are needed to specify, design and
maintain a process that has an acceptably low risk for people, environment and assets. Therefore
they define a safety life cycle model. In this life cycle all activities that must be performed are
described. In the figure below the Safety Life Cycle is shown.
[Figure: Safety Life Cycle. Phases shown: Allocation of safety functions to protection layers; Safety (label truncated); Design and engineering of the SIS; Installation, commissioning and validation; Operation and maintenance; Modification; Decommissioning.]
Acceptable Risk — Level of risk considered to be low enough for the process in question. This level
may be set by the company, regulatory agencies, insurance companies, or any combination thereof.
Safety Integrity Level (SIL) — One of four distinct levels of a safety function related to the overall
safety integrity. The higher the SIL requirement for protection, the higher the risk reduction is, and the
lower the PFD.
In the beginning of the life cycle, a close look at the true process characteristics is performed. This is
called the hazard analysis. The (preliminary) process design is evaluated and all possible risks are
identified.
Evaluating the inherent dangers associated with a particular process is the responsibility of the
manufacturer/end user. This hazard analysis is mandated by various agencies, such as the
Occupational Safety and Health Administration (OSHA), the National Fire Protection Agency
(NFPA), the Environmental Protection Agency (EPA), and industrial insurance companies. This is the
first in a series of steps known as the Safety Life Cycle.
The second step is to quantify the risks and to determine the needed risk reduction. There are several
methods to do so. As an example the method using a risk matrix is given below.
Up to this point, all physical efforts to reduce the process risks should have been considered. These efforts
include process design modifications, redundant process equipment, or the installation of safety
devices such as relief valves. The SIS is then responsible for reducing the remaining process risk to
the acceptable level.
Frequency of occurrence (only the first row survived extraction):
LEVEL | DESCRIPTIVE WORD | FREQUENCY OF OCCURRENCE
1 | Improbable | So unlikely it can be assumed to never occur (once per 100 years)

Consequence severity (only the highest row survived extraction):
LEVEL | DESCRIPTIVE WORD | CONSEQUENCE
5 | Catastrophic | Death; detrimental offsite release; loss > $1.5M
Finally, the target integrity level of each SIF is defined as the Safety Integrity Level (SIL). The range
is 1 (minimum) to 4 (high). The target SIL is determined by the matrix below. See Table 2-3. When
the expected frequency of the hazard increases, the target SIL will increase. Similarly, as the
consequence increases, the target SIL increases as well.
The target SILs for each safety function, together with all other safety requirements are documented
in the so-called Safety Requirement Specification (SRS).
The complete Safety Requirement Specification (SRS) is normally composed of several documents
like:
o SIL classification report from the HAZOP, describing all SIFs and their target SIL.
o C&E diagrams or Logic diagrams, describing the functionality of the SIS.
o I/O lists defining all inputs and outputs to/from the SIS.
o Safety narratives, safety philosophy, MOS requirements, etc.
Process Safety Time — The maximum period of time in which the process will move from a safe
operating condition to a dangerous condition. This is a characteristic of the process.
Hardware failures are caused by malfunctioning of a hardware component. They are repaired by
replacing the faulty module. Hardware failures are often caused by a stressor.
Industrial stresses originate in many different areas. These stresses all have the potential to cause SIS
failure. Examples of stresses are listed below.
o Heat - specifically, high temperature in the proximity of the SIS can accelerate electronic
component failure rates. Typically, the failure rate doubles for every 18 deg F rise in
temperature.
o Chemical Corrosion - chemical fumes associated with the process can dramatically increase
electronic component failure rates.
o Vibration - mechanical shock or vibration can loosen SIS modules from their mounting,
thereby preventing the module from performing its function properly.
o Electro-static Discharge (ESD) - static electricity voltages, which can be as high as several
thousand volts, can easily damage components designed to operate at voltage levels as low as
3.3 volts.
o Operational and Maintenance Errors - the human error factor. Examples include placing the
incorrect module in a slot within the system or applying an improper voltage level to an I/O
module.
Methods to minimize the number of systematic failures are: design reviews, testing, education of
engineers, and functional safety management.
Safety integrity: the chance that the safety system will act when it is necessary.
Safety integrity is specified as a SIL.
Availability: whether the system is available to do its job. Availability is calculated from the False Trip
Rate or Mean Time Between Failure. When the repair time (Mean Time To Repair) is known, the
availability can be calculated as a percentage.
Diverse Redundancy — The use of different technology or design of components to reduce the
likelihood of a common cause failure. An example would be using two different methods of
measuring the same process value and comparing the results.
Voting System — The property of a redundant system which requires x out of y channels to be in
agreement prior to the SIS taking action. When the validity of the input signals is verified and the
operation of the output circuitry is supervised, the system is referred to as having diagnostic capability.
Fault Detection — The ability of a system to detect (internal) faults and to execute a safety action to
protect the process. Factors influencing fault detection include hardware diagnostics, software routines,
etc.
Fault Tolerance — The built-in ability of a system to provide continued correct execution of its
assigned function in the presence of a limited number of hardware and software faults.
The use of redundancy and voting is most common in SIS applications. A voting system accomplishes
a much higher overall system integrity or system availability.
The ProSafe-RS is designed with an internal architecture of 1 out of 2 with diagnostics (1oo2D). See
figure 2-4. Note that this figure shows a single processor module. The achieved SIL capability is
SIL3. That means that the single module can be used in SIL1, 2 and 3 rated safety functions.
[Figure 2-4: single CPU module with diagnostics (1oo2D).]
Availability
To increase the availability of the system, redundancy can be applied on module level. See figure 2-5
below. As this redundancy is on module level, the system can tolerate one or more failures without the
need to shut down.
[Figure 2-5: redundant module pair. Each module consists of an input circuit with MPU, a CPU with MPU and memory, and an output circuit with MPU.]
With ProSafe-RS we use the term "PAIR & SPARE". PAIR indicates the redundant internals of the
single module, and SPARE indicates the second module used when high availability is required.
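The voting and availability ideas above (1oo2D voting with diagnostics, and the availability gained from a spare module) can be shown in a few lines of working code. The block below is an added example written for this page; it is not ProSafe-RS logic and not taken from the training document. It generalizes 1oo2D to any MooN vote, and it assumes a de-energize-to-trip convention (a True vote means "go to the safe state"), that a channel flagged by diagnostics is dropped from the vote, that the voter fails safe when too few healthy channels remain, and that a PAIR & SPARE arrangement behaves as two independent modules in parallel. The MTBF/MTTR figures in the demo are constructed, not vendor data.

```python
"""Added example, not from the training document or the ProSafe-RS product.

Assumptions (not stated on the page):
- A channel demanding a trip is True; the voter's True output means
  "de-energize / go to the safe state".
- A channel that on-board diagnostics has flagged as faulty is excluded
  from the vote (this is the "D" in 1oo2D).
- If fewer healthy channels remain than the vote needs, the voter fails
  safe (trips) instead of continuing blind.
- Single-module availability is MTBF / (MTBF + MTTR); PAIR & SPARE is
  modelled as two independent modules in parallel.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Channel:
    demand: bool   # True when this channel sees a trip condition
    healthy: bool  # False once diagnostics has revealed a fault in it


def vote_moon(channels, m, fail_safe=True):
    """M-out-of-N vote over the channels that diagnostics still trusts.

    With m=1 and two channels this is 1oo2D: either healthy channel can
    trip; if one channel is revealed faulty the vote degrades to 1oo1 on
    the survivor; if both are faulty the voter trips (fail safe).
    Real logic solvers define their own degradation rules (e.g. 2oo3 to
    1oo2); this simple version just votes m-out-of-(healthy channels).
    """
    healthy = [c for c in channels if c.healthy]
    if len(healthy) < m:
        # Too many revealed faults to reach a valid vote: safe state.
        return fail_safe
    return sum(1 for c in healthy if c.demand) >= m


def availability(mtbf_hours, mttr_hours):
    """Steady-state availability of one repairable module (as a fraction)."""
    return mtbf_hours / (mtbf_hours + mttr_hours)


def pair_and_spare_availability(a_single):
    """Two independent modules in parallel: down only when both are down."""
    return 1.0 - (1.0 - a_single) ** 2


def demo():
    """Walk through 1oo2D degradation and the spare-module availability gain."""
    scenarios = {
        "both healthy, no demand": ([Channel(False, True), Channel(False, True)], 1),
        "both healthy, one demands": ([Channel(True, True), Channel(False, True)], 1),
        "one faulty, survivor quiet": ([Channel(True, False), Channel(False, True)], 1),
        "one faulty, survivor demands": ([Channel(False, False), Channel(True, True)], 1),
        "both faulty (fail safe)": ([Channel(False, False), Channel(False, False)], 1),
        "2oo3, two demand": ([Channel(True, True), Channel(True, True), Channel(False, True)], 2),
    }
    results = {name: vote_moon(ch, m) for name, (ch, m) in scenarios.items()}
    # Constructed figures: 10 years MTBF, 8 hours MTTR (not vendor data).
    a1 = availability(mtbf_hours=87600.0, mttr_hours=8.0)
    results["availability single"] = a1
    results["availability pair & spare"] = pair_and_spare_availability(a1)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:32s} -> {value}")
```

The scenario "one faulty, survivor quiet" is the case that distinguishes 1oo2D from plain 1oo2: a faulty channel that happens to read "trip" is ignored because diagnostics has revealed it, so the plant keeps running on the healthy channel rather than taking a spurious trip; only when no healthy channel is left does the voter fall back to the safe state.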