Safety Instrumented Functions and Safety Integrity Levels (SIL)
Abstract

This paper discusses two performance-based standards, ANSI/ISA S84.01 and IEC d61508, and the requirements they place upon user companies of electrical, electronic and programmable electronic safety related systems (E/E/PE SRS) or Safety Instrumented Systems (SIS). To comply with the requirements of the standards, a user company would have to: (a) identify the safety target level of the process; (b) evaluate the hazardous events that pose a risk higher than the safety target level; (c) determine the safety function(s) that must be implemented in an SIS to achieve the safety target level; (d) implement the safety functions in an SIS and evaluate its safety integrity level (SIL); (e) install, test and commission the SIS; and (f) verify that the installed SIS does in fact reduce the process risk to below the safety target level. Several risk analysis techniques that can be used to comply with the aforementioned requirements are discussed and a simple example is used to illustrate the use, advantages and disadvantages of the techniques. The evaluation of the SIL of the SIS (probability to fail to respond to a process demand) is outside the scope of this paper. © 1998 Elsevier Science Ltd. All rights reserved.

Keywords: Process risk; Performance-based standards; ANSI/ISA S84.01; IEC d61508; Safety instrumented systems; Safety integrity levels; Risk analysis; Standard compliance

0019-0578/98/$ - see front matter © 1998 Elsevier Science Ltd. All rights reserved.
PII: S0019-0578(98)00038-X
338 P. Stavrianidis, K. Bhimavarapu / ISA Transactions 37 (1998) 337–351
specific safety concerns. Rather, they present a prescription to a general set of known safety concerns and attempt to deal with other unknown problems by utilizing conservative safety factors. Recognizing the limitations of prescriptive safety standards, some industries have begun focusing on the development of performance-based standards [1–6]. Similarly, government agencies have published performance-based regulations [7,8]. The goals of this approach are to improve the management of technological risk by setting process-specific, performance-based targets, such as process safety target levels, and to consistently evaluate alternative solutions that can achieve these targets. This approach is characterized by: (a) the detailed examination of a specific process; (b) the specification of safety solutions that account for the intricacies of the process; and (c) the identification of optimal process safety solution(s). The success of this approach does not depend on compliance with the minimum requirements of a prescriptive standard. It requires corporate commitment to process safety and a culture change that relies on a continuous and long-term commitment to understanding, evaluating and improving the safety of an industrial process.

2. Performance-based safety standards and regulations

During the last two decades, great emphasis has been placed on improving the management of technological risks. Improvement has occurred in the chemical and petroleum industries through the use of safety guidelines or standards that utilize performance-based criteria to evaluate the benefits of alternative risk management solutions. These solutions often incorporate sophisticated safety systems, such as an electrical, electronic and programmable electronic (E/E/PE) system, to perform complicated and critical safety functions. As a result, great emphasis has been placed on the improved performance of these safety systems through the development of industry guidelines that promote the systematic evaluation and certification of their reliability [1–3].

The IEC d61508 performance-based draft standard [1] has been developed as an umbrella standard that can be applied to any industrial process that uses E/E/PE SRS. An E/E/PE SRS or SIS¹ is comprised of sensors, logic solvers and actuators (e.g., shutdown valves). The standard employs a life-cycle model, shown in Fig. 1, to identify and provide guidance for all activities that affect the functional safety of an SIS. It relies on performance-based metrics such as process risk and SIS reliability. Therefore, it can be applied objectively and systematically by industry, manufacturers of systems, industry regulators and approval agencies. The standard provides guidance on how to establish the specifications for the required safety functions that will be implemented in an SIS.

The performance metric for the safety functions and for the SIS is referred to as SIL and is shown in Table 1. These SILs are given in terms of the probability of the SIS to fail to function, which can be translated to the process risk reduction (i.e., reducing the likelihood of occurrence of hazardous events due to the presence of a new safety system without affecting the consequences) that can be achieved by employing the SIS.

2.1. IEC d61508 Standard

The IEC d61508 standard is comprised of seven parts. The normative parts (the first three) deal with the assessment of industrial process risk and the SIS hardware and software reliability. The other four parts deal with definitions and provide informative annexes to the standard.

Part 1 of the standard defines the overall performance-based criteria for an industrial process. It mandates the use of an overall safety life-cycle shown in Fig. 1.² The standard recommends qualitative or quantitative techniques to identify process risk, allocate risk to safety related systems (independent safety layers or SRSs of other technologies) and external risk reduction facilities in order to achieve a desired process safety level. It is this part of the standard that focuses on the process risk and proposes alternative ways to reduce the risk to manageable levels. It also provides detailed guidance to evaluate the performance of the SIS in the field.

Part 2 of the standard is primarily directed towards manufacturers and integrators of SISs. It employs the safety specifications developed in Part 1 for an SIS and presents methods and techniques that can be used to design, evaluate and certify its hardware reliability and thus its contribution to process risk reduction.

Part 3 covers the software requirements for all safety related software and provides information for the software/hardware integration. It does not apply to the performance of the E/E/PE systems in the field; this is dealt with in Part 1, which addresses the overall industrial process.

The IEC d61508 standard allows the development of industry sector specific standards provided they follow the same life-cycle model.

2.2. ANSI/ISA S84.01 Standard for the process industry

The Instrument Society of America (ISA) has independently developed ANSI/ISA S84.01 [2] to be a performance-based standard for the use of safety instrumented systems (SIS) in the process industry. It follows a life-cycle model similar to that of IEC d61508, shown in Fig. 2, to identify the need for an SIS. The objectives are to determine the safety functions and associated SILs that will be implemented in an SIS and to evaluate the SIL of the SIS in order to achieve the desired safety target level. Detailed information on the requirements of the standard is given in Ref. [2].

The standard uses the safety integrity levels in Table 1, but clearly states that SIL 4 is not used in the process industries. Currently, the International Electrotechnical Commission (IEC) is working to convert the ANSI/ISA S84.01 standard to an IEC d61511 standard [3] for the process industry.

¹ SIS is used in ANSI/ISA S84.01 to refer to E/E/PE SRSs. For the remainder of this paper the term SIS will be used.
² It also permits the use of a different life-cycle model provided that it conforms to the overall requirements of the standard.
2.3. IEC d61511 Standard for the process industry

This standard is being developed under the auspices of the International Electrotechnical Commission. It is a performance-based standard for the process industry and follows the philosophy of the IEC d61508 and ANSI/ISA S84.01 standards. Detailed information on the requirements of the standard is given in Ref. [3].

2.4. Performance-based regulations

Recently, performance-based regulations have been published that mandate safety elements that are embedded in the aforementioned standards, such as hazard and risk analysis. Therefore, compliance with these regulations would, in part, support some of the compliance activities of the standards. The two regulations are the OSHA PSM and the EPA RMP rules. It is also noteworthy that OSHA views the ANSI/ISA S84.01 standard as "good engineering practice".

2.4.1. OSHA PSM (Process Safety Management) rule

The OSHA PSM [7] rule lists a large number of specific chemicals plus all hydrocarbons and provides threshold values above which a company using, storing, or producing the chemicals must comply with the provisions of the law. The law is performance based rather than a prescriptive (specification based) standard, with no specific measurements which the company is mandated to meet.

The specific provisions for compliance addressing process safety and risk related issues are: process safety information (PSI), process hazard analysis (PHA), operating procedures, employee training, pre-startup reviews, mechanical integrity, hot work permits, management of change, incident investigations, emergency response and control, compliance safety audits, contractor oversight, employee participation and trade secrets.

2.4.2. EPA's RMP (Risk Management Plan) rule

EPA's Risk Management Plan (RMP) rule [8] is designed to prevent accidental releases of regulated substances and other extremely hazardous substances into the air. Similar to OSHA's PSM, EPA's RMP rule is performance based, and has most of the same elements as OSHA's PSM standard. However, the RMP rule sets minimum requirements for fixed installations in developing risk management programs using dispersion modeling to quantify the concentration of hazardous material downwind of a release point. It is the responsibility of individual plants to design systems to address these minimum requirements in a way that prevents accidental releases of regulated substances.

Those facilities that present a higher risk to populations and the environment outside the plant boundaries must comply with more stringent requirements than those that present lower risks to off-site receptors. In fact, both the OSHA PSM and the EPA RMP rule have essentially the same requirements for facilities with low risk (i.e., facilities that fall under the level three programs). The full risk management program required by the RMP rule is comprised of a compilation of 5 year accident history, hazard assessment, a management system, a prevention program and an emergency response program.

Table 1
IEC d61508 SIL

Safety Integrity Level (SIL)    Probability to fail to function
SIL 4                           ≥10⁻⁵ to <10⁻⁴
SIL 3                           ≥10⁻⁴ to <10⁻³
SIL 2                           ≥10⁻³ to <10⁻²
SIL 1                           ≥10⁻² to <10⁻¹

Fig. 2. ANSI/ISA S84.01 safety life-cycle model.

2.5. Compliance to ANSI/ISA S84.01 and IEC d61508 standards

The overall objective of the standards is to identify the required safety functions, establish their SILs and implement them in an SIS in order to achieve the desired safety level for the process. The standards also mandate the development of a safety management plan, require documentation of safety activities that affect functional safety, and propose validation and verification activities throughout the safety life-cycle. The basic steps required to comply are the following:

1. Establish the safety target level of the process.
2. Perform a hazard analysis.
3. Perform a risk analysis of the process to evaluate process risk.
4. Identify hazardous events that do not meet the safety target level.
5. Evaluate potential risk reduction using safety systems of other technology (mechanical devices) and external risk reduction facilities (e.g., dike).
6. Identify instrumented safety function(s) that must be implemented in an SIS.
7. Determine the SIL of the instrumented safety function(s).
8. Define the specification requirements of the SIS's safety function(s).
9. Integrate safety instrumented functions into an SIS.
10. Establish a procedure to evaluate the probability to fail on demand of the SISs.
11. Evaluate the SIL of the SIS.
12. Evaluate process risk reduction due to the use of the SIS.
13. Make the required modifications and analysis to make certain that the SIS meets the risk reduction (SIL) requirements.

Step 1 establishes the safety target level of the process. Steps 2–9, inclusive, focus on the risk analysis of the process and the identification of safety functions and their SIL in order to achieve the safety target level. This paper discusses techniques to accomplish these steps using an example detailed in the following section. Steps 10 and 11, inclusive, discuss the hardware and software reliability requirements of the SIS and are outside the scope of this paper.

3. Application example

Several risk analysis techniques that can be used to comply with the aforementioned requirements are discussed and a simple example is used to illustrate the use, advantages and disadvantages of the techniques. The evaluation of the SIL of the SIS (probability to fail to respond to a process demand) is outside the scope of this paper.

3.1. Process

Consider a process comprised of a pressurized vessel containing volatile flammable liquid with associated instrumentation (see Fig. 3). Control of the process is handled through a Basic Process Control System (BPCS) that monitors the signal from the level transmitter and controls the operation of the valve. The engineered systems³ available are: (a) an independent pressure transmitter to initiate a high pressure alarm and alert the operator to take appropriate action to stop the inflow of material; and (b) in case the operator fails to respond, a pressure relief valve to release material to the environment and thus reduce the vessel pressure and prevent its failure.

3.2. Process safety target levels

A fundamental requirement for the successful management of industrial risk is the concise and

³ Engineered systems refers to all systems available to respond to a process demand including other automatic protection layers and operator(s).
Table 2
HAZOP analysis results

Deviation      Causes               Consequences                Safeguards                  Recommendations
High pressure  1. High level        Release to atmosphere       1. Alarm, operator, PRV     Evaluate conditions for release to atmosphere
               2. External fire                                 2. Deluge system
Low/no flow    1. Failure of BPCS   No consequence of interest
Reverse flow                        No consequence of interest
this illustrative example, the overpressure condition will be examined.

3.4. Risk analysis techniques

After the HAZOP has been performed, the risk associated with a process can be evaluated using qualitative or quantitative techniques published in the literature [6–11]. These techniques rely on the expertise of plant personnel and other hazard and risk analysis specialists to identify potential accident scenarios and evaluate the likelihood, consequences and impact of such accidents.

The risk associated with the process is expressed in terms of the frequency of a hazardous event and its associated consequence. Similarly, the safety target level establishes the acceptable level of risk of a hazardous event in terms of frequency and consequence. For each hazardous event that is examined, the introduction of an SIS is intended to reduce only the frequency of the hazardous event and not its consequence. Therefore, the difference between the existing hazardous event frequency and the safety target level frequency is the SIL.

parameters) that may produce inconsistent results; (b) it is difficult to document all thought processes that have led to the stated outcome; (c) it does not facilitate the use of a monitoring and management of change system for life-cycle management; and (d) it may be difficult to use for complex processes. The benefits of this approach are its simplicity, timeliness and the limited resources required for its execution, making it a useful screening tool to identify areas of safety concern. The disadvantage is that because it is so dependent on the expertise of the practitioners, consistency may be a problem.

One such technique from IEC 61508 and based on DIN 19250 [10] that can be applied to safeguard personnel and the environment is shown in Fig. 4. Similar risk graphs can be developed for damage to property. The risk graph identifies the required SIL of a safety function. In other words, it identifies the required risk reduction in order to achieve the desired safety target level. Therefore, it depends on the safety target level that has been established, consistent with Section 4.1.

The proposed approach is to have a team of experts examine the process, identify each safety function that will be handled by an SIS and evaluate the SIL of each safety function. The highest SIL is then allocated to the common elements of the new SIS that is needed to achieve a safety target level.

3.4.1.1. Example qualitative risk assessment. The initiating event of interest is overpressurization. Following the qualitative approach shown in Fig. 4, the safety function needed to protect against overpressure and its associated SIL is determined as follows:

• Determine the extent of damage in the event the overpressurization occurs. The analysis team would identify this damage based on plant and process specific experience. Assume for the example that the damage is assessed to be S2.
• Determine the frequency of exposure of personnel to the hazardous event. For this example assume that it is a permanent exposure (i.e., the vessel is not isolated), therefore A2.
• Determine if there are measures in place or that can be taken to minimize or avoid personnel exposure to this hazardous event. For the illustrative example assume that no measures can be taken, therefore assume G2.
• The last item to evaluate is the frequency of occurrence of the hazardous event. For this example, assume that the frequency is low, or W2.

Following the path identified by the risk graph, specifically S2, A2, G2 and W2, the safety function required to protect against the overpressure condition is estimated to require a SIL 2. It is important to note that this approach requires specific experience and expertise with the process under analysis and detailed guidance on the critical safety issues that the analysts need to investigate in order to make a consistent and systematic assessment of the four parameters.

3.4.2. Semi-quantitative risk assessment approach

A semi-quantitative approach can be used to assess process risk [6,9,11]. Such a semi-quantitative approach allows a traceable path of how the accident scenario develops, and comprises the following steps: (1) identify the accident scenarios; (2) identify the basic events that comprise each accident scenario, including the failure or success of safety systems; (3) assign a typical likelihood of occurrence for each event; (4) estimate the likelihood (approximate range of occurrence) of an accident scenario; (5) perform consequence analysis to understand the severity of the consequences of the accident scenario; (6) assign the rating for the severity of the consequences; and (7) evaluate the risk as a combination of the likelihood and the consequences. Typical guidance on how to estimate the likelihood of accidents to occur is provided in Table 3. Table 4 shows one way of converting the severity of the consequences into ratings for a relative assessment. Similar tables for likelihood and severity of consequences can be developed based on plant specific expertise and experience.

Table 3
Criteria for probability of occurrence of hazardous events

Event type                                                                                                                Probability   Rating
Events like multiple instrument or valve failures, multiple human errors or spontaneous failures of process vessels        <10⁻⁴         Very low
Events including combinations of instrument failures and human errors or full bore failures of small process lines or fittings   10⁻⁴–10⁻³     Low
Events like dual instrument, valve failures, or major releases in loading/unloading areas                                 10⁻³–10⁻²     Moderate
Events like process leaks, single instrument, valve failures or human errors that result in small releases of hazardous materials   >10⁻²         High
Table 4
Criteria for severity of consequences of hazardous events

Rating     Description
High       Large scale damage of equipment. Shutdown of a process for a long time. Catastrophic consequence to personnel and the environment
Moderate   Damage to equipment. Short shutdown of the process. Serious damage to personnel and the environment
Low        Minor damage to equipment. No shutdown of the process. Temporary injury to personnel and damage to the environment
Very low   No damage to equipment. Minor injury and environmental damage

A risk matrix can be used for the evaluation of risk by combining the likelihood and the consequences. Such risk matrices, modified to identify the SIL for risk reduction and shown in Figs. 5 and 6, can be used with qualitative or semi-quantitative approaches depending on the extent of information available. Such matrices can and should vary with different applications.

The two-dimensional matrix in Fig. 5 assumes that the likelihood of having the undesired event (y-axis) includes the probability that existing safety systems of other technology (i.e., other protection layers) have failed to respond to the demand.

The three-dimensional matrix shown in Fig. 6 [6] accounts explicitly for the presence of SRSs of other technology such as pressure relief valves and rupture disks. Therefore, the likelihood of a hazardous event does not account for the contribution of other protection layers.

A semi-quantitative approach is generally used to identify and assess process risk where the emphasis is more on relative assessment rather than absolute assessment. The semi-quantitative technique does provide a more systematic approach to assess risk than qualitative methods. It also relies on the ability of the team to assign values to the risk parameters based on judgment. It does have all the benefits of the qualitative approach without presenting the same level of challenge in documentation and life-cycle activities management.

3.4.2.1. Example using semi-quantitative techniques. The SIL of the safety function to protect against overpressure can also be evaluated using the semi-quantitative method. After a careful and systematic analysis of the events that would lead to the occurrence of the overpressure, the analysis team would identify the likelihood of occurrence of an accident that was initiated due to the overpressure of the vessel. For the illustrative example, assume that the accident probability of occurrence is again evaluated to be low. This probability includes the probability of failure of safety systems of other technologies. The potential consequences were evaluated to be moderate. Using the risk matrix in Fig. 5, the safety function is evaluated to be SIL 2.

Fig. 5. Process risk matrix with SIL identification.
Fig. 6. Three-dimensional risk matrix.

The development of the risk matrix and the identification of the safety function SIL depends on the safety target level that has been established, consistent with Section 4.2. It is also important to note that this approach requires specific experience and expertise with the process under analysis and detailed guidance on the critical safety issues that the analysts need to investigate in order to make a consistent and systematic assessment of the probability of occurrence of an accident and the severity of the consequences.

3.4.3. Quantitative risk analysis techniques

The quantification of the risks associated with a process is accomplished through a Quantitative Risk Analysis (QRA) that identifies and quantifies the risks associated with potential process accidents. The results (i.e., process risk or safety level) can be used to identify safety functions and their associated SIL in order to reduce the process risk to an acceptable level. The assessment of process risk using quantitative techniques can be distinguished in the following major steps [11–14]. The first four steps can be performed during the HAZOP study.

1. Identify process hazards.
2. Identify safety layer⁴ composition.
3. Identify initiating events.
4. Develop accident scenarios for every initiating event.
5. Ascertain the probability of occurrence of the initiating events and the reliability of existing safety systems using historical data or modeling techniques (Fault Tree Analysis, Markov Modeling).
6. Quantify the likelihood of occurrence of all significant accident scenarios using modeling techniques such as Event Trees or Fault Trees [9].
7. Evaluate the consequences of all significant accident scenarios.
8. Integrate the results (consequence and probability of an accident) into risk associated with each accident scenario.

The significant outcomes of interest are:

• A better and more detailed understanding of risks associated with the process.
• The process risk profile (or safety level).
• A measured contribution of existing safety systems to the overall risk reduction or safety level of the process.
• The identification of each safety function needed to reduce process risk.
• A comparison of current process safety with the process safety target level.

The quantitative technique is resource intensive but does provide benefits that are not inherent in the other two approaches. The technique relies heavily on the expertise of a team to identify hazards, provides an explicit method to handle existing safety systems of other technologies, uses a framework to document all activities that have led to the stated outcome, and provides a system for life-cycle management.

3.4.4. Comparison of techniques

The qualitative technique relies heavily on the expert opinion of the team performing the analysis. Such expert opinion is difficult to gain, retain and oftentimes impossible to replace. The approach is however not resource intensive and can be used with good results depending on the level of expertise available and the complexity of the process. It is an excellent basis for a screening tool that can be used to identify process areas for further analysis. It does however present challenges such as documentation of the thought processes used during the analysis and documentation requirements for management of change and re-evaluation of the process risk.

The semi-quantitative technique does provide a more systematic approach to risk assessment; however, it also relies on the ability of the team to

⁴ A safety layer comprises all the safety systems available to safeguard a process and it includes SISs, SRSs of other technologies, external risk reduction facilities, and operator response. For a definition of safety layer, see Ref. [6].
assign values to the risk parameters based on judgment. More often, the emphasis in semi-quantitative assessment is on relative assessment rather than absolute assessment. It does, however, have all the benefits of the qualitative approach without presenting the same level of challenge in documentation and life-cycle activities management.

The quantitative technique is resource intensive but does provide benefits that are not provided in the other two approaches. The technique relies on the expertise of a team to identify hazards, provides an explicit method to handle existing safety systems of other technologies, uses a framework to document all activities that have led to the stated outcome, and provides a system for life-cycle management.

The benefits of each technique, in terms of initial cost, flexibility and life-cycle cost, have been organized and are shown in Fig. 7. The y-axis represents a relative scale for assessment of the three parameters. Flexibility refers to the ability of the technique to address all types of processes, SIS and other safety systems of different technologies; initial cost refers to the start-up cost of performing a risk assessment using the techniques; life-cycle cost represents the cost associated with life-cycle management activities such as documentation needs, the ability to trace all work, and the opportunity to modify the safety layer and re-assess the process risk to claim compliance with standards in the future.

A proposed approach to assess the risk associated with a new process in order to determine the safety functions that will be incorporated into an SIS and comply with the standards is as follows:

• Use the qualitative or semi-quantitative technique as a screening tool to reduce initial cost by identifying complicated and significant accident scenarios, in terms of risk, that require further analysis.
• Use the quantitative technique to assess process risk and clearly document the procedure and results.
• Use a qualitative technique to re-assess the process risk at periodic intervals that are determined either by regulations, standards or changes in the process that impact safety.

If, however, a user company has developed a significant experience base with the operation of a particular process, the hazards and hazardous events of interest are probably well known, and therefore a qualitative or semi-quantitative method can be used to identify the safety functions that should be implemented in an SIS. The success of any risk assessment technique will depend on the expertise of the analysis team and their experience with the process under study.

4. Example risk assessment

For the illustrative example, one initiating event, overpressurization, was identified through the HAZOP study to have the potential to release material to the environment. It should be noted that the approach used in this section is a combination of a quantitative assessment of the likelihood of the hazardous event to occur and a qualitative evaluation of the consequences. This approach is used to illustrate the systematic procedure that should be followed to identify hazardous events and safety instrumented functions.
sible alternative risk reduction scheme. Therefore, since no other non-SIS protection can meet the safety target level, a safety function implemented in an SIS is required to protect against an overpressure and the release of the flammable material.

4.4. Risk reduction using an SIS safety function

The safety target cannot be achieved using safety systems of other technologies or external risk reduction facilities. Therefore, a new SIL 2 safety function implemented in an SIS is required to meet the safety target level. The safety function must reduce the probability of occurrence of the second accident scenario, in Fig. 9, from 9 × 10⁻³ in a year to or below the established safety target of less than 10⁻⁴ in one year. This requires a SIL 2 safety function (Probability to Fail to Function 10⁻³–10⁻², see Table 2). The new safety function is shown in Fig. 11. It is not necessary at this point to perform a detailed design of the safety function. This will be discussed in later sections. However, a general concept of the new safety function should be available. For example, the new safety function can use dual, safety dedicated, pressure sensors in a 1oo2 configuration⁶ sending signals to a logic solver. The output of the logic solver controls one additional shutdown valve.

The new SIL 2 safety function is used to minimize the likelihood of a release from the pressurized vessel due to an overpressure. Fig. 11 presents the new safety layer and provides all the potential accident scenarios. As can be seen from this figure, the probability to have a release from this vessel can be reduced to 10⁻⁴ or lower and the safety target level can be met provided the safety function can be evaluated to be consistent with SIL 2 requirements.

4.5. Define safety function specification requirements

As was mentioned earlier, there are additional initiating events that may occur and cause the release of material from the pressure vessel. These have to be examined using the aforementioned procedure. Using the same technique, event trees representing accident scenarios for the chemical process for additional initiating events can be developed to identify all the safety functions required to protect the process and evaluate the SIL of each safety function. Following the same procedure, assume that three additional safety functions have been identified ranging from a SIL 1 to 2 requirement. All four safety functions will be implemented into an SIS.

The new SIS must then be designed according to the requirements for the highest SIL determined from the analysis of the safety functions. What this clearly implies is that the common elements of the SIS, such as the logic solver, must meet the SIL 2 requirements. However, SIS elements that can be shown to be independent, such as sensors, can be designed to meet the specific safety function SIL requirements.

safeguard against a release of material to the environment. A new SIS can be designed in terms of sensor configuration (i.e., redundancy, voting, etc.), logic solver(s) requirements and valve configuration.⁷ One such example of an SIS is shown in Fig. 12. The SIS shown includes the safety function against overpressure (safety dedicated dual pressure transmitters in a redundant 1oo2 configuration sending signals to a logic solver that controls one shutdown valve), and three additional safety functions to protect against other initiating events. The common elements of the SIS, the logic solver, are assumed to meet the SIL 2 requirements, supported either by reliability data taken from the manufacturer of the logic solver and independently evaluated through a reliability evaluation program, or by a third party certification program. Two shutdown valves in series are employed to place the process in a safe state.

At this point the proposed SIS configuration must comply with the requirements of the standards and meet the SIL that was identified through the risk analysis. It is beyond the scope of

Fig. 12. Schematic of proposed SIS.

⁶ 1oo2 means that either one of the pressure sensors can send a signal to shut down the process.
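Added worked example, not code from the paper: it encodes the SIL bands of Table 1, the likelihood bands of Table 3, the frequency-reduction check of Section 4.4 and the highest-SIL allocation of Section 4.5, and runs them on the overpressure figures above (9 × 10⁻³ per year against a target below 10⁻⁴ per year). Band edges are assumed half-open, and the SILs of the three additional safety functions are constructed values.

```python
"""
Added worked example (not code from the paper or from any standards body):
SIL arithmetic from Table 1, the likelihood bands of Table 3, the frequency
reduction step of Section 4.4 and the allocation rule of Section 4.5.
Band edges in Tables 1 and 3 are read as half-open intervals (an assumption:
the paper prints them as ranges without stating which end is closed).
"""
from __future__ import annotations

# Table 1 (IEC d61508): SIL -> [lower, upper) band of the probability of the
# safety function to fail to function on demand (PFD).
SIL_PFD_BANDS: dict[int, tuple[float, float]] = {
    4: (1e-5, 1e-4),
    3: (1e-4, 1e-3),
    2: (1e-3, 1e-2),
    1: (1e-2, 1e-1),
}

# Table 3: rating of the probability of occurrence of a hazardous event,
# keyed by the (exclusive) upper edge of each band in events per year.
LIKELIHOOD_BANDS: list[tuple[float, str]] = [
    (1e-4, "Very low"),   # < 1e-4
    (1e-3, "Low"),        # 1e-4 .. 1e-3
    (1e-2, "Moderate"),   # 1e-3 .. 1e-2
]


def likelihood_rating(frequency_per_year: float) -> str:
    """Table 3 rating of an event frequency (events per year)."""
    for upper, rating in LIKELIHOOD_BANDS:
        if frequency_per_year < upper:
            return rating
    return "High"         # > 1e-2


def sil_from_pfd(pfd: float) -> int | None:
    """Table 1 band that contains a given PFD; None if outside SIL 1 to 4."""
    for sil, (lo, hi) in SIL_PFD_BANDS.items():
        if lo <= pfd < hi:
            return sil
    return None


def mitigated_frequency(f_unmitigated: float, pfd: float) -> float:
    """Frequency of the hazardous event once a safety function with the given
    PFD is in place. Section 3.4: the SIS reduces only the frequency of the
    event, never its consequence, so this is a plain product."""
    return f_unmitigated * pfd


def required_sil(f_unmitigated: float, f_target: float, max_sil: int = 3) -> int | None:
    """Lowest SIL whose worst-case PFD still brings the event frequency to or
    below the safety target (Section 4.4). The upper band edge is used as the
    conservative PFD; max_sil defaults to 3 because ANSI/ISA S84.01 states
    that SIL 4 is not used in the process industries (Section 2.2).
    Returns 0 when no SIS is needed and None when no single safety function
    within max_sil can close the gap."""
    if f_unmitigated <= f_target:
        return 0
    for sil in range(1, max_sil + 1):
        _lo, worst_case_pfd = SIL_PFD_BANDS[sil]
        if mitigated_frequency(f_unmitigated, worst_case_pfd) <= f_target:
            return sil
    return None


def common_element_sil(function_sils: list[int]) -> int:
    """Section 4.5: elements shared by all safety functions of the SIS (e.g. the
    logic solver) must meet the highest SIL among those functions."""
    return max(function_sils)


def overpressure_example() -> dict[str, object]:
    """Numbers of the paper's overpressure case (Sections 4.4 and 4.5):
    9e-3 releases/year without an SIS and a target below 1e-4/year. The three
    further safety functions at SIL 1 to 2 are constructed values."""
    f_unmitigated, f_target = 9e-3, 1e-4
    sil = required_sil(f_unmitigated, f_target)
    assert sil is not None, "target cannot be met by one safety function"
    worst_case_pfd = SIL_PFD_BANDS[sil][1]
    return {
        "risk_reduction_factor": f_unmitigated / f_target,
        "required_sil": sil,
        "worst_case_frequency": mitigated_frequency(f_unmitigated, worst_case_pfd),
        "logic_solver_sil": common_element_sil([sil, 1, 2, 1]),
    }


if __name__ == "__main__":
    for key, value in overpressure_example().items():
        print(f"{key:>22}: {value}")
```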