Safety Standards Explained
What is a SIS (Safety Instrumented System)
What is SIL (Safety Integrity Level)
What is a SIF (Safety Instrumented Function)
How is a SIS different from DCS (BPCS)
Examples of SIF Loop Design
https://automationforum.co/ 1
Safety Acronyms
SIS – Safety Instrumented System
SIF – Safety Instrumented Function
SIL – Safety Integrity Level
PFD – Probability of Failure on Demand
PHA – Process Hazard Analysis
LOPA – Layer Of Protection Analysis
SRS – Safety Requirement Specification
PES – Programmable Electronic System
BPCS – Basic Process Control System
Evolving Standards
1984 TUV Guidelines for PES (SK Safety Classes 1-9)
1987 HSE PES Guidelines Parts 1 & 2
1989 DIN 19250 / VDE 0801 for PES (AK Safety Classes 1-8)
1994 Appendix to VDE 0801 - Harmonisation Document
1996 ISA SP84 - Safety Lifecycle, Quantitative Approach
1997 IEC 61508 - Safety Lifecycle, Quantitative and Qualitative Approach
2003 ANSI/ISA 84.01 = IEC 61511 - Functional Safety, SIS for the Process Industry Sector
2004 DIN 19250 withdrawn and Introduction of Machine Safety Standard IEC 62061
Today Many more to come?
Industry Standards for Safety Instrumented Systems (SIS)
•Instrumentation, Systems, and Automation Society (ISA), ANSI/ISA 84.01, Application of Safety Instrumented Systems for the Process Industry, 1996 (revised 2004).
•International Electrotechnical Commission (IEC), IEC 61511, Functional Safety: Safety Instrumented Systems for the Process Sector
Both are performance based standards.
Evolving Standards
IEC 61508 is an “umbrella standard” for functional safety
across all industries
Each industry then uses IEC 61508 as a guide to develop
industry specific standards
•IEC/AS 61511 – Process Industry
•IEC 61513 – Nuclear Industry
•IEC 62061 – Machinery Industry
•Future – Rail, Medical, Automotive, Transport
Evolving Standards
Other standards reference safety standards
•FM AS 7605 – Programmable Logic Control (PLC) Based
Burner Management
•FM AS 7610 – Combustion safeguards and Flame Sensing
•NFPA 85 – Boiler and Combustion Systems Hazards Code
•OSHA Process Safety Management & duty of care.
Why do we need Functional Safety?
Analysis of 34 incidents, based on 56 causes identified (source: "Out of control: Why control systems go wrong and how to prevent failure", 2nd edition, © Health & Safety Executive HSE – UK):
•Specifications – 44%
•Changes after commissioning – 20%
•Operations and maintenance – 15%
•Design and implementation – 15%
•Installation and commissioning – 6%
Nearly two thirds of the causes (specification plus changes after commissioning) lie in what the system was asked to do and how it was later altered, not in the hardware itself. This is why the standards prescribe a whole safety lifecycle rather than only certified equipment.
IEC 61508 Lifecycle
Analysis phase:
1 Concept
2 Overall scope definition
3 Hazard & risk analysis
4 Overall safety requirements
5 Safety requirements allocation
Realisation phase (overall planning, then realisation):
6 Overall operation & maintenance planning
7 Overall safety validation planning
8 Overall installation & commissioning planning
9 Safety-related systems: E/E/PES realisation [see E/E/PES safety lifecycle]
10 Safety-related systems: other technology realisation
11 External risk reduction facilities realisation
Operation phase:
12 Overall installation & commissioning
13 Overall safety validation
14 Overall operation & maintenance
15 Overall modification & retrofit (back to the appropriate overall safety lifecycle phase)
16 Decommissioning
IEC 61511 & ISA 84.01 Lifecycle
Activities that run alongside every phase: 9 Management of Functional Safety and Functional Safety Assessment (Clause 5); 10 Safety Lifecycle Structure and Planning (Sub-clause 6.2); 11 Verification (Sub-clauses 7, 12.7)
Analysis phase:
1 Risk Analysis and Protection Layer Design (Subclause 8)
2 Allocation of Safety Functions to Protection Layers (Subclause 9)
3 Safety Requirements Specification for the Safety Instrumented System (Subclause 10)
Realisation phase:
4 Design and Engineering of Safety Instrumented System (Subclause 11), in parallel with Design and Development of Other Means of Risk Reduction (Subclause 9)
5 Installation, Commissioning and Validation (Subclause 14)
Operation phase:
6 Operation and Maintenance (Subclause 15)
7 Modification (Subclause 15.4)
8 Decommissioning (Subclause 16)
When do I use IEC 61511 vs. IEC 61508?
•Manufacturers and suppliers of devices use IEC 61508
•Safety instrumented system designers, integrators and users follow IEC 61511 & ISA 84.01 (the process sector safety instrumented system standards)
Safety Lifecycle
1 Conceptual Process Design
2 Process Hazards Analysis
3 SIF Definition
4 SIL Selection
5 Conceptual Design
6 SIL Verification
7 Design Specifications
8 Procedure Development
9 Construction, Installation and Commissioning
10 PSAT (Pre-Startup Acceptance Test)
11 Operation, Maintenance and Testing
12 Management of Change
Safety & Layers of Protection
(Figure: the Safety Instrumented Function shown as one layer among the independent protection layers)
Independent Protection Layers
(Figure: the layers plotted against a process parameter, e.g. level, as it moves away from its normal value. Prevention layers act while the parameter is still inside the plant; mitigation layers act once it has run wild.)
Prevention:
•Plant design
•Basic Process Control System – holds the parameter at its process control value during normal behaviour, between the low level and the high level (process control layer)
•Operator intervention on the high level alarm (process control layer)
•Safety Instrumented System – emergency shutdown action at the trip level alarm, before the process parameter runs wild (isolated protection layer)
Mitigation:
•Relief valve, rupture disk (active protection layer)
•Dike (passive protection layer)
•Plant and/or emergency response (emergency response layer)
What is a SIS?
Formal Definition:
SIS – “instrumented system used to implement
one or more safety instrumented functions (SIF).
A SIS is composed of any combination of
sensor(s), logic solver(s), and final element(s)”
(IEC 61511 / ISA 84.01)
Informal Definition:
Instrumented Control System that detects “out of
control” conditions and automatically returns the
process to a safe state
“Last Line of Defense”
Not a basic process control system (BPCS)
What makes up a SIS?
Sensor(s) → Logic solver(s) → Final element(s)
(Figure: process input → transmitter (sensor) → SIS program in the logic solver → safety valve (SV) with its air supply (IAS) as the final element → process output)
How is a SIS different from a BPCS?
Safety PLC vs. standard PLC – what's the difference?
A standard PLC has unknown failure modes – you don't know how it will fail before it fails
A safety PLC is designed to detect its own dangerous failures and drive its outputs to the safe state, so that its probability of dangerous failure stays within the certified bounds of its SIL (SIL 1, 2 or 3)
A safety PLC is certified by a 3rd party (e.g. TÜV) to the international standards IEC 61508 and IEC 61511
Certification includes the certificate, the report to the certificate AND operation as per the safety manual of the PLC – the certificate only holds while the safety manual is followed
A safety PLC must be configured by a person with appropriate safety competency
Where would I need a SIS?
Typical applications for SIS
ESD: Emergency ShutDown System
F&G: Fire and Gas System
BMS: Burner Management System
TMC: Turbo Machinery Control System
HIPPS: High Integrity Pressure Protection System
What is a Safety Instrumented
Function (SIF)?
Formal Definition:
SIF – “function to be implemented by a SIS which is intended to automatically achieve or maintain a safe state for the process with respect to a specific hazardous event.” (IEC 61511 / ISA SP 84.01)
Informal Definition:
Independent safety loop or interlock that automatically
brings process to a safe state in response to specific
initiating events
SIS versus SIF
(Figure: one SIS – the logic solver with all of its sensors and final elements – implements several SIFs; each SIF is the particular sensor(s), logic and final element(s) that handle one specific hazardous event.)
Safety Instrumented Function
Common Misconceptions:
Over-temperature on the burner exhaust is a SIF
Generating an operator alarm indication is a SIF
Detecting a flammable gas cloud is a SIF
Detecting smoke or fire is a SIF
None of the above includes an action, associated with a final element, that automatically brings the plant to a safe state: each is only the detection part of a SIF, or (for an alarm) a different protection layer that relies on the operator
What is (SIL) – Safety Integrity Level?
Informal Definition:
SIL – the Safety Integrity Level of a specific Safety Instrumented Function (SIF) which is being implemented by a Safety Instrumented System (SIS)
OR
The amount of risk reduction achieved by a specific Safety Instrumented Function (SIF)
Four discrete levels: SIL 1 (least risk reduction) to SIL 4 (most risk reduction)
SIL expressed as PFD
PFDavg = λDU × TI / 2
PFD: Probability of Failure on Demand. PFD(t) grows from (near) zero after each proof test as undetected dangerous failures accumulate, and is reset by the next test; PFDavg is its average over the test interval, and the SIL 1 to SIL 4 bands are bands of PFDavg.
λDU: rate of Dangerous Undetected failures (failures that neither the diagnostics nor normal operation reveal, so they persist until the proof test)
TI: proof test interval
This simple form holds for a single channel (1oo1) with λDU × TI much smaller than 1. It shows the two levers a designer has: a lower λDU (better device, more diagnostics) or a shorter proof test interval; halving TI halves PFDavg.
Different levels of SIL
Safety Integrity Level | Safety Availability | Probability of Failure on Demand | Risk Reduction Factor
SIL 4 | > 99.99% | 0.001% to 0.01% | 100,000 to 10,000
SIL 3 | 99.9% to 99.99% | 0.01% to 0.1% | 10,000 to 1,000
SIL 2 | 99% to 99.9% | 0.1% to 1% | 1,000 to 100
SIL 1 | 90% to 99% | 1% to 10% | 100 to 10
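The following is an added worked example, not code from the original slides, that applies the PFDavg = λDU × TI / 2 formula and the SIL bands of the table above to a whole SIF (sensor + logic solver + final element) and shows which subsystem dominates. It goes beyond the slide in one respect: it also includes the simplified 1oo2 and 2oo3 voting equations from ISA-TR84.00.02, with common-cause failure and repair time ignored (an assumption of this example). The subsystem names, failure rates and test intervals are constructed illustrative values, not vendor data.

```python
"""SIL verification of a safety instrumented function (SIF).

Added worked example for the PFD slide: PFDavg = lambda_DU * TI / 2 for a
single 1oo1 channel, plus the simplified 1oo2 and 2oo3 voting equations
(ISA-TR84.00.02) that the slide does not show. Assumptions: identical
channels, no common-cause failure, no repair-time term, low-demand mode.
All failure rates and test intervals below are constructed illustrative
values, not vendor data.
"""

HOURS_PER_YEAR = 8760.0


def pfd_avg(lambda_du_per_hour, test_interval_years, voting="1oo1"):
    """Average probability of failure on demand of one SIF subsystem.

    lambda_du_per_hour: dangerous undetected failure rate (failures/hour)
    test_interval_years: proof test interval TI
    voting: 1oo1, 1oo2 or 2oo3 (identical channels, no common cause)
    """
    x = lambda_du_per_hour * test_interval_years * HOURS_PER_YEAR  # lambda_DU * TI
    if voting == "1oo1":
        return x / 2.0          # the slide's formula
    if voting == "1oo2":
        return x * x / 3.0      # both channels must fail dangerously
    if voting == "2oo3":
        return x * x            # any two of three channels
    raise ValueError(f"unsupported voting architecture: {voting}")


def sil_from_pfd(pfd):
    """IEC 61511 low-demand SIL band for a PFDavg; 0 means worse than SIL 1."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4


def verify_sif(subsystems):
    """PFDavg, SIL and risk reduction factor of a whole SIF.

    subsystems: name -> (lambda_DU per hour, TI in years, voting).
    The SIF fails on demand if the sensor, the logic solver or the final
    element fails, so the subsystem PFDs are added (series approximation).
    """
    total = sum(pfd_avg(*spec) for spec in subsystems.values())
    return {"pfd_avg": total, "sil": sil_from_pfd(total), "rrf": 1.0 / total}


# Constructed example: a high-pressure trip, all 1oo1, annual proof test.
BASELINE_SIF = {
    "pressure transmitter": (1.0e-6, 1.0, "1oo1"),
    "safety logic solver": (2.0e-8, 1.0, "1oo1"),
    "shutdown valve": (2.0e-6, 1.0, "1oo1"),
}

# Same SIF with 1oo2 transmitters and the valve proof-tested every 6 months.
IMPROVED_SIF = {
    "pressure transmitters (1oo2)": (1.0e-6, 1.0, "1oo2"),
    "safety logic solver": (2.0e-8, 1.0, "1oo1"),
    "shutdown valve": (2.0e-6, 0.5, "1oo1"),
}

if __name__ == "__main__":
    for label, sif in (("baseline", BASELINE_SIF), ("improved", IMPROVED_SIF)):
        for name, spec in sif.items():
            print(f"{label:8} {name:30} PFDavg={pfd_avg(*spec):.2e}")
        r = verify_sif(sif)
        print(f"{label:8} total PFDavg={r['pfd_avg']:.2e} "
              f"RRF={r['rrf']:.0f} -> SIL {r['sil']}\n")
```

Running it shows the baseline loop at a PFDavg of about 1.3 × 10⁻² (SIL 1) with the shutdown valve contributing two thirds of it; halving the valve's proof test interval and voting the transmitters 1oo2 brings the loop to about 4.5 × 10⁻³ (SIL 2). The arithmetic is only one part of SIL verification: IEC 61511 also imposes minimum hardware fault tolerance and systematic capability requirements per SIL, which a PFD sum cannot demonstrate.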
SIL 1 to SIL 3 are dealt with in ISA 84.01 and IEC 61511.
SIL 4 is dealt with using IEC 61508.
What is Risk?
“the likelihood of a specified undesired event occurring within a specified period or in specified circumstances.”
RISK = Likelihood × Consequence
(Figure: risk matrix with likelihood low / moderate / high on one axis and consequence minor / serious / extensive on the other)
•Serious consequence × high likelihood = higher risk
•Minor consequence × low likelihood = low risk
Effects of accepting too much risk
(Figure: the same likelihood × consequence matrix)
•Injury / death to personnel
•Environment damage and consequential clean up costs
•Damage and loss of equipment / property
•Business interruption and associated losses
•Legal liability, litigation & “duty of care defense”
•Company image
•Lost market share
Tolerable Risk
Moral, legal and financial responsibility to limit our risk
In some countries, the law mandates tolerable risk levels
Meeting OSHA requirements as a minimum
(Figure: three competing pulls on the tolerable risk decision)
•Moral – make the plant as safe as possible, disregarding cost
•Legal – comply with regulation as written, regardless of cost or level of risk
•Financial – build the lowest cost plant and keep the operating budget as small as possible
Reducing Risk
(Figure sequence on the likelihood × consequence matrix: the inherent process risk starts in the unacceptable risk region, and each layer of protection moves the residual risk towards the tolerable risk region)
•Inherent process risk – no protection applied
•Passive protection applied, e.g. a containment dyke
•Active protection applied, e.g. a PRV
•SIS applied – the remaining gap to the tolerable risk region sets the SIL of the SIF; SIL 1, SIL 2 and SIL 3 each add a further factor of ten of risk reduction
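The following is an added worked example, not code from the original slides, that puts numbers on the "What is Risk?" and "Reducing Risk" slides using a Layer of Protection Analysis (LOPA, one of the acronyms at the start of the deck). For one hazardous event of fixed consequence, risk = likelihood × consequence reduces to an event frequency against a tolerable frequency; each independent protection layer (operator response, PRV) multiplies the initiating-event frequency by its PFD, and the remaining gap is the risk reduction the SIS must deliver, which selects its target SIL from the SIL table. All frequencies, PFDs and the tolerable target are constructed illustrative values, not from a standard or a plant.

```python
"""Layer of Protection Analysis (LOPA) to select the target SIL of a SIF.

Added worked example for the "What is Risk?" and "Reducing Risk" slides.
Risk = likelihood x consequence; for one hazardous event of fixed
consequence the tolerable risk becomes a tolerable event frequency. Each
independent protection layer (IPL) multiplies the initiating-event frequency
by its PFD, and the remaining gap to the tolerable frequency is the risk
reduction the SIS must supply. Every frequency, PFD and tolerable target
below is a constructed illustrative value, not from a standard or a plant.
"""


def target_sil(required_rrf):
    """SIL band (IEC 61511 low-demand RRF bands) covering the required RRF.

    0 means no SIL-rated SIF is needed: either the other layers already meet
    the target (RRF <= 1) or the remaining gap is below the SIL 1 band and
    should be closed by another non-SIS layer.
    """
    if required_rrf < 10:
        return 0
    if required_rrf < 100:
        return 1
    if required_rrf < 1000:
        return 2
    if required_rrf < 10000:
        return 3
    return 4


def lopa(initiating_event_frequency, ipl_pfds, tolerable_frequency):
    """Run a LOPA for one hazard scenario.

    initiating_event_frequency: events per year before any protection
    ipl_pfds: name -> PFD of each independent protection layer credited
    tolerable_frequency: tolerable frequency of the consequence, per year
    """
    mitigated = initiating_event_frequency
    for pfd in ipl_pfds.values():
        if not 0.0 < pfd <= 1.0:
            raise ValueError("an IPL PFD must be in (0, 1]")
        mitigated *= pfd                      # each IPL reduces the likelihood
    required_rrf = mitigated / tolerable_frequency
    return {
        "mitigated_frequency": mitigated,     # frequency without the SIS
        "required_rrf": required_rrf,
        # PFD the SIF must achieve; 1.0 means no SIS credit is needed
        "required_sis_pfd": min(1.0, 1.0 / required_rrf),
        "target_sil": target_sil(required_rrf),
    }


# Constructed scenario: vessel overpressure after a BPCS control loop failure.
INITIATING_EVENT_PER_YEAR = 0.1
IPLS = {
    "operator response to high alarm": 0.1,   # process control layer
    "pressure relief valve": 0.01,            # active protection layer
}
TOLERABLE_PER_YEAR = 2.0e-7                   # for this consequence severity

if __name__ == "__main__":
    cases = (
        ("all IPLs credited", IPLS),
        ("relief valve not credited", {"operator response to high alarm": 0.1}),
    )
    for label, ipls in cases:
        r = lopa(INITIATING_EVENT_PER_YEAR, ipls, TOLERABLE_PER_YEAR)
        print(f"{label}: mitigated {r['mitigated_frequency']:.1e}/yr, "
              f"required RRF {r['required_rrf']:.0f}, "
              f"SIS PFD <= {r['required_sis_pfd']:.1e}, "
              f"target SIL {r['target_sil']}")
```

With both layers credited the SIS must provide an RRF of 500 (PFD ≤ 2 × 10⁻³), a SIL 2 SIF. The second run shows why the other layers matter as much as the SIS: if the relief valve cannot be credited (for example because it is not independent of the initiating cause), the required RRF jumps to 50,000, a SIL 4 target outside what IEC 61511 covers, and the right response is to restore or add a protection layer rather than to specify a single SIL 4 SIF.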
Summary
IEC 61511 is the applicable safety standard for the process industry
It is a performance based standard and addresses the entire safety lifecycle
Compliance is considered “best engineering practice” worldwide
Compliance will help reduce risk and help meet obligations
A safety system (SIS) PLC is different from a normal PLC & must be certified by a 3rd party (TÜV) to IEC 61508, 61511
A safety system must always be separate from (functionally independent of) a DCS
A SIS is made up of sensors, logic solver and final elements
DCS and SIS should not normally “share” the same field devices
Summary
SIF (Safety Instrumented Function) consists of detection, logic and
automatic action to bring plant to safe state
SIL (Safety Integrity Level) is a measure of risk reduction provided by a
specific SIF
Risk is a product of likelihood and consequence
Implementing a SIS can help you move from inherent risk region to
tolerable risk region
Conceptual design of SIS involves many elements – not just equipment
SIS device testing, voting and plant availability must all be considered in
design
Without a safety CULTURE in the plant no amount of technology can
provide 100% protection
Thank You