An Introduction to Safety Instrumented Systems

A safety instrumented system (SIS) takes automated action to keep a plant in a safe state or to put it into a safe state when abnormal conditions are present. These layers of protection measures are intended to prevent and/or mitigate the identified hazardous scenarios. In this newsletter, Marcel Amoros Marti explains the fundamental principles of SIS, the applicable standards, and the requirements for completing a Safety Requirements Specification (SRS) document.

SIS Applicable Standards

IEC 61508 ― Functional safety of electrical / electronic / programmable electronic safety-related systems, Parts 1-7 (2010). It targets suppliers; i.e., it sets the requirements for suppliers of process control and instrumentation for component / sub-system safety.

IEC 61511 ― Safety instrumented systems for the process industry sector, Parts 1-3 (2018). It targets end-users, engineering contractors, and integrators in the process industries and covers the entire SIS life cycle. It is a performance-based standard, not a prescriptive one, and contains three parts:

  • Part 1: Framework, definitions, system, hardware, and application programming requirements
  • Part 2: Guidelines for the application of IEC 61511-1
  • Part 3: Guidance for the determination of the required SILs

SIS Definitions According to IEC 61511

  • A Safety Instrumented System (SIS) is an instrumented system used to implement one or more Safety Instrumented Functions (SIFs)
  • A SIS is composed of any combination of sensor(s), logic solver(s), and final element(s). It includes communication and ancillary equipment (e.g., cables, tubing, power supply, impulse lines, heat tracing)
  • A SIS may include software
  • A SIS may include human action as part of a SIF
  • A Safety Instrumented Function (SIF) is a safety function to be implemented by a SIS
  • A SIF is designed to achieve a required Safety Integrity Level (SIL), which is determined in relation to the other protection layers participating in the reduction of the same risk
  • A Safety Integrity Level (SIL) is the discrete level (one out of four) allocated to the SIF for specifying the safety integrity requirements to be achieved by the SIS
  • The higher the SIL, the lower the expected average Probability of Failure on Demand (PFDavg) for demand mode, or the lower the average frequency of dangerous failures causing a hazardous event for continuous mode
  • SIL 4 corresponds to the highest level of safety integrity; SIL 1 to the lowest

What Can We Extract from These Definitions

  • One SIS may have multiple SIFs with different individual SILs, so it is ambiguous to define a SIL for an entire SIS
  • A SIS is composed of three subsystems: sensor(s), logic solver(s), and final element(s)
  • A SIF is a specific single set of actions and the corresponding equipment needed to identify a single hazard and act to bring the system to a safe state
  • SIL is the discrete level of each SIF and ranges from 1 to 4

SIS Subsystems According to IEC 61511

Sensor ― Part of the Basic Process Control System (BPCS) or SIS that measures or detects the process condition; it includes transmitters, transducers, process switches, position switches, etc.

Logic Solver ― Part of either the BPCS or SIS that performs one or more logic function(s); it includes electrical systems, programmable electronic systems, pneumatic systems, etc.

Final Element ― Part of the BPCS or SIS that implements the physical action necessary to achieve or maintain a safe state; it includes valves, switchgear, motors, etc.

Safety Requirements Specification (SRS)

An SRS is a document where all the safety requirements for SIF / SIFs are clearly stated. This document must address two main categories:

Functional safety requirements ― Which SIFs are to be implemented to prevent or act upon demands (hazardous scenarios).

Functional integrity requirements ― How reliable the SIFs must be in order to achieve adequate risk reduction.

Functional Safety Requirements: Mode of Operation

The Chemical Process Industry (CPI) mainly uses low demand SIFs.

Functional Safety Requirements: Design Principle

Many SIS are designed according to the de-energize-to-trip principle.

Functional Safety Requirements: SIS Main Functions

Perform the SIF on demand ― The SIS shall carry out the SIF according to the performance criteria specified in the SRS. The probability of a failure of this function is usually quantified by the average Probability of Failure on Demand (PFDavg).

Do not activate the SIF without the presence of a demand ― A failure of this function may lead to loss of production or service and have safety consequences. Such a failure is classified as a safe failure and is often called a false alarm or a spurious trip.

Functional Integrity Requirements: Safety Function Availability

The safety function availability, or level of risk reduction, is characterized by the Safety Integrity Level (SIL).

The SIL is a function of the Risk Reduction Factor (RRF), which directly defines the Probability of Failure on Demand average (PFDavg). The PFDavg is for low-demand systems only and can be defined as:

Thus, RRF, PFDavg, and SIL are directly correlated for low-demand systems. Using this table we can calculate the target PFDavg, i.e., the necessary level of risk reduction.

Functional Integrity Requirements: Architecture Constraints

We need to identify the system redundancy; i.e., architecture constraints. It is necessary to define the following parameters:

Hardware Fault Tolerance (HFT) ― Indicates the ability of a hardware subsystem to continue to perform a required function in the presence of faults or errors.

Safe Failure Fraction (SFF) ― Used to quantify the inherent tendency of a SIF to fail towards a safe state.

According to IEC 61508, there are two routes, 1H and 2H.

Route 1H ―

  • Assumes there is no strong evidence failure rates were derived from realistic failure data
  • SFF and Architecture Type (A or B) will determine the minimum HFT

Route 2H ―

  • Assumes there is strong evidence failure rates are derived from realistic failure data, including a minimum of 1 year run time for new equipment
  • The minimum HFT and the demand mode will determine the SIL

According to IEC 61511, there is only one route, which is the same as IEC 61508 Route 2H.

Functional Integrity Requirements: Voting

Within a SIS, there are three subsystems; i.e., sensor(s), logic solver(s), and final element(s). Each subsystem may have one or more voted groups / channels. A channel/group is a structure of one or more elements that can independently perform a safety function; e.g., a pressure transmitter.

Voting refers to a configuration in which a group is functioning when at least M of its N channels are functioning. Such an M-out-of-N voted structure is written MooN and is typically called MooN voting.

SIS subsystems including groups and channels

SIF Verification: Define Parameters

The goal of the SIF verification exercise is to develop the design. In order to do that, we need to define additional parameters:

  • Selected equipment (e.g., failure rate data)
  • End-user practices (e.g., proof test interval)

These parameters affect the SIF PFDavg and can be divided into two categories:

  • Failure rate data, and
  • Test and maintenance data

Understanding Failure Rate Data

Failure rate data is defined as the length of time that a device is expected to last in operation before the failure occurs. There are four types of failure rate data:

  • Generic
  • Manufacturer provided
  • User-provided
  • Expert judgment

Understanding Failure

There are four types of failures:

Consequence criteria ― Dangerous (D) failure, and Safe (S) failure.

Detectability criteria ― Detected (D) failure, and Undetected (U) failure.

A dangerous undetected (DU) failure prevents the SIF from activating on demand and is only revealed by proof testing or when a demand occurs. These failures therefore drive the SIF PFDavg.

Understanding Test and Maintenance Data

Test and maintenance data is used to characterize intervals, durations, and other characteristics of tests and inspections of the Safety Life Cycle (SLC). Some examples of test and maintenance data are:

  • Proof test interval
  • Proof test duration
  • Proof test coverage

SIF Verification: Define Failure Rate

The goal of the SIF verification exercise is to calculate the probability of failure; i.e., how likely the SIF is to fail. We need a relationship between the failure rate and the probability of failure on demand (PFD). If we assume that the failure rate is constant, then the PFD can be defined as:

Assuming low values of failure probabilities and taking only the first order of a Taylor series, we can express it as:

Where t is the time period of interest.

SIF Verification: Define Time Period

To calculate the SIF probability of failure on demand (PFD), we need to define the time period of interest. Considering the test and maintenance parameters such as proof testing (perfect or imperfect), the PFD can be expressed as:

Where CPT is the proof test coverage, TI is the proof test interval, MT is the mission time, PTD is the proof test duration, and MTTR is the mean time to restore / repair. Note that we may need to account for common cause failures, which are characterized by the Beta factor (β).
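The two passages above (RRF / PFDavg / SIL correlation, and the PFD expressed with the proof-test and maintenance parameters) as an added worked example; this is illustration code, not the newsletter's or ioMosaic's. It assumes the common first-order single-channel approximation with imperfect proof testing (the newsletter's own equation is not reproduced here), sums the three subsystem PFDavg values, and maps the result to the IEC 61511 low-demand SIL band; all input values are constructed, and common cause (β) is not modelled.

```python
# Low-demand SIL bands from IEC 61511-1 (PFDavg lower bound inclusive, upper bound exclusive)
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}

def sil_from_pfd(pfd_avg):
    """Return the SIL band a low-demand PFDavg falls in, or None if outside SIL 1..4."""
    for sil, (low, high) in SIL_BANDS.items():
        if low <= pfd_avg < high:
            return sil
    return None

def pfd_avg_1oo1(lam_du, ti, cpt=1.0, mt=0.0, mttr=0.0, ptd=0.0):
    """PFDavg of one channel exposed to dangerous undetected (DU) failures at a constant rate.
    Simplified first-order form (assumed for this illustration):
      CPT * lam_du * TI / 2        DU faults the proof test catches, unrevealed for TI/2 on average
    + (1 - CPT) * lam_du * MT / 2  DU faults the test misses, unrevealed until end of mission time
    + lam_du * MTTR                downtime to restore a revealed fault
    + PTD / TI                     fraction of time the SIF is bypassed while being tested
    Times are in hours, lam_du is in failures per hour."""
    return cpt * lam_du * ti / 2 + (1 - cpt) * lam_du * mt / 2 + lam_du * mttr + ptd / ti

def sif_pfd_avg(subsystems):
    """SIF PFDavg as the sum of the sensor, logic solver and final element PFDavg values."""
    return sum(pfd_avg_1oo1(**s) for s in subsystems)

# Constructed example SIF: one transmitter, one logic solver, one shutdown valve (1oo1 each).
HOURS_PER_YEAR = 8760
EXAMPLE_SIF = [
    dict(lam_du=3e-7, ti=HOURS_PER_YEAR, cpt=0.9, mt=10 * HOURS_PER_YEAR, mttr=8),  # sensor
    dict(lam_du=1e-8, ti=HOURS_PER_YEAR, cpt=1.0, mt=10 * HOURS_PER_YEAR, mttr=8),  # logic solver
    dict(lam_du=5e-7, ti=HOURS_PER_YEAR, cpt=0.8, mt=10 * HOURS_PER_YEAR, mttr=8),  # final element
]

def verify(subsystems=EXAMPLE_SIF):
    """Return (PFDavg, RRF, achieved SIL band) for the SIF."""
    pfd = sif_pfd_avg(subsystems)
    return pfd, 1 / pfd, sil_from_pfd(pfd)

if __name__ == "__main__":
    pfd, rrf, sil = verify()
    for name, s in zip(("sensor", "logic solver", "final element"), EXAMPLE_SIF):
        print(f"{name:14s} PFDavg = {pfd_avg_1oo1(**s):.2e}")
    print(f"SIF PFDavg = {pfd:.2e}  RRF = {rrf:.0f}  SIL band = {sil}")
```

With these constructed inputs the valve's untested fraction (1 − CPT) of DU faults is the largest single term, which is why proof-test coverage, not just the interval, matters to the achieved SIL.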

In Summary

A Safety Requirements Specification (SRS) needs to address the SIS functional safety and functional integrity requirements:

The SIF probability of failure on demand (PFD) is a function of each subsystem PFD:

These are the key parameters to be considered during the SIF verification:

To learn more about Safety Instrumented Systems (SIS), download the Risk-Based Approach – Preventing Hazardous Scenarios White Paper > https://bit.ly/3UDJs05


Risk Reduction through Quantitative Risk Assessment Webinar

Register for this complimentary 60-minute webinar presented by Marcel Amoros Marti for an overview of the concept of risk and Quantitative Risk Assessment (QRA), outlining the main steps in conducting a QRA as well as the type of results generated from this analysis. Additionally, this webinar will address the design of an Independent Protection Layer (IPL) from the reliability point of view with the aim to provide further insight and better inform process design and safety decisions.

Learn from our expert on risk reduction and register > https://bit.ly/3C1hP8o


Risk Assessments of Refinery Units Case Study

Using a combination of methodology and software, ioMosaic can customize risk assessments to carefully identify personnel, environmental, and operation hazards. Our approach is efficient and economical, making future revalidation easy for our clients.

To learn more, visit our website > https://bit.ly/36C1Ujb


#TRAINING

Process Safety Training

We offer a wide spectrum of safety, technology, and risk management training, delivered in-person, virtually, or online.

To try our complimentary online learning modules right now, visit > https://bit.ly/3KTZ4uJ

Process Safety Management (PSM) Essentials Course

According to the US Environmental Protection Agency (EPA), there are 150 serious chemical incidents a year in the U.S. This course teaches you why and how to create a robust PSM system to mitigate and prevent potential catastrophic incidents. With Process Safety Learning, you can master the 14 essential elements required by the Occupational Safety and Health Administration PSM Standard 29 CFR 1910.119, one module at a time. Bundle and save! Enroll 2 learners and get 1 course free for a limited time.

To learn more and register, visit > https://bit.ly/3JvHDj7

SuperChems Virtual Training

Charles Lea teaches techniques for addressing relief sizing for various scenarios, relief piping system design, flare header modeling and consequence modeling, as well as overviews of the Process Safety Office SuperChems v11.6 interface and its models, August 20-22, 2024. Register now and save 10%!

To learn more and register, visit > https://bit.ly/3UWW7P8


#SIL #SafetyInstrumentedSystems #RiskAssessment

Copyright © 2024 ioMosaic Corporation. All rights reserved



