
REV AA

09/26/03

Measurement Fundamentals

Safety Instrumented Systems

Introduction
Many industrial processes are inherently hazardous. These processes typically use toxic, flammable
or reactive materials, often at elevated temperatures and pressures. In the event of equipment
malfunction or human error in these processes, a catastrophic event could happen. Safety
Instrumented Systems (SIS) are automation systems designed to prevent these events.
Interest in these systems, particularly in the chemical, petrochemical, and refining industries, has
increased over the last few years because of new international standards.
A safety instrumented system is defined as a system composed of sensors, logic solvers and final
control elements designed for the purpose of:
- Automatically taking a process to a safe state when pre-determined conditions are violated.
- Permitting a process to move forward in a safe manner when specified conditions allow.
- Taking action to mitigate the consequences of an industrial hazard.
Safety Instrumented Systems are very similar to control systems in that they both use similar
components. However, given the purpose of a SIS, additional design requirements must be met. This
guide will provide an overview of these additional requirements.
This module contains the following sections:
Section 1: SIS Fundamentals
Section 2: SIS Standards
Section 3: SIS Loop Components - FMEDA Analysis Results and Applications
Section 4: SIS Loop Design
Section 5: SIS in the Future

PERFORMANCE OBJECTIVE
After you have completed this training course, you will understand Safety Instrumented Systems
basics, Standards, and the application of those standards.

Section 1 SIS Fundamentals


In this section you will learn the basic fundamentals of Safety Instrumented Systems.

LEARNING OBJECTIVE
After you have completed this section, you will be able to:
List and briefly explain:
- Layers of protection
- The purpose of an SIS
- Components of an SIS

Layers of Protection
A plant has many layers of protection to protect personnel, equipment, and local communities from a
catastrophic event. These layers are also present to protect the company's reputation and provide
legal protection in the event that a catastrophic event occurs.
Some layers of protection are prevention layers, some layers are mitigation layers. A prevention layer
is there to prevent the catastrophic event from happening. A mitigation layer is used to contain the
event and reduce its cost after the event has occurred.

Figure 1.1

Figure 1.1 shows typical layers of protection. The Basic Process Control System (BPCS), Alarms,
and Safety Instrumented Systems are prevention layers. The rest of the layers are mitigation layers.
To illustrate layers of protection, let's look at a vessel where a reaction is taking place. Given the right
conditions, the reaction could run away and, without different layers of protection, the tank could
explode and cause significant damage. This example is depicted in figure 1.2.
The prevention layers are:
- Layer 1 - Basic process control system to control the temperature/pressure
- Layer 2 - An audible alarm to tell the operator to manually shut a valve to stop the reaction
- Layer 3 - An SIS to reduce the pressure before the tank explodes.
The mitigation layers are:
- Layer 4 - A pressure relief valve to open before the tank ruptures.
- Layer 5 - The Plant Emergency Response team to make sure that the vapor released by the
pressure relief valve does not cause further damage and to minimize contamination of the
environment.

Figure 1.2 Layers of Protection example

Safety Instrumented Systems


What is the significance of an SIS layer and why does SIS have a dedicated standard? The SIS layer
is the last prevention layer. If there is a failure in the SIS, the hazard cannot be contained; only the
mitigation layers remain to limit the amount of resulting damage. It is important that the SIS layer
provide enough protection to prevent significant damage or loss of life. The amount of protection
required comes down to one term: risk management.

Risk Management
When it comes to risk management, the process industry parallels the risk management of our
personal lives. For example, when we get into an automobile and drive, we take a risk of damaging our
car or other cars, a risk of injury to ourselves or others, and a risk of death to ourselves or others. To
reduce risk:
- The government dictates some risk reduction with laws like car impact protection, mandatory
seat belts, speed limits, and other traffic laws.
- The automobile manufacturers offer some risk reduction through standard safety equipment
and some optional safety equipment for the safety conscious.
- We decide how much more risk reduction we want by buying the safety options, or by not
driving while drinking, tired, or in bad weather.
The process industry parallel is:
- The government dictates risk reduction through laws or directives.
- The process industry offers risk reduction ideas by publishing standards and/or best
practices information.
- The plant decides at what level of risk it can operate, based on corporate standards, capacity
levels and other factors.

Risk management is not easy. Figure 1.3 illustrates the typical forces involved in the risk
management formula. The government can dictate some risk management, but the end-user has to
make the final decision on how safe the SIS layer should be.

Figure 1.3 Forces affecting SIS selection: Moral, Legal, Financial

SIS Components
Safety Instrumented Systems (SIS) are very similar to Basic Process Control Systems (BPCS). The
systems include all the elements from the sensor to the final control element connected to the
process, including inputs, outputs, SIS user interfaces, power supply, and a logic solver. SIS
components are usually separate and independent from the BPCS.
Although you have to consider all the things that are listed above when specifying a SIS, the three
key components in the calculation are:
- sensors
- a logic solver
- final control elements.

Figure 1.4 Three major components of a SIS: Sensor, Logic Solver, Control Element

Sensors
Sensors measure pressure, temperature, flow, mass flow, level, flame (flame detectors), pH or other
parameters. They range from simple pneumatic or electrical switches to smart transmitters with onboard
diagnostics. SIS sensors can be the same as typical process sensors (under certain qualifying
conditions that will be covered later) or can be sensors specifically designed for SIS applications.
Sensors specially designed for SIS have extra internal diagnostics and software allowing fault
detection and controlled access to device setup and calibration.
Again, the standards do not prescribe any specific type or technology for sensors used in SIS
applications. It is up to the designer of the system to determine the optimal/safest technology.
What the standards do define are the specific requirements the end user must follow when
specifying, installing, and maintaining sensors.

Logic Solver
The logic solver is typically a controller that reads signals from the sensors and executes
preprogrammed actions to prevent a hazard. There are many similarities between a safety logic
solver and a conventional DCS or PLC. They both perform logic functions and both have input and
output capability from sensors and final control elements. The difference is that the SIS Logic Solver
is designed to be fault tolerant, to have internal redundancy, and to fail in a safe mode. It has extra
internal diagnostics, hardware and software that allow it to detect faults. The safety logic solver also
has added security to guard against accidental configuration changes.
Similar to sensors, the standards do not dictate what type of Logic Solver to use, only the
requirements for its application. Typical logic solvers on the market include: Triconex, HIMA, GE, and
Siemens-Moore (Quadlog).

Final Control Elements


Final Elements represent the final stage in implementing a safety shutdown. This is the piece that
acts to bring about the safe state. These elements include solenoid valves, ON/OFF valves, and
motor starters. The most common are solenoid valves which provide air to a diaphragm or the piston
actuator of a process shutdown valve. Valve suppliers including Fisher have recently released
smart positioners expressly designed for SIS applications. Similar to sensors, SIS final elements can
be the same as typical process final elements under certain qualifying conditions (covered later) or
they can be specifically designed for SIS applications. These specially designed final elements have
extra internal diagnostics and software enabling fault detection.
Again, similar to sensors, the standards do not prescribe any specific technology for final elements
used in SIS applications. It is up to the designer of the system to determine the optimal/safest
technology. The standard only states the requirements the end user must follow.
SIS Component Summary
There is a common theme across the three components of a SIS: diagnostics. A SIS is designed to detect a
process upset and bring the process back to a safe state. It is imperative that the operator is aware of any
SIS fault and is able to respond to it.
If complying with the standard were a game, bonus points would be awarded for components with a
high percentage of internal component diagnostics or a proven history of detecting faults. Penalty
points would be awarded for situations where undetected faults occur (plugged impulse lines,
corrosion, ...). The user would be awarded extra points for testing for faults that could go undetected,
either internal to the components or external, like impulse lines.
The bottom line is that the higher the overall loop diagnostic coverage, the easier it is to comply with
SIS standards and the less testing is required by users to maintain compliance.

Section 1 Quiz
1.1 The purpose of an SIS system is to:
a. automatically take a process to a safe state
b. permit a process to bypass a hazardous area
c. take action to prevent a hazard
d. all of the above
1.2 What are the three major components of an SIS?
a. front end, middle, back end
b. sensor, logic solver, final control element
c. input, processor, output
d. analysis, design, operation
1.3 An SIS is:
a. the first mitigation layer
b. the last Prevention layer
c. a prevention layer average
d. a mitigation layer average
1.4 The three forces involved in risk management are:
a. Moral, Legal, Engineering
b. Moral, Legal, Technical
c. Moral, Legal, Financial
d. Moral, Legal, Management
1.5 A similar theme for specially designed safety hardware is:
a. the devices are qualified by a third party organization
b. internally redundant
c. visually identified
d. the devices have more diagnostics than BPCS hardware

Section 2 SIS Standards


There are multiple documents for guidance when designing and operating SIS applications. This
section will cover the relevance of the guidance documents and two published international standards
for SIS.
After completing this section you should be able to:
- Explain the hierarchy of guidance
- Explain/understand the two international standards pertaining to safety systems

Hierarchy of Guidance
The hierarchy of guidance is important for understanding the actual SIS standards covered. The
hierarchy is Legislation, Regulation, Standards, and then Recommended Practices. This hierarchy is
important because it lays out what is mandatory, what is not, and what is in between. It effectively
creates a hierarchy of company and personal exposure to liability.
Legislation or Directives are laws enacted by officials at the country-union, country, state, or local
level. It is a criminal offense to disobey a law or directive, subject to jail or significant fines.
Regulations are rules which have the weight of law through delegation of authority. An example in
the United States is the EPA (Environmental Protection Agency). The federal government formed the
agency and delegated the power to create regulations, subject to criminal offense if not followed.
Another example in the US: OSHA, Occupational Safety and Hazard Association, has recognized that
if you follow the ISA S84.01 safety standard you will be in compliance with its PSM (Plant Safety
Management) regulation.
Standards are guidelines that are a consensus of an industry or group and typically target the lowest
level of acceptable engineering. They are typically developed by industry people and published through
agencies such as ANSI, ASME, IEC, and others.
Recommended Practices are recommendations of an industry group. Sometimes the practices are
published by an organization representative of a group, such as NAMUR or WIB. Sometimes these
recommended practices are published by a manufacturer.
If a company is negligent in complying with laws and regulations and a hazardous event happens,
criminal charges can be brought against the company. Ramifications include employees going to jail,
severe fines from the government and/or large punitive jury awards to injured people. If a company
is negligent in not complying with a standard and a hazardous event happens and there is damage or
somebody gets hurt, the company could be open to huge punitive jury awards but probably not a jail
sentence. If a company does not follow a recommended practice, it will probably not be liable for
anything.
The laws and regulations are also of interest to the plant's insurance company. In the first two
cases above, the plant's insurance company has to pay for the replacement of damaged
equipment and/or medical bills and possibly punitive awards, so it has an interest in making sure the
company is following all laws and standards. Providing insurance to a plant is a risk the insurance
company takes that nothing will happen and it will not have to pay claims. The more fully the plant
complies with all laws, regulations, and standards, the less likely a hazardous event is to happen and
the lower the insurance premiums will be.
An exception to the hierarchy is when a standard or recommended practice is given the power of law
or listed by a European directive. An example of this in the US is where OSHA simply references
a standard instead of writing its own regulation. An example in Europe is the Seveso Directive,
which was enacted in response to a dioxin release that contaminated 17 square km of land near Seveso,
Italy, and which references IEC61511 as a law to abide by.

Current Safety Standards


One of the reasons industries write their own standards and guidelines is to avoid government
regulation. The industry knows that if it doesn't police itself, the government will, and the outcome of
the regulation could be not what the industry wants or needs. Standards for safety in the process
industries have been around for many years. These standards were typically national or country
standards such as ISA S84.01 - 1996 in the US or DIN 92150 in Europe. The reality of an
international safety standard finally came in the 1990s.
The two most recent international standards for safety are:
- IEC61508 - Functional Safety of Electrical/Electronic/Programmable Electronic
Safety Related Systems
- IEC61511 - Functional Safety: Safety Instrumented Systems for the Process Industry Sector
Four other standards that are commonly referenced are:
- ISA S84.01 (US) - 1996 ISA standard. This standard was being developed by ISA at the same
time IEC61508 was being developed. It introduced new terminology that was incorporated into
IEC61511. ISA S84.01 will be replaced by ISA S84.01 (2003). ISA S84.01 (2003) is the same
as IEC61511 but will include a grandfather clause.
- DIN 92150
- NFPA 85 (US) - Standard for the Prevention of Explosions/Implosions in Multiple Burner Boilers.
- API RP 556 (US) - Recommended practice for instrumentation and control manuals for refinery
service-fired heaters and steam generators.
- API RP 14-C - Recommended Practice for Analysis, design, installation, and testing of basic
surface safety systems for offshore production platforms.

IEC61508
IEC61508 was the first attempt to write an international standard for safety. Its several parts were
approved between 1998 and 2000. The intent of the standard was to establish a foundation for
other industry-specific safety standards. The standard developed key points that all future standards
will follow:
1. It was the first standard to focus on risk-based safety-related system design.
2. It required performance-based assessment.
3. It used a lifecycle approach (conception to decommissioning).
An example of the risk-based system is basing the safety level of a loop on the amount of diagnostic
coverage. In IEC61508 the amount of diagnostic coverage is defined by a term named the Safe
Failure Fraction, SFF. Failures in a device can be categorized into four types as follows:
1. Safe detected - this is not an on-scale failure, but the component can detect it and act
appropriately.
2. Safe undetected - the component cannot detect this failure, but the failure will cause the
component output to go off-scale.
3. Dangerous detected - this is an on-scale failure that the diagnostics can detect and set the
component output into alarm.
4. Dangerous undetected - this is an on-scale failure that cannot be detected by diagnostics.
It can only be detected by testing.
The SFF is the fraction of the device's overall failure rate that is not dangerous undetected, i.e. all
faults other than dangerous undetected faults divided by all faults. In simple terms the SFF is the
amount of diagnostic coverage. A device with a SFF of 92.8% can detect 92.8% of all faults, or, put
another way, cannot detect 7.2% of all faults. The SFF depicts a confidence level that a device/loop is
working safely. The higher the SFF, the better the ability to know whether the loop is working
properly, the lower the risk of the event happening, and, as a byproduct, the less redundancy needed
to comply with the standard. SFF data is typically supplied by manufacturers of loop components on
a FMEDA (Failure Modes Effects and Diagnostic Analysis) report. The FMEDA report will be covered
in Part 4 of this study guide.
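The SFF calculation described above, as an added worked example that is not part of this study guide. It also shows the roll-up step that produces the four category totals from component-level FMEDA rows. The `FailureRates` class, the `aggregate` function and the component rows are constructed here; the failure rates are made-up FIT values chosen so that the device reproduces the 92.8% SFF quoted in the text, not numbers from any real FMEDA.

```python
"""Safe Failure Fraction (SFF) from the four IEC61508 failure categories.

Added worked example, not part of the study guide. The component rows are
constructed (made-up) FMEDA-style entries with rates in FIT (1e-9 failures
per hour), chosen so the totals reproduce the 92.8% SFF quoted in the text.
"""
from dataclasses import dataclass

CATEGORIES = ("SD", "SU", "DD", "DU")  # safe/dangerous x detected/undetected


@dataclass(frozen=True)
class FailureRates:
    """Per-category failure rates for one device, in FIT."""
    sd: float = 0.0
    su: float = 0.0
    dd: float = 0.0
    du: float = 0.0

    @property
    def total(self) -> float:
        return self.sd + self.su + self.dd + self.du


def aggregate(rows):
    """Sum FMEDA rows (component, failure mode, category, rate_fit) per category.

    This is the roll-up a FMEDA performs after each component's open, short
    or drift failure has been classified into one of the four categories.
    """
    sums = dict.fromkeys(CATEGORIES, 0.0)
    for component, mode, category, rate_fit in rows:
        if category not in sums:
            raise ValueError(f"{component} {mode}: unknown category {category!r}")
        if rate_fit < 0:
            raise ValueError(f"{component} {mode}: negative failure rate")
        sums[category] += rate_fit
    return FailureRates(sums["SD"], sums["SU"], sums["DD"], sums["DU"])


def safe_failure_fraction(r: FailureRates) -> float:
    """SFF = (all failures except dangerous undetected) / all failures.

    Equivalently 1 - lambda_DU / lambda_total. The dangerous undetected
    share (1 - SFF) is what only a proof test will ever reveal.
    """
    if r.total <= 0:
        raise ValueError("total failure rate must be positive")
    return (r.sd + r.su + r.dd) / r.total


# Constructed FMEDA-style rows: 1000 FIT in total, 72 FIT dangerous undetected.
EXAMPLE_ROWS = [
    ("U1 regulator", "short", "SD", 300.0),
    ("U1 regulator", "open", "SU", 200.0),
    ("R12 sense resistor", "open", "SD", 200.0),
    ("R12 sense resistor", "drift", "DD", 150.0),
    ("C4 filter cap", "short", "DD", 78.0),
    ("C4 filter cap", "drift", "DU", 72.0),
]


def example_sff() -> float:
    """SFF for the constructed device: 1 - 72/1000 = 0.928 (92.8%)."""
    return safe_failure_fraction(aggregate(EXAMPLE_ROWS))


if __name__ == "__main__":
    rates = aggregate(EXAMPLE_ROWS)
    print(f"total {rates.total:.0f} FIT, DU {rates.du:.0f} FIT, SFF {example_sff():.1%}")
```

Note that the SFF says nothing about how many failures there are in absolute terms: two devices with very different total failure rates can share the same SFF, which is why the guide later calls it "just a ratio".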
Many of our customers adopted IEC61508 because of its risk-based design, which could result in far
more cost effective implementations, but its intent was a basic or umbrella safety publication.
The standard is extensive. It has 7 parts and can be applied to any industry sector. This broad
coverage made it onerous to comply with in the process industry sector. From IEC61508 came other
industry-specific standards such as IEC61513 for the Nuclear Sector, IEC62061 for the Machinery
Sector, and the one we are most interested in, IEC61511 for the Process Sector. Many of these
industry-specific standards reference IEC61508 for specific SIS components.
Figure 2.1 IEC61508 (generic) and the industry-specific standards derived from it: IEC61513 (Nuclear Sector), IEC62061 (Machinery Sector), IEC61511 (Process Sector)

Figure 2.2 is a drawing directly from IEC61511. It is an example of an industry specific standard,
IEC61511, referencing IEC61508.

Figure 2.2 IEC61508 and IEC61511 relationship (drawing reconstructed as a list)
Process Sector Safety Instrumented Systems
- Process Sector Hardware
  - Developing new hardware devices: follow IEC61508
  - Using proven-in-use hardware devices: follow IEC61511
  - Using hardware developed and assessed according to IEC61508: follow IEC61511
- Process Sector Software
  - Developing embedded (system) software: follow IEC61508-3
  - Developing application software using full variability languages: follow IEC61508-3
  - Developing application software using limited variability languages: follow IEC61511

So - IEC61511 is the standard/guideline for users and system integrators.
IEC61508 is the standard/guideline for manufacturers of safety equipment such as Rosemount.
Recent safety standards are written in a life cycle format. The safety life cycle is hailed as a common
sense approach to SIS, as it starts with the analysis of whether an SIS is needed and ends with
decommissioning of the loop if it is no longer needed. The ISA S84.01 safety standard was the first
standard to introduce the safety life cycle. The IEC61508 life cycle is similar. The standard and its steps
are all written in the sequential order in which somebody would implement the standard. The individual
sections in the life cycle and how the SIS is planned and documented do vary between the standards
but are very similar.
Figure 2.2 illustrates the IEC 61508 Safety Life Cycle. The life cycle/standard has 16 sections that
can be broken down into three categories. The categories are:
- Analysis - the plant is analyzed for potential hazards, the risk from the hazards is analyzed, and a
safety system requirements document is generated.
- Design - the SIS design activities are done to make sure the SIS meets the safety system
requirements.
- Operation - the SIS is installed, operated, tested, modified, or decommissioned.

Figure 2.3 IEC61508 Safety Life Cycle (drawing reconstructed as a list; the numbers are the lifecycle phase numbers shown in the drawing)
Analysis
- 1 Concept
- 2 Overall Scope Definition
- 3 Hazard & Risk Analysis
- 4 Overall Safety Requirements
- Safety Requirements Allocation
- Overall Planning: Overall Operation & Maintenance Planning; Overall Validation Planning; Overall Installation & Commissioning Planning
Design
- 9 Safety Related Systems: E/E/PES - Realisation
- 10 Safety Related Systems: Other Technology - Realisation
- 11 External Risk Reduction Facilities - Realisation
Operation
- 12 Overall Installation & Commissioning
- 13 Overall Safety Validation
- 14 Overall Operation & Maintenance
- 15 Overall Modification & Retrofit (back to the appropriate Overall Safety Lifecycle phase)
- 16 Decommissioning

IEC61511
IEC61511 was published in January 2003. It has three parts:
- Part One is the framework, definitions, hardware, and software requirements
- Part Two is the guidance for applying the requirements
- Part Three gives examples of how to apply Part One.
IEC61511 was developed specifically for the process industry and is recognized as a more
understandable version of IEC61508. It:
- Is risk based
- Is less prescriptive and more goal orientated than IEC61508
- Has industry specific vocabulary
- Has some new terminology
- Has industry specific examples and tailored requirements
- Requires more documentation.
Risk Based
IEC61511 is more risk based than IEC61508. Determination of safety coverage is stated in terms of
RRF (Risk Reduction Factor) and SIL (Safety Integrity Level). In a most basic example, a plant
calculates that if a certain hazard occurs it could cost the plant $100 M. The plant standard, decided
through corporate policy and insurance, is that it should not have an exposure of more than $500K. In
this case the SIS design needs to decrease the risk by a factor of 200, a Risk Reduction of 200. The designer
can now look at IEC61511 to determine the Safety Integrity Level (SIL) that must be achieved to meet the
target risk reduction.


Less Prescriptive and more goal orientated than IEC61508


IEC61511 allows the user much more flexibility in achieving a safety goal. Similar to IEC61508, it
allows probability calculations to be qualitative, calibrated qualitative, or quantitative. An example is
how often a tank could overflow:
- Not very often - qualitative
- Not very often (with "not very often" defined as 5-10 years) - calibrated qualitative
- Once every 7 years - quantitative
The only requirement is that the user document the logic behind how the decisions were made.
Industry specific vocabulary
Layers of Protection is a standard term in the process industry. IEC61511 specifically states that a
Layers Of Protection Analysis, LOPA, be conducted. The process industry has always had back-up
protection, and some of the back-up protection had a secondary back-up protection. The LOPA process
documents all primary, secondary, and other layers of protection and the risk reduction associated
with the layers. The user/designer can then calculate the existing risk reduction.
A second term is HAZOP (Hazard operational evaluation). Similar to LOPA, the standard requires a
documented HAZOP-type analysis to determine if a SIS is required.
New Terminology
IEC61511 is the first standard to use the term SIS. Many acronyms have been used for safety
shutdown systems. These acronyms are also used in other industries meaning something completely
different. The IEC61511 committee agreed on SIS, Safety Instrumented System, as a unique
identifiable acronym for process industries. SIS now replaces legacy terms such as ESD (Emergency
Shutdown Systems) and SSD (Safety Shutdown Systems.)
Another new term is SIF (Safety Instrumented Function). It is defined as a function to be implemented
by a SIS to achieve or maintain a safe state. A few examples of SIFs are:
- Open a valve
- Shut off a pump
- Turn on a siren.
A SIF is a single function, whereas a SIS is the actual hardware that performs the function. One
SIS can cover many SIFs. For example, a safety analysis may identify three SIFs that will prevent the
tank from exploding. An SIS is a single system with the sensors, logic solver, and final control
elements designed to detect and act to prevent a tank from exploding. One SIF could be the opening
of the valve to cool the vessel.
Another new and very important term introduced in IEC61511 is PFD, Probability of Failure on
Demand. PFD is defined as the probability that the loop/device will have failed or be in a failure mode
upon demand, when it is needed during a hazardous situation. PFD is the inverse of the RRF, Risk
Reduction Factor. The Risk Reduction Factor is the amount of risk you want to take out of a particular
hazard occurring, see figure 2.3. If you want your Risk Reduction to go up, the probability that a
failure would cause the system to malfunction has to go down. As a manufacturer, PFDs need to be
provided for all the equipment that is intended for use in a SIS. As a user, the PFDs of all devices in
the SIS loop are needed, as they are an integral piece of information during the design phase.
The PFDs of the loop devices are summed and the sum is then compared to the target SIL PFD.


Figure 2.3 shows the SIL table referenced in IEC61511. The target SIL can be found from either the
RRF or the PFD. Typically a customer would calculate the risk reduction they need for a
specific hazard, then look at this table for two important pieces of information:
- Target SIL
- Target PFD
Also notice that the process industry only has SIL1, SIL2, or SIL3. IEC61511 states that if an event
needs SIL 4 protection, the process needs to be reengineered.
Figure 2.3 SIL table (reconstructed from the drawing; demand mode of operation)

Safety Integrity Level | Probability of failure on demand per year | Risk Reduction Factor
SIL 4                  | (not used in the process sector; see above) | -
SIL 3                  | >=10^-4 to <10^-3                          | 10000 to 1000
SIL 2                  | >=10^-3 to <10^-2                          | 1000 to 100
SIL 1                  | >=10^-2 to <10^-1                          | 100 to 10
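The RRF, SIL and PFD relationships described above (the $100 M / $500 K example, PFD = 1/RRF, the SIL table, and the summing of loop PFDs against the target), carried through as an added worked example that is not part of this study guide. The PFD bands are the Figure 2.3 values and the dollar figures are the text's; the `SIL_TABLE` structure, the function names and the device PFDs in `example_loop` are constructed here, except the 0.0005 sensor figure, which is the 3051C PFDavg quoted later in the guide.

```python
"""Target SIL and PFD from a required Risk Reduction Factor, using the
IEC61511 SIL table reproduced in Figure 2.3.

Added worked example, not part of the study guide. The $100 M consequence
and $500 K tolerable exposure are the figures used in the text; the PFD
bands are the Figure 2.3 values. The device PFDs in example_loop() are
constructed except the 0.0005 sensor figure (the 3051C PFDavg from the guide).
"""

# (SIL, PFD lower bound inclusive, PFD upper bound exclusive), from Figure 2.3.
SIL_TABLE = (
    (3, 1e-4, 1e-3),   # RRF 10000 to 1000
    (2, 1e-3, 1e-2),   # RRF 1000 to 100
    (1, 1e-2, 1e-1),   # RRF 100 to 10
)
SIL4_PFD_LIMIT = 1e-4  # below this the process sector says re-engineer the process


def required_rrf(consequence_cost: float, tolerable_cost: float) -> float:
    """RRF = unmitigated exposure / tolerable exposure ($100 M / $500 K = 200)."""
    if consequence_cost <= 0 or tolerable_cost <= 0:
        raise ValueError("costs must be positive")
    return consequence_cost / tolerable_cost


def target_pfd(rrf: float) -> float:
    """PFD is the inverse of the Risk Reduction Factor."""
    if rrf <= 0:
        raise ValueError("RRF must be positive")
    return 1.0 / rrf


def target_sil(rrf: float) -> int:
    """SIL whose PFD band contains 1/RRF.

    Returns 0 when the PFD is at or above 0.1 (below SIL 1, no SIL credit
    from this table) and raises when it is below 1e-4, since IEC61511 has no
    SIL 4 for the process sector: the process must be re-engineered instead.
    """
    pfd = target_pfd(rrf)
    if pfd < SIL4_PFD_LIMIT:
        raise ValueError(f"RRF {rrf:g} needs SIL 4: re-engineer the process")
    for sil, low, high in SIL_TABLE:
        if low <= pfd < high:
            return sil
    return 0


def loop_pfd(device_pfds) -> float:
    """Loop PFD is the sum of the device PFDs (sensor + logic solver + final element)."""
    return sum(device_pfds)


def sis_target(consequence_cost: float, tolerable_cost: float) -> dict:
    """Everything the designer reads off the table for one hazard."""
    rrf = required_rrf(consequence_cost, tolerable_cost)
    return {"rrf": rrf, "sil": target_sil(rrf), "pfd": target_pfd(rrf)}


def example_loop() -> dict:
    """The text's $100 M / $500 K hazard checked against a candidate loop."""
    target = sis_target(100e6, 500e3)          # RRF 200 -> SIL 2, target PFD 0.005
    devices = {
        "sensor (3051C PFDavg from the guide)": 0.0005,
        "logic solver (constructed value)": 0.0002,
        "final element (constructed value)": 0.0020,
    }
    actual = loop_pfd(devices.values())
    return {**target, "loop_pfd": actual, "meets_target": actual <= target["pfd"]}


if __name__ == "__main__":
    for key, value in example_loop().items():
        print(f"{key}: {value}")
```

The band edges are taken exactly as the table states them (lower bound inclusive, upper bound exclusive), so an RRF of exactly 1000 gives a PFD of 10^-3 and lands in SIL 2, not SIL 3; a designer who needs SIL 3 credit must show an RRF strictly above 1000.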

Figure 2.4 illustrates the Safety life cycle of IEC61511. It still has the three major components of
Analysis, Realization, and Operation. The major difference is the three vertical bars. These represent
the documentation piece of IEC61511. It requires thorough documentation of all the decisions that
were made in all stages of the life cycle.
How hardware is qualified under Prior Use is new.
Figure 2.4 IEC61511 Safety life cycle (drawing reconstructed as a list; the numbers are the phase numbers shown in the drawing)
Vertical bars spanning all phases: Management of functional safety and functional safety assessment and auditing; Safety life-cycle structure and planning; Verification
Analysis
- 1 Hazard and risk assessment (Clause 8)
- 2 Allocation of safety functions to protection layers
- 3 Safety requirements spec for the SIS
Realization
- 4 Design and engineering of SIS
- Design of other means of risk reduction
Operation
- 5 Installation, commissioning and validation (Clause 14 & 15)
- 6 Operation and maintenance
- 7 Modification
- 8 Decommissioning
Other clause references shown in the drawing: Clause 5, Clause 6.2, Clause 7, 12.4 and 12.7, Clause 17

Section 2 Quiz
2.1 The three major sections in the IEC61511 Lifecycle are analysis, design, and operation
T or F
2.2 IEC61511 standard is designed to be used by the
a. end user
b. system integrator
c. manufacturer
d. a or b
2.3 One SIS can handle multiple SIFs
T or F
2.5 Which is the most important to adhere to?
a. Legislation
b. Regulation
c. Standard
d. Recommended Practice


Section 3 FMEDA
An FMEDA, Failure Modes Effects and Diagnostic Analysis, is a required report for hardware used in
a SIS. This report provides detailed analysis and the required device data for users to determine the
suitability of the device for use in a SIS.
After completing this section you should be able to:
- Explain who is responsible for producing the FMEDA
- Explain/understand the major terminology used on the FMEDA
The FMEDA is commissioned by the manufacturer and is typically done by an independent party, but
can be done by the manufacturer. The process is a systematic analysis of every component in the
evaluated device. The analysis evaluates each component in the device and the effect on the output
if the component opens, shorts, or changes value. Typically this analysis is done by looking at
schematics but sometimes by actually injecting the fault. All outcomes are categorized into four
categories. All other calculations are based on these four values.
- Safe Detected
- Safe Undetected
- Dangerous Detected
- Dangerous Undetected
The manufacturer is provided with a full report of the analysis from the agency performing the
analysis. Typically all that is provided to customers is the summary report. The summary report does
not have a standard format or amount of data. Typically the minimum information provided is the
PFDavg, PFD Dangerous Undetected, SFF, the Test Interval and the assumptions of the analysis. This
information can be spelled out, expressed by the word Lambda, or by the symbol λ.
λ (Lambda) - PFD - Overall failure rate - Safe + Dangerous. The λ is standard on all FMEDA reports and
represents the overall number of failures over time, Number of Failures/Time, and is typically
expressed in number of failures per hour. It is important to understand that the PFD on a FMEDA is
calculated and as such is a theoretical number. The reason the PFD number is called a
theoretical number is that it could be significantly more conservative or liberal than actual field
failure data. Many customers keep device failure databases and calculate the PFD for their
plant/applications. For those who don't keep databases, the FMEDA numbers are what they use for
calculations.
λ/PFD is typically expressed in scientific notation, e.g. 638 x 10^-9. It can also be expressed in FITs (failures in
time). One FIT equals 1 x 10^-9. Therefore, 638 x 10^-9 is the same as 638 FITs.
See Example 3.1 to see how a customer could calculate the PFD for existing equipment.
A plant has 1306 3051C pressure transmitters. They are tested once per year. Over a three year
period there have been only 4 failures.
Time = 3 years x 1306 transmitters x 8760 hours/year = 34,321,680 hours
λ = 4 failures / 34,321,680 hours = 0.116 failures per million hours, or 0.001 failures/year
Example 3.1

PFDavg - The average Probability of Failure on Demand is a very important number, as the overall
PFDavg of the loop is a measure of loop safety. PFDavg is calculated and is a function of test
frequency and repair. As explained earlier, the longer a device goes without being tested for
undetected faults, the higher the probability that an undetected fault exists. An untested device's PFD
gets larger as time increases. The basic formula is λt/2. Again, if we use some of the data from
Example 3.1 and the basic formula, the PFDavg for this 3051C is 0.0005.
Figure 2.6 is the actual PFDavg graph for the 3051C. It is taken directly off the 3051C FMEDA. A
PFDavg that falls in the green area could qualify for use in a SIL2 application. A PFDavg that falls in the
pink area could qualify for use in a SIL3 application. You can see the 3051C PFDavg changes as the
proof test interval gets shorter.

figure 2.6 PFDavg

λDU (Lambda DU) - Number of dangerous undetected failures per unit of operating hours. Again, this
can be expressed in either of the formats described above (scientific notation or FITs). This is the most
important number on the FMEDA. For every dangerous undetected failure a proof test must be
performed to ensure
MTTF (Mean Time To Failure) - MTTF is just another measure of reliability. It is calculated as 1/λ, the
reciprocal of the failure rate. Assuming a constant failure rate, the MTTF for Example 3.1 is 8.62 million
hours or 984 years.
SFF (Safe Failure Fraction) - The fraction of all failures that are not dangerous undetected failures,
expressed in %. This number is more important to the manufacturer than to the user, as a
manufacturer's device must have an SFF above 90% to qualify for SIL 2 certification. Some
manufacturers claim their device is better because it has a higher SFF. It is important to understand
that this is just a ratio.
Proof Test Interval - A proof test for a device is the test defined by the manufacturer which, when
performed, will discover any dangerous undetected faults. The proof test interval is how often that test
has to be performed on the device to maintain the published PFDavg. The interval needs close review,
as the PFDavg can be made to look very good if frequent testing is assumed. For example, testing a
device once a month lowers the PFDavg but requires a large staff. Plants prefer to test the system only
during a plant shutdown, and shutdowns can be more than five years apart. Typically, the manufacturer
sets the proof test interval to one year. It is up to the customer to set the actual interval.
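The arithmetic of Example 3.1, the FIT conversion and the λ x t/2 and 1/λ formulas above, worked as an added Python example (this is not code from the original training module or from any FMEDA tool). The failure count, device count and years are the ones in Example 3.1; the comparison of several proof test intervals is an addition to show why the interval needs close review.

```python
"""Failure rate from field data, FIT conversion, PFDavg and MTTF.
Added example built on Example 3.1 above; not code from the original module."""

HOURS_PER_YEAR = 8760
FIT = 1e-9  # one FIT = one failure per 1e9 device-hours


def failure_rate_per_hour(failures, devices, years):
    """Constant failure rate estimated from field records: failures / device-hours."""
    device_hours = devices * years * HOURS_PER_YEAR
    return failures / device_hours


def to_fits(rate_per_hour):
    """Express a per-hour failure rate in FITs (638 x 10^-9 per hour -> 638 FITs)."""
    return rate_per_hour / FIT


def pfd_avg(rate_per_hour, test_interval_years):
    """Simplified PFDavg = lambda * T / 2 for a single device whose dangerous
    undetected faults are only found at each proof test."""
    return rate_per_hour * test_interval_years * HOURS_PER_YEAR / 2


def mttf_years(rate_per_hour):
    """Mean time to failure for a constant failure rate: 1 / lambda, in years."""
    return 1.0 / rate_per_hour / HOURS_PER_YEAR


def example_3_1(test_interval_years=1):
    """Example 3.1: 1306 transmitters, 3 years of records, 4 failures.
    Returns the figures the text quotes plus the PFDavg for the given proof test interval."""
    lam = failure_rate_per_hour(failures=4, devices=1306, years=3)
    return {
        "per_hour": lam,
        "per_million_hours": lam * 1e6,
        "per_year": lam * HOURS_PER_YEAR,
        "fits": to_fits(lam),
        "pfd_avg": pfd_avg(lam, test_interval_years),
        "mttf_years": mttf_years(lam),
    }


def pfd_vs_test_interval(rate_per_hour, intervals_years=(0.5, 1, 2, 5)):
    """The proof-test-interval point: PFDavg grows linearly with the interval T."""
    return {t: pfd_avg(rate_per_hour, t) for t in intervals_years}


if __name__ == "__main__":
    r = example_3_1()
    print(f"lambda = {r['per_million_hours']:.3f} failures per million hours "
          f"= {r['fits']:.0f} FIT = {r['per_year']:.4f} failures/year")
    print(f"PFDavg (1 year proof test) = {r['pfd_avg']:.5f}, MTTF = {r['mttf_years']:.0f} years")
    for t, p in pfd_vs_test_interval(r["per_hour"]).items():
        print(f"  proof test every {t} years -> PFDavg {p:.5f}")
```

The one year PFDavg rounds to the 0.0005 quoted above; doubling or quintupling the interval scales the PFDavg by the same factor, which is the whole reason a published PFDavg is meaningless without its assumed proof test interval.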


MTTR (Mean Time To Repair) - The time it would take to repair or replace a faulty device. This is
important as MTTR also affects the PFDavg. MTTR is typically 8 hrs.

Diagnostic Coverage - The percent of failures that are detected by internal diagnostics. This is not a
very useful number because:
1. many failures are detectable without a diagnostic
2. the figure has no standard to compare against. For example, a device with 100 faults which can
detect 90 of them has 90% diagnostic coverage, whereas a device with 20 faults which can detect
15 of them has 75% diagnostic coverage. The 20 fault device has a lower diagnostic coverage but
has five fewer undetected faults and could be the safer device.

Section 3 Quiz
3.1 An FMEDA is typically done by:
a. User
b. Manufacturer
c. Third party
d. Certified FMEDA agency
e. b or c
3.2 λDU on an FMEDA is:
a. Number of dangerous undetected failures
b. Number of detected dangerous failures
c. Number of "don't use" sensors in an SIS
d. A term rarely used in SIS applications
3.3 The actual Proof Test Interval is set by:
a. Manufacturer
b. Third Party
c. Doesn't matter
d. User

Section 4 SIS Design


The three major sections of IEC61511 are Analyze, Realization, and Operation.

Learning Objective
After you have completed this section, you will be able to:
List and briefly explain:
1. The major events in the three phases of the IEC61511 lifecycle
2. The difficulty in engineering a SIS loop
3. Voting systems
4. Requirements for using prior use devices

Analysis
The first thing done in the analysis phase is a functional safety assessment. The standard clearly
dictates that this assessment must be done by a cross functional team, and that the team includes
technical, application and operations personnel and at least one senior competent person.
The first responsibility of the team is to perform a hazard and risk assessment. This assessment must:
1. determine the hazards and/or hazardous events of the process and associated equipment
2. determine the sequence of events leading to each hazardous event
3. determine the process risks associated with each hazardous event
4. determine any requirements for risk reduction
5. determine the safety functions required to achieve the necessary risk reduction
6. determine whether any of the safety functions are safety instrumented functions
Performing a HAZOP (hazard and operational risk analysis) is done first. It is one of the new and
significant requirements of IEC61511. The requirement is a process to determine all the possible
hazards in the plant or process and the probability of each hazard actually occurring. There are two
major pieces to the HAZOP: how much the hazard is going to cost, including equipment damage and/or
human injury or loss of life, and the probability of the hazard occurring.
After all the hazards have been identified and a SIF identified for each hazard, a LOPA (Layers of
Protection Analysis) is performed. A LOPA is required for each SIF. Different safety functions are
assigned to layers and an assessment of the probability of the hazard occurring is derived. The LOPA
process requires documenting how the layers were assigned and how the risk reduction for each
layer is calculated. IEC61511 clearly states that this step is to be documented and that the logic must
be clear and traceable.

Figure 3.1 Layer of Protection Analysis (layers as drawn in the figure, outermost first):

Mitigate:
  Emergency response layer - Plant and Emergency Response
  Passive protection layer - Containment, Dike/Vessel
  Active protection layer - Relief valve, Rupture disk
Prevent:
  Safety Instrumented System - Emergency Shut Down (safety trip level)
  Operator Intervention - Process Shutdown
  Basic Process Control System - Process control (normal behavior)
Process

Figures 3.2 and 3.3 are an example of the assessment of a SIF. They calculate the probability of
flammable vapor escaping from a tank actually catching fire. The process can be done either
qualitatively or quantitatively. Figure 3.2 is a qualitative example of calculating the probability of the
excess vapor from a vent catching fire. You can tell it is a qualitative assessment because all
probabilities are described in words.
[Figure 3.2: fault tree for the top event "Excess vapor from vent catches fire". Basic events: No
Cooling Water, Operator fails to open CW valve, Cooling Water valve fails closed, Hot solvent supply,
Steam valve passes, Operator fails to adjust steam S.P., Controller fails to close valve, Source of
ignition; intermediate event: Excess vapor from vent; gates: OR, OR, OR, AND. Each event is rated
"Possible" or "Quite Possible" rather than with a number.]

Figure 3.2 Qualitative assessment of frequency of the hazardous event.

Figure 3.3 is a quantitative example of calculating the probability of the excess vapor from a vent
catching fire. You can tell it is a quantitative assessment because all probabilities are given numerically.
Either method, qualitative or quantitative, is acceptable. The only requirement per IEC61511 is that
the process be documented and that the logic be clear and traceable.

Figure 3.3 (reconstructed as text; probabilities per year as drawn in the figure):

Excess vapor from vent catches fire: 0.09
  AND
    Source of ignition: 0.1
    Excess vapor from vent: 0.9
      OR
        No cooling water (any cause): 0.4
          OR
            No Cooling Water: 0.1
            Operator fails to open CW valve: 0.25
            Cooling Water valve fails closed: 0.05
        Hot solvent (any cause): 0.5
          OR
            Hot solvent supply: 0.1
            Steam valve passes: 0.2
            Operator fails to adjust steam S.P.: 0.1
            Controller fails to close valve: 0.1

Figure 3.3 Quantitative assessment of frequency of the hazardous event.

The hazard and the probability of the hazard have now been calculated. The outcome of the
quantitative analysis is 0.09 occurrences per year, or one occurrence every 11.1 years. If the hazard
analysis determined that every time the hazard happens it costs the company $20 million, and the
corporate policy or insurance policy states that no risk should cost more than $50,000, the risk
must be lowered by a factor of 400 ($20,000,000 / $50,000 = 400).
Since the current design is not adequate from a safety standpoint, the risk needs to be lowered.
Some of the options are to:
- Reengineer the process so that the hazard does not exist or the risk is low.
- Add a SIS as a layer of protection to lower the risk.
- Add other layers of protection to lower the risk.
Typically the process cannot be easily redesigned, which leaves the two remaining alternatives.
The least expensive alternative is to add an alarm layer of protection. If you take the example in
Figure 3.3 and add an alarm layer, indicated by the AND gates in Figure 3.4, the probability of
excess vapor catching fire goes from 0.09 to 0.0065. Mathematically, 1/0.0065 = 153, so the risk
reduction after adding the alarm layer is only 153. Even with this extra layer it is still not enough to
satisfy the corporate or insurance policy.

Figure 3.4 (reconstructed as text; values as drawn in the figure):

Excess vapor from vent catches fire: 0.00065 as drawn (the text above quotes 0.0065)
  AND
    Source of ignition: 0.01 as drawn (0.1 in Figure 3.3)
    Excess vapor from vent: 0.065
      OR
        No cooling water branch with alarm layer: 0.04
          AND
            Alarm does not operate: 0.1
            No cooling water (any cause): 0.4
              OR
                No Cooling Water: 0.1
                Operator fails to open CW valve: 0.25
                Cooling Water valve fails closed: 0.05
        Hot solvent branch with trip layer: 0.025
          AND
            Trip does not operate: 0.05
            Hot solvent (any cause): 0.5
              OR
                Hot solvent supply: 0.1
                Steam valve passes: 0.2
                Operator fails to adjust steam S.P.: 0.1
                Controller fails to close valve: 0.1

Figure 3.4 Quantitative analysis with an alarm layer added
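The gate arithmetic of Figures 3.3 and 3.4, as an added Python example (not code from the original module). The basic event probabilities are the ones drawn in Figure 3.3; the alarm and trip failure probabilities are the ones drawn in Figure 3.4. The figures add OR inputs (the rare-event approximation), so that is the default here; the exact form for independent inputs is included for comparison, which goes beyond what the figures show.

```python
"""Fault-tree arithmetic behind Figures 3.3 and 3.4.
Added example, not from the original module; event probabilities are those drawn in Figure 3.3."""
from functools import reduce


def gate_and(*probabilities):
    """AND gate for independent events: all inputs must occur."""
    return reduce(lambda acc, p: acc * p, probabilities, 1.0)


def gate_or(*probabilities, rare_event=True):
    """OR gate. The figures add the inputs (rare-event approximation);
    the exact value for independent inputs is 1 - prod(1 - p)."""
    if rare_event:
        return sum(probabilities)
    return 1.0 - reduce(lambda acc, p: acc * (1.0 - p), probabilities, 1.0)


# Basic events as drawn in Figure 3.3 (per-year probabilities)
NO_COOLING_WATER_EVENTS = {
    "No Cooling Water": 0.1,
    "Operator fails to open CW valve": 0.25,
    "Cooling Water valve fails closed": 0.05,
}
HOT_SOLVENT_EVENTS = {
    "Hot solvent supply": 0.1,
    "Steam valve passes": 0.2,
    "Operator fails to adjust steam S.P.": 0.1,
    "Controller fails to close valve": 0.1,
}
SOURCE_OF_IGNITION = 0.1


def fire_frequency(alarm_fails=1.0, trip_fails=1.0, rare_event=True):
    """Top event: excess vapor from vent catches fire.
    alarm_fails = trip_fails = 1.0 means no protection layer (Figure 3.3).
    Figure 3.4 adds the alarm (fails 0.1) and trip (fails 0.05) as AND gates on the branches."""
    no_cw = gate_and(gate_or(*NO_COOLING_WATER_EVENTS.values(), rare_event=rare_event), alarm_fails)
    hot = gate_and(gate_or(*HOT_SOLVENT_EVENTS.values(), rare_event=rare_event), trip_fails)
    excess_vapor = gate_or(no_cw, hot, rare_event=rare_event)
    return gate_and(excess_vapor, SOURCE_OF_IGNITION)


def required_rrf(cost_per_event, tolerable_cost):
    """Risk reduction factor demanded by a cost-based tolerable-risk policy."""
    return cost_per_event / tolerable_cost


def rrf_for_frequency(frequency):
    """The text's figure of merit for a protection layer: 1 / residual frequency."""
    return 1.0 / frequency


if __name__ == "__main__":
    base = fire_frequency()
    with_alarm = fire_frequency(alarm_fails=0.1, trip_fails=0.05)
    target = required_rrf(20_000_000, 50_000)
    print(f"Figure 3.3: {base:.4f} per year (one every {1 / base:.1f} years)")
    print(f"Figure 3.4: {with_alarm:.4f} per year, 1/f = {rrf_for_frequency(with_alarm):.0f} "
          f"against a target RRF of {target:.0f}")
    print(f"same tree with exact OR gates instead of sums: {fire_frequency(rare_event=False):.4f}")
```

Summing OR inputs overstates the frequency when the inputs are not rare (0.9 for the intermediate event is far from rare), so the exact evaluation comes out lower; the approximation errs on the conservative side, which is the side a LOPA should err on.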

Thus, a SIS must be installed to meet the risk reduction target of 400. In SIS loops, risk reductions are
stated as SIL levels. The first thing to look at is IEC61511 section 9.2.4, where the SIL tables are
located. There are two tables. Table 3 is for the demand mode of operation and is the one most
frequently used in the process sector. As defined in IEC61511 Part 2, demand mode means the
demand for the action will be less than once per year. Table 4 would be used if the determined
demand were more than once a year.
For our example, a risk reduction of 400 is required. Using Table 3 (Figure 3.4) in IEC61511, look in
the Risk Reduction Factor column to see which block 400 falls in and then look to the left to find the
target SIL. With an RRF of 400, this SIS must be SIL2.
Safety Integrity Level | Probability of failure on demand per year | Risk Reduction Factor
(Demand mode of operation)
SIL 4                  | >=10^-5 to <10^-4                         | 100000 to 10000
SIL 3                  | >=10^-4 to <10^-3                         | 10000 to 1000
SIL 2                  | >=10^-3 to <10^-2                         | 1000 to 100
SIL 1                  | >=10^-2 to <10^-1                         | 100 to 10

Figure 3.4 IEC61511, Section 9, Table 3 - Safety integrity levels: probability of failure on demand

SIL 2 means that when adding up the PFDs of all the devices in the SIF, plus any penalties for
plugged impulse lines and other common cause failures, the PFD will not be less than 10^-3 demands
per year. For a very basic example, Figure 3.5 shows a flow application SIS. Using the most basic
calculation, the PFD of this loop is 308 x 10^-2 (228 x 10^-9 + 5 x 10^-9 + 308 x 10^-2).

Sensor: 228 x 10^-9
Logic Solver: 5 x 10^-9
Control Element: 308 x 10^-2

Figure 3.5 PFD Calculations
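The SIL lookup from Table 3 and the "most basic" loop calculation of Figure 3.5, as an added Python example (not code from the original module or from IEC61511). The SIL bands are the ones in the table above; the sensor and logic solver PFDs are the Figure 3.5 values, while the final element PFD is a constructed placeholder chosen so that the loop lands in a definite band.

```python
"""SIL lookup from IEC 61511 Table 3 (demand mode) and the most basic loop PFD sum.
Added example, not from the original module. Sensor and logic solver PFDs are the Figure 3.5
values; the final element PFD is a constructed placeholder."""

# (SIL, PFDavg lower bound inclusive, PFDavg upper bound exclusive) from the table above
SIL_BANDS = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]


def sil_for_pfd(pfd_avg):
    """SIL band a PFDavg falls into: 0 if it is too high even for SIL 1,
    None if it is below the SIL 4 band (outside the table)."""
    if pfd_avg >= 1e-1:
        return 0
    for sil, low, high in SIL_BANDS:
        if low <= pfd_avg < high:
            return sil
    return None


def sil_for_rrf(rrf):
    """Target SIL for a required risk reduction factor (RRF = 1 / PFDavg)."""
    return sil_for_pfd(1.0 / rrf)


def loop_pfd(elements):
    """Most basic series calculation: loop PFDavg is the sum of the element PFDavgs."""
    return sum(elements.values())


def dominant_element(elements):
    """Which element drives the loop PFD, and its share of the total."""
    total = loop_pfd(elements)
    name = max(elements, key=elements.get)
    return name, elements[name] / total


def loop_meets_target(elements, target_rrf):
    """True when the loop's SIL band is at least the SIL the target RRF demands."""
    achieved = sil_for_pfd(loop_pfd(elements))
    if achieved is None:  # below the SIL 4 band: better than anything the table asks for
        return True
    return achieved >= sil_for_rrf(target_rrf)


# Constructed flow loop: Figure 3.5 sensor and logic solver, placeholder final element
FLOW_LOOP = {
    "sensor (Figure 3.5)": 228e-9,
    "logic solver (Figure 3.5)": 5e-9,
    "final element (constructed placeholder)": 2.5e-2,
}

if __name__ == "__main__":
    print(f"RRF 400 -> SIL {sil_for_rrf(400)}")
    total = loop_pfd(FLOW_LOOP)
    name, share = dominant_element(FLOW_LOOP)
    print(f"loop PFDavg = {total:.3e} -> SIL {sil_for_pfd(total)}; "
          f"{name} contributes {share:.4%}")
    print(f"meets RRF 400? {loop_meets_target(FLOW_LOOP, 400)}")
```

With the placeholder final element the loop sits in the SIL 1 band and the valve contributes essentially all of the PFD, which is the point the design section below makes: nothing done to the sensor or logic solver matters until the final element's PFD comes down.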

The Analysis phase is just about complete. The last requirement is the SIS safety requirements
document. This document is produced by the safety team and is a very comprehensive document that
describes all the requirements of the SIS. It starts with the description of the SIF and then describes:
- The safe state of the process
- The assumed demand rate
- Test intervals
- Response time requirements
- SIL level
- Manual shutdown requirements
- How to restart the system
- Maximum allowable spurious trip rate
- Interfaces between the SIS and other systems
- Extremes of environmental conditions
- Time to repair requirements
- And many other requirements

DESIGN
The design phase is where the SIS safety requirements document comes to life. This is where the
equipment and equipment configuration are selected to meet the documented requirements.
Getting the equipment needed to meet the SIL level specified in the Safety Requirements Document
can be a long, laborious task. It is a juggling act of finding the right equipment that:
- requires the least amount of maintenance and testing
- meets the required performance specifications
- will have the least amount of spurious trips
- works in the proposed environment
- has the required response time
- has the required Mean Time To Repair

Figure 3.6 (design flow, reconstructed from the figure's boxes):
System Requirements Spec -> Select Technology -> Select Architecture -> Determine Test philosophy
-> Reliability, safety evaluation -> SIL Achieved? (loop back if not) -> SIS Detail Design

Figure 3.5 is a typical first calculation, where the PFD for the loop is 308 x 10^-2. Notice that the
valve is so dominant (large PFD) that the other devices are insignificant in the calculation. Valves
have large PFDs because they are primarily mechanical, and the mechanical pieces don't move in a
SIS unless an upset is detected. There are strategies to lower the PFD number of the valve so that the
other devices become more significant, such as using certified positioners or testing more often. At
some point the cost of the valve configuration becomes unrealistic and it is time to look at the sensor
and logic solver to help lower the PFD.
To begin, the first step is to look at the fault tolerance table. The fault tolerance table indicates the
mandated minimum number of redundant sensors needed for a particular SIL. The table is in
IEC61511. In our example we need SIL2; referring to Figure 3.7, a minimum of two sensors is needed
to stay in compliance.

[Figure 3.7 Fault Tolerance Table: columns SIL and FTmin (minimum fault tolerance); the figure
refers to IEC 61508 for the table entries.]

Figure 3.7 Fault Tolerance Table

Figure 3.8 is an example of using the fault tolerance table. For a SIL1 application the fault tolerance is
0, which means all you need for your SIS is one sensor. For a SIL2 application the fault tolerance is 1,
which means you need two sensors, one and a backup, for your SIS.

[Figure 3.8 Fault Tolerance Table example: the SIL / FTmin table of Figure 3.7 with two entries
marked BPC (basic process control sensors) for the SIL1 and SIL2 cases described above.]

Figure 3.8 Fault Tolerance Table example

There are three ways to qualify/justify equipment for use in an SIS. The combination of the right
equipment and redundancy is needed to lower the PFD. The key is getting the two critical pieces of
information needed to verify the SIS meets the SIL requirement: PFD and SFF. The three ways are:
1. You can use existing equipment or new non-certified equipment. Using existing or new
non-certified equipment requires the user/designer/integrator to look for equipment reliability data.
There are multiple sources for this data: OREDA (Offshore Reliability database), CCPS
(American Society of Chemical Engineers database), or exida, which has its own reliability
database. A person could look up a piece of equipment and get the MTBF (Mean Time Between
Failures). They could then calculate PFD as it is the reciprocal of the MTBF. There is no SFF
data published, so an educated estimate must be made. There are many issues with designing
from database information, but the primary one is that analog pressure transmitters, smart
pressure transmitters, and pressure switches are frequently lumped together. Being lumped
together yields a very high PFD, which forces the user to use maximum redundancy in the design.
So the initial lower cost of using standard equipment is offset by the added redundancy and proof
test requirements.
2. You can qualify existing equipment through the Prior Use clause in the standard. For Prior
Use the user is required to keep a large database of equipment type, revisions, installation
connections and installation processes. The user can then use this database to calculate all the
data needed to verify the SIS meets the SIL. The issue is maintaining the database, especially
with the new requirements of IEC61511.
Qualifying a piece of hardware under IEC61511 Prior Use now requires:
a. Consideration of the manufacturer's quality management, configuration management and
management of change.
   1. The manufacturer must have a process that documents the impact of product modifications.
b. Demonstration of performance of components in similar operating profiles and
environments.
c. Maintaining a list of approved use based on extensive history in safety or non-safety
applications.
   1. The list must be maintained and reviewed regularly
   2. Field devices can be added after sufficient operating experience
   3. Field devices must be removed when they have a history of not performing
   4. Process applications are included

If the database can be maintained, the reward is less redundancy needed in the design.
IEC61511 lets you take a credit of one if you can qualify a sensor under Prior Use. Figure 3.9
shows an example of getting the fault tolerance credit. With the credit I only have to use one
sensor in the SIL2 loop.

[Figure 3.9: the SIL / FTmin table with a "Prior Use" column showing a -1 credit (two entries marked
-1); the figure refers to IEC 61508 for the table entries.]

Figure 3.9 Fault Tolerance with Prior Use

3. You can buy certified equipment. Certified equipment lowers the PFD and lowers the
redundancy requirements, but it is typically specialized equipment that is not as reliable as
standard equipment. So even though certified equipment will make it easier to meet the
required PFD and SFF, it traditionally has a higher spurious trip rate and might require
special maintenance. A spurious trip is a trip of the SIS caused by a device malfunction rather
than by the process. The other advantage of certified equipment, besides less redundancy, is that
the manufacturer is responsible for making sure all changes made within the transmitter do not
affect the safety of the transmitter.

[Figure 3.10: the SIL / FTmin table with a "Certified IEC61508" column showing a -1 credit (two
entries marked -1); the figure refers to IEC 61508 for the table entries.]

Figure 3.10 Fault Tolerance using IEC61508 SIL2 certified sensors

Figure 3.9 shows an example of getting the fault tolerance credit. With the credit you only have to use
one sensor in the SIL2 loop.


The three ways of qualifying sensors for use are:

Third Party Reliability database
- High PFD
- Maximum redundant sensors
- High installed and maintenance cost
Prior Use
- Low PFD
- Probably high reliability, because this is what you typically use throughout the plant
- Fault Tolerance credit: lower redundancy
- Low maintenance cost
- You must maintain a detailed reliability database
Certified Sensor
- Low PFD
- Questionable reliability
- Fault Tolerance credit: lower redundancy
- Higher maintenance cost

Redundant sensors might have to be used because:
1. The Fault Tolerance table requires them
2. It might be the only way to get down to the target PFD
3. Up time (reliability) is needed
When redundant equipment is used it is called a voting system. There are many different voting
systems. A sample of the names: 1oo2, 2oo2, 2oo3, 1oo2D, 2oo2D.
Figure 3.11 illustrates some voting system schematics. A and B represent installed sensors. The
1oo2 diagram illustrates that there are two transmitters installed and if either one of them fails the
circuit is complete and the safety system will trip. The 2oo2 schematic illustrates that both sensors
need a fault before the circuit is complete and the system trips. The advantages and disadvantages
of these configurations are very detailed and will not be covered in this document.

Figure 3.11 Standard Voting Logic

Another redundancy configuration utilized sometimes is specified with a D at the end. Examples are
1oo2D or 2oo2D. The D means that the control system has separate hardware to alarm in case of a
failure. The advantage of the diagnostic channel is lower PFDs without redundant sensors.


figure 3.8 Voting Logic plus a diagnostic channel

Common cause problems are sometimes an issue with voting systems. Common cause faults are
faults that a shared stress, such as pressure, temperature, or humidity, could cause in all the
equipment at the same time. The stress would cause an undetected failure in all the equipment at
once and the user would never know it. For example, a high temperature could cause the same
undetected failure in every sensor. Many experts say that using a variety of technologies (diversity)
is the safest way to go. However, diversity only provides value if the backup is immune to the stress
that affects the primary sensor. Using a variety of technologies can also complicate proof testing and
maintenance.
Part of the loop PFD calculation addresses identical redundant equipment. This correction is specified
as beta and can sometimes be found on the FMEDA report. Some manufacturers (Rosemount) do
not publish a beta on the FMEDA, as beta is only used in voting systems and the FMEDA is for a
single device. Additionally, this calculation requires more information than a single device's data.
Sometimes the correction to the PFD is small, but it can be significant.
Be aware that things are not intuitively obvious when it comes to SIS. Dual redundancy is not
always better than single redundancy, and triple redundancy is not always better than dual
redundancy. Which technology, redundancy, and test interval are chosen makes a big difference.
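The "dual redundancy is not always better" point and the beta correction, as an added Python example (not code from the original module or from any FMEDA). The formulas are the usual simplified approximations for identical channels with a constant dangerous undetected failure rate, no diagnostics and repair time ignored, which is enough to show the trend but is not a certified calculation; the 0.001 failures/year rate is the Example 3.1 figure treated, as an assumption, as entirely dangerous undetected.

```python
"""Simplified PFDavg for 1oo1, 1oo2, 2oo2 and 2oo3 voting with a beta-factor common cause term.
Added example, not from the original module. Simplified approximations only: constant lambda_DU,
identical channels, no diagnostics, repair time ignored. lam is failures per year, T is the proof
test interval in years, beta is the fraction of lambda_DU that hits all channels at once."""


def pfd_1oo1(lam, T):
    return lam * T / 2


def pfd_1oo2(lam, T, beta=0.0):
    """Both channels must fail dangerously before the function is lost; the common cause
    share beta*lam behaves like a single channel and is added separately."""
    independent = (1 - beta) * lam
    return (independent * T) ** 2 / 3 + beta * lam * T / 2


def pfd_2oo2(lam, T):
    """Either channel failing dangerously defeats the function: worse than 1oo1 for safety.
    2oo2 exists to cut spurious trips, not to lower PFD."""
    return lam * T


def pfd_2oo3(lam, T, beta=0.0):
    """Any two of three channels must fail; three such pairs, plus the common cause term."""
    independent = (1 - beta) * lam
    return (independent * T) ** 2 + beta * lam * T / 2


def compare_architectures(lam, T, beta):
    """PFDavg of each architecture for one failure rate, test interval and beta."""
    return {
        "1oo1": pfd_1oo1(lam, T),
        "1oo2 (beta=0)": pfd_1oo2(lam, T, 0.0),
        f"1oo2 (beta={beta})": pfd_1oo2(lam, T, beta),
        "2oo2": pfd_2oo2(lam, T),
        f"2oo3 (beta={beta})": pfd_2oo3(lam, T, beta),
    }


if __name__ == "__main__":
    lam = 0.001  # Example 3.1 rate, assumed here to be all dangerous undetected
    for T in (1, 5):
        print(f"proof test interval {T} year(s):")
        for arch, pfd in compare_architectures(lam, T, beta=0.1).items():
            print(f"  {arch:16s} PFDavg = {pfd:.2e}")
```

Two things stand out in the output: 2oo2 has twice the PFD of a single sensor, and a 10% beta makes the 1oo2 PFD roughly 150 times worse than the independent-failure calculation alone, so the common cause term, not the second sensor, decides what the redundant pair is worth.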
Different tactics/philosophies are used at this stage to select SIS hardware. Some use internal staff,
some over engineer almost everything, thinking they are safe no matter what the requirement is, and
others use engineering firms that specialize in SIS.
On one end of the spectrum are the big multinational companies. They are staffed to design a
system providing the safety coverage needed at the right CAPEX and OPEX. They have reliability
departments that track and supply data to support using standard BPCS equipment in SIS under the
Prior Use clause. They have specialized departments that can specify a system that is safe and
economical.
Some plants take the easy way and just make all loops SIL3 plant wide and do not pursue extensive
calculations. If there is a hazard they install a SIL3 loop. This can be a very expensive way of
complying with the SIS standards, in both CAPEX and OPEX. The increased CAPEX comes from having
to buy extra equipment, wiring, system I/O, and installation. After installation there is high OPEX from
performing the extra proof tests.
Engineering firms are starting to emerge that specialize in safety standard compliance and safety
shutdown systems. Process companies of all sizes hire these firms to help them in all aspects of
safety compliance. These specialized engineering firms have people that specialize in areas from
HAZOPs to SIL selection, to SIS specifying, installation, and startup.


Many plants outsource their SIS engineering. Most of the outsourcing is to their normally contracted
engineering firm, some of which have expertise in SIS and some of which don't. This is where you will
have the most questions and probably the most marginally acceptable SIS engineering. This is
especially true in jobs where the emphasis is on low cost.
There are some tools available on the market to help your customers through the design phase. For
example, exida has a program called SILver, an online program with a large reliability database that
allows the user to select many different technologies from a variety of manufacturers. The program
uses reliability data from multiple sources and asks the difficult questions to account for other faults
such as plugged impulse lines. The user initially selects a sensor, logic solver, architecture, and a final
element. The program then calculates the PFD and the SIL level that can be achieved by that
configuration. It then allows the user to keep modifying the variables until the required SIL is reached.
As stated earlier, SIS design is not an easy task. Only the biggest companies are staffed and have
the proper tools; others contract design work to safety specialty engineering firms.

Installation and Operation


The SIS installation and commissioning part of the IEC61511 standard starts at section 12. There is a
planning phase where assignments are made as to who is going to do the installation. Then there
are multiple requirements to make sure the manufacturer's instructions (safety manual) are followed,
a visual inspection is made of the installation and the devices, and the instruments are calibrated.
Records of commissioning of the SIS shall be produced, stating the test results and whether the
objectives of the design phase have been met.
Safety validation is the next to last, and the most labor intensive, step before operation can begin.
Again this is a process that documents the testing of the SIS to ensure it meets the SIS design
document. Written procedures are required on how to test the system during start-up, automatic and
manual operation, resetting, shutdown, maintenance, bypass, and more.
One other section in the operation phase covers modification of a SIS. The standard clearly states that
a team be assembled to evaluate the impact on safety of any system modification. It also states that
the evaluation be clearly documented.
The last section in IEC61511 is the decommissioning of an SIS. Again it is primarily a documentation
exercise that ensures that everybody knows the SIS is being decommissioned.
Section 4 Quiz
4.1 A HAZOP is recommended practice.
T or F
4.2 The SIS requirements document is the last requirement in the ________________ section.
a. Analysis
b. Design
c. Operation


4.3 CAPEX and OPEX are covered in depth in IEC61511.
T or F
4.4 Redundant devices in the loop:
a. Lower the PFD
b. Raise the PFD
c. Have no effect on the PFD
d. Cannot tell without more information
4.5 The diagram below is a schematic of a ______________ voting system.
(diagram not included in this copy)
a. 2oo2
b. 2oo3
c. 3oo2
d. 1oo3
4.6 Additional requirements for Prior Use devices per IEC61511:
a. They must be registered with the IEC61511 committee
b. They must have consideration of the manufacturer's quality
c. They must have documented evidence of installation and failure history
d. Both b and c


Section 5 SIS in the Future


International standards are standardizing SIS requirements throughout the world. This section will
cover the migration of world area/country standards to one IEC standard and some of the anticipated
changes to those standards.

Learning Objective
After you have completed this section, you will be able to:
Briefly explain:
How fast IEC61511 is being adopted.
What the next major modification to IEC61511 will be.
Safety has always been an important part of the process industry. Many years ago the process
industry figured out it needed to police itself to ensure that workers, plants, and surrounding
communities are safe. They knew that if they did not police themselves, the government would.
As time went on, different standards became the standard to follow. Sometimes the standards were
modified as a better practice was determined. Sometimes the standards were modified as technology
changed. Europe was the world leader in drafting safety standards. In other world areas safety
standards were created or modified after a catastrophic plant accident.
International agreement is finally here. IEC61511 was basically ten years in the making and is gaining
popularity. Within the next year IEC61511 will become the standard for the European Community
and the United States. There will be some changes by world area, but the basics of the standard will
be common.
An example of a small change per world area is the United States. The standard for the United States
has been ISA S84.01. ISA is in the process of replacing ISA S84.01 with IEC61511. The new document
will be titled ISA S84.01 (2003). It is IEC61511 with one small modification that allows users to adopt
the standard while all existing installations are grandfathered. This means that even though the user
adopts IEC61511 they do not have to go through their plant immediately and bring it into compliance.
They can bring their existing installations into compliance during the normal review cycle, which is
every three to five years.
The next major modification to the standard is allowing different protocols to be used in SIS
applications. Today the standard only recognizes 4-20mA as a safe signal. Profibus has released a
version with a safety layer within the protocol which is being recognized as safe. Foundation
fieldbus is working on getting certified for use in SIS applications. Currently there is an ISA committee
drafting a requirements document to allow digital protocols in SIS applications that will eventually
become part of IEC61508 and IEC61511. It could be another year or two before digital buses are
approved for use in a SIS.
As with all IEC documents, IEC61511 will be reviewed and updated in five years.


Section 5 Quiz
5.1 How fast are the United States and Europe going to adopt IEC61511?
a. By the next world environmental summit
b. Within the next five years
c. Within the next two years
d. Within the next year
5.2 The next major modification to IEC61511 will be:
a. Additional requirements for Prior Use devices
b. Allowing the use of digital buses
c. Addition of a grandfather clause
d. Additional requirements for system integrators
