Improving Safety in Process Control

Environmental law, customers, and good business sense require finding effective ways to integrate plant safety into industrial process systems. No one wants an unsafe situation, but overengineering safety can put a company out of business almost as fast as a major violation.Regulatory agencies' standards and regulations require process plants to protect against accidental damage to person...


Key Words


  • Process control & instrumentation

  • Safety

  • Process control systems

  • Standards and regulations

  • Redundant control

Environmental law, customers, and good business sense require finding effective ways to integrate plant safety into industrial process systems. No one wants an unsafe situation, but overengineering safety can put a company out of business almost as fast as a major violation.

Regulatory agencies' standards and regulations require process plants to protect against accidental damage to personnel and the environment. Agencies include the U.S. Occupational Safety and Health Administration, the American Petroleum Institute, and the U.S. Environmental Protection Agency, to name of few. In the European community, standard and certifying agencies include the International Electrotechnical Commission, and TÜV.

To minimize risk, these agencies generally need extensive documentation of process design, operation, maintenance, training, and plant renovations.

Compliance with regulations often requires formal company safety and operation review. Techniques such as a Hazard and Operability (HAZOP) study, Hazard Analysis (HAZAN), or Fault Tree Analysis (FTA) can reveal potential operating and safety-related design problems. A hazard study may disclose, for example, that a plant should implement a Safety Instrumented System (SIS) to properly minimize a potentially hazardous process condition.

Instrumented systems designed to protect the plant differ significantly from systems designed for basic process control. Safety instrumented systems continuously monitor selected variables, but remain inoperative until an abnormal and possibly dangerous condition arises. To function successfully, a SIS requires a higher level of performance and diagnostics than normally needed by general-purpose process control equipment. Additionally, plants often specifically identify safety systems, and physically separate them from general-purpose control systems.

The ANSI/ISA-S84.01-1996 "Application of Safety Instrumented Systems for the Process Industry" standard defines SIS as, "A system composed of sensors, logic solvers, and final control elements for the purpose of taking the process to a safe state when predetermined conditions are violated."

This definition can also be applied to other commonly used plant safety systems, such as emergency shutdown systems, safety shutdown systems, and safety interlock systems.

Key questions to ask

A process control engineer implementing a safety instrumented system must answer several questions:

  • What level of risk is acceptable?

  • How many layers of protection is needed?

  • When is a safety instrumented system required?

  • Which architecture should I choose?

Industry standards now exist that provide a basic framework for answering these questions.

ISA S84.01 was organized around the safety life cycle (see flowchart). This systematic approach for designing safety systems can be applied to various hazardous processes—conception through decommissioning. Even so, many methods for performing the initial activities of safety life cycle are out of the standard's scope.

Evaluate risks

The best way to minimize risks in plant operation is to design inherently safe processes. In practice, total inherent safety is not always achievable.

Risks prevail wherever hazardous or toxic materials are stored, processed, or handled. Since it is difficult, if not impossible, to completely eliminate all levels of risk, some level of operational risk must be agreed upon. To specify the required performance of a safety system, control engineers must determine an acceptable level of operational risk.

After properly identifying process hazards, using a HAZOP study is among the ways to evaluate each process risk, usually by considering the severity and likelihood of a hazardous event. Determining severity requires the control engineer to assess site-specific conditions, including population density, in-plant traffic patterns, and meteorological data. Control engineers can determine the likelihood of a hazardous event by certain qualitative or quantitative techniques or in some cases by examining historical data.

After understanding the severity and likelihood of a hazardous event, engineers can rank the risks (see graphic). Risk reduction techniques would be necessary if the process exhibited risk higher than the company's acceptable level.

Multiple independent protection layers, or IPLs, reduce risk for process plants that operate with potential to cause harm. Control engineers design each protective layer to avoid or mitigate the harmful effects of a hazardous event. Protection layers start at the process and work outward to a community emergency response during an escalating incident (see graphic). Each layer should be separate and stand alone.

Rating for safety

ISA S84.01 does not specify how to decide if a Safety Instrumented System is needed, nor does it require any particular method of hazard analysis. (The American Institute of Chemical Engineering's documentation does address this.) The ISA standard does provide a common rating system called the Safety Integrity Level (SIL).

SIL defines three levels of safety performance for a safety instrumented system: 1, 2, and 3. The higher the SIL value, the greater the risk reduction. This increased risk reduction results from availability of the safety functions. Factors such as redundancy, frequent testing, and diagnostic fault detection tend to increase SIL levels, improving the SIS risk reduction. (For European and other countries in process of adopting draft international standard IEC D61508, a four-layer model is standard.)

ISA S84 shows a correlation that exists between the SIL values and three key performance metrics—safety availability, probability of failure on demand (PFD), hazard reduction factor (HRF). Safety availability represents the fraction of time that a safety system can perform its designated safety service when the process is operating (see table). PFD indicates the probability of a system failing to respond on demand. The following expression defines the relationship between safety availability and PFD:

Safety Availability = 1– PFD.

It often may be desirable to express the SIL level in terms of the hazard reduction factor, where HRF is defined as: HRF = 1/PFD.

Linking risks to SIL

To determine the application of an SIS for an actual installation, the control engineer should use a qualitative classification of risk assessment.

A qualitative evaluation of safety integrity level weighs the severity and likelihood of the hazardous event. It also considers the number of independent protection layers addressing the same cause of a hazardous event.

Once determined, such an SIL value becomes the basic communication interface and requirement parameter for implementing the safety instrumented system. (Such systems do not necessarily have to include a programmable electronic system. Hard-wired relay systems are often used and can meet SIL 3 requirements.) SIL 3 is quantified in ISA S84.01 as a Probability of Failure on Demand average range (PFD avg) of 10-3to 10-4.

Safety architectures

Several system architectures are applied in process safety applications, including single-channel systems to triple redundant configurations. Control engineers must best match an architecture to operating process safety requirements, accounting for failure in the safety system.

One concern is that many safety systems in operation, or under construction, do not follow basic protection principles. Unsafe practices include:

  • Performing the safety shutdown within the basic process control systems (BPCS) or distributed control systems (DCS).

  • Using conventional programmable logic controllers (PLCs) in safety critical applications. (Safety PLCs are certified to meet safety critical applications to SIL 2 and SIL 3.)

  • Implementing single element (nonredundant) microprocessor-based systems on critical processes.

The conventional PLC architecture provides only a single electronic path. Sensors send process signals to the input modules. The logic solver evaluates these inputs, determines if a potentially hazardous condition exists, and energizes or de-energizes the solid-state output. (Fire and gas detection systems, for example, use the "energized to trip" philosophy.)

In case of failure

Suppose the safety system de-energizes the output to move the process to a safe state. Suppose also that one of the components in the single path fails so that the output cannot be de-energized. Then the conventional PLC won't provide its desired safety protection function.

A special class of programmable logic controllers, called safety PLCs, represents an alternative. Safety PLCs provide high reliability and high safety via special electronics, special software, pre-engineered redundancy, and independent certification. The safety PLC has input/output circuits designed to be fail-safe, using built-in diagnostics. The central processing unit (CPU) of a safety PLC has built-in diagnostics for memory, CPU operation, watchdog timer, and communication systems.

Progress, complexities

Accurately evaluating the safety level for a specific control device in the context of a potential hazardous event poses a major and difficult problem for many control engineers. Associations and agencies worldwide have made considerable progress toward establishing standards and implementation guidelines for safety instrumented systems. These standards attempt to match the risk inherent in a given situation to the required integrity level of the safety system.

Unfortunately, many of these guidelines and standards are not specific to a particular type of process and deal only with a qualitative level of risk. Control engineers must use considerable judgment in evaluating risk and applying instrumentation that properly addresses established design procedures within budget restraints.

For more information about Moore Process Automation Solutions, Circle 274 or visit

Probabilities of Safety
Safety integrity levels (SIL) correspond to specific ranges of safety availability, probability of failure on demand (PFD), and hazard reduction factor (HRF).


Safety availability

Probability of PFD average range


Cahners Business Information graphic with data from the ISA S84 standard



10-1 to 10-2




10-2 to 10-3




10-3 to 10-4


Acronyms of Process Safety


basic process control systems


distributed control system


fault tree analysis


hazard and operability


hazard analysis


hazard reduction factor


independent protection layers


probability of failure on demand


programmable logic controller


safety integrity level


safety instrumented system


safety requirement specification

Safety and Standards-Related Organizations
Safety knows no borders, but organizations for regulations, certifications, and standards do. Here are a variety of sources across the worldworth getting to know. For added information, circle the following numbers on the card in this issue or visit




American Petroleum Institute (API)


American Institute of Chemical Engineers (AIChE)

New York

American National Standards Institute (ANSI)

New York

British Standards Institution (BSI)


European Committee for Electrotechnical Standarization (CENELEC)


European Committee for Standardization (CEN)


Factory Mutual Research (FM)

Norwood, Mass.

Food and Drug Administration


Global Engineering Documents

St. Louis, Mo.

International Electrotechnical Commission (EIC)


International Organization for Standardization (ISO)


ISA Research Triangle

Park, N.C.

Occupational Safety and Health Administration (OSHA)


National Fire Protection Association (NFPA)

Quincy, Mass.

TÜV Product Service

Munich, Germany

U.S. Environmental Protection Agency (EPA)


Cahners Business Information graphic with data from Moore Process Automation Solutions, Rockwell Automation, Internet.

Author Information

Charles M. Fialkowski is senior marketing specialist, Critical Systems Marketing, Moore Process Automation Solutions (Moore Products Co.), Spring House, Pa.

No comments
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by...
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
Controller programming; Safety networks; Enclosure design; Power quality; Safety integrity levels; Increasing process efficiency
Additive manufacturing benefits; HMI and sensor tips; System integrator advice; Innovations from the industry
Robotic safety, collaboration, standards; DCS migration tips; IT/OT convergence; 2017 Control Engineering Salary and Career Survey
Featured articles highlight technologies that enable the Industrial Internet of Things, IIoT-related products and strategies to get data more easily to the user.
This article collection contains several articles on how automation and controls are helping human-machine interface (HMI) hardware and software advance.
This digital report will explore several aspects of how IIoT will transform manufacturing in the coming years.

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

Infrastructure for natural gas expansion; Artificial lift methods; Disruptive technology and fugitive gas emissions
Mobility as the means to offshore innovation; Preventing another Deepwater Horizon; ROVs as subsea robots; SCADA and the radio spectrum
Future of oil and gas projects; Reservoir models; The importance of SCADA to oil and gas
Automation Engineer; Wood Group
System Integrator; Cross Integrated Systems Group
Jose S. Vasquez, Jr.
Fire & Life Safety Engineer; Technip USA Inc.
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
click me