Safety instrumented systems: Tips from the trenches: Part I
The two-part installment introduces safety instrumented systems (SIS) and outlines specific tips on designing, developing, and verifying SIS applications.
Today’s article focuses on the purpose and application of the SIS as well as safety integrity layer (SIL) calculations. The second installment will finish up with exploring tips for SIS hardware and the control system interface.
“What is this SIS thing?” I’ve been asked that.
“It makes your hair fall out.” I’ve answered that.
In all seriousness, a safety instrumented system (SIS) is commonly referred to as a control system, but it is actually a critical shutdown system. It is composed of sensing devices, logic solvers, and final elements. An SIS contains interlocks known as safety instrumented functions (SIFs) that put the process in a safe state in order to mitigate the risk of a hazardous situation. The sole function of an SIS is to protect life and limb, not mechanical equipment.
The SIS is the last line of defense in automation. This is opposed to the basic process control system (BPCS) that sits on the front lines. The BPCS performs the basic regulatory control functions in the plant, and is the workhorse of automation.
ANSI/ISA 84.00.01-2004 (IEC 61511 Mod) is the SIS standard for the process industry. It is a performance-based (rather than prescriptive) standard meaning that all components of the SIS have to meet certain performance criteria. And, it is the burden of the SIS developer to determine how to meet these criteria.
Designing, developing, and verifying an SIS can be an onerous task. Here are some tips based on real-world experience that may be helpful:
Nothing should be placed in an SIS unless it is required by a process hazard analysis (PHA). Furthermore, if a PHA has not been performed on the process, there is no justification for even having an SIS. This is the most important item in the list. Read it again.
- An SIS can be expensive and has a considerable lifecycle commitment. For this reason, if the PHA for a plant only has single-credit deficits in a few scenarios, installing an SIS would not be the most cost effective option. Adding hard-wired interlocks as a separate layer of protection (this could even involve programmable stand-alone controller) may be the best method to take care of the PHA credit deficit.
- A BPCS is used for control while an SIS is used for safety. Control functions should not be placed in the SIS. Likewise, critical safety functions should not be placed in the BPCS.
- SIS logic should be simple and straight-forward. For instance, a high level on a tank closes a block valve and stops a pump. Period. The SIS is not the place for long sequences or complex operations. Those belong in the BPCS.
- When choosing an SIS, select a system that has been certified as SIL 3 (this should cover any safety function ever required by the process). Certain processors are SIL capable and this should not be confused with SIL certified. SIL certified means that the system has been vetted by a qualified third party for the specified SIL and is good to go out of the box. SIL capable means the system is able to attain the given SIL only if an extra set of safety guidelines are followed by the user. These guidelines can be extensive and complicated. They also put an extra burden and expense on the person designing, configuring and maintaining the SIS. Even if a SIL-capable system is designed and installed following all of the required safety guidelines, there is always the possibility that a modification could be made in the future that would invalidate the system’s SIL capability.
SIL and SIL Calculations
- Each SIF is required to have a calculated safety integrity level (SIL) that defines the amount of risk reduction it can provide. A SIF is the only item that can truly carry a SIL rating. Some devices are certified as SIL 2 or SIL 3, but that only means they have been proven as acceptable for use in a SIL 2 or SIL 3 safety function (with possible redundancy requirements). Using one of these instruments does not automatically guarantee a SIL 2 or 3 interlock. A SIL calculation still has to be performed incorporating all devices and factors in the SIF.
- While a safety function’s SIL is based primarily on the probability of failure on demand (PFD) determined from a calculation, there is also an accompanying SIL that is based on the architectural requirements of the function. This requirement deals with the redundancy of each device in the SIF and depends on the hardware fault tolerance (HFT) of each instrument. A device’s safety certificate will list the HFT that is required for each SIL value that the device is certified for. An HFT of 0 means no redundancy is required, while an HFT of 1 means 1oo2 redundancy is needed. SIL 1 does not require redundancy unless the safe failure fraction (percentage of total failures that are safe vs. dangerous) of a smart instrument is less than 60% (and this is rare). In this case, the instrument will have to be redundant in order to even meet SIL 1. SIL 2 typically requires redundancy in either the initiating or final devices while SIL 3 will require it for both. After taking all of this into account, the final achieved SIL of the safety function will be the lesser of the SIL from the PFD calculation and the SIL from the architectural requirements.
- The main component of the PFD calculation is the dangerous undetected failure rate (λDU) of each device in the safety function. There are three other types of device failure rates (safe detected, safe undetected and dangerous detected), but they are not related to the PFD. λDU can be found on the device’s safety certificate or its failure modes effects and diagnostic analysis (FMEDA) report. It is usually expressed in units of failures in time (FIT) which is failures per billion hours.
- SIL 4 interlocks are science fiction in the process industry (however, they are seen in nuclear reactors, airplanes and railways). If a process hazard requires a SIL 4 interlock, it is time to go back to the drawing board. SIL 3 interlocks are difficult and expensive and should be rare at best.
- The test interval (how often a complete SIF validation test is performed) and mission time (how often a device is replaced or refurbished to as-new condition) both affect the SIL. Lowering either one can potentially lower the PFD and raise the SIL. For this reason, people may play with the test interval or mission time values in order to force a SIF into a SIL value it normally would not be able to meet. Beware of this. It is good practice to adopt a standard test interval (typically one year) for all SIFs and a standard mission time (typically 10 or 15 years) for categories of SIS devices. It is highly unlikely someone will remember that one particular SIF that needs to be tested monthly, or that one instrument that needs to be replaced every year.
Today’s article just scratched the surface of SIS basics. Keep in mind the tips presented, including the fact that the SIS should be used for safety and not basic control – it’s the last line of defense for the automation system and intended as a critical shutdown system. There are several nuances to be aware of when designing, developing and verifying a safety instrumented system. We have much more to cover in the next article, including SIS hardware and the interface to the main control system.
This post was written by Jay Griffin. Jay is a principal engineer at MAVERICK Technologies, a leading automation solutions provider offering industrial automation, strategic manufacturing, and enterprise integration services for the process industries. MAVERICK delivers expertise and consulting in a wide variety of areas including industrial automation controls, distributed control systems, manufacturing execution systems, operational strategy, business process optimization and more.
MAVERICK Technologies is a CSIA member as of 3/20/2015