Process Safety

Four overlooked aspects of risk management, process safety

Process safety trends in risk management and functional safety: The basic process control system (BPCS) focuses on optimizing the process for business continuity. Risks mitigated through “after-the-fact” measures try to minimize an event’s impact. Between these strategies lies the very important layer of Safety Instrumented Systems (SIS). See four often overlooked aspects of risk management.

By Erik Reynolds, CFSE, PMP November 26, 2015

Automation can help people operate more safely, and that requires a proactive application of risk management techniques. Functional safety is a positive move and can help control engineers and those around them rest easier. Risk management has four often overlooked areas.

What is risk management?

Every engineered system has risks: to people, to the environment, and to 
equipment and/or facilities. These risks are here to stay, but the key to good risk management is to drive them down to as low as reasonably practicable (ALARP). Functional safety, the planned reduction of those risks through automated safety systems, is increasingly being specified as a requirement in the design and retrofit of processes. Safety Integrity Levels (SILs) are here to stay.

In the process sector, risks are prevented, controlled, and mitigated through layers of protection. At the fundamental level, the basic process control system (BPCS) focuses on optimizing the process for business continuity. However, the BPCS alone provides only a piece of the risk prevention and control strategy. Conversely, risks are mitigated through "after-the-fact" measures that try to minimize the impact of an undesirable event. In between these two strategies lies the very important layer of Safety Instrumented Systems (SIS).

1. Often overlooked is an initial risk assessment: Conducting an initial risk assessment early in the process design is a critical and often missing element. Since everything relating to functional safety hinges on a proper risk assessment, re-using an old one or simply not conducting one at all hamstrings any further efforts. In fact, up to 40% of the failures in industrial accidents can be traced back to poor or lacking initial risk assessments and requirement specifications. 

Meaning of SIS?

What is a SIS? A SIS is the last line of defense before calling the fire department and various three-letter government agencies. When all else fails, the SIS saves the day.

SIS can address specific needs expressed in the Safety Requirements Specification (SRS) as Safety Instrumented Functions (SIFs). These come out of a Process Hazard Analysis (PHA) or Hazard and Operability (HAZOP) study. Most processes will have several loops working simultaneously to bring risk to a tolerable level. Such systems can employ electronic, pneumatic, hydraulic, or combination control methods.

A SIS usually consists of one or more sensing elements reporting the state of the system, a logic processor to make decisions that keep the system in a safe state, and a suite of actuators to carry out the commands of the logic processor. The successful implementation of such a safety system can reduce residual risk by several orders of magnitude, with obvious benefits to safety as well as business continuity.

The best practices for the design, realization, operation, maintenance, and decommissioning of a SIS for the process sector are outlined by IEC 61511/ISA 84. Manufacturers of specific products, such as sensors, logic controllers, or actuators, are governed by IEC 61508. Understanding the similarities and differences between these two approaches is critical to the effective specification of components in the SIS.

2. Often overlooked is a requirements allocation: The importance of requirements allocation is often overlooked in SIS design. This vital step is where SIFs are delegated to hardware, software, or some combination of the two. Often designers are ready to jump ahead in the process and start building the system before they have a good grasp on what the best architecture is to accomplish the required risk reduction. However, such a "leap before you look" mentality can lead to either an over-designed system that is also very expensive or, tragically, an under-designed system that exposes the operation to unacceptable risk.

Achieving a SIL

How do you achieve an SIL? Both approaches above use SILs to quantify the trustworthiness of a SIS. Ranging in increasing confidence from SIL 1-4, each SIL represents an order of magnitude increase in the trustworthiness of the SIS to reduce risk to a tolerable level. This trustworthiness is measured by probability of failure on demand (PFD) calculations.

Achieving a given SIL requires the satisfaction of three requirements: probability of failure on demand (PFD), hardware fault tolerance (HFT), and safe failure fraction (SFF). All three must be achieved in concert to validate that the SIFs in the SRS are adequately realized.

3. Often overlooked is the use of available architectures: To streamline the process of achieving a SIL, it is helpful to leverage available architectures, which are often overlooked. Meeting the required PFD can be very onerous if using a one-out-of-one (1oo1) architecture. However, the design of redundancy in the system, such as with a two-out-of-three architecture (2oo3), can both increase the safety and reduce the overall cost of the system. This can also help with the tradeoff between having a system that detects dangerous conditions while minimizing spurious trips (false alarms). 

FSM importance

How important is functional safety management (FSM)? Part of driving down risk also means paying careful attention to risk throughout the development lifecycle, whether for a process or a product. So FSM is perhaps the most important part of any attempt at realizing reduced risk. A good FSM execution is documented, auditable, and verifiable by functional safety assessments, both internal and external.

4. Often overlooked is the use of functional safety throughout the lifecycle: Functional safety management needs to be the first thing started in the process and also the last thing completed. Waiting until after the design is finalized (or worse yet, after the system is built and ready to be commissioned) before thinking about FSM is a sure way to encounter schedule delays and cost overruns.

What’s next for process safety?

Where will process safety progress? As societies around the world become increasingly risk averse, there is great opportunity to leverage automation to both make the world a safer place and maximize the benefit of our processes to the world. The key to achieving this will be a conscious posture shift toward risk management. Functional safety is an excellent step in this direction, and when diligently applied, can help control engineers and their communities sleep well at night.

– Erik Reynolds, CFSE, PMP, is a consultant at Intertek, a CFE Media content partner. Edited by Mark T. Hoske, content manager, CFE Media, Control Engineering,

Key concepts

  • Attention to functional safety can improve risk management.
  • A safety integrated system can provide a last line of defense.
  • Know where safety integrated functions should be.

Consider this

Would a little redundancy greatly decrease process risk?

ONLINE extra: This online posting includes more details and two more graphics.

See the process safety page under the process manufacturing pull-down menu at