ICEweb has nearly 100 Control, Instrumentation, Fire & Gas, Safety Instrumented Systems core pages and a total of more than 300 pages - It Really is Cool Engineering - By Engineers for Engineers it must be just about the World's first choice for Technical Information.
Whilst every effort is made to ensure technical accuracy of the information supplied on iceweb.com.au, Keyfleet Pty Ltd and its employees accept no liability for any loss or damage caused by error or omission from the data supplied. Users should make and rely on their own independent inquiries. By accessing the site users accept this condition. Should you note any error/omission or an article offends please do not ignore it, contact the webmaster and we will review, rectify and remove as necessary.
This very popular
Safety Instrumented Systems (SIS) page is seen
by an average of 320 engineers per month
can be yours at VERY reasonable rates - Contact ICEweb here for details
This very Comprehensive Resource has numerous links to Safety Instrumented
Systems Technical Papers across a broad range of subjects and is Indexed
Alphabetically - please click on the bookmarks to go to the relevant section
that interests you. Design of Safety Instrumented Systems | Alarm
Management in Safety Instrumented Systems | Front End
Design of a Safety Instrumented System | Fundamentals of
Designing Safety Instrumented Systems | Fault Management
Analysis | Layer of Protection Analysis | Logic
Solvers | Combined Process Control and
Safety Instrumented Systems or Independent Systems? | Common
Cause Failures | Failure Rate and Failure Mode Data /
Failure Modes Effects and Diagnostic Analysis | Fieldbus for Safety Instrumented Systems
| Fire &
Gas Interface in Safety Instrumented Systems | Maintenance
of Safety Instrumented Systems | Occupational Health and
Safety and Safety Instrumented Systems | PLC v Safety PLC
| Process Risk | Protection Functions | Redundancy
| Reliability in Control Systems Software | Safety
Bus Systems | Safety Requirements Specification | Safety
Trip Alarms | Safety Instrumented Systems Quality Assurance
| Smart Positioners in Safety Instrumented Systems
| Software Implemented Safety Logic | Fire
& Explosion Hazard Management | IEC 16508 / IEC
16511/ANSI - ISA 84.00.01 | ANSI/ISA 84.00.01-2004 | Risk
Assessment | Safety Instrumented Function | Safety
Integrity Levels (SIL) | Safety Instrumented Systems
Replacement | Safety Instrumented Systems Definitions,
Abbreviations and Acronyms | Safety Instrumented Systems
Applications | Statistical Signature Analysis
| Software Tools for Safety Instrumented Systems
Lifecycle Support | Partial Stroke Testing of Block Valves
(Shutdown and Blowdown Valves) | Process Safety Management (PSM)
| Transmitters for Safety Instrumented Systems | TÜV
FSEng Training | Functional Safety Management and Compliance
| Hazard Management | HAZOP - Hazard and
Operability Analysis | HSE (UK) Safety Instrumented System
Documents | Safety Instrumented Systems Training
Alarm Management in Safety Instrumented Systems
The Ups and Downs of Alarms -read about alarms in a Safety Instrumented Systems Environment - Something happens, a signal peaks or falls, and you need to know. A limit alarm trip can trigger the response needed to maintain normal, and safe, operations. A limit alarm trip monitors a process signal (such as one representing temperature, pressure, level or flow) and compares it against a preset limit. If the process signal moves to an undesirable high or low condition, the alarm activates a relay output to warn of trouble, provide on/off control or institute an emergency shutdown -Moore Industries International.
Alarm Rationalisation - C.R. Timms - Anyone who has been involved in the application of IEC 61508 (1) and the Safety Integrity Level (SIL) determination for Safety Instrumented Functions (SIF) will appreciate the amount of effort and tenacity that is required to undertake the task. However, the SIL determination of Safety Instrumented Functions, or trip functions as they are often called, is only the tip of an iceberg when we come to consider what is involved in reviewing or configuring a typical alarm system - from SIL Support.
Hazards Equal Trips or Alarms or Both - C.R. Timms - This paper details various methods of criticality assessment which have been successfully applied to set the appropriate priority, identify the critical alarms that need to be upgraded to trips and to rationalise those of no value. It will also cover the use of software tools which can significantly reduce the effort involved in this process - from SIL Support.
The following papers are from Exida
You Asked: Alarm Management - Setting a new Standard for Performance, Safety, and Reliability with ISA-18.2 - Alarm Management affects both the bottom line and plant safety. A well functioning alarm system can help a process run closer to its ideal operating point – leading to higher yields, reduced production costs, increased throughput, and higher quality, all of which add up to higher profi ts. Poor alarm management, on the other hand, is one of the leading causes of unplanned downtime and has been a major contributor to some of the worst industrial safety accidents on record.
Saved by the Bell: Using Alarm Management to make Your Plant Safer - Recent industrial accidents at Texas City, Buncefield (UK) and Institute, WV have highlighted the connection between poor alarm management and process safety incidents. At Texas City key level alarms failed to notify the operator of the unsafe and abnormal conditions that existed within the tower and blowdown drum. The resulting explosion and fire killed 15 people and injured 180 more. The tank overflow and resultant fire at the Buncefield Oil Depot resulted in a £1 billion (1.6 billion USD) loss. It could have been prevented if the tank’s high level safety switch, per design, had notified the operator of the high level condition or had automatically shut off the incoming flow. At the Bayer facility (Institute, WV) improper procedures, worker fatigue, and lack of operator training on a new control system caused the residue treater to be overcharged with Methomyl - leading to an explosion and chemical release. Accidents like these demonstrate what can happen when an alarm system and operator response fail as a layer of protection in a hazardous process. They also provided the motivation for the new ISA-18.2 standard "Management of Alarm Systems for the Process Industries", which provides a framework for the successful design, implementation, operation and management of alarm systems in a process plant. It offers guidance on how alarm management can be used to help a plant operate more safely. ISA-18.2 can also be used to bring together the disciplines of alarm management and safety system design, which must work more closely to prevent future accidents.
Alarm Management and ISA 18 - A Journey, not a Destination - Todd Stauffer,Nicholas P. Sands and Donald G. Dunn - Poor alarm management is one of the leading causes of unplanned downtime, contributing to over $20B in lost production every year, and of major industrial incidents such as the one in Texas City. Developing good alarm management practices is not a discrete activity, but more of a continuous process (i.e., it is more of a journey than a destination). This paper will describe the new ISA-18.2 standard -"Management of Alarm Systems for the Process Industries". This standard provides a framework and methodology for the successful design, implementation, operation and management of alarm systems and will allow end-users to address one of the fundamental conclusions of Bransby and Jenkinson that "Poor performance costs money in lost production and plant damage and weakens a very important line of defense against hazards to people."  Following a lifecycle model will help users systematically address all phases of the journey to good alarm management. This paper will provide an overview of the new standard and the key activities that are contained in each step of the lifecycle.
Get a life(cycle)! Connecting Alarm Management and Safety Instrumented Systems - Todd Stauffer, Nicholas P. Sands and Donald G. Dunn - Alarms and operator response are one of the first layers of defense in preventing a plant upset from escalating into an abnormal situation. The new ISA 18.2 standard  on alarm management recommends following a lifecycle approach similar to the existing ISA84/IEC 61511 standard on functional safety. This paper will highlight where these lifecycles interact and overlap, as well as how to address them holistically. Specific examples within ISA 18 will illustrate where the output of one lifecycle is used as input to the other, such as when alarms identified as a safeguards during a process hazards analysis (PHA) are used as an input to alarm identification and rationalization. The paper will also provide recommendations on how to integrate the safety and alarm management lifecycles.
Why is Alarm Management Required in Modern Plants? - Stan DeVries - All modern process control systems provide alarm systems to assist process operators in managing abnormal situations. Nevertheless, the integrity and effectiveness of alarm systems can either provide assistance or be a hindrance to the process operators in responding to these situations. Through the efforts of the Abnormal Situation Management Consortium, EEMUA, and other professional groups, a large amount of best practice information exists to aid the control system engineer in designing effective alarm systems. However, due to various reasons, most existing control systems must be redesigned/re-engineered in order to take advantage of these newer system capabilities and best practices. The re-design/re-engineering of alarm systems in these control systems is a responsible first step in responding to the increasing frequency of industrial incidents and to begin to address the billions of dollars that these incidents cost manufacturers annually. By any comparison, the re-design/re-engineering efforts are well worth the investment. This white paper presents a new alarm philosophy and approach to achieve these objectives - from Triconex.
Front End Design of a Safety Instrumented
A Brief Discussion over Safety Costs in New Enterprises - Alejandro Esparza and Monica Levy Hochleitner - The starting point of a new industrial plant concerning the levels of reliability required to keep the process under a defined tolerable risk is a challenge most contractors company face. During the embryonic phases, in the bidding process and for budget purposes, a pre-defined Safety Instrumented System (SIS) design must be provided to the contractor, sometimes even before the process conceptual design is well defined. The consequences of such situation, in which no risk analysis have been considered, not only disregards the Safety Lifecycle template suggested by the recent versions of the functional safety standards applied to the process industry, IEC 61511  and ANSI/ISA 84.01  but also implies in unpredictable outcomes. By means of actual examples, where the customers names will be suppressed for confidentiality matters, this paper will present and briefly discuss the pros and cons of some actual applications, the achieved safety of the resulting design and the impact of investments during implementation and operation phases of the enterprise - from Exida.
Fundamentals of Designing Safety Instrumented Systems
Understanding Safety Integrity Level (SIL) - Understanding Safety Integrity Level - This brochure targets safety applications and Emergency Shutdown Systems. It provides an excellent overview of the concept.
Safety Instrumented Systems - Steve Gillespie - In an increasingly multidisciplinary engineering environment, and in the face of ever increasing system complexity, there is a growing need for all engineers and technicians involved in process engineering to be aware of the implications of designing and operating safety-related systems. This includes knowledge of the relevant safety standards. Safety Instrumented Systems play a vital role in providing the protective layer functionality in many industrial process and automation systems. This article describes the purpose of process safety-related systems in general and highlights best engineering practice in the design and implementation of typical safety instrumented systems, underpinned by the relevant standards - from IDC.
Functional Safety of Globe Valves, Rotary Plug Valves, Ball Valves and Butterﬂy Valves
Risky Business: Functional Safety at Origin - Peter Todd, Engineering Manager, Origin Upstream - No, this is not a review of the 1983 American teen comedy starring Tom Cruise but a brief overview of the serious subject of process functional safety. There are significant differences in the legislative frameworks both domestically and internationally under which Origin operate. Legal framework objectives are generally to prevent and minimise the effects of major accidents and near misses. As an operator, legal compliance requirements are often exceeded by adopting performance based standards. One such standard is IEC61511. In order to manage Risk it is useful to understand where errors can occur - Many thanks to the Origin Energy Talent Team.
Functional Safety: A Practical Approach for End-Users and System Integrators- Tino Vande Capelle,Dr. M.J.M. Houtermans - The object of this paper is to demonstrate through a practical example how an end-user should deal with functional safety while designing a safety instrumented function and implementing it in a safety instrumented system - from HIMA Australia.
Safety Systems -Prof. Dr.-Ing. habil. Josef Börcsök - This technical paper gives an excellent overview of Safety Systems covering development history, the fundamental considerations required, fault avoidance basis and measurement, fault control basis, along with external influences such as environmental demands, electromagnetic, mechanical and climatic considerations - from HIMA Australia.
Guidelines for Safe and Reliable Instrumented Protective Systems (IPS) - Written with guidance from members of the CCPS’s Guidelines for Safe and Reliable Instrumented Protective Systems subcommittee, author and safety standards expert Dr. Angela Summers explores the decision making processes necessary for the management of the protection systems commonly applied throughout the process industry. Based on the framework defined in the harmonized ANSI/ISA 84.01/IEC 61511 standards, this book provides readers with much-requested guidance in an easy to understand discussion that addresses IPS planning, risk assessment, design, engineering, installation, commissioning, validation, operation, and maintenance activities - from SIS-TECH Solutions.
A Culture of Safety - Industry Moves to Make Sure Accidents DON'T Happen - Amy W. Richardson - In response to some major disasters in the 1970s and ‘80s, in which control system failures were contributing factors, a new culture of industrial process automation safety was born. As part of this movement, end-users, industry associations, and equipment suppliers alike moved to more closely consider control and safety applications with the aim of minimizing common modes of failure. For decades, it was common to build certain protections into the Basic Process Control System (BPCS) to prevent failures. However, the new approach focused on separation between control and safety applications to reduce failures. In the ‘90s, the ISA-SP84 Committee settled on the term Safety Instrumented System (SIS) to describe an independent automated safety system. Today, if the layers of safety measures built into a modern process control systems were peeled back, one would likely find the SIS at the outermost level, providing the last preventive layer of protection against undetected and detected equipment failures that lead to unsafe process conditions - from www.flowcontrolnetwork.com.
Safety Instrumented Systems design Tips for Instrumentation and Control Engineers - Modern chemical and hydrocarbon processing plants, oil & gas production facilities, power plants and other similar process plants all have some instrumentation and automation that ensures safety. These are known as Safety Instrumented Systems (SIS for short). These systems also are known by various other names such as Emergency Shutdown Systems (ESD for short), Safety Shutdown Systems, High Integrity Pressure Protection Systems (HIPPS) and so on. But all of them belong to the class of systems that are referred to as SIS. With respect of Designing a Safety Instrumented System no, here we are not talking about designing the next breakthrough in a great logic solver (also commonly referred to as a "Safety PLC"). We are addressing the situation in which many Instrumentation and Control engineers find themselves in, when assigned a job to design the SIS for a process plant. Here, the entire process involves finding out what kind of systems and devices to use in the application that the client or user wants. These design tips should make the task somewhat easier - from Abhisam Software.
Basic Fundamentals Of Safety Instrumented Systems - This section of a training course explains the basic concepts, definitions and commonly used terms in Safety Instrumented Systems and provide a basic understanding of SIS related concepts - from Emerson Process Management
SIS Frequently Asked Questions- from Emerson Process Management
If you go to the following SIS link you can register and download the following very useful documents which cover;
Basic safety concepts
What is risk? / Reducing risk/ Safety standards
Building your SIS
Physical design/Functional design/ Verification & validation/ Installation & commissioning
Using your SIS
Operations & maintenance/ Modifications/ Decommissioning
The intelligent advantage
Safety Instrumented Systems - Published in Perry’s Handbook of Chemical Engineering 2007 - Covers Hazard and Risk Analysis, Design Basis, Requirements Specifications, Engineering, Installation, Commissioning and Validation along with Operating Basis - from SIS-TECH Solutions.
Automatic Shutdown Industry Example Systems & Methodology - David Ransome - Covers the Safety Lifecycle, Hazard and Risk assessment, Safety Instrumented Functions & Safety Requirements Specifications, Safety Integrity Levels, Safety Instrumented Function, Design of Safety Instrumented System, Sensors, Logic Solvers, Final Elements along with applications for Rail Tanker, Ship Offloading, Pipeline Transfer and Jetty Transfer Systems, This presentation is reasonably useful, it is a shame that it does not come with the audio as well though - from eemua.
Avoid Bad Engineering Practices in Safety Instrumented System Design - Angela E. Summers, Ph.D., P.E - As industry races toward compliance, it must work hard to prevent the creation and acceptance of bad engineering practices, which threaten the economics of plant operation and erode the effectiveness of SIS designs - from SIS-TECH Solutions.
Improve Facility SIS Performance and Reliability - Angela E. Summers, Ph.D., P.E, President, SIS-TECH Solutions, LP and Bryan A. Zachary, Operations Manager
Functional Safety: A Practical Approach for End-Users and System Integrators- Tino Vande Capelle,Dr. M.J.M. Houtermans - The object of this paper is to demonstrate through a practical example how an end-user should deal with functional safety while designing a safety instrumented function and implementing it in a safety instrumented system.
To Err is Human: Using Technology to Try to Solve this Problem is Equally Human - In 2003, ConocoPhillips Marine conducted a study of the initial behaviours that are the root causes of incidents or accidents. It showed that for every 300,000 ‘at-risk’ behaviours there are 3000 near misses, 300 recordable injuries, 30 lost workdays and, ultimately, one fatality. In a control room scenario, if we can maximise the ability of the operator to make the correct decision when called upon, we can maximise human reliability with the aim of reducing the number of at-risk behaviours and ultimately the number of major incidents or fatalities - from www.processonline.com.au and PAS Inc.
An Introduction to Inherently Safer Design - Dennis C. Hendershot
An Integrated Approach to Safety: Defense in Depth - Ensuring safety requires reducing the risk of incidents, faults and failures that can disrupt normal operations. This effort goes far beyond simply installing fail-safe controllers or a safety instrumented system. In fact, to mitigate the risk of serious incidents that can cause injury to personnel, equipment and the environment, it is important to consider safety from all aspects of a plant’s operation - from Honeywell
Standard - Design of Safety Significant Safety Instrumented Systems Used at US Department of Energy Nonreactor Nuclear Facilities - This standard provides requirements and guidance for the design, procurement, installation, testing, maintenance, operation, and quality assurance of safety instrumented systems (SIS) that may be used at Department of Energy (DOE) nonreactor nuclear facilities for safety significant (SS) functions. The focus of this standard is on how the process industry standard, American National Standards Institute/International Society of Automation (ANSI/ISA) 84.00.01-2004, Functional Safety: Safety Instrumented Systems for the Process Industry Sector, can be utilized to support design of reliable SS SISs - from the USDOE.
The Hidden Costs of Successful Safety - Luis Duran - This article describes many of the hidden costs and side effects associated with safety instrumented systems (SISs), especially those embedded with distributed control systems (DCSs). It covers some of the safety-related questions users need to ask their DCS vendors, even though many suppliers don’t want to answer them. Thanks to www.controlglobal.com
The following papers are from ICEweb sponsor IDC
Technologies - Specialists In Engineering Courses & Training
Optimizing Component Arrangement in Complex SIS - A Case Study - Hamid Jahanian, Senior Engineer, Siemens Ltd - The arrangement of components plays a key role in the performance of complex Safety Instrumented Systems (SIS) in which a SIS logic solver is interlocked with other logic solvers, to share a final element, for instance. The position of components and the way they are utilized affects the reliability characteristics, such as the Probability of Failure on Demand (PFD), Spurious Trip Rate (STR), architectural sensitivity and model uncertainty. A real-life example is presented in this article to highlight the impact of component arrangement. The case study uses quantitative and qualitative analysis to review two SIS architecture solutions in a renovation project where the existing turbine protection system is upgraded to incorporate a new over-speed protection system. Also, a classification for SIS components based on their response to demand is introduced, and a set of guidelines for SIS architecture engineering is developed - from the IDC Safety Control Systems Conference 2015
Introduction to Functional Safety Standards in Gas Detection - Preeju Anirudhan - Draeger Safety Pacific Pty Ltd - The objective of this session is to create awareness on gas detection and the various technologies used in gas detection, including the role of gas detectors in risk reduction. This paper covers gas dispersion & placement of sensors and the considerations that must be given while deciding sensor technology, sensor placement and maintenance of the detectors, with a life-cycle approach. It also discusses the various standards applicable in the field of gas detection, functional safety applications, including standards applicable to plants & projects. In addition it addresses common mistakes due to incorrect use of standards, controller and precautions that must be taken while using PLC’s and the limitations of using PLC’s for gas detection applications - from the IDC Safety Control Systems Conference 2015
The following papers are from Triconex
Finding, Measuring and Closing Safety Integrity Gaps - Steve J. Elliott - How Modern Process Safety Management goes beyond Functional Safety to Keep your Plant Continuously Safe and Profitable - Steve J. Elliott - Functional safety focuses on the safeguards required to manage and mitigate hazards. It seeks to answer the following types of questions: What can go wrong? (Hazard identification), How severe might it be? (Consequence assessment), How likely is it to happen? (Frequency assessment), Does it matter? (Risk assessment) and Do we have enough protection? (Layers of protection assessment.) Safeguards typically include safety instrumented systems (SISs) such as emergency shutdown systems (ESDs). They also includes alarm functionality of the distributed control system (DCS), burner management systems and pretty much any other automation and control technology that provide a layer of protection that enables safe operation. But regardless of how well designed, functional systems are only fully effective if operated and maintained properly, and growing awareness of this fact has given rise to the newer discipline of process safety.
When a SIL Rating is not Enough - Robin McCrea-Steele, TÜV FSExp Invensys-Premier Consulting Services - SIL rating is a measure of the risk reduction capability and probability of failure-on-demand. It measures only the "Fail Safe" nature of the device and should not be the primary or sole measurement considered when selecting a safety system.
Dual SIS Technologies do not cost less than TMR; They almost always Cost More -Many companies advertise their Dual SIS technology (1oo2D (Dual), 1oo2DR (Dual Redundant), 2oo4D) as a lower-cost alternative to Triple Modular Redundant (TMR) systems. This is an unfortunate misrepresentation of the capabilities of Dual SIS architectures. Dual PLCs in a 1oo2 (1 out of 2) configuration were the initial solution of choice for "fail safe" applications, but they cannot overcome an inherent problem with false trips.
Is a TÜV Certificate Enough? - Robin McCrea-Steele, TÜV FSExp - SIS vendors advertise their TÜV certification, but rarely tell you about their implementation and operational restrictions - Most safety system vendors focus on how the system performs when it is healthy, but don't talk much about what happens when an internal failure is diagnosed; worst case, the entire system shuts down. Each SIS vendor must provide clear information on factors that might impair system performance, such as the system's implementation, specific programming or configuration requirements, module or architecture choices, and operational restrictions.
Given a Choice, the Implementation and Installation of your SIS should not be Entrusted to Strangers - Choosing an SIS implementer can be as important as choosing the product itself. No matter how well the system is designed or manufactured, failures are likely to occur if the implementation team is not following proper procedures, is not experienced, or lacks adequate technical qualification for the tasks they must perform.
Safety Considerations Guide - This guide provides information about safety concepts and standards that apply to the version 2.x Triconex® General Purpose System however there is some really useful information contained in Chapters 1 and 2.
Fault Management Analysis
Fault Management Analysis - Examining a device based on repairable or replaceable components may be your best bet for designing failure out of your SIS - from SIS-TECH Solutions.
Layer of Protection Analysis
Introduction to Layer of Protection Analysis -This paper provides an overview of the LOPA process, highlighting the key considerations - from SIS-TECH Solutions.
Consistent Consequence Severity Estimation - Angela Summers, PhD, PE William Vogtmann and Steven Smolen - Most risk analysis methods rely on a qualitative judgment of consequence severity, regardless of the analysis rigor applied to the estimation of hazardous event frequency. Since the risk analysis is dependent on the estimated frequency and consequence severity of the hazardous event, the error associated with the consequence severity estimate directly impacts the estimated risk and ultimately the risk reduction requirements. Overstatement of the consequence severity creates excessive risk reduction requirements. Understatement results in inadequate risk reduction. Consistency in the Layers of Protection Analysis (LOPA) can be substantially improved by implementing consequence estimation tools that assist team members in understanding theflammability, explosivity, or toxicity of process chemical releases. This paper provides justification for developing semi-quantitative look-up tables to support the team assessment of consequence severity. Just as the frequency and risk reduction tables have greatly improved consistency in the estimate of the hazardous event frequency, consequence severity tables can significantly increase confidence in the severity estimate
Safety Controls, Alarms, and Interlocks as IPLs - Angela E. Summers, Ph.D., P.E. - Layers of Protection Analysis (LOPA) evaluates the sequence of events that first initiate and then propagate to a hazardous event. This semi-quantitative risk assessment technique can expose the role that automation plays in causing initiating events and in responding to the resulting abnormal operation. Automation that is specifically designed to achieve or maintain a safe state of a process in response to a hazardous event is now referred to as safety controls, alarms, and interlocks (SCAI). Guidelines for Initiating Events and Independent Protection Layers addresses four basic types of SCAI: safety controls, safety alarms, safety interlocks, and safety instrumented systems (SIS). This article discusses the design, operation, maintenance, and testing practices necessary for SCAI to be considered as independent protection layers (IPL). It also provides guidance on claiming multiple layers of protection in the basic process control system - - from SIS-TECH Solutions.
Safety Instrumented Systems: The "Logic" of Single Loop Logic Solvers - What can the "new generation" of safety-certified Single Loop Logic Solvers do for you?
Combined Process Control and Safety Instrumented Systems or Independent
Integrated SIS DCS versus separate SIS and DCS -Which one is Better? - In the past Safety Instrumented Systems were strictly separate from the normal plant control systems (referred to as a BPCS (Basic Process Control System-which most people refer to as the "plant DCS"). This was done for a variety of reasons, but mainly to segregate the safety and control functions and to have higher availability and reliability.Lately, there have been many launches of new "integrated" control systems, that have both DCS and SIS systems in the same package. For those of you are not familiar with these terms, an SIS is short for "Safety Instrumented System", which is a special kind of control system that is used for the safety critical parts of process plants, turbomachinery, boilers and so on. Emergency Shutdown Systems (ESD for short), can be considered a subset of the SIS category of control systems. Also other kinds of high reliability specialized systems like HIPPS (High Integrity Pressure Protection Systems), BMS (Burner Management Systems) and so on can be considered as belonging to the same class, i.e. a SIS rather than a BPCS - - from Abhisam Software.
The Evolution of Plant Automation - Most owner/operators continue the practice of implementing separate, and often diverse, platforms for the BPCS and SIS, this paper discusses the reasons behind this - from SIS-TECH Solutions.
Centralised or Distributed Process Safety - Picking the Best Safety System Architecture cuts Risk and Cost while Simplifying Implementation and Maintenance - Dr. Angela Summers - Process plant safety systems can either be centralized, distributed, or a combination of both. Each approach has its advantages and challenges, with selection of the best option dependent on a variety of factors. This article will examine various safety system architectures and will show process plant users how to pick the best solution to fit their specific needs - from SIS-TECH Solutions.
Safety & Automation System (SAS) - How the Safety and the Automation Systems finally come together as an HMI - Ian Nimmo - Today we have clear guidelines on how the Safety Instrumented Systems (SIS) and basic Process Control Systems (BPCS) should be separated from a controls and network perspective. But what does this mean to the HMI and the control room design? Where do Fire & Gas Systems fit into the big picture and what about new Security and Environmental monitoring tasks? What does the Instrument Engineer needs to know about operators and how systems communicate with them. The evolution of the control room continues as Large Screen Displays provide a big picture view of multiple systems. Do rules and guidelines exist for this aspect of independent protection layers? What are today’s best practices for bringing these islands of technology together. This paper reviews the topic and provides advice on a subject on which the books remain silent. Today’s practices are haphazard and left to individuals without a systematic design or guidance - from Plant Services.
Integrating Control and Safety - Where to Draw the Line - Robin McCrea-Steele, TÜV FSExpert - New digital technology now makes it feasible to integrate process control and safety instrumented functions within a common automation infrastructure. While this can provide productivity and asset management benefits, if not done correctly, it can also compromise the safety and security of an industrial operation. This makes it critically important for process industry users to understand where to draw the line. Cyber-security and sabotage vulnerability further accentuate the need for securing the Safety Instrumented System (SIS) - from Triconex.
Common Cause Failures
Common Cause and Common Sense Designing Failure Out of Your SIS -Angela E. Summers, Ph.D. and Glenn Raney- The paper will focus on how to identify potential common cause events through the application of industry or internal design standards or through the use of qualitative assessment techniques - from SIS-TECH Solutions.
Estimation and Evaluation of Common Cause Failures in SIS - Angela E. Summers, Ph.D., Kimberly A. Ford, and Glenn Raney - This paper discusses the methodologies that are currently used to assess common cause faults in SIS. These include qualitative techniques for identifying and reducing the potential for common cause failures and quantitative techniques for including CCF in SIS performance calculations - from SIS-TECH Solutions.
Common Cause Simulation - Dr. William M. Goble - Fault tolerant systems have been designed for safety critical applications including the protection of potentially dangerous industrial processes - from Exida.
Failure Rate and Failure Mode Data / Failure Modes Effects and Diagnostic Analysis
The following excellent links are from Exida
Accurate Failure Metrics for Mechanical Instruments -Dr. William M. Goble -Probabilistic calculations done to verify the integrity of a Safety Instrumented System design require failure rate data and failure mode data of all equipment including the mechanical devices.
Development of a Mechanical Component Failure Database -Dr. William Goble & Julia Bukowski - In this paper, they present a methodology to derive component failure rate data for mechanical components used in automation systems based on warranty and field failure rate data as well as expert opinion.
FMEDA - Accurate Product Failure Metrics - John C. Grebe and Dr. William Goble - The letters FMEDA form an acronym for "Failure Modes Effects and Diagnostic Analysis." The name was given by one of the authors in 1994 to describe a systematic analysis technique that had been in development since 1998 to obtain subsystem / product level failure rates, failure modes and diagnostic capability..
Getting Failure Rate Data - Dr. William M. Goble - Safety verification calculations for each safety instrumented function are a key concept in functional safety standards like ISA 84.01 and IEC 61511.
Mechanical Database Verification Report -Julia Bukowski - The purpose of this document is to report on exida's successful efforts to validate statistically certain random equipment failure rate data used in a mechanical parts failure rate and failure mode database and, by extension, to validate the techniques used to derive the data. To accomplish this, a Failure Modes, Effects, and Diagnostic Analysis (FMEDA) is initially used to predict the useful- life failure rate for the fail-to-open condition of a particular pressure relief valve (PRV) using the failure rates from the mechanical parts database. Next, this prediction is statistically tested against three independent data sets consisting of proof test data for PRV provided by Fortune 500 operating companies. The data sets all meet the intent of the quality assurance of proof test data as documented by the Center for Chemical Process Safety (CCPS) Process Equipment Reliability Database (PERD) initiative.
Mechanical Failure Rate Data for Low Demand Applications - The use of IEC 61508  and IEC 61511  has increased rapidly in the past several years. Along with the adoption of the standards has come an increase in the need for accurate reliability data for devices used in Safety Instrumented Systems (SIS), both electronic and mechanical. While the methodology of determining failure rates for electronic equipment is fairly well accepted and applied, the same can not be said for mechanical equipment. Several methods are currently being utilized for generating failure rates for mechanical components. These methods vary in their approach and often lead to dramatically different failure rates which can lead to significant differences when calculating the reliability of a safety instrumented function (SIF). Some methods can result in dangerously optimistic failure rate numbers.
Mechanical FMEDA Presentation - Slide show presentation by Dr. William M. Goble
Modeling & Analyzing The Effects Of Periodic Inspection On The Performance Of Safety-Critical Systems - Julia V. Bukowski - This paper presents a method for incorporating into Markov models of safety-critical systems, periodic inspections and repairs which occur deterministically in time
Field Failure Data – the Good, the Bad and the Ugly - This paper presents some common field failure analysis techniques, shows some of the limitations of the methods and describes important attributes of a good field failure data collection system
Fire & Gas Interface in Safety Instrumented Systems
Risk Prevention and Mitigation-Where Does Gas Detection Fit In?-Dirk Schreier - It is quite common in today's process industry to see the terms fire and gas (F&G). These terms have been used hand in hand for many years and are also combined when referring to applications involving safety-instrumented systems. This article challenges the thinking behind this concept and demonstrates that although fire systems and gas detection systems both reduce risk; their methods are actually quite different - from HIMA Australia.
Maintenance of Safety Instrumented Systems
The following papers are from ICEweb sponsor IDC
Technologies - Specialists In Engineering Courses & Training
How Could it be Considered “Good Engineering Practice” to Bypass your SIS during the Most Critical Time of Your Process? - Luis M. Garcia G. CFSE - Siemens Energy & Automation - Although most facilities embrace ANSI/ISA 84.00.01-2004 (IEC 61511) and the Safety Life Cycle (SLC) as the way to comply with regulatory requirements (Like OSHA 1910.119), there are specific instances when most operations deviate from the standard. These are during start-up, shut-downs and process transitions. Processes with adequately designed Safety Instrumented Functions (SIF) that are validated to well developed Safety Requirement Specifications (SRS) are commonly (although momentarily) idled, and instead are practically replaced by a team of operators, managers and specialized personnel. Bypassing, inhibiting or masking is a common practice during these plant conditions. In these cases, the Safety Instrumented System (SIS) is temporarily replaced by humans in calculated and intensely watched conditions. This paper questions the need for this practice and confronts the practical limitations that lead to it. It examines the assumptions used to justify the suspension of certain SIFs and uses Burner Management Standards and typical process SIS, as an example of how to automate the permissive sequencing required for these process change of states. Finally, the paper examines how a cause and effect tool could be used to simplify the development and implementation of automated permissive sequences including verification and validation as required in the standard - from the IDC Safety Control Systems Conference 2015
The Impact of Bypassing and Imperfect Testing on Safety Instrumented System Performance - Paul Gruhn, P.E., ISA 84 Expert Global Process Safety Consultant, Rockwell Automation - Bypassing and imperfect manual testing have historically been ignored in safety system modelling, yet the impact of both is quite easy to model, and the negative performance impact is much greater than many people realize. In fact, one of many recurring causes of chemical plant accidents has been documented as “inadequate indications of process condition”, of which at least one case consisted of operations continuing when a safety instrument was in bypass. The second edition of IEC 61511 about to be released now acknowledges dangerous failures not detected by automatic diagnostics or manual testing. This paper summarises how these two factors can be modelled and their dramatic impact on system performance - from the IDC Safety Control Systems Conference 2015
Engineering Maintenance of Safety Instrumented Functions - Early Involvement Improves Operations and Maintenance through the Safety Life Cycle - Henry Johnston and Fahad Howimil - International standards for safety instrumented systems (SIS) have had a profound influence on the analysis and design of these protection systems. The old prescriptive or recipe type was changed to a performance approach that designers must satisfy. The first stages of the safety life cycle (SLC) are now well known by a majority of designers and engineers involved in SIS; however, such grade of understanding and influence has not been widely accomplished at the final stages of the SLC as are the operation and maintenance (O&M). O&M involvement in the engineering of SIS is normally passive, participating in specific analysis when requested. Such approach leaves almost the complete engineering of the protection system under project designer “responsibility.” An early involvement with a proactive approach to complement the designer experience with reliability and maintainability vision is necessary to balance the design and to manage the SIS - from the ISA and InTech.
Occupational Health and Safety and Safety Instrumented Systems
Shift Handover -The Importance of Continuity - Shift handover has been shown to be a common source of revenue loss and safety incidents in plant operation. Both economic and regulatory pressures demand substantial improvement in the shift handover process. Every engineer knows that discontinuities are invariably a source of weakness, whether in physical structures or in continuous processes. This is particularly true in the case of shift handover but, whereas physical discontinuities may be easy to identify and remove, discontinuities in working procedures can be far more difficult. It has long been recognised in the plant industries that the discontinuities of shift handover are among the most common and potentially serious sources of problems. These can range from minor impacts on operational efficiency to the most serious safety incidents; all incur corresponding levels of economic cost. The root of the issue is the transfer of information from outgoing to incoming shift teams. This paper looks into the problems arising and describes how the latest information management technology can be used to overcome them. To download AVEVA's paper on Shift Handover visit http://www.aveva.com/en/Media-Centre/Business_Papers.aspx
Legal Implications in Australia for Companies and Individuals under “Industrial Manslaughter”-Dean McNair - There has been a lot of discussion in Australia recently over proposed new occupational health and safety (OH&S) legislation which will include the provision to prosecute corporations and individuals under industrial manslaughter laws. State and territory governments are enacting these new laws in response to workplace deaths in the hope that it will force company directors and senior executives to improve the safety cultures within their organisations - from HIMA Australia.
PLC v Safety PLC
PLC vs Safety PLC - Dr. William M. Goble - Safety Programmable Logic Controllers (PLCs) are special purpose machines that are used to provide critical control and safety applications for automation users. These controllers are normally an integral part of a safety instrumented system (SIS) which are used to detect potentially dangerous process situations - from Exida.
A Process Engineering View of Safe Automation -This step-by-step procedure applies instrumented safety systems (ISS) to continuously reduce process risk - from SIS-TECH Solutions.
Achieve Continuous Safety Improvement - Balancing safety and production goals can be a tenuous, delicate and complex act. It is undeniable that safety and production are compatible. It is indisputable that investments in safety yield long-term benefits. However, these benefits are not as obvious nor do they produce the rapid results associated with production investments, which generally have a high certainty of providing a measurable, positive effect within a short time frame. For protection and safety, many of the benefits are less tangible. When successful, the instrumented protective system (IPS) is blamed for a process outage; when it fails, it is blamed for the incident. The hazard and risk analysis describes the hazardous event prevented by the operation of each instrumented protective function (IPF). When an IPF operates as required, the IPF should be given credit for the event avoided by its successful operation, including potential fatalities, injuries, environmental releases, equipment damage, and financial losses. Also, the IPF should be credited when its fault tolerant design prevents a safe IPF equipment failure from taking spurious action on the process - from SIS-TECH Solutions.
The Safety Fitness Test - The First Step in Any Athlete's Performance Improvement Plan Is a Thorough Fitness Assessment. In the Case of Our Plant's Safety Systems, the Assessment Phase Begins With a Thorough Updating of Process Conditions and Risk Factors - from Control Global.
Plan for Safety System Success - The First Step in Achieving--or Restoring--the Performance of Your Plant's Safety Systems Begins With a Cold-Eyed Assessment of Their Current Capabilities. Only Then Can You Begin to Develop a Plan to Bring Them Back Up to Speed - from Control Global. This should be read in conjunction with the article "Safety Fitness Test" above.
Protection Functions as Probabilistic Filters for Accidents - Andreas Belzner - “Protection Functions” are instrumented control system functions for machinery or process installations, which are implemented for preventing specific accidents. Frequently, such functions induce an emergency shutdown of the controlled machinery. The over-speed protection function of a turbine is a typical example. The prevented accidents may affect assets only (equipment damages, production losses). They may endanger the health and safety of people, the environment or other values. Since the protection target is not relevant in the current context, the generic term “protection function” is used in this paper rather than “safety instrumented function”. For such protection functions, two sets of requirements are typically specified; (1) Functional Requirements and (2)
Estimating The Beta Factor - Dr. William M. Goble - A Safety Instrumented System (SIS) is often designed to help protect an industrial process against potentially dangerous hazards. These systems often use redundant equipment to achieve the needed levels of protection. If the design was done to meet requirements of IEC 61511 or IEC 61508, probabilistic evaluation is done to verify that the design achieves risk reduction goals - from Exida.
PFDavg Calculations For Redundant Systems With Incomplete Testing - Harry Cheddie - A common definition of a Safety Instrumented Function (SIF) as defined in Functional Safety Standards is "Function to be implemented by a Safety Instrumented System (SIS) to mitigate or prevent a specific hazardous event." - from Exida.
Modern 2oo4-Processing Architecture for Safety Systems-Prof. Dr.-Ing. habil. Josef Börcsök -This paper provides an overview of two out of four system architecture and associated considerations - from HIMA Australia.
Valve System Controls for Safety - A matrix that substantially increases the level of safety in the process industries while significantly reducing the number of nuisance trips - Improved safety brings more nuisance trips, which means lost production. The single block valve is the weak point of the 2oo2D architecture and Parallel valve technology can provide 95% diagnostic coverage- G. Paul Baker and safetysil.com.
Reliability in Control Systems Software
PDS Method Handbook 2010 Edition - Reliability Prediction Method for Safety Instrumented Systems - The “PDS Method Handbook” gives a description of the PDS method, including the mathematical details. It has also been the objective to make it comprehensible to the non-expert. The IEC-standards 61508 (”Functional safety of safety-related systems”) and IEC 61511 (Functional safety — Safety instrumented systems for the process industry sector) provide useful information and guidance on safety requirements regarding the use of Safety Instrumented Systems (SIS). In the latest "PDS Method Handbook" the notation has been further updated in order to be in line with the IEC standard. The objective has been to “keep the best of the PDS method and at the same time to adapt the method to terms and requirements in IEC”. New features of this 2010 Edition of the PDS Method Handbook include:
A general review and up
Date of the methodology and the formulas, including a more in depth discussion of the assumptions underlying the formulas
An update of the model for common cause failures (CCF) in multiple redundant systems
A discussion on the use of the method for continuously (high demand mode) operating systems
Some new and revised terminology
An electronic version (in PDF-format) of the
first three chapters of the PDS Method Handbook can be viewed here.
* PDS is a Norwegian Acronym for "Reliability of Computer Based Safety Systems.
The following excellent papers are from Exida
Techniques for Achieving Reliability in Safety PLC Embedded Software - Dr. William M. Goble - Considering the components used in the current control systems, hardware failure cause have been widely studied. There is a strong trend toward the use of programmable electronics in safety instrumented systems. Yet some users still avoid software-based systems. They cite the unpredictability of software and case histories of software failure. However, a special class of PLC called a “safety PLC” does meet the need for safety and high availability in critical automation. A safety PLC must meet the requirements of a set of rigorous international standards that cover the design, the design methods and testing of software and hardware. Third party experts (typically TUV in GERMANY) enforce the rigor when the products go through the certification process. Some of the methods used to build “high integrity software” for safety PLCs are described in this paper.
Software Safety Technique - Dr. William M. Goble - There is a strong trend toward the use of programmable electronics in safety instrumented systems. yet some users still avoid software-based systems.
Accurate Modeling of Shared Components in High Reliability Applications - This paper addresses how to model and evaluate the Risk Reduction Factor (RRF) of Safety Instrumented Systems when one or more of the components in the SIS can cause the dangerous condition or hazard that the SIS is designed to protect against.
Safety Critical Software-Prof. Dr.-Ing. habil. Josef Börcsök -This paper discusses the methodical analysis of hardware architectures used in safety-related applications. It provides an excursus on a safe computer system’s software technology and specifies the overview in greater detail - from HIMA Australia.
Reliability with Respect to Safety Instrumented Systems - Bonne Hoekstra - The term Safety Instrumented System (SIS) has been introduced in the international standard IEC 61511 and covers the equipment from sensors, logic solver and final elements that is needed to realise the Safety Integrity Functions (SIF), another IEC term. Reliability with respect to these systems is defined by its ability to command an output to a safe state on a process demand and to function within a required time span without causing a spurious action (e.g. nuisance process trip). The first term has to do with safety integrity as meant by IEC 61508; the second is often presented as process availability, in short availability. The latter is not formally defined in international standards. Systematic failures as well as the human factor are also mentioned in this standard, however they will not be considered in this context for the sake of clearness - from Yokogawa.
Don't Gamble with Control Safety and Reliability - Understand the benefits and limitations of safety instrumented systems - Arthur Zatarain - As a wise singer once crooned, you have to “know when to hold ’em and know when to fold ’em.” But Kenny “The Gambler” Rogers merely had to beat long-shot odds to win at his game. Outside the casino, designers of industrial control systems don’t have the luxury of being right only 51% of the time. For many manufacturing and process systems, a control system failure — even for a second — simply isn’t an option. Hence, it’s important that control systems deliver safe and reliable performance, even when things go wrong - from PlantServices.com.
Safety Bus Systems
Safety Bus Systems -Prof. Dr.-Ing. habil. Josef Börcsök - Modern distributed control systems are connected via bus systems, which need effective and uninterrupted communication between all subscribers. Therefore it is necessary for these communications to be fault tolerant and safe. For safety related systems, additional safety layers are required to fulfil these requirements - from HIMA Australia.
Introduction in Safety Bus Systems-Prof. Dr.-Ing. habil. Josef Börcsök - This paper discusses how modern distributed control systems are connected via bus systems, and need effective and uninterrupted communication between all bus stations. Therefore it is necessary that these communications are fault tolerant and safe - from HIMA Australia.
Safety Requirements Specification
The Importance of a Clear Safety Requirements Specification as Part of the Overall Safety Lifecycle -Andy Crosland - The need for specifying requirements clearly is recognised best practice for most automation projects, so it makes sense to be extra-vigilant when dealing with safety systems. Many project specifications cover functional and user requirements in great detail, but often miss the key safety considerations set out in IEC 61511. As well as the obvious benefits of a clear specification from the outset, the Safety Requirement Specification (SRS) is the essential reference document for the mandatory IEC 61511 Safety Lifecycle task of SIS Safety Validation. You will be shown the key SRS considerations, particularly why this information is so important at Validation time - from IDC.
Safety Trip Alarms
New Video from Moore Industries Highlights the Use of the STA Safety Trip Alarm in Safety Instrumented Systems - Moore Industries has produced a new video showing how its STA Safety Trip Alarm serves as a logic solver that goes beyond what customers would expect from a standard alarm trip. The video shows how the STA can monitor potentially hazardous events as well as initiating emergency shutdown procedures or alerting personnel of unsafe process conditions
Safety Instrumented Systems Quality Assurance
Quality Assurance in Safe Automation - A perfect process would have no hazards, but perfection is impossible in the real world. Nearly all process units have inherent risk associated with their design and operation. Safe operation is maintained with a risk reduction strategy relying on a wide variety of safety systems. This article focuses on the most common safety systems for managing process deviations during planned operating modes – instrumented safety systems (ISSs), such as safety alarms, safety controls, and safety instrumented systems (SIS). Rigorous quality assurance is necessary to achieve real-world risk reduction, so this article follows the Plan, Do, Check, and Act process to discuss quality assurance and its application to ISS - from SIS-TECH Solutions.
Smart Positioners in Safety Instrumented
Smart Valve Positioners and their use in Safety Instrumented Systems - Thomas Karte, Jörg Kiesbauer - As part of efforts to reduce life cycle costs of control valves in the process industry, smart electro-pneumatic positioners play an important role due to their self-adaptive features and their highly developed diagnostic functions. Their use can lead to decisive improvements in availability and reliability. To make full use of this potential, which has often been discussed in theory in the past but hardly been put into practice to date, NAMUR Recommendation 107 and Guideline VOl 2650 provide information on the scope of diagnostics and the generation of alarm states. Applications in safety instrumented systems are of particular interest as smart positioners are used more and more with on/off valves in place of classic solenoid valves. In the process industry, the use of on/off valves in safety instrumented systems is governed by the IEC 6 1511 standard. The basic principle behind this standard is the safety management life cycle, which can be effectively supported by the diagnostic functions of positioner - from Samson Controls.
Software Implemented Safety Logic
Software Implemented Safety Logic - This paper discusses some of the requirements for implementing safety logic via software based systems - from SIS-TECH Solutions.
The development of Fieldbus for Safety Instrumented Systems (SIS) has been ongoing by the Fieldbus Foundation since 2002. There has been various test sites but as at April 2015 the technology appears to have not been developed to a point where it is readily accepted by SIS engineers and Industry.
ICEweb requires papers and information on the latest developments, please contact us here if you have any to publish or know of any larger projects that are using the technology.
Fire and Explosion Hazard Management (FEHM)
- An Overview - The purpose of the document is to provide a printable version
and brief explanation of the diagrams used to develop Industry Recommended
Practice IRP 18 – Fire and
Explosion Hazard Management. These diagrams were created
as part of the work of a Canadian Oil and Gas Industry Committee looking
into fires and explosions in the
upstream industry. Enform has issued an Industry
Recommended Practice prepared by the IRP18 Committee.
These diagrams were created by
Walter Tersmette, P. Eng., as part of his role as the Co-chairman of this
Fire and Explosion Hazard Management - An Industry Recommended Practice (IRP) for the Canadian Oil and Gas Industry - The purpose of this IRP is to improve worker safety by providing industry with (a) A more thorough understanding of fire and explosion hazards. (b) A process for identifying such hazards and (c) Effective methods for managing these hazards – from Piston Well
The Fire and Blast Information Group (FABIG) is a membership organisation created in 1992 to facilitate the sharing and dissemination of knowledge and best practice on design against hydrocarbon fires & explosions and related safety aspects - They have comprehensive information however you have to either become a member or pay.
Map to the Latest Safety Standards - James R. Koelsch - Safety standards and
their terminology continue to multiply and evolve, generating a confusing sea of
letters and numerals that few can navigate. This guide should help novices to
chart a course - from Automation
Understanding Safety Life Cycles - IEC/EN 61508 is the basis for the specification, design, and operation of safety instrumented systems (SIS) - The international standard IEC/EN 61508 has been widely accepted as the basis for the specification, design, and operation of safety instrumented systems (SIS). In general, IEC/EN 61508 uses a formulation based on risk assessment: An assessment of the risk is undertaken and, on the basis of this assessment, the necessary safety integrity level (SIL) is determined for components and systems with safety functions. SIL-evaluated components and systems are intended to reduce the risk associated with a device to a justifiable level or “tolerable risk.” When considering safety in the process industry, there are several relevant national, industry, and company safety standards used when determining and applying safety within a process plant - from ISA and InTech.
The following papers are from ICEweb sponsor IDC
Technologies - Specialists In Engineering Courses & Training
Achieving Compliance in Hardware Fault Tolerance - Mirek Generowicz FS Senior Expert (TÜV Rheinland #183/12) - Engineering Manager, I&E Systems Pty Ltd - The functional safety standards ISA S84/IEC 61511 and IEC 61508 both set out requirements for ‘hardware fault tolerance’ or ‘architectural constraints’. The method specified in ISA S84 and IEC 61511 for assessing hardware fault tolerance has often proven to be impracticable for SIL 3 in the process sector. Many users in the process sector have not been able to comply fully with the requirements. Further confusion has been created because there are many SIL certificates in circulation that are undeniably incorrect and misleading. This paper describes common problems and misunderstandings in assessing hardware fault tolerance. The 2010 edition of IEC 61508 brought in a new and much simpler and more practicable method for assessing hardware fault tolerance. The method is called Route 2H. This paper explains how Route 2H overcomes the problems with the earlier methods. The proposed new edition of IEC 61511 will be based on Route 2H - from the IDC Safety Control Systems Conference 2015.
Improving Allocation of Client and Contractor Responsibilities for AS 61508 Safety Lifecycle Activities - Mike Dean - Principal Engineer/Director, EUC Engineering Pty Ltd - Correct allocation of activities and deliverables related to the safety lifecycle of AS 61508 between a client (end-user) and contractor is crucial to achieving success for a project targeting AS 61508 compliance. Too often end-users establish specifications and scopes of work with the stated intention for the contractor to carry out all of the activities and providing all of the deliverables of overall safety lifecycle phases 1 to 13, without appreciation of their own key role. End-users need to understand their own legal obligations and the intent of AS 61508 for establishing overall safety requirements. This paper proposes an allocation of responsibilities which achieves legal and AS 61508 compliance - from the IDC Safety Control Systems Conference 2015
Cookbook Versus Performance SIS Practices - Angela E. Summers, Ph.D., P.E, and Michela Gentile - A Safety Instrumented System (SIS) is designed to achieve or maintain a safe state of the process when unacceptable process conditions are detected. An SIS is an Independent Protection Layer that is covered by the performance-based standard ANSI/ISA 84.00.01-2004. The risk reduction allocated to the SIS determines its target safety integrity level (SIL). ANSI/ISA 84.00.01-2004 allows a combination of factors to be considered in the verification of the SIL of the SIS. Performance-based practices provide flexibility to users, yet add complexity to the design process, encouraging project teams to reinvent the wheel for even widely used process equipment. For many engineering applications, prescriptive approaches are favoured due to simplicity. These so-called “cookbook” practices were very common in the process industry when ANSI/ISA 84.01-1996 was issued. They are also the backbone of many application standards and recommended practices. The cookbook typically specifies the SIS and maximum proof test interval based on analysis and accepted practice. The user must ensure that the cookbook assumptions are met by the existing equipment and mechanical integrity program. Otherwise, the installed risk reduction may not achieve the expected performance. This paper provides an example of a “cookbook” approach for a simple SIS and illustrates the effect of extending the proof test interval from 1 year to 5 years on its probability of failure on demand - from SIS-TECH Solutions.
User Approval of SIS Device -This paper explains the concept of user approval as documented in ANSI/ISA 84.00.01-2004, ANSI/ISA TR84.00.04, and the Center for ChemicalProcess Safety book, Guidelines for Safe and Reliable Instrumented Protective Systems - from SIS-TECH Solutions.
ANSI/ISA 84.00.01-2004 and Existing Safety Instrumented Systems - Angela E. Summers, PhD, PE - In September 2004, the European Committee for Electrotechnical Standardization (CENELEC) and the American National Standards Institute (ANSI) accepted a new process sector standard. With its adoption, this standard becomes the primary driving force behind the work processes that should be followed to design and manage safety instrumented systems (SIS). These systems consist of the instrumentation and controls intended to achieve (or maintain) a safe state with respect to a specific process risk. This standard is IEC 61511, or EN IEC 61511, or ANSI/ISA 84.00.01-2004 Parts 1-3 (IEC 61511 Mod). This article concerns the United States version, which will be referred to as S84.01-2004. S84.01-2004 is identical to IEC 61511 with one exception. The United States added a “grandfather clause” for existing SISs.
IEC 16508 and IEC16511
Recommended Guidelines for the application of IEC 61508 and IEC 61511 in the petroleum activities on the Norwegian Continental Shelf - This very comprehensive 55 page guideline from the Norwegian Oil Industry association is very useful.
Proven in use / Prior use claims - 61508 Association Policy document: Proven in Use - The requirements of 61508 and 61511 for “proven in use” are very demanding. The user is required to have appropriate evidence that the components and subsystems are suitable for use in the SIS. This link provides some guidance on this - from the 61508 Association.
Final Elements and the IEC 61508 and IEC 61511 Functional Safety Standards Book - This book reviews and explains the application of the IEC 61508 and IEC 61511 functional safety standards as they apply to final control elements. The overall safety lifecycle and reliability requirements are reviewed with special focus on the challenges encountered when dealing with complex electro-mechanical subsystems. Throughout the book requirements for designing and implementing reliable and effective safety instrumented functions are covered in a clear step by step manner - from Exida.
61508 and 61511; What Is an Operations Company Supposed to Do? - Eric Scharpf - The typical first reaction from the process operations side of the table when confronted with a new standard is, "How much will this cost and how much extra paperwork will it involve?".... IEC 61508 and 61511, the standards covering the design and use of a safety instrumented system to reduce process plant accidents, are no exception to this initial reaction - from Exida.
Reliability Data and the use of Control Valves in the Process Industry in accordance with IEC 61508/61511 - Thomas Karte, Eugen Nebel, Manfred Dietz and Helge Essig - IEC 61508 and IEC 61511 are the relevant standards for the speciﬁcation and design of safety-related control loops in the process industry. Control valves used in these loops play a key role when it comes to determining the safety integrity level (SIL) of the safety instrumented function (SIF). A wide variety of sensors and PLCs, the other key components in the safety loop, are available with validated data concerning their probability of failure. However, this sort of data is only available for a limited number of control valves as statistical proof is difﬁcult to obtain due to the multitude of process conditions that exist in the chemical industry. This paper describes the investigation method used for a series of control valves. The user can determine the SIL achieved using this investigation data, the planned plant structure, and an exact analysis of the process - from Samson Controls.
Introduction & background to IEC 61508 - Ron Bell - Over the past 25 years there have been a number of initiatives worldwide to develop guidelines and standards to enable the safe exploitation of programmable electronic systems used for safety applications. In the context of industrial applications (to distinguish from aerospace and military applications) a major initiative has been focussed on IEC 61508 and this standard is emerging as a key international standard in many industrial sectors. This paper looks at the background to the development of IEC 61508, considers some of the key features and indicates some of the issues that are being considered in the current revision of the standard - Thanks to crpit.com
IEC 61508 - Is it Pain or Gain? - C.R. Timms - IEC 61508 provides designers and operators with the first generic internationally accepted benchmark standard for determining the Safety Integrity Level (SIL), the design requirements and test intervals for Safety Instrumented Functions (SIF). It covers every aspect of the full lifecycle management requirements for Safety Instrumented Systems (SIS). Before the introduction of IEC 61508, the most widely accepted standard was ANSI/ISA SP84.01, but it is most likely that ISA SP84-01 will be superseded in 2003 by the publication of IEC 61511 which is the process sector specific version of IEC 61508. The IEC 61508 standard provides a lifecycle road map for any SIS, yet is widely regarded as difficult to use and costly to implement. Numerous articles, presentations and training courses have addressed details of the standard but to date there has been little practical application advice available. This situation is now changing; by utilising experienced practitioners and appropriate software tools users of the standard can assure asset integrity whilst reducing the capital costof new projects and the maintenance costs for existing facilities - from SIL Support.
Safety standard IEC 61508 - Consequences for Automation Technology and Implementation at HIMA -This white paper provides an overview of IEC 61508 and how HIMA have addressed it's requirements - from HIMA Australia.
How functional safety helps to save lives -In this article Ron Bell explains functional safety and looks ahead to the revision of the IEC 61508 standard that is due for publication in 2010.This article by Jeanne Erdmann was first published in the January 2008 edition of the IEC's E-TECH. http://www.iec.ch
IEC 61508 Product Approvals - Veering Off Course - Upon close examination it appears that the product approval process of IEC 61508(1) has veered seriously off course, possibly rendering many safety instrumented system (SIS) applications less reliable than expected or required - from SIS-TECH Solutions.
An introduction to Functional Safety and IEC 61508 - This application note is intended to provide a brief introduction to the IEC 61508 standard, and to illustrate how it is applied - from MTL.
Implementing IEC61508 In The Process Industries - Dr. Eric W. Scharpf & Dr. William M. Goble - IEC 61508 and its process-specific companion IEC 61511 are providing new codification to safety instrumented systems and their application to the process industry - from Exida.
Open IEC 61508 Certification of Products -Rainer Faller & Dr. William Goble -IEC 61508 has been in use for several years since the final parts were released in 2000. Although written from the perspective of a bespoke system, it is more commonly used to certify products for a given SIL level. Valid product certification schemes must involve the assessment of specific product design details as well as an assessment of the safety management system of the product manufacturer and the personnel competency of those professionals involved in the product creation - from Exida
State-Of-The-Art Safety Verification - Dr. Eric W. Scharpf & Dr. William M. Goble -The past few years have brought significant changes to the control safety field in both technology (i.e., fieldbus) and regulation (i.e., IEC 61508) - from Exida.
What is PFDavg.? - Dr. William M. Goble - IEC 61508 requires probabilistic evaluation of each set of equipment used to reduce risk in a safety related system - from Exida.
IEC 61508 Overview - IEC 61508 is an international standard for the “functional safety” of electrical, electronic, and programmable electronic equipment. This standard started in the mid 1980s when the International Electrotechnical Committee Advisory Committee of Safety (IEC ACOS) set up a task force to consider standardization issues raised by the use of programmable electronic systems (PES). At that time, many regulatory bodies forbade the use of any software-based equipment in safety critical applications. Work began within IEC SC65A/Working Group 10 on a standard for PES used in safety-related systems. This group merged with Working Group 9 where a standard on software safety was in progress. The combined group treated safety as a system issue - from Exida.
Position Paper on IEC61508 2010 - Definitions regarding minimum hardware fault tolerance / Architectural Constraints - from Exida.
IEC 61511 - An aid to Control of Major Hazards Regulations (COMAH) and Safety Case Regulations - C.R. Timms - It is accepted that the management of safety, like most other business management, is now a risk based approach and that is the basis of the SMS within COMAH and SCR. This is also the approach of the IEC 61511 (Functional Safety: Safety Instrumented Systems for the Process Industry Sector) standard and this paper will outline the synergy between the two Regulations and IEC 61511 - from SIL Support.
IEC 61511 and the Capital Project Process - A Protective Management Systems Approach - This paper introduces a protective management system, which builds upon the work process identified in IEC 61511. Typical capital project phases are integrated with the management system to yield one comprehensive program to efficiently manage process risk - from SIS-TECH Solutions. Finally, the paper highlights areas where internal practices or guidelines should be developed to improve program performance and cost effectiveness.
Random, Systematic, and Common Cause Failure: How Do You Manage Them? - This paper provides an overview of random, systematic, and common cause failures and clarifies the differences in their management within IEC 61511 - from SIS-TECH Solutions.
Comparison of PFD calculation -Prof. Dr.-Ing. habil. Josef Börcsök - This paper discusses the compares calculation methods - from HIMA Australia.
Sharing Control & Safety Instruments-Are your Layers Overlapping?-Dirk Schreier - Since its release as an Australian standard in July of 2004, AS61511 is rapidly being accepted and applied on Safety Instrumented Systems throughout the process industry. Principles such as independence between control and protective instruments have existed for many years; however they continue to often be overlooked even with the introduction of this standard - from HIMA Australia.
Setting the Standard - How Process Plants can benefit through Proper and Careful Adoption of the IEC 61511 Safety Standard - Dr Peter Clarke - Process industry safety standard IEC 61511 and its parent, functional safety standard IEC 61508, have been in existence for several years now, and have enjoyed widespread acceptance as an effective method for managing high levels of industrial risk. Despite this success, some may view these standards as another complex, onerous burden imposed by regulators, with little tangible benefit to the end user. However, as we will explore in this article, the reality is far different - from Exida.
IEC61511 states that SIS Users must show Competence in Functional Safety - When it comes to Safety Instrumented Systems (SIS) logic solvers, the process industry reached a consensus in specifying that the equipment be third party certified to meet IEC 61508 parts 2 and 3. Most Process plant require that SIS certification be issued by TÜV, recognizing this lab as the safety systems "Mark," even when safety standards don't mandate certification of SIS equipment by any specific testing lab.What should be the process industry consensus around the personnel responsible for the design and implementation? - from Triconex.
The following paper is from ICEweb sponsor IDC
Technologies - Specialists In Engineering Courses & Training
ALARP or SFAIRP, or Reasonably Practicable - What does it mean and how do you meet the Requirements? - Shane Daniel – This paper covers; Requirements for reducing risk, How to demonstrate ALARP, Balance, Analysing and Quantifying the Cost, Implementation, Regulatory Requirements, Performance Standards Evaluation, Critical factors for success - from the IDC Safety Control Systems Conference 2015
The Golden Rules of Risk Assessment - Frank Schrever - At its worst, the risk assessment is a bureaucratic time-waster that does nothing to make workplaces safer. On the other hand, following five golden rules mean risk assessments can be both functional and lifesaving. From Pilz and Manufacturers Monthly.
Consistent Consequence Severity Estimation -Angela Summers, PhD, PE William Vogtmann and Steven Smolen - Most risk analysis methods rely on a qualitative judgment of consequence severity, overstatement creates excessive risk reduction requirements, understatement results in inadequate risk reduction. This paper provides justification for developing semi-quantitative look-up tables to support a LOPA team's assessment of consequence severity - from SIS-TECH Solutions.
Risk Criteria, Protection Layers and Conditional Modifiers - Angela E. Summers, Ph.D. PE and William H. Hearn, PE - This paper begins with a brief introduction to risk analysis concepts to provide a foundation for a discussion of the typical analysis boundaries and associated risk criteria. Then, it discusses how the analysis boundary and risk criteria affect the consideration of protection layers, enabling conditions, and conditional modifiers - from SIS-TECH Solutions.
The following excellent papers have been generously
provided to ICEWeb with the permission of World Renowned SIS expert Dr Angela
E. Summers, Ph.D. President, SIS-TECH Solutions, LLC, 12621
Featherwood Dr., Suite 120, Houston, TX 77034 USA Phone: 281-922-8324
, Fax: 281-922-4362. For more papers and excellent links etc go to http://www.SIS-TECH.com
SIF Proof Testing Yields Process Sector Reliability Data - William H. Hearn, Patrick Skweres, A. D. Arnold, and Angela E. Summers, Ph.D. - ANSI/ISA 84 requires periodic proof testing of SIFs to demonstrate the correct operation of the loop elements along with sufficient historical documentation to support analysis of discrepancies and validation of the SIF integrity and reliability. The analysis of proof test records is an important element of the quality assurance process necessary to support continued use of installed equipment. The CCPS Process Equipment Reliability Database (PERD) project has developed failure data taxonomies which provide a structure to capture data to support chemical process data collection and analysis. SIS-TECH® has been distributing a device failure rate database for more than 10 years. This paper describes how SIS-TECH® will collect device performance data under a quality plan during periodic SIF proof testing. This data will be contributed to PERD for review and analysis so that SIL Solver® failure rates can be validated against operating environment data - from SIS-TECH Solutions.
The Safety Instrumented Function: An S-Word worth Knowing - Understand the SIF to Control Confusion, Complexity and Cost of Safety Instrumented Systems - William L. (Bill) Mostia Jr - The term "safety instrumented function" or SIF is becoming common in the world of safety instrumented systems (SISs). It is one of the increasing number of S-words--SIS, SIL, SRS, SLC, etc.--that are coming into our safety system terminology. The definition of a SIF as provided in IEC standard 61511, "Functional safety: Safety Instrumented Systems for the process industry sector," leaves a bit to be desired as a practical definition, and the application of the term leaves many people confused - from Control Global.
SIL Platform - Linked In Group - The interest in SIL (Safety Integrity
Level) in industrial applications is growing. However, people involved in this
process experience difficulties due to the relative complexity of it. Correct
interpretation of the SIL standards is of great help. The SIL Platform attempts
to achieve two objectives. The first is to provide a bulletin board to enable a
Q&A process and exchange valuable experience and knowledge. The second is to
provide input for the development of the relevant standards, such as the
IEC61508 and IEC61511.
The Application of Safety Integrity Levels (SIL) - Position Paper on the SIL Platform - This is an excellent document on SIL which gives a comprehensive outline of SIL and the specific issues related to SIL in the Process Industries. The document provides basic information about the implementation of SIL, the relevant technology and focuses specifically on the SIL verification process to establish the adequate integrity of SIL loops - Thanks to our sponsor Mokveld and the SIL Platform Group.
ALARP with Safety Instrumented Systems - C.R. Timms - This paper sets out a
methodology for setting tolerable risk levels, for various methods of Safety
Integrity Level (SIL) determination, to meet the principles as low as reasonably
practicable (ALARP). It makes proposals on how to deal with the tolerable risk
concept for safety instrumented systems (SIS) protecting against single hazards
- from SIL Support. .
"How well do you Understand Safety Integrity Level (SIL)?" - Information on what extent can a process be expected to perform safely? And, in the event of a failure, to what extent can the process be expected to fail safely? The level control experts at Magnetrol can help you understand Safety Instrumented Systems (SIS) and Safety Integrity Levels (SIL). You will have to register to get this information
When SIL Suitability is Required for Final Control Elements- Riyaz Ali - Final control elements (control valves or safety shut down valves) are the key components of any closed loop control system, whether used for a basic process control system (BPCS) or for a safety instrumented system (SIS). Financial constraints derive different constructions of valves suitable for throttling vs. on-off applications. However, due to past accidents, reliability has become a key criterion for valve selection process. Many of process industries based on their plant specific experience are tempted to use control valves for safety shut down applications, specifically smaller size valves, which may not be cost-prohibitive. This article provides clarity on when to assign the SIL suitability for valves used in different scenarios (process control vs. safety shut down) and establish criterion to assign safety integrity level (SIL) applicability for “final element” - from Emerson Process Management.
Techniques for Assigning a Target Integrity Level - Angela E. Summers, Ph.D - The new ANSI/ISA S84.01-1996 (1) Application of safety instrumented systems for the process industries, standard requires that companies assign a target safety integrity level (SIL) for all safety instrumented systems (SIS) applications. The assignment of the target SIL is a decision requiring the extension of the process hazards analysis (PHA). The assignment is based on the amount of risk reduction that is necessary to mitigate the risk associated with the process to an acceptable level. All of the SIS design, operation, and maintenance choices must then be verified against the target SIL. This paper examines the six most common techniques currently utilized throughout the process industries: Consequence Only, Modified HAZOP, Risk Matrix, Risk Graph, Quantitative Assessment, Corporate Mandated SIL - from SIS-TECH Solutions.
Viewpoint on ISA TR84.0.02 - Simplified Methods and Fault Tree Analysis - Angela E. Summers, Ph.D., P.E.- Simplified equations and fault tree analysis are two techniques that can be used to verify safety integrity level. The two methods do yield different results but both provide acceptable approximations - from SIS-TECH Solutions.
SIL Assessments -Identification of Safety Instrumented Functions-Dirk Schreier - Since its release as an Australian standard in July of 2004, AS61511 is rapidly being accepted and applied on Safety Instrumented Systems throughout the process industry. AS61511 is a performance based standard with a risk-based approach to safety. Performance based standards are by nature very open to interpretation, and therefore allow for more than just one analysis technique. Some of the techniques currently applied in industry have some shortfalls in achieving the objective of the standard. This article looks at some common problems encountered during the analysis phase of the AS61511 safety lifecycle - from HIMA Australia.
SIL Determination Techniques Report - this excellent from ACM Automation document covers;
The following excellent papers are from Exida
Assessment Levels for Safety Equipment - Dr. William M. Goble - The end user must carefully choose all instrumentation equipment used in Safety Instrumented System (SIS) applications. All such equipment must be carefully justified... IEC 61511, Functional Safety for the Process Industries, requires that equipment used in safety instrumented systems be chosen based on either IEC 61507 certification to the appropriate SIL level or justification based on "prior use" criteria.
Project Experience with IEC 61508 and its Consequence - Rainer Faller - This paper reports on the experiences with implementation of IEC 61508 in recent projects with European, North American and Japanese system vendors. The paper describes problems identified in implementing the standard and proposes a knowledge tool and a combination of software verification methods to mitigate these issues.
Real Time Operating Systems for IEC 61508 - Mike Medoff - In today’s world many potentially dangerous pieces of equipment are controlled by embedded software. This equipment includes cars, trains, airplanes, oil refineries, chemical processing plants, nuclear power plants and medical devices. As embedded software becomes more pervasive so too do the risks associated with it. As a result, the issue of software safety has become a very hot topic in recent years. The leading international standard in this area is IEC 61508: Functional safety of electrical/electronic/ programmable electronic safety-related systems. This standard is generic and not specific to any industry, but has already spun off a number of industry specific derived standards, and can be applied to any industry that does not have its own standard in place. Several industry specific standards such as EN50128 (Railway), DO-178B (Aerospace), IEC 60880 (Nuclear) and IEC 601-1-4 (Medical Equipment), are already in place. Debra Herrmann (Herrmann, 1999) has found a total of 19 standards related to software safety and reliability cut across industrial sectors and technologies. These standards’ popularity is on the rise, and more and more embedded products are being developed that conform to these standards. Since an increasing number of embedded products also use an embedded real time operating system (RTOS), it has become inevitable that products with an RTOS are being designed to conform to such standards. This creates an important question for designers: how is my RTOS going to effect my certification? This article will attempt to explore the challenges and advantages of using an RTOS in products that will undergo certification.
SIL Verification - Dr. William M. Goble - The safety lifecycle (SLC) is one of the fundamental concepts presented in the ANSI/ISA 84.01 and IEC 61508 functional safety standards.
What Does Proven In Use Imply? - Rachel Amkreutz & Iwan van Beurden - The functional safety standards, IEC 61508, IEC 61511, and ANSI/ISA 84.01 each specify the Safety Integrity Level performance parameter of Safety Instrumented Functions.
Three Important Factors in Evaluating your SIL Certified Device - William A. Schwartz and Monica L. Hochleitner - A device’s Architectural Constraints determine immediately which level of Redundancy (HFT) is appropriate for use in a Safety Function with a given SIL requirement. The interpretation of a device’s PFDavg is more complex. It does not determine the product’s Safety Integrity Level (SIL). It determines the device’s contribution to the PFDavg of the Safety Function. As such, the device’s PFDavg must be considered together with the PFDavg’s of other devices with which it will be used, to determine the SIL of the Safety Function. This article addresses these two characteristics separately.
What is the Importance of Third Party Certification and SIL rating of SIS devices? - Luis Duran - Based on the growing number of safety certified devices or systems in the automation marketplace, these are the times of Functional Safety Certification, especially in the process industries. However as basic as it might sound, is there a “one-size-fits-all” certification process? Or how useful is that “certified equipment” for your application? From the reasons that gave birth to third party certification agencies through the remaining fundamental need for their work today, the questions to answer are: what is the end user getting with the certification?; how can the end user benefit by utilizing certified equipment?; why this might be better than using “proven in use” equipment as defined by IEC61511? This paper presents a practical perspective to understanding certification and selecting and applying certified devices or systems while deploying a safety instrumented system, and highlights what else remains to be done by the implementation team and end users to fulfil the requirements of current safety standards as IEC61511 and best engineering practices - from Triconex.
Changeout of SIS - C.R. Timms - Replacement of SIS Logic Solvers Whilst the
Process Remains Operational - Clive Timms - With increasing global demand for
oil and gas driving prices higher and higher, the focus of oil and gas producers
is to maintain and maximise production from every available facility. Older
unreliable facilities are being upgraded and this often includes the replacement
of Safety Instrumented Systems (SIS) such as emergency shutdown (ESD) systems,
process shutdown (PSD) systems, Emergency Depressurisation (EDP) systems and
fire and gas (F&G) systems due to obsolescence or reliability issues.
Traditionally, the replacement of such safety critical systems is undertaken
during a plant shutdown opportunity to ensure that process integrity was
maintained and the replacement systems could be fully commissioned and validated
without the presence of the process hazards. However, in this era of high oil
and gas demand we are now seeing more and more SIS replacement projects being
undertaken whilst the process is still fully operational, and this can lead to
potential compromises during commissioning and validation of functionality
- from SIL Support.
Converting Relay-Based Logic Solver to Triple Modular Redundancy Means Safer plants at Less Cost - Keyur Vora and Ranjan Bhattacharya - When a leading Indian petrochemical plant noticed interlock operations and actuation happening six times a year due to shutdowns, they knew it was time for a change. Problems with trips in the oxidation reactor lead to huge costs in production and quality losses. Finally plant officials looked at upgrading the relay-based interlock system with triple modular redundancy (TMR) to enhance reliability and availability and reduce nuisance trips. From ISA and InTech.
: Rate of Safe
: Rate of Dangerous
: Rate of Safe
failures, detected (1/t)
: Rate of Safe failures,
: Rate of
Dangerous failures, detected
of Dangerous failures, undetected (1/t)
: Rate of
Dangerous detected failures (1/t)
: Rate of Dangerous
undetected failures (1/t)
: Emergency Shut Down
SIS or part of a SIS is considered as being fault-tolerant, if it
continues to perform its safety functions in spite of the presence of
one (or more) dangerous failures.
: Failure Mode Effect
Integrity (Pressure) Protection System
61508 : Functional
safety of electrical/electronic/ programmable electronic
61511 : Functional
safety- Safety instrumented systems for the process industry sector
Probability of Failure on Demand
: Safe Failure Fraction:
SFF = (λS+λDd)/(λS+λDd+λDu)
: Safety Instrumented
: Safety Integrity
: Safety Instrumented
: Triple Modular
Safety Terms and Acronyms Glossary - exida - This list of
functional safety terms and acronyms has been compiled from a number
of sources listed at the end including the IEC 61508, IEC 61511
(ISA84.01) standards. It is meant to provide a general reference for
engineers practicing safety lifecycle engineering in the process
industry. As such it provides both safety and related non-safety term
definitions in a clear useable form. It specifically highlights the
most important terms and acronyms from the safety lifecycle standards
with working level definitions. The reader is encouraged to pursue IEC
61508 or IEC 61511 for additional definitions and for additional
information on applying the safety lifecycle to the process industry.
Fire Safe Actuators - A paper detailing an innovative concept - from Samson Controls Pty Ltd
Burner Management Systems
Complete Burner Automation with Safety Controllers-A new solution for simple single and multi burner arrangements through to complex BMS applications, e.g. for power plants, waste incineration plants or processing plants. - Looking for more on Burner Management Systems? ICEweb's comprehensive BMS page has it! - from HIMA Australia.
Fuel storage Sites
Recommendations on the Design and Operation of Fuel Storage Sites -This 52 page report sets out recommendations to improve safety in the design and operation of fuel storage sites.
Eclipse®705 receives SIL3 Certificate from Exida - Magnetrol International, Incorporated has announced that exida, an accredited global functional safety certification company, has certified the product reliability and the engineering change processes for the Eclipse® Model 705 Guided Wave Radar Transmitter as Safety Integrity Level (SIL) 3 capable per IEC 61508. SIL certification is obtained through analysis based on quantitative data and tests indicating the length of time between failures and expected performance in the field. A Failure Mode Effect and Diagnostic Analysis (FMEDA) confirmed that the Magnetrol® Eclipse Model 705 has demonstrated a solid field use history, includes sound engineering processes, and is designed with capable self-diagnostics. Download the IEC61508 Functional Safety Assessment here.
Life Science Industries
Functional Safety in the Life Science Industries - David Hatch, Iwan van Beurden and Eric W Scharpf - This article presents an overview of functional safety within the life science industry based on international standards - from Exida
Emphasis on Safety - Rob Stockham, Moore Industries-Europe General Manager and safety expert, looks at the latest method being employed by the UK nuclear industry to access control systems in safety-related and safety-critical applications in power stations.
Overfill Protective Systems
Logic Solver for Tank Overfill Protection - The aim of this paper is to explore some of the possibilities available to the SIS designer of a tank overfill protection system for the logic solver and to show examples of straightforward system topologies and their associated safety integrity level (SIL) calculations - from our sponsor Moore Industries.
API RP 2350 Recommended Practice for Overfill Protection for Storage Tanks in Petroleum Facilities: Common Questions and Answers - In the aftermath of several tragic tank overfill incidents in recent years, the American Petroleum Institute revised its API RP 2350 recommended practice to address malfunctioning or insufficient tank level gauging. During the past few months, Magnetrol have received numerous questions about these new recommendations for overfill protection, and the answers to the most frequently asked questions are shared on this blog. See further answers in Part 2 and Part 3.
Applying Tank Farm Safety Standards for Petroleum Storage Tanks in India - S. K. Ravindran and John Joosten - Like other process industry operations, petroleum tank farms present difficult challenges for automation and safety technology. Tank farms, storage areas and loading/unloading sites all need effective safety solutions to protect personnel, assets and the environment. The consequences of incidents at these facilities can be enormous. The tank farm environment, being a hazardous area, requires continual monitoring of critical process parameters. Accurate and reliable tank level monitoring is especially important to prevent overfill situations. Some overfills are small and easily contained, but the accumulation of product from repeated overfills or a single large spill can cause significant soil and ground water contamination. Worse yet, recent catastrophic incidents at tank farms and terminals can be traced to ineffective safety technology leading to loss of level control and, ultimately, to loss of containment. Tank farm operations benefit from a holistic approach to industrial safety, which integrates advanced technology at all plant protection layers - and the people who interact with that technology - to help end-users achieve their safety objectives.This white paper describes various standards and recommendations as per international and Indian publications addressing safety in petroleum storage tank farms. It also discusses possible technologies/solutions, which can be used to comply with industry guidelines and create a safe work environment - from Honeywell.
New Tank Over Fill and Spill Protection Standard - As a direct result of the Buncefield explosion, the American Petroleum Institute's Recommended Practice 2350 is being revised and updated to help prevent future incidents. It should be noted that there are similar storage terminals spread across Canada and the world. Many are currently in the process of updating to these standards. Of particular interest, are storage facilities fed by a pipeline, or from a ship, as the potential spill risk is greater than those fed by truck or rail. The API 2350 4th edition will require most petroleum storage tanks over 5000 liters to have an independent level alarm for critical high level. Past practices of taking a high level or overfill alarm off the main tank level gauge (commonly a radar level device) are no longer allowed. A back up device is now required that can be a second transmitter (continuous level indication) or more cost effectively a point level switch. Depending on the overfill prevention category of the vessel, these switches may be mechanical or electronic. While there are several potential alarm points, here we are discussing the independent alarm required for the "High-High" alert - from Magnetrol.
Overfill Protective Systems - Complex Problem, Simple Solution - Angela E. Summers, Ph.D - Overfills have resulted in significant process safety incidents. Longford (Australia, 1998), Texas City (United States, 2005), and Buncefield (United Kingdom, 2005) can be traced to loss of level control leading to high level and ultimately to loss of containment. A tower at Longford and a fractionating column at Texas City were overfilled, allowing liquid to pass to downstream equipment that was not designed to receive it. The Buncefield incident occurred when a terminal tank was overfilled releasing hydrocarbons through its conservation vents. The causes of overfill are easy to identify; however, the risk analysis is complicated by the combination of manual and automated actions often necessary to control level and to respond to abnormal level events. This paper provides a summary of the Longford, Texas City, and Buncefield incidents from an overfill perspective and highlights 5 common factors that contributed to making these incidents possible. Fortunately, while overfill can be a complex problem, the risk reduction strategy is surprisingly simple - from SIS-TECH Solutions.
Vessel Overflow Protection Systems Seem So Simple, So Straightforward—that is until one of them fails to work properly and your plant is the six o’clock news - The underlying concept required of an automated
Using Instrumented Systems for Overpressure Protection - Dr. Angela E. Summers, PE - Industry is moving towards the use of high integrity protection systems (HIPS) to reduce flare loading and alleviate the need to upgrade existing flare systems when expanding facilities. The use of HIPS can minimize capital project costs, while meeting an evolving array of standards and regulations. This paper will discuss API and ASME standards and how these relate to ANSI/ISA S84.01-1996 and IEC 61508. It focuses on process that should be followed in implementing the engineering design of HIPS - from SIS-TECH Solutions.
Transporting Gas - with Safety First!-Automation of an ethylene pipeline - from HIMA Australia.
High Integrity Protective Systems for Reactive Processes - This paper discusses how to assess, design, and implement HIPS to effectively manage potential overpressure of equipment used for reactive processes - from SIS-TECH Solutions.
Subsea Gas Pipeline
Critical Aspects of Safety, Availability and Communication in the Control of a Subsea Gas Pipeline- Requirements and Solutions - This is a large zipped file of 2.5 Meg so will take a while to download, however it is worth it as shows safety related satellite communication - from HIMA Australia.
Statistical Signature Analysis: Modeling Complex λD(t) from Proof Test Data and the Effects on Computing PFDavg - Julia V. Bukowski - To compute PFDavg, we must first have a model for λD(t), the failure rate of the equipment in the dangerous failure mode. A dangerous failure occurs when equipment designed for prevention or mitigation of an unsafe condition cannot properly respond to the unsafe condition, i.e., the equipment fails on demand. For example, consider a PRV, which, in normal operation, is closed. Should it fail in the "stuck-shut" mode, it would be in a state of dangerous failure as it would be unable to respond to an overpressure event if one occurred - from Exida.
Software tools for SIS Lifecycle Support - C.R. Timms - Since the publication of IEC 61508 and IEC 61511 there has been a steady increase in the number of PC based software tools developed to aid compliance. These come with a wide range of both capability and price, but carefully selected tools are considered the most appropriate way forward for ensuring lifecycle support of safety instrumented systems (SIS). Software tools are not just the realm of the design engineer, and this paper draws on experiences to demonstrate the benefits that can be realised by SIS engineering practitioners and end users. This paper also discusses configuration aids for programmable logic controllers (PLC) but it does not cover PLC software or computer aided design (CAD) software - - from SIL Support.
Testing on ﬁnal Elements to Extend Maintenance Cycles - Thomas Karte
and Karl-Bernd Schärtner - In the process industry, the testing of safety
instrumented systems is an inherent part of the safety approach. Usually,
function tests are performed once a year on the entire instrumented system,
consisting of sensor, logic solver, and ﬁnal element.
Further scheduled testing routines depend on local requirements and even
involve removing valves from the plant and inspecting them in the workshop.
These common procedures have not lost their importance even in view of the IEC
61508 and IEC 61511 standards. However, these standards require a quantitative
analysis of safety equipment and SIL (Safety Integrity Level) ratings. The
probability of failure for the safety loop and its individual components need to
be calculated. The degree of coverage of the performed tests plays a key role.
As a result, maintenance cycles can be planned more ﬂexibly and even
extended in some cases. This changed approach to safety is accompanied by the
development of smart positioner diagnostics. This article discusses the
opportunities of partial-stroke testing and the risks involved - from ICEweb
Partial Stroke Testing of Block Valves - Chapter, “Partial Stroke Testing of Block Valves”, Instrument Engineers Handbook, Volume 4, Chapter 6.9 - For many operating companies, one of the most difficult parts of complying with the standards is the testing interval often required for final elements, such as emergency isolation valves or emergency block valves, this excellent chapter covers this in detail - from SIS-TECH Solutions.
Partial-Stroke Testing of Block Valves - This paper discusses the various ways that you can partial stroke test block valves and illustrates the probability of failure on demand calculations - from SIS-TECH Solutions.
Partial Valve Stroke Testing - Iwan van Beurden - The objective of a Safety Instrumented System (SIS) is to reduce the risk associated with a particular process to a level lower than or equal to the tolerable risk level - from Exida.
Achieving High SIL Ratings with Partial Stroke Testing of Valves - Operating companies can substantially increase their SIL (safety integrity level) loop rating if they adopt a rigorous maintenance and testing program on their valves. By combining partial stroke testing of valves with more frequent inspection, companies can achieve higher SIL rating without spending for additional hardware - from ACM Automation.
ANSI/ISA-TR96.05.01, Partial Stroke Testing of Automated Block Valves - from ISA -The technical report provides guidance on various criteria to consider when determining whether partial stroke testing would be beneficial and on the different methods used.Use of this technical report involves familiarity with the operation of automated block valves and with the quantitative analysis of its average probability of failure on demand (PFDAVG). Users of ANSI/ISA-TR96.05.01 will include:
- owner/operators who use automated block valves in operating environments requiring partial stroke testing;
- designers who identify automated block valve applications where it is apparent more frequent and stringent proof testing is required;
- operations and maintenance personnel who need to understand the process and results of partial stroke testing.
The following excellent documents are from SIS-TECH Solutions.
Lessons Learned While Auditing Automation Systems for PSM Compliance - Angela E. Summers, Ph.D - While reliance on instrumentation has increased at an incredible pace, resources allocated to design and manage the equipment have declined in many companies, leading to more burden and expectations being placed on fewer and fewer people. Quality instrumented system performance relies on a rigorous management system that minimizes human error and equipment failure potential. This paper focuses on safety instrumented systems and applicable process safety management requirements. Observations from assessments and audits are provided, illustrating poor performing instrumented systems, inadequate operating and maintenance procedures, recordkeeping and retention practices, and out-of-date documentation
Safety Management is a Virtue - Angela E. Summers, Ph.D - This paper discusses various challenges to sustaining safe operation of process equipment. Each challenge is introduced using a Chinese fortune cookie to remind the reader that the barriers against progress are not new but have existed from many years. In most cases, the solutions are also well known and generally require deployment of robust equipment, proven techniques, and competent resource.
Bridging the Safe Automation Gap Part 1 - Part 1 discusses safe automation on a broad perspective examining safety culture, organization and hazards analysis issues.
Bridging the Safe Automation Gap Part 2 -Part 2 focuses on instrumented systems and discusses specification, implementation, operation, maintenance, and management of change.
Bhopal: Could it Happen Again? - Angela E. Summers, Ph.D., P.E., President, SIS-TECH Solutions, LP
Mechanical Integrity of Plant Containing Hazardous Substances - A guide to
periodic examination and testing - The Health and Safety Executive (HSE)
considers maintenance of the integrity of plant containing hazardous substances
to be a fundamental element of good process safety management. To this end, we
believe this document provides a sound basis from which to develop arrangements
for the management and delivery of periodic examinations aimed at achieving
this. The guidance contained within this document should not be regarded as an
authoritative interpretation of the law, but if you follow the advice set out in
it, you will normally be doing enough to comply with health and safety law in
respect of those specific issues on which the guidance gives advice. Whilst not
being specifically related to instrumentation this comprehensive document from
EEMUA is an excellent reference for anybody working or interested in Asset
Management and Safety.
Process Safety Management Guidelines for Compliance - The major objective of process safety management (PSM) of highly hazardous chemicals is to prevent unwanted releases of hazardous chemicals especially into locations that could expose employees and others to serious hazards. An effective process safety management program requires a systematic approach to evaluating the whole chemical process. Using this approach, the process design, process technology, process changes, operational and maintenance activities and procedures, nonroutine activities and procedures, emergency preparedness plans and procedures, training programs, and other elements that affect the process are all considered in the evaluation - This is an excellent document from the US Department of Labour.
Effective Management of PSM Data in Implementing the ANSI/ISA-84.00.01 Safety Lifecycle - Carolyn Presgraves - Throughout the evolution of Process Safety Management (PSM) engineering, Operations and Maintenance personnel have participated in the identification of process hazards and the mechanisms in place to prevent those hazards. Prevention mechanisms have included both active and passive engineered systems and administrative measures such as relief valves, procedures, operator alarms, Basic Process Control Systems (BPCS) interlocks, and Safety Instrumented Systems (SISs). Process Safety Information (PSI), Mechanical Integrity (MI), Operating Procedure, and Training requirements of 29 CFR 1910.119 provide guidance for many of these prevention mechanisms. Specifically applicable to the topic of this paper and conformance with ANSI/ISA-84.00.01, PSI requirements for safety systems include complete documentation of the design basis and specification data in accordance with recognized and generally accepted good engineering practices. The MI section requires the inspection and testing of safety systems according to recognized and generally accepted good engineering practices, maintenance of testing records, and documented correction of any identified deficiencies - from the ISA.
Transmitters for Safety Instrumented Systems
- This paper outlines the requirements for sensors that meet the
requirements of IEC16511/ISA 84.00.01 - from Emerson Process Management.
Selecting Transmitters for Safety Instrumented Systems - Stephen R. Brown and Mark Menezes - Users design safety systems to mitigate the risk of identified process hazards within tolerable levels, using application-specific risk models, defined user inspection schedules, and safety data for the devices under consideration. Some suppliers provide safety data for their devices. However, supplier data, even when validated by a third party, reflects laboratory results, and can be an order of magnitude too aggressive for field devices. “Proven-in-use” data includes real-world failure causes; however it tends to be conservative, since it must cover the whole range of the category, from 20-year-old pneumatics to the latest smart technology. Moreover, proven-in-use data is often aggregated for a given technology: for example, “pressure transmitter = dangerous failure rate of once in 50 years”. This aggregate data often does not isolate failure causes, so it does not allow users to take credit for improvements in technology or user practices intended to minimize the impact of specific failures. The net result to the user can be over design, over-testing, increased spurious trips and needless capital expenditures - from IDC.
Smart Instruments in Safety Instrumented Systems - Tom Nobes - The U.K.'s largest nuclear site operator implements IEC61508 and finds the quality of instrument firmware to be variable, but improving. Thanks to ISA.
Functional Safety Expert Governance Board -The CFSE is now administered by the CFSE Governance
Board which is in turn supported by a broad consortium of companies
including Honeywell, Pilz, Siemens, TUV, Exida and other leading
safety related firms.
Personnel Functional Safety Certification - Not All Programs Are Created Equal - As production runs ever closer to equipment and facility operating limits and new plants come on line in expanding and developing economies, the pressure to design and operate systems more safely and economically is increasing. A key to meeting this goal is having competent people who are knowledgeable and experienced in applying the IEC 61508 and IEC 61511 / ISA 84 functional safety standards. To develop and measure an individual’s safety engineering competence, several personnel functional safety certification programs have been created. This paper discusses why these programs are needed and the benefits they deliver to individuals and companies alike. It will also review the characteristics and differences of the various certification programs on the market today, things to watch out for, and some important questions to ask when selecting a certification program- from CFSE.
Why should Process Safety Engineers be Certified? - The typical answer to this question is initially very defensive. Certified to what? By whom? Who mandates certification of plant personnel? Why? What does this buy me? - from Triconex.
Playing it Safe - How Information Management Technology is essential to meet more stringent Process Safety and Regulatory Compliance - Process Safety and Compliance are universal issues across all the world’s plant industries and individual regulatory authorities are increasingly collaborating to share ideas and to normalise globally consistent, best-practice requirements. These authorities have recognised the potential of Information Management technologies for supporting safe and compliant operations and we can expect to see their use progressively being encouraged, expected and mandated as regulations advance. But the issue is not only one of maintaining regulatory compliance. The US Centre for Chemical Safety claims that an average offshore incident costs an Owner Operator $80 million, so there is a serious economic incentive involved as well.This paper examines current capabilities, opportunities and likely future directions in the application of technology. For convenience, reference will be made to new offshore regulations emerging in the USA, as these are likely to set benchmarks for global regulatory standardisation - from ICEweb Sponsor AVEVA.
The following papers are from ICEweb sponsor IDC
Technologies - Specialists In Engineering Courses & Training
Management of Functional Safety - Gaps in the Operation Phase - Andy Yam - According to the IEC 61511 standard, the purpose of having a Functional Safety Management (FSM) system during the safety lifecycle is to identify the management activities that are necessary to ensure that the functional safety objectives of the safety instrumented system are met. These activities are separate from the health and safety measures in the workplace. As per the safety lifecycle model in this standard, management of functional safety is a requirement throughout the lifecycle of the plant, including during the conceptual, implementation and operational phases. In the ensuing years after the release of the functional safety standards, a lot of emphasis has been placed on meeting the requirements during the conceptual and implementation phases. However, it is equally important that the Safety Instrumented System (SIS) is operated and maintained in compliance with the standards, especially considering that plants typically are operated for up to 30 years as compared to the Conceptual and Realization Phases, which may last a couple of years. This paper looks at some common gaps in operation and the strategies and activities required for compliance - from the IDC Safety Control Systems Conference 2015
Functional Safety and Ageing Assets - Shane Higgins and Lyn Fernie – HIMA Australia - When designing a new facility, functional safety standards can be adopted at relatively low cost in order to reduce risks as low as reasonably practicable (ALARP), provided that standards are correctly specified and adopted from the earliest stages of a project. Practical ways to implement the standards for ageing assets are not immediately evident. The question often arises whether an existing plant or installation should be expected to comply with the same base standards as new assets. The functional safety standards provide a mechanism to determine an integrity requirement for a safety-related system based on the risk posed by hazardous scenarios. To enable a decision as to whether a retrofit is reasonably practicable, it is necessary to consider all the available options, assess the reduction in risk (benefit) provided by any new or modified safety functions/systems, and weigh that up against the cost of such improvements - from the IDC Safety Control Systems Conference
A Generally Accepted Good Practice Approach to Functional Safety Management - David Nassehi- Senior Functional Safety Engineer, CFSE, PMP- Plexal Group - The Project Management Institute (PMI) Project Management Body of Knowledge (PMBOK) GUIDE (ANSI/PMI99-001-2008/IEEE1490-2011) presents a set of standard guidelines for project management and identifies the project management body of knowledge that is generally recognized as good practice. It is process-based and the approach is consistent with ISO 9000. It describes the project management life cycle and the project life cycle. This paper compares AS IEC-61511 lifecycle and Functional Safety Management requirements with the PMBOK guidelines, identifies the approaches which are in line with both and suggests strategies to embed in the project lifecycle which improves Functional Safety (FS) objectives throughout the safety lifecycle to achieve integrated functional safety and project management - from the IDC Safety Control Systems Conference 2015
The following links are from the 61508
What is a Functional Safety System? - A short description.
What is IEC 61508? - A short description.
Competence Guidelines - The crucial component in the management of functional safety is the competence of all those with a role to play throughout the safety system lifecycle. Clause 6 of IEC 61508 Part 1 specifies the requirements for the management of functional safety including reference to the need for those involved in any part of the safety system lifecycle to have the necessary competence.
What’s it all about? - Functional Safety Management within your reach - Whether you are working to IEC61511 on a process industry application or simply using BS EN 61508, the master standard for safety instrumented systems, Functional Safety Management is a basic requirement of the standard. It is required in IEC61508 part 1 clause 6 and IEC61511 part 1 clause 5.
What is Functional Safety Management? - This document gives a concise overview about Functional Safety Management Systems,
FREE downloadable Functional Safety Management Declaration -Describes what to do in three simple steps.
Getting advice and assistance
Includes details on the Functional Safety Management Declaration form, CASS Functional Safety Management Declaration
Lodging your Functional Safety Management Declaration
- download here in MS Word 97/2000 format (“.doc”)
- download here in ISO 26300 file format (“.odt”)
Help pages (in pdf format):
Help for Part 1 – download here.
Help for Part 2 – download here.
Help for Part 3 – download here.