3.10 SIF Proof Testing Yields Process Sector Reliability Data - William H. Hearn, Patrick Skweres, A. D. Arnold, and Angela E. Summers, Ph.D. - ANSI/ISA 84 requires periodic proof testing of SIFs to demonstrate the correct operation of the loop elements along with sufficient historical documentation to support analysis of discrepancies and validation of the SIF integrity and reliability. The analysis of proof test records is an important element of the quality assurance process necessary to support continued use of installed equipment. The CCPS Process Equipment Reliability Database (PERD) project has developed failure data taxonomies which provide a structure to capture data to support chemical process data collection and analysis. SIS-TECH® has been distributing a device failure rate database for more than 10 years. This paper describes how SIS-TECH® will collect device performance data under a quality plan during periodic SIF proof testing. This data will be contributed to PERD for review and analysis so that SIL Solver® failure rates can be validated against operating environment data.

3.10 Overfill Protective Systems - Complex Problem, Simple Solution - Angela E. Summers, Ph.D - Overfills have resulted in significant process safety incidents. Longford (Australia, 1998), Texas City (United States, 2005), and Buncefield (United Kingdom, 2005) can be traced to loss of level control leading to high level and ultimately to loss of containment. A tower at Longford and a fractionating column at Texas City were overfilled, allowing liquid to pass to downstream equipment that was not designed to receive it. The Buncefield incident occurred when a terminal tank was overfilled releasing hydrocarbons through its conservation vents. The causes of overfill are easy to identify; however, the risk analysis is complicated by the combination of manual and automated actions often necessary to control level and to respond to abnormal level events. This paper provides a summary of the Longford, Texas City, and Buncefield incidents from an overfill perspective and highlights 5 common factors that contributed to making these incidents possible. Fortunately, while overfill can be a complex problem, the risk reduction strategy is surprisingly simple.

3.10 Lessons Learned While Auditing Automation Systems for PSM Compliance - Angela E. Summers, Ph.D - While reliance on instrumentation has increased at an incredible pace, resources allocated to design and manage the equipment have declined in many companies, leading to more burden and expectations being placed on fewer and fewer people. Quality instrumented system performance relies on a rigorous management system that minimizes human error and equipment failure potential. This paper focuses on safety instrumented systems and applicable process safety management requirements. Observations from assessments and audits are provided, illustrating poor performing instrumented systems, inadequate operating and maintenance procedures, recordkeeping and retention practices, and out-of-date documentation.

Partial Stroke Testing of Block Valves - Chapter, “Partial Stroke Testing of Block Valves”, Instrument Engineers Handbook, Volume 4, Chapter 6.9 - For many operating companies, one of the most difficult parts of complying with the standards is the testing interval often required for final elements, such as emergency isolation valves or emergency block valves, this excellent chapter covers this in detail.

Improve Facility SIS Performance and Reliability
Angela E. Summers, Ph.D., P.E, President, SIS-TECH Solutions, LP and Bryan A. Zachary, Operations Manager

Introduction to Layer of Protection Analysis
This paper provides an overview of the LOPA process, highlighting the key considerations

High Integrity Protective Systems for Reactive Processes
This paper discusses how to assess, design, and implement HIPS to effectively manage potential overpressure of equipment used for reactive processes.

Perspectives on ANSI/ISA 84.00.01-2004 (IEC61511)-An Emerging International Consensus Standard
Angela E. Summers, Ph.D., P.E., President, SIS-TECH Solutions, LP

Estimation and evaluation of common cause failures in SIS
Angela E. Summers, Ph.D., Kimberly A. Ford, and Glenn Raney

Is your SIS "grandfathered" under ANSI/ISA S84.01-2004?
Kimberly A. Ford and Angela E. Summers, Ph.D., P.E.

Techniques for assigning a target integrity level
Angela E. Summers, Ph.D.

Viewpoint on ISA TR84.0.02 - simplified methods and fault tree analysis
Angela E. Summers, Ph.D., P.E.- Simplified equations and fault tree analysis are two techniques that can be used to verify safety integrity level. The two methods do yield different results but both provide acceptable approximations. 

SIS Technical Papers - Exida.com provides links and excellent technical information as follows on Safety Instrumented Systems;

Statistical Signature Analysis: Modeling Complex λD(t) from Proof Test Data and the Effects on Computing PFDavg - Julia V. Bukowski - To compute PFDavg, we must first have a model for λD(t), the failure rate of the equipment in the dangerous failure mode. A dangerous failure occurs when equipment designed for prevention or mitigation of an unsafe condition cannot properly respond to the unsafe condition, i.e., the equipment fails on demand. For example, consider a PRV, which, in normal operation, is closed. Should it fail in the "stuck-shut" mode, it would be in a state of dangerous failure as it would be unable to respond to an overpressure event if one occurred.

Final Elements and the IEC 61508 and IEC 61511 Functional Safety Standards Book - This book reviews and explains the application of the IEC 61508 and IEC 61511 functional safety standards as they apply to final control elements. The overall safety lifecycle and reliability requirements are reviewed with special focus on the challenges encountered when dealing with complex electro-mechanical subsystems. Throughout the book requirements for designing and implementing reliable and effective safety instrumented functions are covered in a clear step by step manner.

61508 and 61511; What Is an Operations Company Supposed to Do? - Eric Scharpf - The typical first reaction from the process operations side of the table when confronted with a new standard is, "How much will this cost and how much extra paperwork will it involve?".... IEC 61508 and 61511, the standards covering the design and use of a safety instrumented system to reduce process plant accidents, are no exception to this initial reaction.

Accurate Failure Metrics for Mechanical Instruments -Dr. William M. Goble -Probabilistic calculations done to verify the integrity of a Safety Instrumented System design require failure rate data and failure mode data of all equipment including the mechanical devices.

Assessment Levels for Safety Equipment - Dr. William M. Goble - The end user must carefully choose all instrumentation equipment used in Safety Instrumented System (SIS) applications. All such equipment must be carefully justified... IEC 61511, Functional Safety for the Process Industries, requires that equipment used in safety instrumented systems be chosen based on either IEC 61507 certification to the appropriate SIL level or justification based on "prior use" criteria.

Common Cause Simulation - Dr. William M. Goble - Fault tolerant systems have been designed for safety critical applications including the protection of potentially dangerous industrial processes.

Development of a Mechanical Component Failure Database -Dr. William Goble & Julia Bukowski - In this paper, they present a methodology to derive component failure rate data for mechanical components used in automation systems based on warranty and field failure rate data as well as expert opinion.

Estimating The Beta Factor - Dr. William M. Goble - A Safety Instrumented System (SIS) is often designed to help protect an industrial process against potentially dangerous hazards. These systems often use redundant equipment to achieve the needed levels of protection. If the design was done to meet requirements of IEC 61511 or IEC 61508, probabilistic evaluation is done to verify that the design achieves risk reduction goals.

Evolution of European Standards - Rainer Faller - Slide show presentation of his Rockwell Automation 2002 speech

FMEDA - Accurate Product Failure Metrics - John C. Grebe and Dr. William Goble - The letters FMEDA form an acronym for "Failure Modes Effects and Diagnostic Analysis." The name was given by one of the authors in 1994 to describe a systematic analysis technique that had been in development since 1998 to obtain subsystem / product level failure rates, failure modes and diagnostic capability.

Functional Safety Terms and Acronyms Glossary - exida - This list of functional safety terms and acronyms has been compiled from a number of sources listed at the end including the IEC 61508, IEC 61511 (ISA84.01) standards. It is meant to provide a general reference for engineers practicing safety lifecycle engineering in the process industry. As such it provides both safety and related non-safety term definitions in a clear useable form. It specifically highlights the most important terms and acronyms from the safety lifecycle standards with working level definitions. The reader is encouraged to pursue IEC 61508 or IEC 61511 for additional definitions and for additional information on applying the safety lifecycle to the process industry.

Getting Failure Rate Data - Dr. William M. Goble - Safety verification calculations for each safety instrumented function are a key concept in functional safety standards like ISA 84.01 and IEC 61511.

IEC 61508 Overview - exida - IEC 61508 is an international standard for the “functional safety” of electrical, electronic, and programmable electronic equipment. This standard started in the mid 1980s when the International Electrotechnical Committee Advisory Committee of Safety (IEC ACOS) set up a task force to consider standardization issues raised by the use of programmable electronic systems (PES). At that time, many regulatory bodies forbade the use of any software-based equipment in safety critical applications. Work began within IEC SC65A/Working Group 10 on a standard for PES used in safety-related systems. This group merged with Working Group 9 where a standard on software safety was in progress. The combined group treated safety as a system issue.

IEC61511 Standard For Functional Safety - exida - IEC 61511 has been developed as a Process Sector implementation of the international standard IEC 61508: "Functional safety of electrical / electronic / programmable electronic safety-related systems."

Implementing IEC61508 In The Process Industries - Dr. Eric W. Scharpf & Dr. William M. Goble - IEC 61508 and its process-specific companion IEC 61511 are providing new codification to safety instrumented systems and their application to the process industry.

Mechanical Database Verification Report -Julia Bukowski - The purpose of this document is to report on exida's successful efforts to validate statistically certain random equipment failure rate data used in a mechanical parts failure rate and failure mode database and, by extension, to validate the techniques used to derive the data. To accomplish this, a Failure Modes, Effects, and Diagnostic Analysis (FMEDA) is initially used to predict the useful- life failure rate for the fail-to-open condition of a particular pressure relief valve (PRV) using the failure rates from the mechanical parts database. Next, this prediction is statistically tested against three independent data sets consisting of proof test data for PRV provided by Fortune 500 operating companies. The data sets all meet the intent of the quality assurance of proof test data as documented by the Center for Chemical Process Safety (CCPS) Process Equipment Reliability Database (PERD) initiative.

Mechanical Failure Rate Data for Low Demand Applications - exida - The use of IEC 61508 [1] and IEC 61511 [2] has increased rapidly in the past several years. Along with the adoption of the standards has come an increase in the need for accurate reliability data for devices used in Safety Instrumented Systems (SIS), both electronic and mechanical. While the methodology of determining failure rates for electronic equipment is fairly well accepted and applied, the same can not be said for mechanical equipment. Several methods are currently being utilized for generating failure rates for mechanical components. These methods vary in their approach and often lead to dramatically different failure rates which can lead to significant differences when calculating the reliability of a safety instrumented function (SIF). Some methods can result in dangerously optimistic failure rate numbers.

Mechanical FMEDA Presentation - Slide show presentation by Dr. William M. Goble

Modeling & Analyzing The Effects Of Periodic Inspection On The Performance Of Safety-Critical Systems - Julia V. Bukowski - This paper presents a method for incorporating into Markov models of safety-critical systems, periodic inspections and repairs which occur deterministically in time.

Open IEC 61508 Certification of Products -Rainer Faller & Dr. William Goble -IEC 61508 has been in use for several years since the final parts were released in 2000. Although written from the perspective of a bespoke system, it is more commonly used to certify products for a given SIL level. Valid product certification schemes must involve the assessment of specific product design details as well as an assessment of the safety management system of the product manufacturer and the personnel competency of those professionals involved in the product creation.

Partial Valve Stroke Testing - Iwan van Beurden - The objective of a Safety Instrumented System (SIS) is to reduce the risk associated with a particular process to a level lower than or equal to the tolerable risk level.

PFDavg Calculations For Redundant Systems With Incomplete Testing - Harry Cheddie - A common definition of a Safety Instrumented Function (SIF) as defined in Functional Safety Standards is "Function to be implemented by a Safety Instrumented System (SIS) to mitigate or prevent a specific hazardous event."

PLC vs Safety PLC - Dr. William M. Goble - Safety Programmable Logic Controllers (PLCs) are special purpose machines that are used to provide critical control and safety applications for automation users. These controllers are normally an integral part of a safety instrumented system (SIS) which are used to detect potentially dangerous process situations.

Project Experience with IEC 61508 and its Consequence - Rainer Faller -  This paper reports on the experiences with implementation of IEC 61508 in recent projects with European, North American and Japanese system vendors. The paper describes problems identified in implementing the standard and proposes a knowledge tool and a combination of software verification methods to mitigate these issues.

Real Time Operating Systems for IEC 61508 - Mike Medoff - In today’s world many potentially dangerous pieces of equipment are controlled by embedded software. This equipment includes cars, trains, airplanes, oil refineries, chemical processing plants, nuclear power plants and medical devices. As embedded software becomes more pervasive so too do the risks associated with it. As a result, the issue of software safety has become a very hot topic in recent years. The leading international standard in this area is IEC 61508: Functional safety of electrical/electronic/ programmable electronic safety-related systems. This standard is generic and not specific to any industry, but has already spun off a number of industry specific derived standards, and can be applied to any industry that does not have its own standard in place. Several industry specific standards such as EN50128 (Railway), DO-178B (Aerospace), IEC 60880 (Nuclear) and IEC 601-1-4 (Medical Equipment), are already in place. Debra Herrmann (Herrmann, 1999) has found a total of 19 standards related to software safety and reliability cut across industrial sectors and technologies. These standards’ popularity is on the rise, and more and more embedded products are being developed that conform to these standards. Since an increasing number of embedded products also use an embedded real time operating system (RTOS), it has become inevitable that products with an RTOS are being designed to conform to such standards. This creates an important question for designers: how is my RTOS going to effect my certification? This article will attempt to explore the challenges and advantages of using an RTOS in products that will undergo certification.

SIL Verification - Dr. William M. Goble - The safety lifecycle (SLC) is one of the fundamental concepts presented in the ANSI/ISA 84.01 and IEC 61508 functional safety standards.

Software - Stress Vs. Strength - Dr. William M. Goble - Considering the components used in the current control systems, hardware failure cause have been widely studied.

Software Safety Technique - Dr. William M. Goble - There is a strong trend toward the use of programmable electronics in safety instrumented systems. yet some users still avoid software-based systems.

State-Of-The-Art Safety Verification - Dr. Eric W. Scharpf & Dr. William M. Goble -The past few years have brought significant changes to the control safety field in both technology (i.e., fieldbus) and regulation (i.e., IEC 61508).

What Does Proven In Use Imply? - Rachel Amkreutz & Iwan van Beurden - The functional safety standards, IEC 61508, IEC 61511, and ANSI/ISA 84.01 each specify the Safety Integrity Level performance parameter of Safety Instrumented Functions.

What is PFDavg.? - Dr. William M. Goble - IEC 61508 requires probabilistic evaluation of each set of equipment used to reduce risk in a safety related system.

The Grandfather Clause and existing equipment - Dr. William Goble - International safety standards permit users to utilise a ‘Proven in Prior Use’ methodology to justify  SIS equipment ie., A Grandfather Clause ; but can users take on the responsibility? - Following a recent internally initiated audit of your facility’s SIS, you realized your systems do not meet the “grandfather clause” requirements described in ANSI/ISA 84.01.00. Now you face the task of bringing those systems into conformance with international safety standards. One of the questions your SIS team raised is, “Do our installed transmitters meet the ‘prior use’ requirements described in Section 11.5.3 of IEC 61511-1 – Requirements for the selection of components and subsystems based on prior use?” From the ISA and InTech.

Canadian Company ACM Automation provides some excellent articles and technical papers covering:-
HAZOP Budgeting Tool - How long will my HAZOP take?
Achieving High SIL Ratings with Partial Stroke Testing of Valves

SIL Determination Techniques Report, this excellent document covers;

• SIL Determination and the Safety Life Cycle
• SIL determination Techniques
• ALARP and Tolerable Risk Concept
• Semi-Quantitative Method – Fault Tree and Event Tree Analysis
• Safety Layer Matrix
• Calibrated Risk Graph
• Layer of Protection Analysis (LOPA)
• Evaluating the SIL Determination Options
• Process Industry Observations
• SIL Program Benefits

3.10 SafetyBase.com is a site that is full of some excellent information about Boiler Management Systems, Machine and Process Safety. You’ll be able to share ideas with colleagues across the country, stay current with compliance requirements, and read the latest case studies, white papers, and articles that can help you keep your people safe and your process moving.

3.10 Center for Chemical Process Safety - The Global Community Committed to Process Safety - CCPS is a not-for-profit, corporate membership organization within AIChE that identifies and addresses process safety needs within the chemical, pharmaceutical, and petroleum industries. CCPS brings together manufacturers, government agencies, consultants, academia and insurers to lead the way in improving industrial process safety.

11.09Toolbox Talks - This excellent page from the 61508 Association gives you the essential toolbox tips in just a few sheets that will help your team to all be “singing from the same hymn sheet” which covers:
• Directors
• Senior Management
• Purchaser
• Project Manager
• Project Engineer
• Inspection and QA
• Operations
• Maintenance
• Service Engineer
• What is Functional Safety Management
• Proven in use / Prior use claims
• Functional Safety Management cross-reference
between IEC61508 and IEC61511

What is a Functional Safety System? A short description.
What is Conformity assessment? - Conformity Assessment is defined as "activity that provides demonstration that specified requirements relating to a product, process, system, person or body are fulfilled."
What is CASS? - Accredited Certification for Safety Systems -  to IEC 61508 and Related Standards - CASS is a scheme for assessing the compliance of safety related systems with the requirements of IEC 61508 and associated standards. It provides a systematic approach to be used by certification bodies and others when assessing compliance at all stages from the specification of safety requirements through the design, development and manufacture of system components to integration, commissioning, operation and maintenance. At each stage CASS takes the conformity assessor through the logical steps of defining the scope of the assessment, the target of evaluation, the requirements to be met and the process of demonstrating and recording conformity.
Legacy Systems - Basic Principles for Safety - Engineered systems are relied upon for safety in a wide range of work environments. There is however, a general lack of awareness of the exact role played by such systems, and whether adequate safety is, in fact, being achieved. This is particularly true of systems that have been in place for many years. This document describes how to assess the capability of so called Legacy Systems, focussing on how electrical, electronic, or programmable devices achieve adequate safety in conjunction with other technologies such as mechanical systems and operational expectations.
SIL-Loops to the Rescue - Poor Process Design shouldn’t have to Hide behind Safety Loops - Clive de Salis -You’ve probably never thought of it this way but it really is true: To have an SIL-rated loop is a failure. An SIL-3 safety loop means that the layers of safety that we as chemical engineers have put in place in the process design are inadequate to such an extent that the risk of the fatality is 1000 timesthe wrong side of tolerable. The failure, herefore, is a failure of the chemical engineer to design a process that has sufficient layers of safety to not require an SIL-rated loop.
SIL Certs can Seriously Impair Plant Safety - Clive de Salis -  Process operators are investing in certificates and experts - that the IEC standards do not require - at the expense of actual functional safety management. IEC61508 and particularly the process industry application of it in IEC61511 is gaining ground strongly for high integrity safety instrumented systems. However, the majority of industry is still naively asking for certification that the standard does not require, and has never needed, whilst ignoring its basic essentials. How long can this really go on for?
The 61508 Association provides additional articles to promote the benefits of IEC 61508 and accredited certification.

3.10  An Introduction to Inherently Safer Design - Inherently safer design (ISD) is a philosophy for addressing safety issues in the design and operation of chemical processes and manufacturing plants. When considering ISD, the designer tries to manage process risk by eliminating or significantly reducing hazards. Thanks to Centre for Chemical Process Safety.

Functional Safety and Safety Integrity Levels - An application note from Bentley Nevada.