IMPACTS OF DEMAND RATES ON SIF/SIS DESIGN
AND MECHANICAL INTEGRITY
Geoffrey Barnard, P.E., CFSE
aeSolutions
Houston, TX
KEYWORDS
Safety Instrumented Systems (SIS), Layer of Protection Analysis (LOPA), Safety Integrity Level
(SIL) Determination, Safety Integrity Level (SIL) Verification, Demand Rate, Demand Mode,
Continuous Mode
ABSTRACT
IEC 61508 and IEC 61511 (ANSI/ISA 84) impose certain requirements for design and
verification of Safety Instrumented Functions (SIFs) based on the assigned Safety Integrity Level
(SIL), as well as the expected Demand Rate and Mode of Operation. It is often said that SIFs in
Process Industry applications overwhelmingly fall into a Low Demand Mode of operation, but
what exactly does this mean? What assumptions lead to this belief, and when do these
assumptions hold true?
This paper examines the differences between Low Demand, High Demand, and Continuous
Mode SIFs, and provides examples and practical guidance for SIL Determination, conceptual
design, SIL Verification, and long-term Mechanical Integrity considerations for each.
INTRODUCTION
When the risk of a particular hazard cannot be reduced sufficiently through other means, a Safety
Instrumented Function (SIF) is often specified to close the gap. As many of us are all too
familiar, IEC 61511 (ANSI/ISA 84) places certain requirements on the design, operation, and
maintenance of Safety Instrumented Functions (SIFs) based on their Safety Integrity Level (SIL).
The required SIL of a SIF is determined within the context of the hazardous outcome it is
intended to prevent, the tolerability of such an outcome, the other available protection layers that
prevent the hazardous outcome, and the frequency of events or conditions that may lead to the
hazard in the first place.
Layer of Protection Analysis (LOPA) is a widely used methodology for SIL determination
because its semi-quantitative nature lends itself to establishing quantitative integrity targets; a
critical step in the Safety Instrumented System (SIS) design process upon which many other
assumptions will be based. When speaking of Safety Integrity Levels and SIL determination
many of us jump immediately to average Probability of Failure on Demand (PFDavg). The terms
have become nearly synonymous in the industry. However, reading carefully in the standard we
find that this term is valid only in the case of Demand Mode SIFs.
A majority of technical resources on the subject of SIS refer to the fact that process industry SIFs
fall overwhelmingly into a Demand Mode, or Low Demand Mode of Operation. Does the
ubiquity of such a prediction lead to its own accomplishment? With so much depending on this
initial phase of the process, it is critical to understand this assumption, when it is valid, and how
to adjust the process when it is not valid. The following sections will explore the meaning of a
Demand on a safeguard, as well as impacts the frequency of demands has on SIL determination,
conceptual design, SIL verification, and long-term Mechanical Integrity of a SIF.
DEMANDS
A Demand is placed on a safeguard when process conditions require the safeguard to function in
order to prevent a hazard. In a simple example, a pressure relief valve on a vessel experiences a
demand when the vessel pressure exceeds the set pressure of the relief valve. When the relief
valve lifts, the vessel is protected from overpressure. If the relief valve fails to lift, it can be said
to have failed dangerously and the vessel is now at risk of overpressure if further action is not
taken.
On the other hand, if the relief valve lifts below the set pressure it could be said to have failed
spuriously. In this case, the relief valve took action unnecessarily when the vessel was not at risk
and therefore no demand took place.
SIF demands can be explained in much the same way. When a hazardous condition is present
that a SIF sensor is designed to detect, and the SIF action is required to prevent the progression
to a hazardous event, a demand has been placed on that SIF.
Oftentimes within an SIS many additional actions must take place to safely shut down all related
process equipment. Not all of these actions must take place to prevent the first or most
immediate hazard but may be done to avoid secondary hazards or conditions that may place
demands on other SIFs or safeguards. If a SIF (or a final element of a SIF) is activated by
another SIF internal to the logic solver, or manually by an operator, this would generally not be
considered a demand.
In the example below, Pressure Vessel V-100 operates with a normal liquid level of 50%
controlled by basic process control loop LC-100. Transfer Pump P-200 sends excess liquid to
Atmospheric Storage Tank T-300. Should a failure occur in the process equipment or the
process control loop resulting in a loss of liquid level, high pressure gas may escape through the
transfer line, resulting in the rupture of T-300 with the potential for injury or toxic exposure to
plant personnel.
Figure 1 – Example System 1 Piping & Instrumentation Diagram
In one particular scenario, control loop LC-100 malfunctions, allowing LV-100 to go wide-open
leading to a decrease in level in V-100. If the level reaches the low trip point of SIF-1, a demand
is placed on SIF-1 which must close XV-101 to prevent the hazardous event.
One may also notice that upon closure of XV-101 a new hazard is created. Blocked suction of
the Transfer Pump P-200 may lead to cavitation, seal failure, and potential for toxic exposure to
plant personnel. SIF-2 will shut off the pump when the discharge flow drops below a threshold
indicating that continued operation will lead to damage. Rather than allowing the automatic
closure of XV-101 to induce a secondary hazard, SIF-1 should be specified with a secondary
action to stop pump P-200. Whenever possible it is a good practice to coordinate such actions to
avoid secondary hazards and avoid placing unnecessary demands on other safeguards and
protection layers, preventing hazards before the hazardous conditions arise.
DEMAND RATE
IEC 61511 (ANSI/ISA 84) requires consideration of potential Sources of Demand and probable
Demand Rates of SIFs during the Hazard and Risk Assessment [1, clause 8.2.1], Allocation of
Safety Functions to Protection Layers [1, clauses 9.2.3, 9.2.4], development of the Safety
Requirements Specification (SRS) [1, clause 10.3.1], Design and Engineering [1, clauses
11.2.10, 11.3.2, 11.3.3, 11.9], Operation and Maintenance [1, clause 16.2.2], and Modification
[1, clause 17.1.1]. What exactly are sources of demand, and why are demand rates important to
so many stages of the safety lifecycle?
Sources of Demand for a particular SIF may be relatively easy to identify. When a SIF is
specified as a protection layer against a hazardous event, each of the causes or initiating events
that lead to this hazardous event would be among the SIF sources of demand. Specific causes of
all credible hazard scenarios or conditions should be considered as part of the Hazard and Risk
Assessment and documented as sources of demand in the SRS.
The Demand Rate of a SIF is the total frequency from all sources of demand upon which
hazardous process conditions will call for the SIF to act. While we often estimate initiating
event frequencies as part of the SIL determination process, the actual demand rate of a SIF may
be much more difficult to predict.
Oftentimes a SIF may be one of several Independent Protection Layers (IPLs), each capable of
preventing a particular hazardous event. Unless the SIF is the first or only layer to act in
response to each initiating event, simply summing the initiating event frequencies is likely to
over-estimate the actual demand rate the SIF will experience. When other IPLs are designed to
complete their respective actions first, demands experienced by the SIF can be expected to
decrease dramatically.
Figure 2 – Sequenced IPL Response Times (timeline from Initiating Event to Hazardous Event)
Figure 3 – Non-Sequenced IPL Response Times (timeline from Initiating Event to Hazardous Event)
In order to more precisely estimate a SIF's demand rate, one could consider the sequence of IPLs
in each hazard scenario by multiplying the initiating event frequency by the PFD of any IPL
designed to complete action prior to initiation of the SIF. Analysts should be cautioned that this
may require substantial effort very early in the design process. Without careful consideration of
process dynamics and the available response times of each IPL within the context of the overall
process safety time, results may under-estimate the actual demand rate the SIF will experience.
$$\text{Estimated SIF Demand Rate} = \sum \left[ \text{Initiating Event Frequency} \times \prod \text{Non-SIF IPL PFDs completing action prior to SIF initiation} \right]$$
Equation 1 – Estimated SIF Demand Rate with consideration of response times and process safety time
It is easy to imagine how attempts to precisely estimate SIF demand rates on paper can be quite
problematic. Absent sufficient operating history to directly measure SIF demand rates,
reasonable and conservative assumptions will need to be made. Like all data assumed
throughout the design and analysis process, SIF demands should be tracked and investigated so
actual operating history can be used to validate that the SIF design criteria are sufficiently
conservative, and that all sources of demand have been anticipated and analyzed.
Though often overlooked, expected and actual SIF demand rates are of critical importance to the
basis of SIF design and mechanical integrity. Improperly estimating demands can lead to
misapplication of the SIL determination process, improper design and SIL verification,
inappropriate maintenance intervals, and ultimately SIFs that do not adequately protect against
the given hazards.
NOTES ON SIF MODES OF OPERATION
Before beginning a more detailed exploration of SIF Modes of Operation, it is important to note
that the definitions in the current version of IEC 61511 [1] differ from those of the parent standard,
IEC 61508 [2], leaving only a distinction between Demand Mode (protection layer) and
Continuous Mode (safety critical control). Development of the second edition of IEC 61511 [3]
is currently underway, drafts of which feature Modes of Operation defined in closer
alignment with the second edition of IEC 61508 published in 2010. For clarity, this document
applies the current state-of-the-industry approach defining three modes of operation, but with
specific references to applicable clauses of the current edition of IEC 61511, expected to remain
in effect through at least 2014.
LOW DEMAND MODE
In order to be considered in a Low Demand Mode of Operation, the SIF must meet three basic
criteria:
• SIF dangerous failure does not initiate a hazard scenario without subsequent failure in the process or BPCS [1, Part 1 clause 3.2.43.1], and;
• Demand rate no greater than once per year [1, Part 1 clause 3.2.43.2], and;
• Demand interval at least twice the proof test interval [4, Annex I].
First, the SIF acts only as a safeguard. The process is normally capable of being operated within
its safe upper and lower limits without the SIF; the SIF only exists to reduce the frequency of a
hazardous event initiated by some sort of failure of process equipment, failure of the BPCS, or
failure of a human to follow intended procedures. A dangerous failure of the SIF has no impact
on the process or the BPCS and cannot be the cause of a hazard scenario. SIFs that do not meet
this requirement should be considered to operate in Continuous Mode.
Second, the expected demand rate of the SIF is infrequent; once per year or less. Although the
one-year threshold may seem somewhat arbitrary, a SIF experiencing such frequent demands
would suggest that the process may not be adequately controlled to begin with. In such cases the
actual hazard frequency will be more closely related to the dangerous failure frequency of the
SIF; meaning it would normally be most appropriate to consider the SIF to operate in High
Demand Mode.
The third requirement for Low Demand SIFs is that the expected demand rate is infrequent
relative to the proof test interval. In other words, a dangerous failure of the SIF is more likely to
be uncovered by a proof test than a demand. If this condition is not met, proof testing should not
be considered effective in uncovering dangerous failures, and SIL determination and SIL
verification in terms of PFDavg (where proof test interval is a key component) are no longer
applicable. For this reason, when the demand interval is less than twice the proof-test interval it
would generally be more appropriate to consider the SIF to operate in the High Demand Mode.
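The three Low Demand criteria above, together with Equation 1 from the Demand Rate section, as an added Python example (not code from the paper): it estimates a SIF demand rate from per-scenario initiating event frequencies and the PFDs of IPLs that act before the SIF, then classifies the mode of operation. The DemandScenario class, the function names and the SEQUENCED scenario figures are my own; the 0.1 per year and 20 per year demand rates are the paper's worked values.

```python
"""Demand-rate estimation (Equation 1) and SIF mode classification.

Added example, not code from the paper. DemandScenario and the function
names are assumptions; scenario figures are constructed unless noted.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class DemandScenario:
    """One cause-consequence scenario that can place a demand on the SIF."""
    name: str
    initiating_event_freq_per_year: float
    # PFDs of non-SIF IPLs that complete their action BEFORE the SIF would
    # have to act. IPLs acting only after the SIF do not reduce its demands.
    pfds_of_ipls_acting_before_sif: List[float] = field(default_factory=list)


def estimate_demand_rate(scenarios: List[DemandScenario]) -> float:
    """Equation 1: sum over scenarios of IEF x product(PFDs of earlier IPLs).

    Each earlier IPL only passes the demand on when it fails, so the product
    of their PFDs is the fraction of initiating events that reach the SIF.
    """
    total = 0.0
    for s in scenarios:
        fraction_reaching_sif = 1.0
        for pfd in s.pfds_of_ipls_acting_before_sif:
            fraction_reaching_sif *= pfd
        total += s.initiating_event_freq_per_year * fraction_reaching_sif
    return total


def naive_demand_rate(scenarios: List[DemandScenario]) -> float:
    """Plain sum of initiating event frequencies, ignoring IPL sequencing.

    This is the conservative figure the paper says over-estimates demands
    whenever the SIF is not the first layer to act.
    """
    return sum(s.initiating_event_freq_per_year for s in scenarios)


def max_proof_test_interval_years(demand_rate_per_year: float) -> float:
    """Longest proof test interval keeping demand interval >= 2 x test interval."""
    return 1.0 / (2.0 * demand_rate_per_year)


def classify_mode(demand_rate_per_year: float,
                  proof_test_interval_years: float,
                  sif_failure_initiates_hazard: bool) -> str:
    """Apply the three Low Demand criteria in the order the paper gives them.

    Returns "continuous", "high demand" or "low demand".
    """
    # Criterion 1: a SIF whose own dangerous failure starts the hazard
    # scenario is not a protection layer at all; it is Continuous Mode.
    if sif_failure_initiates_hazard:
        return "continuous"
    # Criterion 2: more than one demand per year is High Demand.
    if demand_rate_per_year > 1.0:
        return "high demand"
    if demand_rate_per_year <= 0.0:
        return "low demand"      # no demands expected; nothing to compare
    # Criterion 3: proof testing must be more likely than a demand to reveal
    # a dangerous failure, so demand interval must be >= 2 x test interval.
    demand_interval_years = 1.0 / demand_rate_per_year
    if demand_interval_years < 2.0 * proof_test_interval_years:
        return "high demand"
    return "low demand"


# Constructed scenarios: a BPCS failure at 1/yr with an alarm-and-operator
# IPL (PFD 0.1) designed to act before the SIF, plus a second cause with no
# earlier IPL.
SEQUENCED = [
    DemandScenario("LV-100 fails open", 1.0, [0.1]),
    DemandScenario("pump trip, no earlier IPL", 0.05),
]

if __name__ == "__main__":
    print("sequenced estimate:", estimate_demand_rate(SEQUENCED))  # 0.15 per year
    print("naive sum:", naive_demand_rate(SEQUENCED))              # 1.05 per year
    # Paper's Figure 1 rate (0.1/yr): low demand at a 5-year test interval, not at 6.
    print(classify_mode(0.1, 5.0, False), classify_mode(0.1, 6.0, False))
    # Paper's batch reactor rate (20/yr): high demand regardless of test interval.
    print(classify_mode(20.0, 1.0, False))
```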
Though undoubtedly your company’s or client’s risk management policies and LOPA/SIL
determination procedures will vary, the typical approach to SIL determination and SIL
verification that most process industry analysts are familiar with is that of Low Demand Mode.
This process begins with the estimation of the initiating event frequency of a particular hazard,
and the allocation of non-SIF protection layers that reduce the frequency of the outcome. When
compared against the tolerability of such an outcome (most often expressed in terms of a
Tolerable Event Frequency in events per year), any remaining gap in risk reduction may be
assigned to a SIF.
$$\text{Mitigated Event Frequency (events per year)} = \text{Initiating Event Frequency (events per year)} \times \prod \text{Non-SIF IPL PFDs} \times \prod \text{Probabilities of Enabling Events or Conditions} \times \text{SIF PFD}_{avg}$$
Equation 2 – Mitigated Event Frequency for Low Demand SIFs
$$\text{Target SIF PFD}_{avg} = \frac{\text{Tolerable Event Frequency (events per year)}}{\text{Initiating Event Frequency} \times \prod \text{Non-SIF IPL PFDs} \times \prod \text{Enabling Probabilities}}$$
Equation 3 – Target PFDavg for Low Demand SIFs
Once the target PFDavg and Safety Integrity Level has been determined, design of the SIF may
proceed with the appropriate architectural constraints according to IEC 61511 [1] Part 1 Tables 5
and 6, or IEC 61508 [2] Part 2 Tables 2 and 3. For SIFs operating in Low Demand Mode, SIL
verification may consider automatic diagnostics for reducing the effective dangerous failure rates
of individual devices, and periodic proof testing and repair may be considered for reducing
PFDavg. For further guidance on the basics of Low Demand Mode SIL verification, refer to IEC
61508 [2] Part 6 Annex B, or ISA Technical Report TR84.00.02 [6] Parts 1 through 5.
Low Demand Mode Example:
Consider again the example system in Figure 1. The LOPA Team identified one credible
initiating event that could lead to the hazardous event of loss of level in V-100 and gas blow-by
to T-300: LV-100 malfunctioning open – BPCS failure frequency no less than 1x10^-5 per hour,
approximately 0.1 per year, or once in 10 years. According to the requirements above, such a
demand rate allows SIF-1 to operate in Demand Mode [1], or Low Demand Mode [2, 3] with a
maximum proof test interval of 5 years.
Based on the consequence severity of the storage tank rupture, the example plant risk
management policy dictates the Mitigated Event Frequency must not exceed a Tolerable Event
Frequency of 1x10^-3 events per year. The LOPA team has also assumed a probability of
occupancy of 0.1 for the area surrounding T-300 as the only enabling condition for this scenario.
$$\frac{1 \times 10^{-3}\ \text{per year}}{[1 \times 10^{-1}\ \text{per year}] \times [1 \times 10^{-1}]} = 1.0 \times 10^{-1}$$
Applying Equation 3, the PFDavg of SIF-1 must be less than 1.0x10^-1; SIL 1 according to IEC
61511 [1] Part 1 Table 3 for Demand Mode SIFs and thus not requiring hardware fault tolerance
per IEC 61511 [1] Part 1 Table 6.
Table 1 – Low Demand Mode Safety Integrity (from IEC 61511-1:2003 Table 3)
SIL | Target PFDavg      | Target Risk Reduction
1   | ≥10^-2 to <10^-1   | >10 to ≤100
2   | ≥10^-3 to <10^-2   | >100 to ≤1000
3   | ≥10^-4 to <10^-3   | >1000 to ≤10,000
4   | ≥10^-5 to <10^-4   | >10,000 to ≤100,000

Table 2 – Minimum Fault Tolerance (from IEC 61511-1:2003 Table 6)
SIL | Minimum HFT
1   | 0
2   | 1
3   | 2
4   | (see IEC 61508)
Using simplex components throughout, the following failure rates were collected:
• Remote Diaphragm Seals and Capillaries: 3x10^-7 dangerous failures per hour
• Differential Pressure Transmitter: 8x10^-7 dangerous failures per hour
• Logic Solver System: 9x10^-8 dangerous failures per hour
• Solenoid Valve: 6x10^-7 dangerous failures per hour
• Ball Valve and Actuator: 2x10^-6 dangerous failures per hour
$$\text{Achieved PFD}_{avg} = \sum \frac{\text{Subsystem Dangerous Failure Rate} \times \text{Proof Test Interval}}{2}$$
Equation 4 – Simplified Achieved PFDavg for Low Demand SIFs
$$\left[\frac{1.1 \times 10^{-6}\ \text{per hour} \times 43{,}800\ \text{hours}}{2}\right] + \left[\frac{9 \times 10^{-8} \times 43{,}800}{2}\right] + \left[\frac{2.6 \times 10^{-6} \times 43{,}800}{2}\right] = 8.30 \times 10^{-2}$$
Using the simplest form of the PFDavg equation and assuming only end-to-end proof testing, the
SIF achieves a PFDavg of 8.30x10^-2 at a 5-year proof test interval; within the constraints for a
Low Demand SIF in this scenario.
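The Low Demand Mode worked example above, carried through as an added Python example (not code from the paper): Equation 3 gives the target PFDavg, Tables 1 and 2 give the SIL and minimum HFT, and Equation 4 gives the achieved PFDavg from the collected failure rates at a 5-year proof test interval. Function names are assumptions; the FIG1_* figures are the paper's own.

```python
"""Low Demand Mode SIL determination (Equation 3) and simplified SIL
verification (Equation 4), with the SIL and HFT lookups of Tables 1 and 2.

Added example, not code from the paper. Function names are assumptions;
the figures in FIG1_* come from the paper's Figure 1 worked example.
"""
from typing import Iterable, Sequence, Tuple

# Table 1: SIL -> (lower bound inclusive, upper bound exclusive) of PFDavg.
PFD_AVG_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}
# Table 2: minimum hardware fault tolerance per subsystem (SIL 4 deferred to IEC 61508).
MIN_HFT = {1: 0, 2: 1, 3: 2}
_TOL = 1.0 + 1e-9   # guard against floating-point noise on exact decade boundaries


def target_pfd_avg(tolerable_event_freq: float, initiating_event_freq: float,
                   non_sif_ipl_pfds: Iterable[float] = (),
                   enabling_probs: Iterable[float] = ()) -> float:
    """Equation 3: the PFDavg the SIF must stay below (frequencies per year)."""
    unmitigated = initiating_event_freq
    for p in (*non_sif_ipl_pfds, *enabling_probs):
        unmitigated *= p
    return tolerable_event_freq / unmitigated


def sil_for_pfd_target(target: float) -> int:
    """SIL whose Table 1 band contains the values just below the target.

    "PFDavg must be less than 1e-1" means SIL 1 (>=1e-2 to <1e-1);
    "less than 1e-3" means SIL 3. Returns 0 when no SIL is needed (RRF < 10).
    """
    if target > 1e-1 * _TOL:
        return 0
    for sil, (lo, hi) in PFD_AVG_BANDS.items():
        if lo * _TOL < target <= hi * _TOL:
            return sil
    raise ValueError("target below the SIL 4 band; revisit the protection layers")


def achieved_pfd_avg(subsystem_rates_per_hour: Sequence[float],
                     proof_test_interval_hours: float) -> float:
    """Equation 4: sum over simplex subsystems of lambda_D x TI / 2.

    Valid only while the demand interval stays at least twice the proof test
    interval; otherwise proof testing is not what reveals dangerous failures.
    """
    return sum(lam * proof_test_interval_hours / 2.0 for lam in subsystem_rates_per_hour)


def verify_low_demand(subsystem_rates_per_hour: Sequence[float],
                      proof_test_interval_hours: float,
                      target: float) -> Tuple[float, bool]:
    """Achieved PFDavg and whether it meets the Equation 3 target."""
    achieved = achieved_pfd_avg(subsystem_rates_per_hour, proof_test_interval_hours)
    return achieved, achieved < target


# Paper's Figure 1 example: LV-100 fails open at 0.1/yr, tolerable event
# frequency 1e-3/yr, occupancy 0.1 as the only enabling condition.
FIG1_TARGET = target_pfd_avg(1e-3, 0.1, enabling_probs=(0.1,))   # 1.0e-1 -> SIL 1
# Subsystem dangerous failure rates (per hour) summed from the paper's list:
# sensor (seal + transmitter), logic solver, final element (solenoid + valve).
FIG1_SUBSYSTEMS = (3e-7 + 8e-7, 9e-8, 6e-7 + 2e-6)
FIG1_PTI_HOURS = 5 * 8760.0                                     # 43,800 h

if __name__ == "__main__":
    sil = sil_for_pfd_target(FIG1_TARGET)
    achieved, ok = verify_low_demand(FIG1_SUBSYSTEMS, FIG1_PTI_HOURS, FIG1_TARGET)
    print(f"target PFDavg < {FIG1_TARGET:.2e} -> SIL {sil}, minimum HFT {MIN_HFT[sil]}")
    print(f"achieved PFDavg {achieved:.3e} at 5-year test interval, meets target: {ok}")
```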
HIGH DEMAND MODE
In order to be considered in a High Demand Mode of Operation, the SIF must meet only one
basic requirement:
• SIF dangerous failure does not initiate a hazard scenario without subsequent failure in the process or BPCS [1, clause 3.2.43.1].
As with Low Demand Mode, the SIF must act only as a safeguard and its dangerous failure
cannot be the cause of a hazard scenario. SIFs that do not meet this requirement should be
considered to operate in Continuous Mode. Assuming the above requirement is satisfied, a SIF
should be considered in High Demand Mode if either of the two remaining Low Demand Mode
criteria is violated; that is if the SIF has:
• Demand rate greater than once per year [1, Part 1 clause 3.2.43.2], or;
• Demand interval less than twice the proof test interval [4, Annex I].
High Demand Mode requires a significant shift away from the typical assumptions applied to the
design and verification of Low Demand Mode SIFs. Before proceeding with the design of a
High Demand Mode SIF it is recommended that the process first be re-examined for the
practicality of employing an inherently safer process design with a lower initiating event
frequency [4, Annex J].
As SIF demands increase relative to the proof test interval there is a transition where the product
of demand rate and PFDavg no longer reasonably approximates the hazard frequency. In some
instances, the estimated hazard frequency can exceed the overall dangerous failure frequency of
the SIF – something that is impossible in reality. As such, High Demand and Continuous Mode
SIFs are verified against a target Frequency of Dangerous Failure (FDF) [1], or average
Probability of Dangerous Failure per Hour (PFH) [2], with the understanding that the hazard
frequency cannot be greater than the SIF dangerous failure frequency.
Figure 4 – Estimated Hazard Frequency (with 1 year test interval)
More importantly, when demands occur as often as or more often than proof tests, such testing
should not be considered effective in uncovering dangerous failures prior to a demand. When
the basis for using PFDavg (of which proof test interval is a key component) as a measure of risk
reduction has been violated, the actual hazard frequency will be much more directly related to
the SIF dangerous failure frequency. For this reason, it may be more appropriate to consider
SIFs that are demanded more often than twice the proof test interval to operate in the High
Demand Mode.
To determine the required safety integrity of a High Demand Mode SIF in terms of PFH the
normal LOPA process must be modified and the sequence of IPLs must be considered. When a
SIF genuinely operates in the High Demand Mode it is likely because one or more initiating
events occur very frequently and there are no other effective protection layers that can prevent
the hazard prior to activation of the SIF*. If this is true, a dangerous SIF failure is not the
initiating event itself; however, we may replace the initiating event frequency with the SIF PFH.
This is the same process used with Continuous Mode SIFs, and is the reason why the standards
make little distinction between High Demand and Continuous Modes of Operation.
Non-SIF IPLs that are designed to act only after a SIF failure, and any scenario enablers and
conditional modifiers (all probabilities) may be applied against the Tolerable Event Frequency in
events per hour. Because the overall hazardous event frequency from any and all sources of
demand (initiating events) cannot exceed the dangerous failure frequency of the SIF, we solve
for the maximum tolerable SIF dangerous failure frequency.
$$\text{Mitigated Event Frequency (events per hour)} = \text{SIF PFH} \times \prod \text{Non-SIF IPL PFDs acting after SIF} \times \prod \text{Probabilities of Enabling Events or Conditions}$$
Equation 5 – Mitigated Event Frequency for High Demand & Continuous Mode SIFs
$$\text{Target SIF PFH} = \frac{\text{Tolerable Event Frequency (events per hour)}}{\prod \text{Non-SIF IPL PFDs} \times \prod \text{Enabling Probabilities}}$$
Equation 6 – Target PFH for High Demand & Continuous Mode SIFs
Using Table 4 of IEC 61511 [1] we can determine the SIL of the SIF in High Demand or
Continuous Mode and proceed with a design with the appropriate architectural constraints
according to IEC 61511 [1] Tables 5 and 6, or IEC 61508 [2] Part 2 Tables 2 and 3.
Recalling that it is the total demand rate that is of interest when determining the SIF Mode of
Operation, not simply the initiating event frequency of each scenario in isolation, it is possible
that no single cause-consequence scenario will force a SIF into a High Demand Mode on its
own. It is important to allot time near the conclusion of the SIL determination process to
examine overall SIF demand rates and possibly re-evaluate scenarios where a SIF is found to be
operating in the High Demand Mode.
When verifying the PFH target of High Demand SIFs the usual SIL verification process and
assumptions must be modified as well. Because dangerous failures in High Demand Mode SIFs
are more likely to be uncovered by a demand than a proof test, proof testing is considered largely
ineffective. Although test interval is a variable considered in the verification of fault tolerant
architectures, it is not a mechanism for significantly reducing PFH.
* If a non-SIF IPL is effective in preventing a high frequency hazard prior to activation of the SIF, this IPL should
be considered to operate in the High Demand Mode and the SIF would likely fall into the Low Demand Mode.
See reference [8] Appendix F for further details on the treatment of IPLs with high initiating event frequencies.
Automatic diagnostics may be credited in High Demand Mode SIFs when the system is
configured to move to the safe state in response to a detected dangerous failure, provided the
diagnostic interval is significantly less than the expected demand rate (factor of 100 or more [2,
Part 2 clause 7.4.5.3]). Diagnostics used to initiate repair rather than immediate safe action may
be considered in High Demand Mode applications when fault tolerant redundancy is employed.
In these cases, achieved safety integrity is much more sensitive to Mean Time To Restore
(MTTR) than in a similar PFDavg calculation where this factor typically has very low sensitivity.
Achieved PFH equations can be found in IEC 61508 [2] Part 6 Annex B.
High Demand Mode Example:
A batch reactor undergoes a 4 hour manual cleaning process following the completion of each
batch, once every 28 to 32 hours, up to 250 times per year. At the conclusion of the cleaning
operation, all valves and manways must be closed and reactor purged with nitrogen prior to
restarting the process as the reactants form a highly flammable vapor. An investigation team has
been formed following an incident where a manway was not fully sealed and a significant
quantity of flammable vapor was released into the reactor enclosure. This is the second such
incident in a matter of weeks. The team concludes that existing procedures are adequate but not
effective enough in preventing human error, and recommends the addition of an automated
pressure test to ensure all valves and manways are sealed prior to charging the reactor.
A SIF is designed such that the two fail-closed reactant charge valves are to remain de-energized
and closed until the test pressure is satisfied and held for at least three minutes. A successful test
allows the process to proceed by energizing the charge valve solenoids, releasing them to BPCS
control. A failure aborts the sequence until all equipment can be inspected and retested.
Based on the consequence severity, the example plant risk management policy dictates the
Mitigated Event Frequency must not exceed a Tolerable Event Frequency of 1x10^-3 events per
year. The LOPA team has also assumed a probability of occupancy of 0.1 for the reactor
enclosure and a probability of ignition of 0.5. The human error frequency is estimated to be
1x10^-2 per opportunity with eight manual valves and manways involved in the procedure.
$$\frac{1 \times 10^{-3}\ \text{per year}}{250\ \text{batches per year} \times 8\ \text{valves} \times [1 \times 10^{-2}\ \text{error frequency}] \times [1 \times 10^{-1}\ \text{PFD}] \times 0.5 \times 0.1} = 1.0 \times 10^{-3}$$
Following the normal process for Low Demand Mode SIL determination leads to a surprising
result. The SIF would be in the SIL 3 range with a PFDavg target less than 1x10^-3; a risk
reduction factor target greater than 1,000.
Re-examining the scenario, the team recognizes that the estimated Demand Rate of 20 per year
places the SIF into the High Demand Mode. Because the hazard cannot occur at a frequency
higher than the failure frequency of the SIF, the team determines the PFH target of the SIF as if it
were the initiating event.
$$\frac{1 \times 10^{-3}\ \text{per year}}{0.5 \times 0.1 \times \text{approx } 10{,}000\ \text{hours per year}} = 2.0 \times 10^{-6}$$
Applying Equation 6, the PFH of the permissive SIF must be less than 2.0x10^-6; within the SIL 1
range according to IEC 61511 [1] Part 1 Table 4 for High Demand/Continuous Mode SIFs and
thus not requiring hardware fault tolerance per IEC 61511 [1] Part 1 Table 6.
Table 3 – High Demand & Continuous Mode Safety Integrity (from IEC 61511-1:2003 Table 4)
SIL | Target FDF/PFH (per hour)
1   | ≥10^-6 to <10^-5
2   | ≥10^-7 to <10^-6
3   | ≥10^-8 to <10^-7
4   | ≥10^-9 to <10^-8

Table 2 – Minimum Fault Tolerance (from IEC 61511-1:2003 Table 6)
SIL | Minimum HFT
1   | 0
2   | 1
3   | 2
4   | (see IEC 61508)
The system will be designed with a single pressure transmitter, a single logic solver, and two
solenoid valves, both required to de-energize. Valves and Actuators are not included as any
dangerous failure allowing measurable leakage will be detected by the pressure test and sequence
will not proceed. The following failure rates were collected:
• Remote Diaphragm Seal and Capillary: 3x10^-7 dangerous failures per hour
• Differential Pressure Transmitter: 8x10^-7 dangerous failures per hour
• Logic Solver System: 9x10^-8 dangerous failures per hour
• Solenoid Valve: 6x10^-7 dangerous failures per hour
$$\text{Achieved SIF PFH} = \sum \text{Subsystem PFH}$$
Equation 7 – Achieved PFH for High Demand and Continuous Mode SIFs
$$\text{Achieved PFH}_{1oo1} = \lambda_D$$
Equation 8 – Simplified Achieved PFH for 1oo1 High Demand and Continuous Mode Subsystems
$$\text{Achieved PFH}_{2oo2} = 2\lambda_D$$
Equation 9 – Simplified Achieved PFH for 2oo2 High Demand and Continuous Mode Subsystems
$$[1.1 \times 10^{-7}] + [9 \times 10^{-8}] + [1.2 \times 10^{-6}] = 1.4 \times 10^{-6}\ \text{per hour}$$
Using simplified failure assumptions the SIF achieves an overall dangerous failure frequency of
1.4x10^-6 per hour, less than the failure frequency target and within the requirements for a SIL 1
High Demand Mode SIF.
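The High Demand Mode determination and verification above, as an added Python example (not code from the paper): Equation 6 gives the target PFH, Table 3 the SIL, and Equations 7 to 9 the achieved PFH from 1oo1 and 2oo2 subsystems. Because Equation 6 is unchanged for Continuous Mode, the same function is also applied to the compressor anti-surge example from the Continuous Mode section below. Function names are assumptions, the two *_TARGET inputs are the paper's, and CONSTRUCTED_DESIGN is a made-up set of subsystem rates.

```python
"""High Demand / Continuous Mode: target PFH (Equation 6), SIL lookup
(Table 3) and achieved PFH from 1oo1 / 2oo2 subsystems (Equations 7 to 9).

Added example, not code from the paper. Function names are assumptions; the
two *_TARGET figures reproduce the paper's batch reactor and compressor
examples, and CONSTRUCTED_DESIGN is a made-up set of subsystem rates.
"""
from typing import Iterable, Sequence, Tuple

HOURS_PER_YEAR_APPROX = 10_000.0   # the paper's rounding of 8,760 h/yr
# Table 3: SIL -> (lower bound inclusive, upper bound exclusive) of PFH per hour.
PFH_BANDS = {1: (1e-6, 1e-5), 2: (1e-7, 1e-6), 3: (1e-8, 1e-7), 4: (1e-9, 1e-8)}
MIN_HFT = {1: 0, 2: 1, 3: 2}       # Table 2; SIL 4 deferred to IEC 61508
_TOL = 1.0 + 1e-9                  # floating-point guard on exact decade boundaries


def target_pfh(tolerable_event_freq_per_year: float,
               ipl_pfds_acting_after_sif: Iterable[float] = (),
               enabling_probs: Iterable[float] = (),
               hours_per_year: float = HOURS_PER_YEAR_APPROX) -> float:
    """Equation 6: SIF PFH (per hour) the design must stay below.

    No initiating event frequency appears: in these modes the SIF dangerous
    failure frequency itself bounds the hazard frequency.
    """
    denominator = hours_per_year
    for p in (*ipl_pfds_acting_after_sif, *enabling_probs):
        denominator *= p
    return tolerable_event_freq_per_year / denominator


def sil_for_pfh_target(target_per_hour: float) -> int:
    """SIL whose Table 3 band holds the values just below the target.

    "PFH must be less than 2e-6" -> SIL 1; "less than 1e-6" -> SIL 2.
    Returns 0 when the target is above the SIL 1 band.
    """
    if target_per_hour > 1e-5 * _TOL:
        return 0
    for sil, (lo, hi) in PFH_BANDS.items():
        if lo * _TOL < target_per_hour <= hi * _TOL:
            return sil
    raise ValueError("target below the SIL 4 band")


def subsystem_pfh(lambda_d_per_hour: float, architecture: str) -> float:
    """Equations 8 and 9: 1oo1 -> lambda_D; 2oo2 -> 2 lambda_D (both must act)."""
    if architecture == "1oo1":
        return lambda_d_per_hour
    if architecture == "2oo2":
        return 2.0 * lambda_d_per_hour
    raise ValueError("only the 1oo1 and 2oo2 simplified forms are covered here")


def achieved_pfh(subsystems: Sequence[Tuple[float, str]]) -> float:
    """Equation 7: sum of subsystem PFH values; subsystems = [(lambda_D, arch), ...]."""
    return sum(subsystem_pfh(lam, arch) for lam, arch in subsystems)


# Paper's batch reactor permissive: TEF 1e-3/yr, ignition 0.5, occupancy 0.1.
REACTOR_TARGET = target_pfh(1e-3, enabling_probs=(0.5, 0.1))          # 2.0e-6 -> SIL 1
# Paper's compressor anti-surge control (Continuous Mode): TEF 1e-4/yr,
# machinery protection system PFD 0.1 acting after the SIF, occupancy 0.1.
COMPRESSOR_TARGET = target_pfh(1e-4, ipl_pfds_acting_after_sif=(0.1,),
                               enabling_probs=(0.1,))                  # 1.0e-6 -> SIL 2

# Constructed design for a permissive like the reactor example: one pressure
# transmitter (1oo1), one logic solver (1oo1), two solenoids that must both
# de-energize (2oo2). Rates are dangerous failures per hour, made up here.
CONSTRUCTED_DESIGN = [(2.5e-7, "1oo1"), (9e-8, "1oo1"), (6e-7, "2oo2")]

if __name__ == "__main__":
    for name, tgt in (("reactor", REACTOR_TARGET), ("compressor", COMPRESSOR_TARGET)):
        sil = sil_for_pfh_target(tgt)
        print(f"{name}: PFH < {tgt:.1e}/h -> SIL {sil}, minimum HFT {MIN_HFT[sil]}")
    pfh = achieved_pfh(CONSTRUCTED_DESIGN)
    print(f"constructed design: {pfh:.2e}/h, meets reactor target: {pfh < REACTOR_TARGET}")
```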
CONTINUOUS MODE
A dangerous failure of any SIF or SIF component that may initiate a hazard scenario without
subsequent failure in the process or BPCS must be considered to operate in the Continuous Mode
[1, clause 3.2.43.1].
Upon first thought, some may wonder if a SIF that can initiate its own hazard scenario, or any
other hazard scenario for that matter, should be considered a safety function at all. While many
simple examples of Continuous Mode SIFs are actually better examples of poor design or
inadequate separation of control and safety, there are rare but legitimate applications where
Independent Protection Layers are ineffective or impractical to install. In such cases a basic
process control loop (normally limited to an initiating event frequency no less than 10^-5 per hour)
may be implemented in the SIS and managed as a Safety Instrumented Control Function [1], or
what ANSI/ISA 84.91 would describe as a Safety Critical Control [5]. Designing and managing
a control loop as a Continuous Mode SIF allows for the reduction of the initiating event
frequency (SIF Frequency of Dangerous Failure) to a tolerable level.
Obviously a design that places the competing priorities of control and safety in a single system
should be approached with caution. Just as with High Demand Mode SIFs, it is strongly
recommended that alternatives in process design be considered before proceeding with the
design of a Continuous Mode SIF. Overall hazardous event frequency can generally be reduced
much more simply through multiple diverse protection layers that are completely independent of
the initiating event. After due diligence has been done, if a Continuous Mode SIF is found to be
the best option there are additional rules and considerations for design and verification.
To determine the required safety integrity of a Continuous Mode SIF the normal LOPA process
must be modified. Considering that the hazardous condition is always present, there are no
sources of demand or a demand rate to record. This is because a Continuous Mode SIF does not
act as a protection layer, but rather as the initiating event itself.
Non-SIF IPLs that are designed to act only after a SIF failure, and any scenario enablers and
conditional modifiers (all probabilities) may be applied against the Tolerable Event Frequency in
events per hour. Because the overall hazardous event frequency cannot exceed the dangerous
failure frequency of the SIF, we solve for the maximum tolerable SIF dangerous failure
frequency.
$$\text{Mitigated Event Frequency (events per hour)} = \text{SIF PFH} \times \prod \text{Non-SIF IPL PFDs acting after SIF} \times \prod \text{Probabilities of Enabling Events or Conditions}$$
Equation 5 – Mitigated Event Frequency for High Demand & Continuous Mode SIFs
$$\text{Target SIF PFH} = \frac{\text{Tolerable Event Frequency (events per hour)}}{\prod \text{Non-SIF IPL PFDs} \times \prod \text{Enabling Probabilities}}$$
Equation 6 – Target PFH for High Demand & Continuous Mode SIFs
Using Table 4 of IEC 61511 [1] we can determine the SIL of the SIF in High Demand or
Continuous Mode and proceed with a design with the appropriate architectural constraints
according to IEC 61511 [1] Tables 5 and 6, or IEC 61508 [2] Part 2 Tables 2 and 3.
SIL verification of Continuous Mode SIFs is performed in much the same way as with High
Demand SIFs but with additional restrictions. The dangerous failure of a Continuous Mode SIF
will be self-revealing, directly and often immediately initiating the hazard scenario. Automatic
diagnostics may only be considered in very limited circumstances involving fault tolerant
redundancy, or when the sum of the diagnostic interval and SIF response time is less than the
process safety time [2, Part 2 clause 7.4.5.3]. This restriction may limit the effectiveness of
diagnostics in many situations. For this reason, it is often said that diagnostics may not be
credited in the verification of Continuous Mode SIF integrity.
Test interval is considered in the verification of fault tolerant architectures, but again is not a
mechanism for significantly reducing PFH. Achieved PFH equations can be found in IEC 61508
[2] Part 6 Annex B.
Continuous Mode Example:
A centrifugal compressor is equipped with a performance controller that executes a series of
complex control routines at very high speed, keeping the compressor operating at maximum
efficiency in a wide range of load conditions. Among other things, the control system
continuously modulates a recycle valve that allows a portion of the discharge to flow back to the
compressor’s suction. In the event that the compressor operating point approaches the surge line,
the controller will open the recycle valve to prevent catastrophic damage to the compressor. Due
to the quantity of measurements, the complexity of the control routines, and the speed at which
the evaluations must be made, it is common to combine compressor performance control and
certain complex protective functions in a single logic solver system.
The example plant risk management policy considers catastrophic compressor failure to be
tolerable at a frequency of no more than 1×10⁻⁴ events per year, as the compressor enclosure is
occupied as much as 2 hours per day. The LOPA team has determined that the normal range of
operating conditions can induce compressor surge without a failure in the process, meaning the
dangerous failure of the anti-surge control function itself is an initiating event. An independent
machinery protection system is capable of shutting down the steam turbine via the trip and
throttle valve by measuring shaft displacement at the thrust bearing; however, this is not an SIS,
and its probability of failure on demand can be no less than 1.0×10⁻¹. The team
determines that another automated system would be impractical to install and would not be
effective in all scenarios. For this reason the surge control will be considered to be a Continuous
Mode SIF, and the performance controller hardware will be designed and managed as an SIS.
$$\frac{1 \times 10^{-4} \text{ per year}}{[1 \times 10^{-1}] \times [1 \times 10^{-1}] \times \text{approx. } 10{,}000 \text{ hours per year}} = 1.0 \times 10^{-6} \text{ per hour}$$
Applying Equation 6, the target probability of failure is less than 1.0×10⁻⁶ per hour, or SIL 2
according to IEC 61511 [1] Part 1 Table 4 for Continuous Mode SIFs. SIL 2 will require fault
tolerance in each subsystem according to IEC 61511 [1] Part 1 Table 6, or a sufficiently high safe
failure fraction according to IEC 61508 [2] Part 2 Tables 2 and 3.
Table 3 – High Demand & Continuous Mode Safety Integrity from IEC 61511-1:2003 Table 4

SIL   Target FDF/PFH (per hour)
1     ≥ 10⁻⁶ to < 10⁻⁵
2     ≥ 10⁻⁷ to < 10⁻⁶
3     ≥ 10⁻⁸ to < 10⁻⁷
4     ≥ 10⁻⁹ to < 10⁻⁸

Table 2 – Minimum Fault Tolerance from IEC 61511-1:2003 Table 6

SIL   Minimum HFT
1     0
2     1
3     2
4     (see IEC 61508)
Table 4 – Architectural Constraints on Type A Safety-Related Subsystems from IEC 61508-2:2010 Table 2

Type A Safe Failure Fraction   Hardware Fault Tolerance
                               0        1        2
< 60%                          SIL 1    SIL 2    SIL 3
60% – < 90%                    SIL 2    SIL 3    SIL 4
90% – < 99%                    SIL 3    SIL 4    SIL 4
≥ 99%                          SIL 3    SIL 4    SIL 4

Table 5 – Architectural Constraints on Type B Safety-Related Subsystems from IEC 61508-2:2010 Table 3

Type B Safe Failure Fraction   Hardware Fault Tolerance
                               0        1        2
< 60%                          N/A      SIL 1    SIL 2
60% – < 90%                    SIL 1    SIL 2    SIL 3
90% – < 99%                    SIL 2    SIL 3    SIL 4
≥ 99%                          SIL 3    SIL 4    SIL 4
The system will be designed with 1oo2 voted flow sensors (Type B, SFF > 60%, 10% Beta), a
single logic solver (Type B, SFF > 90%), and a single valve assembly (Type A, SFF > 60%) with a
5 year test interval. The following failure rates were collected:
• Impulse Lines: 4×10⁻⁷ dangerous failures per hour
• Differential Pressure Transmitter: 8×10⁻⁷ dangerous failures per hour
• Logic Solver System: 9×10⁻⁸ dangerous failures per hour
• Digital Valve Controller: 4×10⁻⁷ dangerous failures per hour
• Anti-Surge Valve and Actuator: 3×10⁻⁷ dangerous failures per hour
$$\text{Achieved SIF PFH} = \sum \text{Subsystem PFH}$$
Equation 7 – Achieved PFH for High Demand and Continuous Mode SIFs
$$\text{Achieved PFH}_{1oo2} = 2\left[(1-\beta)\lambda_D\right]^2 \left[\frac{\text{Test Interval}}{2}\right] + \beta\lambda_D$$
Equation 10 – Simplified Achieved PFH for 1oo2 High Demand and Continuous Mode Subsystems
$$[1.71 \times 10^{-7}] + [9 \times 10^{-8}] + [7 \times 10^{-7}] = 9.61 \times 10^{-7} \text{ per hour}$$
Using very simplified failure assumptions the SIF achieves an overall dangerous failure
frequency of 9.61×10⁻⁷ per hour, less than the failure frequency target and within the
requirements for a SIL 2 Continuous Mode SIF.
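The target and achieved PFH arithmetic of this example, as an added worked example in Python (not code from the paper or from aeSolutions): it applies Equation 6 to the target side and Equations 10 and 7 to the achieved side, reproducing the 1.0×10⁻⁶ and 9.61×10⁻⁷ per hour figures above, and maps both onto the IEC 61511-1 Table 4 bands. The function names, the band dictionary, the 8760 h/year conversion of the five-year test interval, and the reading of the paper's two 1×10⁻¹ factors as one non-SIF IPL PFD plus one enabling (occupancy) probability are assumptions of the example, not the paper's.

```python
"""Continuous Mode anti-surge example, worked in code.

Added example (not code from the paper or from aeSolutions): Equation 6
(target PFH), Equation 10 (1oo2 subsystem PFH) and Equation 7 (summed
achieved PFH) applied to the numbers the paper gives. The helper names,
the band table and the split of the two 1e-1 factors are this example's
own assumptions.
"""
import math

HOURS_PER_YEAR = 8760.0  # used to convert the 5-year proof test interval to hours

# IEC 61511-1:2003 Table 4, high demand / continuous mode:
# SIL -> (lower PFH bound inclusive, upper PFH bound exclusive), per hour.
PFH_BANDS = {1: (1e-6, 1e-5), 2: (1e-7, 1e-6), 3: (1e-8, 1e-7), 4: (1e-9, 1e-8)}


def target_pfh(tolerable_events_per_year, non_sif_ipl_pfds, enabling_probs,
               hours_per_year=10_000.0):
    """Equation 6. The paper converts the tolerable frequency with
    'approx 10,000 hours per year', so that rounding is the default here."""
    tolerable_per_hour = tolerable_events_per_year / hours_per_year
    divisor = math.prod(non_sif_ipl_pfds) * math.prod(enabling_probs)
    return tolerable_per_hour / divisor


def required_sil(target):
    """Lowest SIL whose band lies entirely below the target, so that any
    achieved PFH inside the band meets it. A target of 1e-6/h therefore maps
    to SIL 2 (achieved PFH must be < 1e-6). The small relative tolerance
    absorbs floating-point rounding in the computed target."""
    for sil in (1, 2, 3, 4):
        if PFH_BANDS[sil][1] <= target * (1 + 1e-9):
            return sil
    raise ValueError("target is below the SIL 4 band")


def achieved_sil(pfh):
    """SIL band (Table 4) containing an achieved PFH, or None if outside SIL 1-4."""
    for sil, (lo, hi) in PFH_BANDS.items():
        if lo <= pfh < hi:
            return sil
    return None


def pfh_1oo2(lambda_d, beta, test_interval_hours):
    """Equation 10: 2[(1-beta)*lambda_D]^2 * (TI/2) + beta*lambda_D.
    Only the independent dual-failure term scales with the test interval;
    the common-cause term beta*lambda_D does not, which is why a shorter
    interval buys little once beta dominates."""
    independent = 2.0 * ((1.0 - beta) * lambda_d) ** 2 * (test_interval_hours / 2.0)
    common_cause = beta * lambda_d
    return independent + common_cause


def achieved_pfh(subsystem_pfhs):
    """Equation 7: the SIF PFH is the sum of the subsystem PFHs."""
    return sum(subsystem_pfhs)


def anti_surge_example(test_interval_years=5.0):
    """Reproduces the paper's numbers and returns the intermediate results."""
    # Target side (values from the paper's example): tolerable 1e-4 catastrophic
    # failures per year; the independent machinery protection system is the only
    # non-SIF IPL at PFD 1e-1; the 2 h/day enclosure occupancy is taken as the
    # conservative 1e-1 enabling probability. Which of the paper's two 1e-1
    # factors is which is this example's reading, not stated by the paper.
    target = target_pfh(1e-4, non_sif_ipl_pfds=[1e-1], enabling_probs=[1e-1])

    # Achieved side: dangerous failures per hour from the paper's list.
    sensor_channel = 4e-7 + 8e-7          # impulse lines + DP transmitter, per channel
    sensors = pfh_1oo2(sensor_channel, beta=0.10,
                       test_interval_hours=test_interval_years * HOURS_PER_YEAR)
    logic_solver = 9e-8                    # single logic solver
    final_element = 4e-7 + 3e-7            # digital valve controller + valve/actuator
    achieved = achieved_pfh([sensors, logic_solver, final_element])

    return {
        "target_pfh": target,
        "required_sil": required_sil(target),
        "sensor_pfh_1oo2": sensors,
        "achieved_pfh": achieved,
        "achieved_sil": achieved_sil(achieved),
        "meets_target": achieved < target,
    }


if __name__ == "__main__":
    for years in (5.0, 1.0):
        r = anti_surge_example(years)
        print(f"TI={years:.0f} y: target {r['target_pfh']:.2e}/h (SIL {r['required_sil']}), "
              f"achieved {r['achieved_pfh']:.3e}/h (SIL {r['achieved_sil']}), "
              f"meets target: {r['meets_target']}")
```

Calling anti_surge_example(1.0) illustrates the point made above about test interval: cutting the interval from five years to one lowers the sensor subsystem PFH only from about 1.7×10⁻⁷ to about 1.3×10⁻⁷ per hour, because the common-cause term βλ_D does not depend on the interval and dominates the 1oo2 result.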
DEVICE SELECTION AND MECHANICAL INTEGRITY
A Mechanical Integrity program is a fundamental element of an overall process safety
management system. Long-term safety depends on continuous and proactive inspection,
preventive maintenance, and functional testing, promoting the ongoing performance of
equipment involved in the processing and storage of hazardous materials. SIS and SIF
Mechanical Integrity planning begins in the design phase with proper device selection, the
specification of appropriate inspection and testing intervals, the development of specific
inspection and testing procedures, and training for the personnel carrying out these procedures
over the life of the plant.
Due to the prevalence of Low Demand Mode SIFs, the majority of IEC 61508 certified
instruments may provide failure rate data appropriate only for Low Demand applications.
Selection of instrumentation in more frequent or continuous use presents a challenge for High
Demand and Continuous Mode SIFs, particularly with final elements, as the failure
characteristics and the definition of useful life will most certainly be different. Always consult
Safety Manuals and other manufacturer documentation for any devices under consideration to
ensure they are intended for use in the required service, and that all of the manufacturer's
requirements can be addressed in the design and mechanical integrity plan. When certified
devices are not available, a proven-in-use justification should carefully consider differences in
application and frequency of operation.
In Low Demand SIFs, aside from the dangerous failure rate itself, proof test interval is the
variable that has the largest impact on achieved safety integrity. For this reason the SIL
verification frequently becomes the deciding factor in how often each device must be tested and
what on-line testing facilities must be included in the design. Unlike Low Demand Mode SIFs,
such an interval is not always considered in the PFH calculation for High Demand and
Continuous Mode SIFs. This does not suggest, however, that High Demand and Continuous
Mode devices are free to operate indefinitely without preventive maintenance. Periodic
inspection, functional testing, and restoration to new or like-new condition must be regarded as
basic requirements for SIFs of all operating modes, and all devices must be operated within their
useful life, where random failures can be assumed to occur at a constant rate. Keep in mind that
Low Demand Mode assumes that dangerous failures are more likely to be uncovered by a proof
test than by a Demand (i.e. the mean demand interval is at least twice the proof test interval). If online
testing and repair cannot take place according to the assumptions made during the analysis phase,
the SIF Mode of Operation may need to be reconsidered.
Finally, as demands are more likely to arise, Mean Time To Restore (MTTR) becomes a much
more critical variable in the achieved safety integrity. Not only may the quantity of spare parts
need to be adjusted to ensure timely replacement of faulty devices, but so may the training of
maintenance personnel and the methods for identification of priorities.
For further information and recommended practices regarding SIS Mechanical Integrity, refer to
ISA Technical Report TR84.00.03 [7].
KEY TAKE-AWAYS
• Demand Rate must be estimated prior to determination of target safety integrity; the
determination method and the measure of safety integrity change as demand rate
increases.
• PFDavg cannot be converted to PFH, or vice-versa. These metrics are completely
unrelated as different assumptions and variables are involved in both the
determination of integrity target and verification of achieved integrity.
• Achieved PFH in the High Demand Mode is not necessarily equal to achieved PFH in
the Continuous Mode. Different assumptions and variables may be involved in the
verification of achieved integrity.
• Purely qualitative SIL determination methodologies may not adequately address SIF
Demand Rates.
• The LOPA methodology based on the Event Tree analysis technique is capable of
addressing the sequence of protection layer demands, providing a mechanism for
greater precision in demand rate assessments. The sequence of IPLs may be
considered in Demand Rate assessments if sufficient data is available to support
estimation of the overall process safety time and the available response time allocated
to each protection layer.
• SIL determination techniques do not readily account for dependencies between
initiating events and protection layers. Failure to fully separate BPCS and SIS
instrumentation may inadvertently place a SIF into the Continuous Mode [1, Part 1
clauses 11.2.10; 3.2.43.2].
• Demand Rates should be monitored and analyzed to validate assumptions made
during the Hazard and Risk Assessment and SIL determination stages. Investigating
the causes and frequencies of safety system demands is key in the continuous
improvement of a safety management system. [1, Part 1 clause 5.2.5]
• The meanings of Low Demand, High Demand, and Continuous Modes of SIF
Operation must be understood by process risk analysts, design engineers, unit
operators, and maintenance personnel.
• Just as with Safety Integrity Level, the Mode of Operation is applied to the SIF in its
entirety and not individual components.
• Safety Instrumented Functions are completely customized for each application; there
can be no single collection of predetermined requirements. Design constraints and
mechanical integrity practices must be determined in the context of the process and
the process risk, of which Demand Rate is a key consideration.
CONCLUSIONS
Many of us more readily associate Safety Integrity Levels with the severities of the particular
consequences SIFs are designed to prevent. This is of course only half of the equation, as risk is
the product of consequence severity and likelihood. Hazard scenarios may require risk reduction
not only due to high consequence severity, but also due to a high frequency of occurrence. The
ratio of demand interval to proof test interval is of critical importance to assigning the
appropriate SIF Mode of Operation and determining the applicable measure of safety integrity.
Ever-increasing safety and economic targets place competing pressures on plants and projects to
design SIFs that provide for greater risk reduction, extended proof test intervals, and tighter
integration with the BPCS. While the overwhelming majority of SIFs are assumed to be
operating in the Low Demand Mode of Operation, the criteria that allow this to be true cannot be
overlooked in favor of expedience or convenience.
Improperly estimating demand rates can result in incorrect specification and verification of
safety integrity, the basis for many subsequent decisions in the SIS design process. Long-term
mechanical integrity may also suffer due to improperly selected field devices and inappropriate
maintenance practices, ultimately resulting in over-confidence that risk tolerance targets are
being achieved and sustained over time. To combat these effects, careful and conservative
demand rate estimation should take a more prominent role in the determination of SIF integrity
requirements.
REFERENCES
[1] IEC 61511:2003. Functional safety – Safety instrumented systems for the process
industry sector, Parts 1–3. Geneva: International Electrotechnical Commission. 2003.
or
ANSI/ISA-84.00.01-2004 (IEC 61511 Mod). Functional Safety: Safety Instrumented
Systems for the Process Industry Sector, Parts 1–3. Research Triangle Park:
Instrumentation, Systems, and Automation Society. 2004.
[2] IEC 61508:2010. Functional safety of electrical/electronic/programmable electronic
safety-related systems, Parts 1–7, Edition 2.0. Geneva: International Electrotechnical
Commission. 2010.
[3] Committee Draft IEC 61511 edition 2. Functional safety – Safety instrumented systems
for the process industry sector, Parts 1–3. Geneva: International Electrotechnical
Commission. 2012.
[4] ISA-TR84.00.04-2011. Guidelines for the Implementation of ANSI/ISA-84.00.01-2004
(IEC 61511 Mod). Research Triangle Park: International Society of Automation. 2011.
[5] ANSI/ISA-84.91.01-2012. Identification and Mechanical Integrity of Safety Controls,
Alarms, and Interlocks in the Process Industry. Research Triangle Park: International
Society of Automation. 2012.
[6] ISA-TR84.00.02-2002. Safety Instrumented Functions (SIF) - Safety Integrity Level
(SIL) Evaluation Techniques. Research Triangle Park: International Society of
Automation. 2002.
[7] ISA-TR84.00.03-2011. Mechanical Integrity of Safety Instrumented Systems (SIS).
Research Triangle Park: International Society of Automation. 2011.
[8] Layer of Protection Analysis: Simplified Process Risk Assessment. New York: Center
for Chemical Process Safety of the American Institute of Chemical Engineers, 2001.
[9] Henley, Ernest J. and Hiromitsu Kumamoto. Reliability Engineering and Risk
Assessment. New York: Prentice-Hall. 1981.

More Related Content

What's hot

Api6 a trim_material_ratings
Api6 a trim_material_ratingsApi6 a trim_material_ratings
Api6 a trim_material_ratings
Ingeniero William Gomez
 
Production optimization using gas lift technique
Production optimization using gas lift techniqueProduction optimization using gas lift technique
Production optimization using gas lift technique
Jarjis Mohammed
 
Installation procedures of wellhead
Installation procedures of wellheadInstallation procedures of wellhead
Installation procedures of wellhead
Elsayed Amer
 
Tubing string
Tubing stringTubing string
Tubing string
Elsayed Amer
 
API STD 521
API STD 521API STD 521
Pressure Relief Devices_Presenation
Pressure Relief Devices_PresenationPressure Relief Devices_Presenation
Pressure Relief Devices_Presenation
sumit handa
 
unlocked-461fd952f4656fee70de599ef77bd2ba.pptx
unlocked-461fd952f4656fee70de599ef77bd2ba.pptxunlocked-461fd952f4656fee70de599ef77bd2ba.pptx
unlocked-461fd952f4656fee70de599ef77bd2ba.pptx
WaledFekry1
 
Well Testing Surface safety Valve (SSV), Well Test Valves - WOM Group
Well Testing Surface safety Valve (SSV), Well Test Valves - WOM GroupWell Testing Surface safety Valve (SSV), Well Test Valves - WOM Group
Well Testing Surface safety Valve (SSV), Well Test Valves - WOM Group
womgroup
 
02 wireline
02 wireline02 wireline
02 wireline
Johan RC
 
Pressure Relief valve sizing and design
Pressure Relief valve sizing and designPressure Relief valve sizing and design
Pressure Relief valve sizing and design
Héctor Nguema Ondo
 
Pressure Vacuum Relief Valve.pptx
Pressure Vacuum Relief Valve.pptxPressure Vacuum Relief Valve.pptx
Pressure Vacuum Relief Valve.pptx
SwamiVidya
 
Side sliding door ssd
Side sliding door ssdSide sliding door ssd
Side sliding door ssd
Elsayed Amer
 
Pressure Relief Devices
Pressure Relief DevicesPressure Relief Devices
Pressure Relief Devices
ie-net ingenieursvereniging vzw
 
Well intervention
Well interventionWell intervention
Well intervention
Touseef Rehman
 
MTI Field Guide to Inspection of FRP Pipes
MTI Field Guide to Inspection of FRP Pipes MTI Field Guide to Inspection of FRP Pipes
MTI Field Guide to Inspection of FRP Pipes
Osama Lari
 
The Science and Economics of Multiphase Flow
The Science and Economics of Multiphase FlowThe Science and Economics of Multiphase Flow
The Science and Economics of Multiphase Flow
Society of Petroleum Engineers
 
Testing of Safety Valves
Testing of Safety ValvesTesting of Safety Valves
Testing of Safety Valves
Carl Stevens
 
Wellhead
WellheadWellhead
Wellhead
amrhaggag
 
PSV Calculation and Philosophy.pdf
PSV Calculation and Philosophy.pdfPSV Calculation and Philosophy.pdf
PSV Calculation and Philosophy.pdf
mitesh979351
 
Oil Production Facilities
Oil Production FacilitiesOil Production Facilities
Oil Production Facilities
InGu Lee
 

What's hot (20)

Api6 a trim_material_ratings
Api6 a trim_material_ratingsApi6 a trim_material_ratings
Api6 a trim_material_ratings
 
Production optimization using gas lift technique
Production optimization using gas lift techniqueProduction optimization using gas lift technique
Production optimization using gas lift technique
 
Installation procedures of wellhead
Installation procedures of wellheadInstallation procedures of wellhead
Installation procedures of wellhead
 
Tubing string
Tubing stringTubing string
Tubing string
 
API STD 521
API STD 521API STD 521
API STD 521
 
Pressure Relief Devices_Presenation
Pressure Relief Devices_PresenationPressure Relief Devices_Presenation
Pressure Relief Devices_Presenation
 
unlocked-461fd952f4656fee70de599ef77bd2ba.pptx
unlocked-461fd952f4656fee70de599ef77bd2ba.pptxunlocked-461fd952f4656fee70de599ef77bd2ba.pptx
unlocked-461fd952f4656fee70de599ef77bd2ba.pptx
 
Well Testing Surface safety Valve (SSV), Well Test Valves - WOM Group
Well Testing Surface safety Valve (SSV), Well Test Valves - WOM GroupWell Testing Surface safety Valve (SSV), Well Test Valves - WOM Group
Well Testing Surface safety Valve (SSV), Well Test Valves - WOM Group
 
02 wireline
02 wireline02 wireline
02 wireline
 
Pressure Relief valve sizing and design
Pressure Relief valve sizing and designPressure Relief valve sizing and design
Pressure Relief valve sizing and design
 
Pressure Vacuum Relief Valve.pptx
Pressure Vacuum Relief Valve.pptxPressure Vacuum Relief Valve.pptx
Pressure Vacuum Relief Valve.pptx
 
Side sliding door ssd
Side sliding door ssdSide sliding door ssd
Side sliding door ssd
 
Pressure Relief Devices
Pressure Relief DevicesPressure Relief Devices
Pressure Relief Devices
 
Well intervention
Well interventionWell intervention
Well intervention
 
MTI Field Guide to Inspection of FRP Pipes
MTI Field Guide to Inspection of FRP Pipes MTI Field Guide to Inspection of FRP Pipes
MTI Field Guide to Inspection of FRP Pipes
 
The Science and Economics of Multiphase Flow
The Science and Economics of Multiphase FlowThe Science and Economics of Multiphase Flow
The Science and Economics of Multiphase Flow
 
Testing of Safety Valves
Testing of Safety ValvesTesting of Safety Valves
Testing of Safety Valves
 
Wellhead
WellheadWellhead
Wellhead
 
PSV Calculation and Philosophy.pdf
PSV Calculation and Philosophy.pdfPSV Calculation and Philosophy.pdf
PSV Calculation and Philosophy.pdf
 
Oil Production Facilities
Oil Production FacilitiesOil Production Facilities
Oil Production Facilities
 

Similar to Barnard Impacts of Demand Rates

Sil explained in valve actuators
Sil explained in valve actuatorsSil explained in valve actuators
Sil explained in valve actuators
John Kingsley
 
Understanding Safety Level Integrity Levels (SIL)
Understanding Safety Level Integrity Levels (SIL)Understanding Safety Level Integrity Levels (SIL)
Understanding Safety Level Integrity Levels (SIL)
Power Specialties, Inc.
 
Asco Safety Systems Solenoid Valve Selection Guide
Asco Safety Systems Solenoid Valve Selection GuideAsco Safety Systems Solenoid Valve Selection Guide
Asco Safety Systems Solenoid Valve Selection Guide
Miller Energy, Inc.
 
SIL-LOPA-Presentation-19th-June-2016.pdf
SIL-LOPA-Presentation-19th-June-2016.pdfSIL-LOPA-Presentation-19th-June-2016.pdf
SIL-LOPA-Presentation-19th-June-2016.pdf
endahsaluyo
 
Application of Combustion Analyzers in Safety Instrumented Systems
Application of Combustion Analyzers in Safety Instrumented SystemsApplication of Combustion Analyzers in Safety Instrumented Systems
Application of Combustion Analyzers in Safety Instrumented Systems
Belilove Company-Engineers
 
Understanding sil
Understanding silUnderstanding sil
Understanding sil
rajesh kumar ramaswamy
 
Reliability Instrumented System | Arrelic Insights
Reliability Instrumented System | Arrelic Insights Reliability Instrumented System | Arrelic Insights
Reliability Instrumented System | Arrelic Insights
Arrelic
 
LOPA_SIS - in plain English
LOPA_SIS - in plain EnglishLOPA_SIS - in plain English
LOPA_SIS - in plain English
Robert Sammons - FSE
 
6- Writing a SRS-Dec-2016
6- Writing a SRS-Dec-20166- Writing a SRS-Dec-2016
6- Writing a SRS-Dec-2016
Shivendra Kapoor
 
Sil 1 (1)1
Sil 1 (1)1Sil 1 (1)1
safety-instrumented-systems for cbemical
safety-instrumented-systems for cbemicalsafety-instrumented-systems for cbemical
safety-instrumented-systems for cbemical
Josh Jay
 
safety-instrumented-systems-summers.ppt
safety-instrumented-systems-summers.pptsafety-instrumented-systems-summers.ppt
safety-instrumented-systems-summers.ppt
editorschoice1
 
Technical Paper for ASPF 2012 - Choosing the right SIS
Technical Paper for ASPF 2012 - Choosing the right SISTechnical Paper for ASPF 2012 - Choosing the right SIS
Technical Paper for ASPF 2012 - Choosing the right SIS
Alvin CJ Chin
 
aesolutions_impacts_of_process_safety_time_on_layer_of_protection_analysis_wh...
aesolutions_impacts_of_process_safety_time_on_layer_of_protection_analysis_wh...aesolutions_impacts_of_process_safety_time_on_layer_of_protection_analysis_wh...
aesolutions_impacts_of_process_safety_time_on_layer_of_protection_analysis_wh...
Geoffrey Barnard, P.E., CFSE
 
1. safety instrumented systems
1. safety instrumented systems1. safety instrumented systems
1. safety instrumented systems
Saiful Chowdhury
 
Methods of determining_safety_integrity_level
Methods of determining_safety_integrity_levelMethods of determining_safety_integrity_level
Methods of determining_safety_integrity_level
Mowaten Masry
 
Aviation Operations Safety Management System
Aviation Operations Safety Management SystemAviation Operations Safety Management System
Aviation Operations Safety Management System
pghclearningsolution
 
Aviation Training, Safety Management System
Aviation Training, Safety Management SystemAviation Training, Safety Management System
Aviation Training, Safety Management System
pghclearingsolutions
 
RCM
RCMRCM
Caught in Numbers, Lost in Focus: What it Means to Manage Safety in Global Sh...
Caught in Numbers, Lost in Focus: What it Means to Manage Safety in Global Sh...Caught in Numbers, Lost in Focus: What it Means to Manage Safety in Global Sh...
Caught in Numbers, Lost in Focus: What it Means to Manage Safety in Global Sh...
Nippin Anand
 

Similar to Barnard Impacts of Demand Rates (20)

Sil explained in valve actuators
Sil explained in valve actuatorsSil explained in valve actuators
Sil explained in valve actuators
 
Understanding Safety Level Integrity Levels (SIL)
Understanding Safety Level Integrity Levels (SIL)Understanding Safety Level Integrity Levels (SIL)
Understanding Safety Level Integrity Levels (SIL)
 
Asco Safety Systems Solenoid Valve Selection Guide
Asco Safety Systems Solenoid Valve Selection GuideAsco Safety Systems Solenoid Valve Selection Guide
Asco Safety Systems Solenoid Valve Selection Guide
 
SIL-LOPA-Presentation-19th-June-2016.pdf
SIL-LOPA-Presentation-19th-June-2016.pdfSIL-LOPA-Presentation-19th-June-2016.pdf
SIL-LOPA-Presentation-19th-June-2016.pdf
 
Application of Combustion Analyzers in Safety Instrumented Systems
Application of Combustion Analyzers in Safety Instrumented SystemsApplication of Combustion Analyzers in Safety Instrumented Systems
Application of Combustion Analyzers in Safety Instrumented Systems
 
Understanding sil
Understanding silUnderstanding sil
Understanding sil
 
Reliability Instrumented System | Arrelic Insights
Reliability Instrumented System | Arrelic Insights Reliability Instrumented System | Arrelic Insights
Reliability Instrumented System | Arrelic Insights
 
LOPA_SIS - in plain English
LOPA_SIS - in plain EnglishLOPA_SIS - in plain English
LOPA_SIS - in plain English
 
6- Writing a SRS-Dec-2016
6- Writing a SRS-Dec-20166- Writing a SRS-Dec-2016
6- Writing a SRS-Dec-2016
 
Sil 1 (1)1
Sil 1 (1)1Sil 1 (1)1
Sil 1 (1)1
 
safety-instrumented-systems for cbemical
safety-instrumented-systems for cbemicalsafety-instrumented-systems for cbemical
safety-instrumented-systems for cbemical
 
safety-instrumented-systems-summers.ppt
safety-instrumented-systems-summers.pptsafety-instrumented-systems-summers.ppt
safety-instrumented-systems-summers.ppt
 
Technical Paper for ASPF 2012 - Choosing the right SIS
Technical Paper for ASPF 2012 - Choosing the right SISTechnical Paper for ASPF 2012 - Choosing the right SIS
Technical Paper for ASPF 2012 - Choosing the right SIS
 
aesolutions_impacts_of_process_safety_time_on_layer_of_protection_analysis_wh...
aesolutions_impacts_of_process_safety_time_on_layer_of_protection_analysis_wh...aesolutions_impacts_of_process_safety_time_on_layer_of_protection_analysis_wh...
aesolutions_impacts_of_process_safety_time_on_layer_of_protection_analysis_wh...
 
1. safety instrumented systems
1. safety instrumented systems1. safety instrumented systems
1. safety instrumented systems
 
Methods of determining_safety_integrity_level
Methods of determining_safety_integrity_levelMethods of determining_safety_integrity_level
Methods of determining_safety_integrity_level
 
Aviation Operations Safety Management System
Aviation Operations Safety Management SystemAviation Operations Safety Management System
Aviation Operations Safety Management System
 
Aviation Training, Safety Management System
Aviation Training, Safety Management SystemAviation Training, Safety Management System
Aviation Training, Safety Management System
 
RCM
RCMRCM
RCM
 
Caught in Numbers, Lost in Focus: What it Means to Manage Safety in Global Sh...
Caught in Numbers, Lost in Focus: What it Means to Manage Safety in Global Sh...Caught in Numbers, Lost in Focus: What it Means to Manage Safety in Global Sh...
Caught in Numbers, Lost in Focus: What it Means to Manage Safety in Global Sh...
 

Barnard Impacts of Demand Rates

  • 1. 1 IMPACTS OF DEMAND RATES ON SIF/SIS DESIGN AND MECHANICAL INTEGRITY Geoffrey Barnard, P.E., CFSE aeSolutions Houston, TX KEYWORDS Safety Instrumented Systems (SIS), Layer of Protection Analysis (LOPA), Safety Integrity Level (SIL) Determination, Safety Integrity Level (SIL) Verification, Demand Rate, Demand Mode, Continuous Mode ABSTRACT IEC 61508 and IEC 61511 (ANSI/ISA 84) impose certain requirements for design and verification of Safety Instrumented Functions (SIFs) based on the assigned Safety Integrity Level (SIL), as well as the expected Demand Rate and Mode of Operation. It is often said that SIFs in Process Industry applications overwhelmingly fall into a Low Demand Mode of operation, but what exactly does this mean? What assumptions lead to this belief, and when do these assumptions hold true? This paper examines the differences between Low Demand, High Demand, and Continuous Mode SIFs, and provides examples and practical guidance for SIL Determination, conceptual design, SIL Verification, and long-term Mechanical Integrity considerations for each. INTRODUCTION When the risk of a particular hazard cannot be reduced sufficiently through other means, a Safety Instrumented Function (SIF) is often specified to close the gap. As many of us are all too familiar, IEC 61511 (ANSI/ISA 84) places certain requirements on the design, operation, and maintenance of Safety Instrumented Functions (SIFs) based on their Safety Integrity Level (SIL). The required SIL of a SIF is determined within the context of the hazardous outcome it is intended to prevent, the tolerability of such an outcome, the other available protection layers that prevent the hazardous outcome, and the frequency of events or conditions that may lead to the hazard in the first place.
  • 2. 2 Layer of Protection Analysis (LOPA) is a widely used methodology for SIL determination because its semi-quantitative nature lends itself to establishing quantitative integrity targets; a critical step in the Safety Instrumented System (SIS) design process upon which many other assumptions will be based. When speaking of Safety Integrity Levels and SIL determination many of us jump immediately to average Probability of Failure on Demand (PFDavg). The terms have become nearly synonymous in the industry. However, reading carefully in the standard we find that this term is valid only in the case of Demand Mode SIFs. A majority of technical resources on the subject of SIS refer to the fact that process industry SIFs fall overwhelmingly into a Demand Mode, or Low Demand Mode of Operation. Does the ubiquity of such a prediction lead to its own accomplishment? With so much depending on this initial phase of the process, it is critical to understand this assumption, when it is valid, and how to adjust the process when it is not valid. The following sections will explore the meaning of a Demand on a safeguard, as well as impacts the frequency of demands has on SIL determination, conceptual design, SIL verification, and long-term Mechanical Integrity of a SIF. DEMANDS A Demand is placed on a safeguard when process conditions require the safeguard to function in order to prevent a hazard. In a simple example, a pressure relief valve on a vessel experiences a demand when the vessel pressure exceeds the set pressure of the relief valve. When the relief valve lifts, the vessel is protected from overpressure. If the relief valve fails to lift, it can be said to have failed dangerously and the vessel is now at risk of overpressure if further action is not taken. On the other hand, if the relief valve lifts below the set pressure it could be said to have failed spuriously. 
In this case, the relief valve took action unnecessarily when the vessel was not at risk and therefore no demand took place. SIF demands can be explained in much the same way. When a hazardous condition is present that a SIF sensor is designed to detect, and the SIF action is required to prevent the progression to a hazardous event, a demand has been placed on that SIF. Often times within an SIS many additional actions must take place to safely shutdown all related process equipment. Not all of these actions must take place to prevent the first or most immediate hazard but may be done to avoid secondary hazards or conditions that may place demands on other SIFs or safeguards. If a SIF (or a final element of a SIF) is activated by another SIF internally to the logic solver, or manually by an operator, this would generally not be considered a demand. In the example below, Pressure Vessel V-100 operates with a normal liquid level of 50% controlled by basic process control loop LC-100. Transfer Pump P-200 sends excess liquid to
  • 3. 3 Atmospheric Storage Tank T-300. Should a failure occur in the process equipment or the process control loop resulting in a loss of liquid level, high pressure gas may escape through the transfer line, resulting in the rupture of T-300 with the potential for injury or toxic exposure to plant personnel. Figure 1 – Example System 1 Piping & Instrumentation Diagram In one particular scenario, control loop LC-100 malfunctions, allowing LV-100 to go wide-open leading to a decrease in level in V-100. If the level reaches the low trip point of SIF-1, a demand is placed on SIF-1 which must close XV-101 to prevent the hazardous event. One may also notice that upon closure of XV-101 a new hazard is created. Blocked suction of the Transfer Pump P-200 may lead to cavitation, seal failure, and potential for toxic exposure to plant personnel. SIF-2 will shut off the pump when the discharge flow drops below a threshold indicating that continued operation will lead to damage. Rather than allowing the automatic closure of XV-101 to induce a secondary hazard, SIF-1 should be specified with a secondary action to stop pump P-200. Whenever possible it is a good practice to coordinate such actions to avoid secondary hazards and avoid placing unnecessary demands on other safeguards and protection layers, preventing hazards before the hazardous conditions arise. DEMAND RATE IEC 61511 (ANSI/ISA 84) requires consideration of potential Sources of Demand and probable Demand Rates of SIFs during the Hazard and Risk Assessment [1, clause 8.2.1], Allocation of Safety Functions to Protection Layers [1, clauses 9.2.3, 9.2.4], development of the Safety Requirements Specification (SRS) [1, clause 10.3.1], Design and Engineering [1, clauses 11.2.10, 11.3.2, 11.3.3, 11.9], Operation and Maintenance [1, clause 16.2.2], and Modification
  • 4. 4 [1, clause 17.1.1]. What exactly are sources of demand, and why are demand rates important to so many stages of the safety lifecycle? Sources of Demand for a particular SIF may be relatively easy to identify. When a SIF is specified as a protection layer against a hazardous event, each of the causes or initiating events that lead to this hazardous event would be among the SIF sources of demand. Specific causes of all credible hazard scenarios or conditions should be considered as part of the Hazard and Risk Assessment and documented as sources of demand in the SRS. The Demand Rate of a SIF is the total frequency from all sources of demand upon which hazardous process conditions will call for the SIF to act. While we often estimate initiating event frequencies as part of the SIL determination process, the actual demand rate of a SIF may be much more difficult to predict. Often times a SIF may be one of several Independent Protection Layers (IPLs), each capable of preventing a particular hazardous event. Unless the SIF is the first or only layer to act in response to each initiating event, simply summing the initiating event frequencies is likely to over-estimate the actual demand rate the SIF will experience. When other IPLs are designed to complete their respective actions first, demands experienced by the SIF can be expected to decrease dramatically. Figure 2 – Sequenced IPL Response Times Figure 3 – Non-Sequenced IPL Response Times Initiating Event Hazardous Event Initiating Event Hazardous Event
In order to more precisely estimate a SIF's demand rate, one could consider the sequence of IPLs in each hazard scenario by multiplying the initiating event frequency by the PFD of any IPL designed to complete its action prior to initiation of the SIF. Analysts should be cautioned that this may require substantial effort very early in the design process. Without careful consideration of process dynamics and the available response times of each IPL within the context of the overall process safety time, results may under-estimate the actual demand rate the SIF will experience.

$$\text{Estimated SIF Demand Rate} = \sum \left[ \text{Initiating Event Frequency} \times \prod \text{Non-SIF IPL PFDs completing action prior to SIF initiation} \right]$$

Equation 1 – Estimated SIF Demand Rate with consideration of response times and process safety time

It is easy to imagine how attempts to precisely estimate SIF demand rates on paper can be quite problematic. Absent sufficient operating history to directly measure SIF demand rates, reasonable and conservative assumptions will need to be made. Like all data assumed throughout the design and analysis process, SIF demands should be tracked and investigated so that actual operating history can be used to validate that the SIF design criteria are sufficiently conservative, and that all sources of demand have been anticipated and analyzed.

Though often overlooked, expected and actual SIF demand rates are of critical importance to the basis of SIF design and mechanical integrity. Improperly estimating demands can lead to misapplication of the SIL determination process, improper design and SIL verification, inappropriate maintenance intervals, and ultimately SIFs that do not adequately protect against the given hazards.

NOTES ON SIF MODES OF OPERATION

Before beginning a more detailed exploration of SIF Modes of Operation, it is important to note that the definitions in the current version of IEC 61511 [1] differ from those of the parent standard, IEC 61508 [2], leaving only a distinction between Demand Mode (protection layer) and Continuous Mode (safety critical control). Development of the second edition of IEC 61511 [3] is currently underway, drafts of which feature Modes of Operation defined in closer alignment with the second edition of IEC 61508 published in 2010. For clarity, this document applies the current state-of-the-industry approach defining three modes of operation, but with specific references to applicable clauses of the current edition of IEC 61511, expected to remain in effect through at least 2014.
LOW DEMAND MODE

In order to be considered in a Low Demand Mode of Operation, the SIF must meet three basic criteria:

• SIF dangerous failure does not initiate a hazard scenario without subsequent failure in the process or BPCS [1, Part 1 clause 3.2.43.1], and;
• Demand rate no greater than once per year [1, Part 1 clause 3.2.43.2], and;
• Demand interval at least twice the proof test interval [4, Annex I].

First, the SIF acts only as a safeguard. The process is normally capable of being operated within its safe upper and lower limits without the SIF; the SIF only exists to reduce the frequency of a hazardous event initiated by some sort of failure of process equipment, failure of the BPCS, or failure of a human to follow intended procedures. A dangerous failure of the SIF has no impact on the process or the BPCS and cannot be the cause of a hazard scenario. SIFs that do not meet this requirement should be considered to operate in Continuous Mode.

Second, the expected demand rate of the SIF is infrequent: once per year or less. Although the one-year threshold may seem somewhat arbitrary, a SIF experiencing more frequent demands would suggest that the process may not be adequately controlled to begin with. In such cases the actual hazard frequency will be more closely related to the dangerous failure frequency of the SIF, meaning it would normally be most appropriate to consider the SIF to operate in High Demand Mode.

The third requirement for Low Demand SIFs is that the expected demand rate is infrequent relative to the proof test interval. In other words, a dangerous failure of the SIF is more likely to be uncovered by a proof test than by a demand. If this condition is not met, proof testing should not be considered effective in uncovering dangerous failures, and SIL determination and SIL verification in terms of PFDavg (where proof test interval is a key component) are no longer applicable. For this reason, when the demand interval is less than twice the proof test interval it would generally be more appropriate to consider the SIF to operate in the High Demand Mode.

Though undoubtedly your company's or client's risk management policies and LOPA/SIL determination procedures will vary, the typical approach to SIL determination and SIL verification that most process industry analysts are familiar with is that of Low Demand Mode. This process begins with the estimation of the initiating event frequency of a particular hazard, and the allocation of non-SIF protection layers that reduce the frequency of the outcome. When compared against the tolerability of such an outcome (most often expressed in terms of a Tolerable Event Frequency in events per year), any remaining gap in risk reduction may be assigned to a SIF.
$$\text{Mitigated Event Frequency (events per year)} = \text{Initiating Event Frequency (events per year)} \times \prod \text{Non-SIF IPL PFDs} \times \prod \text{Probabilities of Enabling Events or Conditions} \times \text{SIF PFD}_{avg}$$

Equation 2 – Mitigated Event Frequency for Low Demand SIFs

$$\text{Target SIF PFD}_{avg} = \frac{\text{Tolerable Event Frequency (events per year)}}{\text{Initiating Event Frequency} \times \prod \text{Non-SIF IPL PFDs} \times \prod \text{Enabling Probabilities}}$$

Equation 3 – Target PFDavg for Low Demand SIFs

Once the target PFDavg and Safety Integrity Level have been determined, design of the SIF may proceed with the appropriate architectural constraints according to IEC 61511 [1] Part 1 Tables 5 and 6, or IEC 61508 [2] Part 2 Tables 2 and 3. For SIFs operating in Low Demand Mode, SIL verification may consider automatic diagnostics for reducing the effective dangerous failure rates of individual devices, and periodic proof testing and repair may be considered for reducing PFDavg. For further guidance on the basics of Low Demand Mode SIL verification, refer to IEC 61508 [2] Part 6 Annex B, or ISA Technical Report TR84.00.02 [6] Parts 1 through 5.

Low Demand Mode Example:

Consider again the example system in Figure 1. The LOPA Team identified one credible initiating event that could lead to the hazardous event of loss of level in V-100 and gas blow-by to T-300: LV-100 malfunctioning open, a BPCS failure with a frequency no less than 1×10⁻⁵ per hour, approximately 0.1 per year, or once in 10 years. According to the requirements above, such a demand rate allows SIF-1 to operate in Demand Mode [1], or Low Demand Mode [2, 3], with a maximum proof test interval of 5 years. Based on the consequence severity of the storage tank rupture, the example plant risk management policy dictates that the Mitigated Event Frequency must not exceed a Tolerable Event Frequency of 1×10⁻³ events per year. The LOPA team has also assumed a probability of occupancy of 0.1 for the area surrounding T-300 as the only enabling condition for this scenario.

$$\frac{1 \times 10^{-3}\ \text{per year}}{[1 \times 10^{-1}\ \text{per year}] \times [1 \times 10^{-1}]} = 1.0 \times 10^{-1}$$

Applying Equation 3, the PFDavg of SIF-1 must be less than 1.0×10⁻¹: SIL 1 according to IEC 61511 [1] Part 1 Table 3 for Demand Mode SIFs, and thus not requiring hardware fault tolerance per IEC 61511 [1] Part 1 Table 6.
Table 1 – Low Demand Mode Safety Integrity (from IEC 61511-1:2003 Table 3)

SIL | Target PFDavg    | Target Risk Reduction
1   | ≥10⁻² to <10⁻¹   | >10 to ≤100
2   | ≥10⁻³ to <10⁻²   | >100 to ≤1,000
3   | ≥10⁻⁴ to <10⁻³   | >1,000 to ≤10,000
4   | ≥10⁻⁵ to <10⁻⁴   | >10,000 to ≤100,000

Table 2 – Minimum Fault Tolerance (from IEC 61511-1:2003 Table 6)

SIL | Minimum HFT
1   | 0
2   | 1
3   | 2
4   | (see IEC 61508)

Using simplex components throughout, the following failure rates were collected:

• Remote Diaphragm Seals and Capillaries: 3×10⁻⁷ dangerous failures per hour
• Differential Pressure Transmitter: 8×10⁻⁷ dangerous failures per hour
• Logic Solver System: 9×10⁻⁸ dangerous failures per hour
• Solenoid Valve: 6×10⁻⁷ dangerous failures per hour
• Ball Valve and Actuator: 2×10⁻⁶ dangerous failures per hour

$$\text{Achieved PFD}_{avg} = \sum \frac{\text{Subsystem Dangerous Failure Rate} \times \text{Proof Test Interval}}{2}$$

Equation 4 – Simplified Achieved PFDavg for Low Demand SIFs

$$\left[\frac{1.1 \times 10^{-6}\ \text{per hour} \times 43{,}800\ \text{hours}}{2}\right] + \left[\frac{9 \times 10^{-8} \times 43{,}800}{2}\right] + \left[\frac{2.6 \times 10^{-6} \times 43{,}800}{2}\right] = 8.30 \times 10^{-2}$$

Using the simplest form of the PFDavg equation and assuming only end-to-end proof testing, the SIF achieves a PFDavg of 8.30×10⁻² at a 5-year proof test interval, within the constraints for a Low Demand SIF in this scenario.

HIGH DEMAND MODE

In order to be considered in a High Demand Mode of Operation, the SIF must meet only one basic requirement:

• SIF dangerous failure does not initiate a hazard scenario without subsequent failure in the process or BPCS [1, clause 3.2.43.1].

As with Low Demand Mode, the SIF must act only as a safeguard and its dangerous failure cannot be the cause of a hazard scenario. SIFs that do not meet this requirement should be considered to operate in Continuous Mode. Assuming the above requirement is satisfied, a SIF should be considered in High Demand Mode if either of the two remaining Low Demand Mode criteria is violated; that is, if the SIF has:

• Demand rate greater than once per year [1, Part 1 clause 3.2.43.2], or;
• Demand interval less than twice the proof test interval [4, Annex I].

High Demand Mode requires a significant shift away from the typical assumptions applied to the design and verification of Low Demand Mode SIFs. Before proceeding with the design of a High Demand Mode SIF, it is recommended that the process first be re-examined for the practicality of employing an inherently safer process design with a lower initiating event frequency [4, Annex J].

As SIF demands increase relative to the proof test interval there is a transition where the product of demand rate and PFDavg no longer reasonably approximates the hazard frequency. In some instances, the estimated hazard frequency can exceed the overall dangerous failure frequency of the SIF – something that is impossible in reality. As such, High Demand and Continuous Mode SIFs are verified against a target Frequency of Dangerous Failure (FDF) [1], or average Probability of Dangerous Failure per Hour (PFH) [2], with the understanding that the hazard frequency cannot be greater than the SIF dangerous failure frequency.

Figure 4 – Estimated Hazard Frequency (with 1 year test interval)

More importantly, when demands occur as often as or more often than proof tests, such testing should not be considered effective in uncovering dangerous failures prior to a demand. When the basis for using PFDavg (of which proof test interval is a key component) as a measure of risk reduction has been violated, the actual hazard frequency will be much more directly related to the SIF dangerous failure frequency. For this reason, it may be more appropriate to consider SIFs whose demand interval is less than twice the proof test interval to operate in the High Demand Mode.
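As an added example (not code from the paper), the following Python applies the three Low Demand criteria and Equations 3 and 4 to the SIF-1 example above, and reproduces the point behind Figure 4: the naive estimate of demand rate × PFDavg is capped by the SIF's own dangerous failure frequency. The function names, the 8,760 hours per year constant and the small band tolerance are this example's assumptions; the failure rates, demand rate, Tolerable Event Frequency and occupancy are the paper's.

```python
import math

HOURS_PER_YEAR = 8760.0

# Table 1 (IEC 61511-1:2003 Table 3): Low Demand Mode target PFDavg bands, SIL -> (lower, upper].
LOW_DEMAND_PFDAVG_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}


def sil_for_target(target, bands):
    """Return the SIL whose band the target falls in (lower < target <= upper).

    A tiny relative tolerance keeps decade boundaries (e.g. a computed target of
    0.0999999) in the band the paper assigns them to. Returns None outside the table.
    """
    for sil, (lower, upper) in bands.items():
        if lower * (1 + 1e-9) < target <= upper * (1 + 1e-9):
            return sil
    return None


def mode_of_operation(demand_rate_per_year, proof_test_interval_years,
                      sif_failure_can_initiate_hazard=False):
    """Classify a SIF using the three Low Demand criteria listed in the paper.

    A SIF whose own dangerous failure can initiate the hazard is Continuous Mode
    regardless of demand rate; otherwise it must be demanded no more than once per
    year AND no more often than once per two proof test intervals to be Low Demand.
    """
    if sif_failure_can_initiate_hazard:
        return "Continuous"
    if demand_rate_per_year > 1.0:
        return "High Demand"
    if demand_rate_per_year > 0 and 1.0 / demand_rate_per_year < 2 * proof_test_interval_years:
        return "High Demand"
    return "Low Demand"


def target_pfdavg(tef_per_year, initiating_event_freq_per_year,
                  non_sif_ipl_pfds=(), enabling_probabilities=()):
    """Equation 3: Tolerable Event Frequency / (IEF x non-SIF IPL PFDs x enabling probabilities)."""
    denominator = (initiating_event_freq_per_year
                   * math.prod(non_sif_ipl_pfds) * math.prod(enabling_probabilities))
    return tef_per_year / denominator


def achieved_pfdavg(lambda_d_per_hour, proof_test_interval_years):
    """Equation 4: simplified PFDavg = sum(lambda_D x TI / 2) over simplex subsystems,
    assuming only end-to-end proof testing (no diagnostics, no redundancy)."""
    ti_hours = proof_test_interval_years * HOURS_PER_YEAR
    return sum(lam * ti_hours / 2 for lam in lambda_d_per_hour)


def hazard_frequency_per_year(demand_rate_per_year, lambda_d_per_hour, proof_test_interval_years):
    """The quantity sketched in Figure 4: the naive Low Demand estimate (demand rate x
    PFDavg) against the SIF's total dangerous failure frequency, which the hazard
    frequency cannot exceed. Returns (naive, bounded). Because PFDavg = lambda_D x TI / 2,
    the naive value reaches the dangerous failure frequency when the demand rate equals 2 / TI."""
    naive = demand_rate_per_year * achieved_pfdavg(lambda_d_per_hour, proof_test_interval_years)
    lambda_d_total_per_year = sum(lambda_d_per_hour) * HOURS_PER_YEAR
    return naive, min(naive, lambda_d_total_per_year)


# Failure rates from the paper's SIF-1 (low level in V-100, close XV-101) Low Demand example.
SIF1_LAMBDA_D = [3e-7,   # remote diaphragm seals and capillaries
                 8e-7,   # differential pressure transmitter
                 9e-8,   # logic solver system
                 6e-7,   # solenoid valve
                 2e-6]   # ball valve and actuator


def sif1_low_demand_example(proof_test_interval_years=5):
    """Mode, target PFDavg, SIL and achieved PFDavg for SIF-1 at the given proof test interval."""
    demand_rate = 0.1                     # LV-100 malfunctioning open, approx. 0.1 per year
    mode = mode_of_operation(demand_rate, proof_test_interval_years)
    target = target_pfdavg(1e-3, demand_rate, enabling_probabilities=[0.1])  # occupancy 0.1
    return {
        "mode": mode,
        "target_pfdavg": target,
        "sil": sil_for_target(target, LOW_DEMAND_PFDAVG_BANDS),
        "achieved_pfdavg": achieved_pfdavg(SIF1_LAMBDA_D, proof_test_interval_years),
    }


if __name__ == "__main__":
    print(sif1_low_demand_example())   # Low Demand, target 1.0e-1 (SIL 1), achieved 8.30e-2
    # The same hardware demanded ten times per year with a 1-year test interval: the naive
    # estimate overshoots the dangerous failure frequency and is clipped to it.
    print(hazard_frequency_per_year(10, SIF1_LAMBDA_D, 1))
```

Stretching the proof test interval to 6 years with the same 0.1 per year demand rate moves SIF-1 out of Low Demand Mode, which is the third criterion at work.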
To determine the required safety integrity of a High Demand Mode SIF in terms of PFH, the normal LOPA process must be modified and the sequence of IPLs must be considered. When a SIF genuinely operates in the High Demand Mode, it is likely because one or more initiating events occur very frequently and there are no other effective protection layers that can prevent the hazard prior to activation of the SIF*. If this is true, a dangerous SIF failure is not the initiating event itself; however, we may replace the initiating event frequency with the SIF PFH. This is the same process used with Continuous Mode SIFs, and is the reason why the standards make little distinction between High Demand and Continuous Modes of Operation. Non-SIF IPLs that are designed to act only after a SIF failure, and any scenario enablers and conditional modifiers (all probabilities), may be applied against the Tolerable Event Frequency in events per hour. Because the overall hazardous event frequency from any and all sources of demand (initiating events) cannot exceed the dangerous failure frequency of the SIF, we solve for the maximum tolerable SIF dangerous failure frequency.

$$\text{Mitigated Event Frequency (events per hour)} = \text{SIF PFH} \times \prod \text{Non-SIF IPL PFDs acting after SIF} \times \prod \text{Probabilities of Enabling Events or Conditions}$$

Equation 5 – Mitigated Event Frequency for High Demand & Continuous Mode SIFs

$$\text{Target SIF PFH} = \frac{\text{Tolerable Event Frequency (events per hour)}}{\prod \text{Non-SIF IPL PFDs} \times \prod \text{Enabling Probabilities}}$$

Equation 6 – Target PFH for High Demand & Continuous Mode SIFs

Using Table 4 of IEC 61511 [1] we can determine the SIL of the SIF in High Demand or Continuous Mode and proceed with a design with the appropriate architectural constraints according to IEC 61511 [1] Tables 5 and 6, or IEC 61508 [2] Part 2 Tables 2 and 3.

Recalling that it is the total demand rate that is of interest when determining the SIF Mode of Operation, not simply the initiating event frequency of each scenario in isolation, it is possible that no single cause-consequence scenario will force a SIF into a High Demand Mode on its own. It is important to allot time near the conclusion of the SIL determination process to examine overall SIF demand rates and possibly re-evaluate scenarios where a SIF is found to be operating in the High Demand Mode.

When verifying the PFH target of High Demand SIFs, the usual SIL verification process and assumptions must be modified as well. Because dangerous failures in High Demand Mode SIFs are more likely to be uncovered by a demand than by a proof test, proof testing is considered largely ineffective. Although test interval is a variable considered in the verification of fault tolerant architectures, it is not a mechanism for significantly reducing PFH.

* If a non-SIF IPL is effective in preventing a high frequency hazard prior to activation of the SIF, this IPL should be considered to operate in the High Demand Mode and the SIF would likely fall into the Low Demand Mode. See reference [8] Appendix F for further details on the treatment of IPLs with high initiating event frequencies.
Automatic diagnostics may be credited in High Demand Mode SIFs when the system is configured to move to the safe state in response to a detected dangerous failure, provided the diagnostic interval is significantly less than the expected demand interval (factor of 100 or more [2, Part 2 clause 7.4.5.3]). Diagnostics used to initiate repair rather than immediate safe action may be considered in High Demand Mode applications when fault tolerant redundancy is employed. In these cases, achieved safety integrity is much more sensitive to Mean Time To Restore (MTTR) than in a similar PFDavg calculation, where this factor typically has very low sensitivity. Achieved PFH equations can be found in IEC 61508 [2] Part 6 Annex B.

High Demand Mode Example:

A batch reactor undergoes a 4 hour manual cleaning process following the completion of each batch, once every 28 to 32 hours, up to 250 times per year. At the conclusion of the cleaning operation, all valves and manways must be closed and the reactor purged with nitrogen prior to restarting the process, as the reactants form a highly flammable vapor. An investigation team has been formed following an incident where a manway was not fully sealed and a significant quantity of flammable vapor was released into the reactor enclosure. This is the second such incident in a matter of weeks. The team concludes that existing procedures are adequate but not effective enough in preventing human error, and recommends the addition of an automated pressure test to ensure all valves and manways are sealed prior to charging the reactor. A SIF is designed such that the two fail-closed reactant charge valves are to remain de-energized and closed until the test pressure is satisfied and held for at least three minutes. A successful test allows the process to proceed by energizing the charge valve solenoids, releasing them to BPCS control. A failure aborts the sequence until all equipment can be inspected and retested.

Based on the consequence severity, the example plant risk management policy dictates that the Mitigated Event Frequency must not exceed a Tolerable Event Frequency of 1×10⁻³ events per year. The LOPA team has also assumed a probability of occupancy of 0.1 for the reactor enclosure and a probability of ignition of 0.5. The human error frequency is estimated to be 1×10⁻² per opportunity, with eight manual valves and manways involved in the procedure.

$$\frac{1 \times 10^{-3}\ \text{per year}}{250\ \text{batches per year} \times 8\ \text{valves} \times [1 \times 10^{-2}\ \text{error frequency}] \times [1 \times 10^{-1}\ \text{PFD}] \times 0.5 \times 0.1} = 1.0 \times 10^{-3}$$

Following the normal process for Low Demand Mode SIL determination leads to a surprising result. The SIF would be in the SIL 3 range with a PFDavg target less than 1×10⁻³, a risk reduction factor target greater than 1,000.

Re-examining the scenario, the team recognizes that the estimated Demand Rate of 20 per year places the SIF into the High Demand Mode. Because the hazard cannot occur at a frequency higher than the failure frequency of the SIF, the team determines the PFH target of the SIF as if it were the initiating event.

$$\frac{1 \times 10^{-3}\ \text{per year}}{0.5 \times 0.1 \times \text{approx. } 10{,}000\ \text{hours per year}} = 2.0 \times 10^{-6}$$

Applying Equation 6, the PFH of the permissive SIF must be less than 2.0×10⁻⁶, within the SIL 1 range according to IEC 61511 [1] Part 1 Table 4 for High Demand/Continuous Mode SIFs, and thus not requiring hardware fault tolerance per IEC 61511 [1] Part 1 Table 6.

Table 3 – High Demand & Continuous Mode Safety Integrity (from IEC 61511-1:2003 Table 4)

SIL | Target FDF/PFH (per hour)
1   | ≥10⁻⁶ to <10⁻⁵
2   | ≥10⁻⁷ to <10⁻⁶
3   | ≥10⁻⁸ to <10⁻⁷
4   | ≥10⁻⁹ to <10⁻⁸

Table 2 – Minimum Fault Tolerance (from IEC 61511-1:2003 Table 6)

SIL | Minimum HFT
1   | 0
2   | 1
3   | 2
4   | (see IEC 61508)

The system will be designed with a single pressure transmitter, a single logic solver, and two solenoid valves, both required to de-energize. Valves and actuators are not included, as any dangerous failure allowing measurable leakage will be detected by the pressure test and the sequence will not proceed. The following failure rates were collected:

• Remote Diaphragm Seal and Capillary: 3×10⁻⁷ dangerous failures per hour
• Differential Pressure Transmitter: 8×10⁻⁷ dangerous failures per hour
• Logic Solver System: 9×10⁻⁸ dangerous failures per hour
• Solenoid Valve: 6×10⁻⁷ dangerous failures per hour

$$\text{Achieved SIF PFH} = \sum \text{Subsystem PFH}$$

Equation 7 – Achieved PFH for High Demand and Continuous Mode SIFs

$$\text{Achieved PFH}_{1oo1} = \lambda_D$$

Equation 8 – Simplified Achieved PFH for 1oo1 High Demand and Continuous Mode Subsystems

$$\text{Achieved PFH}_{2oo2} = 2\lambda_D$$

Equation 9 – Simplified Achieved PFH for 2oo2 High Demand and Continuous Mode Subsystems

$$[1.1 \times 10^{-7}] + [9 \times 10^{-8}] + [1.2 \times 10^{-6}] = 1.4 \times 10^{-6}\ \text{per hour}$$
Using simplified failure assumptions, the SIF achieves an overall dangerous failure frequency of 1.4×10⁻⁶ per hour, less than the failure frequency target and within the requirements for a SIL 1 High Demand Mode SIF.

CONTINUOUS MODE

Any SIF whose dangerous failure, or that of any of its components, may initiate a hazard scenario without subsequent failure in the process or BPCS must be considered to operate in the Continuous Mode [1, clause 3.2.43.1]. Upon first thought, some may wonder if a SIF that can initiate its own hazard scenario, or any other hazard scenario for that matter, should be considered a safety function at all. While many simple examples of Continuous Mode SIFs are actually better examples of poor design or inadequate separation of control and safety, there are rare but legitimate applications where Independent Protection Layers are ineffective or impractical to install. In such cases a basic process control loop (normally limited to an initiating event frequency no less than 10⁻⁵ per hour) may be implemented in the SIS and managed as a Safety Instrumented Control Function [1], or what ANSI/ISA 84.91 would describe as a Safety Critical Control [5]. Designing and managing a control loop as a Continuous Mode SIF allows for the reduction of the initiating event frequency (the SIF Frequency of Dangerous Failure) to a tolerable level.

Obviously a design that places the competing priorities of control and safety in a single system should be approached with caution. Just as with High Demand Mode SIFs, it is strongly recommended that alternatives in process design be considered before proceeding with the design of a Continuous Mode SIF. Overall hazardous event frequency can generally be reduced much more simply through multiple diverse protection layers that are completely independent of the initiating event. After due diligence has been done, if a Continuous Mode SIF is found to be the best option, there are additional rules and considerations for design and verification.

To determine the required safety integrity of a Continuous Mode SIF, the normal LOPA process must be modified. Considering that the hazardous condition is always present, there are no sources of demand or demand rate to record. This is because a Continuous Mode SIF does not act as a protection layer, but rather as the initiating event itself. Non-SIF IPLs that are designed to act only after a SIF failure, and any scenario enablers and conditional modifiers (all probabilities), may be applied against the Tolerable Event Frequency in events per hour. Because the overall hazardous event frequency cannot exceed the dangerous failure frequency of the SIF, we solve for the maximum tolerable SIF dangerous failure frequency.
$$\text{Mitigated Event Frequency (events per hour)} = \text{SIF PFH} \times \prod \text{Non-SIF IPL PFDs acting after SIF} \times \prod \text{Probabilities of Enabling Events or Conditions}$$

Equation 5 – Mitigated Event Frequency for High Demand & Continuous Mode SIFs

$$\text{Target SIF PFH} = \frac{\text{Tolerable Event Frequency (events per hour)}}{\prod \text{Non-SIF IPL PFDs} \times \prod \text{Enabling Probabilities}}$$

Equation 6 – Target PFH for High Demand & Continuous Mode SIFs

Using Table 4 of IEC 61511 [1] we can determine the SIL of the SIF in High Demand or Continuous Mode and proceed with a design with the appropriate architectural constraints according to IEC 61511 [1] Tables 5 and 6, or IEC 61508 [2] Part 2 Tables 2 and 3.

SIL verification of Continuous Mode SIFs is performed in much the same way as with High Demand SIFs, but with additional restrictions. The dangerous failure of a Continuous Mode SIF will be self-revealing, directly and often immediately initiating the hazard scenario. Automatic diagnostics may only be considered in very limited circumstances involving fault tolerant redundancy, or when the sum of the diagnostic interval and SIF response time is less than the process safety time [2, Part 2 clause 7.4.5.3]. This restriction may limit the effectiveness of diagnostics in many situations. For this reason, it is often said that diagnostics may not be credited in the verification of Continuous Mode SIF integrity. Test interval is considered in the verification of fault tolerant architectures, but again is not a mechanism for significantly reducing PFH. Achieved PFH equations can be found in IEC 61508 [2] Part 6 Annex B.

Continuous Mode Example:

A centrifugal compressor is equipped with a performance controller that executes a series of complex control routines at very high speed, keeping the compressor operating at maximum efficiency in a wide range of load conditions. Among other things, the control system continuously modulates a recycle valve that allows a portion of the discharge to flow back to the compressor's suction. In the event that the compressor operating point approaches the surge line, the controller will open the recycle valve to prevent catastrophic damage to the compressor. Due to the quantity of measurements, the complexity of the control routines, and the speed at which the evaluations must be made, it is common to combine compressor performance control and certain complex protective functions in a single logic solver system.

The example plant risk management policy considers catastrophic compressor failure to be tolerable at a frequency of no more than 1×10⁻⁴ events per year, as the compressor enclosure is occupied as much as 2 hours per day. The LOPA team has determined that the normal range of operating conditions can induce compressor surge without a failure in the process, meaning that a dangerous failure of the anti-surge control function itself is an initiating event. An independent machinery protection system is capable of shutting down the steam turbine via the trip and throttle valve by measuring shaft displacement at the thrust bearing; however, this is not an SIS and its probability of failure on demand can be no less than 1.0×10⁻¹. The team determines that another automated system would be impractical to install and would not be effective in all scenarios. For this reason the surge control will be considered to be a Continuous Mode SIF, and the performance controller hardware will be designed and managed as an SIS.

$$\frac{1 \times 10^{-4}\ \text{per year}}{[1 \times 10^{-1}] \times [1 \times 10^{-1}] \times \text{approx. } 10{,}000\ \text{hours per year}} = 1.0 \times 10^{-6}\ \text{per hour}$$

Applying Equation 6, the target probability of failure is less than 1.0×10⁻⁶ per hour, or SIL 2 according to IEC 61511 [1] Part 1 Table 4 for Continuous Mode SIFs. SIL 2 will require fault tolerance in each subsystem according to IEC 61511 [1] Part 1 Table 6, or a sufficiently high safe failure fraction according to IEC 61508 [2] Part 2 Tables 2 and 3.
Table 3 – High Demand & Continuous Mode Safety Integrity (from IEC 61511-1:2003 Table 4)

SIL | Target FDF/PFH (per hour)
1   | ≥10⁻⁶ to <10⁻⁵
2   | ≥10⁻⁷ to <10⁻⁶
3   | ≥10⁻⁸ to <10⁻⁷
4   | ≥10⁻⁹ to <10⁻⁸

Table 2 – Minimum Fault Tolerance (from IEC 61511-1:2003 Table 6)

SIL | Minimum HFT
1   | 0
2   | 1
3   | 2
4   | (see IEC 61508)

Table 4 – Architectural Constraints on Type A Safety-Related Subsystems (from IEC 61508-2:2010 Table 2)

Safe Failure Fraction | HFT 0 | HFT 1 | HFT 2
< 60%                 | SIL 1 | SIL 2 | SIL 3
60% – < 90%           | SIL 2 | SIL 3 | SIL 4
90% – < 99%           | SIL 3 | SIL 4 | SIL 4
≥ 99%                 | SIL 3 | SIL 4 | SIL 4

Table 5 – Architectural Constraints on Type B Safety-Related Subsystems (from IEC 61508-2:2010 Table 3)

Safe Failure Fraction | HFT 0 | HFT 1 | HFT 2
< 60%                 | N/A   | SIL 1 | SIL 2
60% – < 90%           | SIL 1 | SIL 2 | SIL 3
90% – < 99%           | SIL 2 | SIL 3 | SIL 4
≥ 99%                 | SIL 3 | SIL 4 | SIL 4

The system will be designed with 1oo2 voted flow sensors (Type B, SFF > 60%, 10% Beta), a single logic solver (Type B, SFF > 90%), and a single valve assembly (Type A, SFF > 60%) with a 5 year test interval. The following failure rates were collected:

• Impulse Lines: 4×10⁻⁷ dangerous failures per hour
• Differential Pressure Transmitter: 8×10⁻⁷ dangerous failures per hour
• Logic Solver System: 9×10⁻⁸ dangerous failures per hour
• Digital Valve Controller: 4×10⁻⁷ dangerous failures per hour
• Anti-Surge Valve and Actuator: 3×10⁻⁷ dangerous failures per hour

$$\text{Achieved SIF PFH} = \sum \text{Subsystem PFH}$$

Equation 7 – Achieved PFH for High Demand and Continuous Mode SIFs

$$\text{Achieved PFH}_{1oo2} = 2\left[(1 - \beta)\lambda_D\right]^2 \left[\frac{\text{Test Interval}}{2}\right] + \beta\lambda_D$$

Equation 10 – Simplified Achieved PFH for 1oo2 High Demand and Continuous Mode Subsystems

$$[1.71 \times 10^{-7}] + [9 \times 10^{-8}] + [7 \times 10^{-7}] = 9.61 \times 10^{-7}\ \text{per hour}$$

Using very simplified failure assumptions, the SIF achieves an overall dangerous failure frequency of 9.61×10⁻⁷ per hour, less than the failure frequency target and within the requirements for a SIL 2 Continuous Mode SIF.

DEVICE SELECTION AND MECHANICAL INTEGRITY

A Mechanical Integrity program is a fundamental element of an overall process safety management system. Long-term safety depends on continuous and proactive inspection, preventive maintenance, and functional testing, promoting the ongoing performance of equipment involved in the processing and storage of hazardous materials. SIS and SIF Mechanical Integrity planning begins in the design phase with proper device selection, the specification of appropriate inspection and testing intervals, the development of specific inspection and testing procedures, and training for the personnel carrying out these procedures over the life of the plant.

Due to the prevalence of Low Demand Mode SIFs, the majority of IEC 61508 certified instruments may provide failure rate data appropriate only for Low Demand applications. Selection of instrumentation in more frequent or continuous use presents a challenge for High Demand and Continuous Mode SIFs, particularly with final elements, as the failure characteristics and the definition of useful life will most certainly be different.
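As an added example (not the paper's own code), this Python carries the anti-surge Continuous Mode example through Equation 6, Table 3, Equations 7, 8 and 10 and the IEC 61508-2 architectural constraint tables (Tables 4 and 5), and recomputes the batch reactor permissive's PFH target from the High Demand example. It assumes the paper's rounded 10,000 hours per year for the target conversion, 8,760 hours per year for the 1oo2 test interval, and takes each "SFF > x%" at the lower edge of its band; the function names are this example's.

```python
import math

# Table 3 (IEC 61511-1:2003 Table 4): High Demand / Continuous Mode target PFH bands,
# SIL -> (lower, upper] in dangerous failures per hour.
PFH_BANDS = {1: (1e-6, 1e-5), 2: (1e-7, 1e-6), 3: (1e-8, 1e-7), 4: (1e-9, 1e-8)}
# Table 2 (IEC 61511-1:2003 Table 6): minimum hardware fault tolerance per SIL (SIL 4: see IEC 61508).
MIN_HFT = {1: 0, 2: 1, 3: 2}
# Tables 4 and 5 (IEC 61508-2:2010 Tables 2 and 3): maximum SIL claimable for a subsystem.
# Rows: SFF < 60%, 60-<90%, 90-<99%, >= 99%; columns: HFT 0, 1, 2. A 0 entry means "N/A".
TYPE_A_MAX_SIL = [[1, 2, 3], [2, 3, 4], [3, 4, 4], [3, 4, 4]]
TYPE_B_MAX_SIL = [[0, 1, 2], [1, 2, 3], [2, 3, 4], [3, 4, 4]]
HOURS_PER_YEAR_APPROX = 10_000.0   # the paper's rounded per-year to per-hour conversion
HOURS_PER_YEAR = 8760.0


def sil_for_target(target, bands):
    """SIL whose band the target falls in (lower < target <= upper); None outside the table.
    The tiny tolerance keeps a computed 9.999e-7 in the SIL 2 band, as the paper assigns it."""
    for sil, (lower, upper) in bands.items():
        if lower * (1 + 1e-9) < target <= upper * (1 + 1e-9):
            return sil
    return None


def max_sil_by_architecture(device_type, sff, hft):
    """Architectural constraint lookup: the highest SIL a subsystem may claim given its
    type ("A" or "B"), safe failure fraction (0..1) and hardware fault tolerance."""
    row = 0 if sff < 0.60 else 1 if sff < 0.90 else 2 if sff < 0.99 else 3
    table = TYPE_A_MAX_SIL if device_type == "A" else TYPE_B_MAX_SIL
    return table[row][min(hft, 2)]


def target_pfh(tef_per_year, non_sif_ipl_pfds_after_sif=(), enabling_probabilities=(),
               hours_per_year=HOURS_PER_YEAR_APPROX):
    """Equation 6: the SIF's dangerous failure frequency plays the initiating event, so only
    IPLs acting AFTER the SIF and the enabling probabilities divide the hourly TEF."""
    tef_per_hour = tef_per_year / hours_per_year
    return tef_per_hour / (math.prod(non_sif_ipl_pfds_after_sif) * math.prod(enabling_probabilities))


def pfh_1oo1(lambda_d):
    """Equation 8: a simplex subsystem fails dangerously at its dangerous failure rate."""
    return lambda_d


def pfh_2oo2(lambda_d):
    """Equation 9: both channels must act, so either channel's dangerous failure fails the subsystem."""
    return 2 * lambda_d


def pfh_1oo2(lambda_d, beta, test_interval_years):
    """Equation 10: redundant 1oo2 subsystem. The independent term needs both channels failed
    within one test interval; the common-cause term (beta) is not reduced by redundancy."""
    ti_hours = test_interval_years * HOURS_PER_YEAR
    return 2 * ((1 - beta) * lambda_d) ** 2 * (ti_hours / 2) + beta * lambda_d


def achieved_pfh(subsystem_pfhs):
    """Equation 7: the SIF's PFH is the sum over its subsystems."""
    return sum(subsystem_pfhs)


def anti_surge_example():
    """The paper's Continuous Mode example: compressor anti-surge control managed as a SIF."""
    # Target: TEF 1e-4 per year; machinery protection trip (PFD 0.1) acts after the SIF; occupancy 0.1.
    target = target_pfh(1e-4, non_sif_ipl_pfds_after_sif=[0.1], enabling_probabilities=[0.1])
    sil = sil_for_target(target, PFH_BANDS)
    # Achieved: 1oo2 DP transmitters with impulse lines (beta 10%, 5 year test), 1oo1 logic
    # solver, 1oo1 digital valve controller plus anti-surge valve and actuator.
    subsystems = [
        pfh_1oo2(4e-7 + 8e-7, beta=0.10, test_interval_years=5),
        pfh_1oo1(9e-8),
        pfh_1oo1(4e-7 + 3e-7),
    ]
    achieved = achieved_pfh(subsystems)
    # Architectural constraints per IEC 61508-2: sensors Type B, HFT 1, SFF > 60%;
    # logic solver Type B, HFT 0, SFF > 90%; valve assembly Type A, HFT 0, SFF > 60%.
    arch_max_sils = [max_sil_by_architecture("B", 0.60, 1),
                     max_sil_by_architecture("B", 0.90, 0),
                     max_sil_by_architecture("A", 0.60, 0)]
    return {
        "target_pfh": target,
        "sil": sil,
        "achieved_pfh": achieved,
        "meets_target": achieved < target,
        "architecture_ok": all(s >= sil for s in arch_max_sils),
        # The IEC 61511 Table 6 route alone would need HFT 1 in every subsystem.
        "hft_route_ok": all(h >= MIN_HFT[sil] for h in (1, 0, 0)),
    }


if __name__ == "__main__":
    print(anti_surge_example())   # target 1.0e-6 (SIL 2), achieved 9.61e-7, SFF route satisfied
    # The batch reactor permissive (TEF 1e-3 per year, ignition 0.5, occupancy 0.1): 2.0e-6, SIL 1.
    print(target_pfh(1e-3, enabling_probabilities=[0.5, 0.1]))
```

The returned flags separate the two routes the paper mentions for SIL 2: the single logic solver and single valve fail the IEC 61511 Table 6 fault tolerance route but pass the IEC 61508-2 safe failure fraction route.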
Always consult Safety Manuals and other manufacturer documentation for any devices under consideration to ensure they are intended for use in the required service, and that all of the manufacturer's requirements can be addressed in the design and mechanical integrity plan. When certified devices are not available, a proven-in-use justification should carefully consider differences in application and frequency of operation.

In Low Demand SIFs, aside from the dangerous failure rate itself, proof test interval is the variable that has the largest impact on achieved safety integrity. For this reason the SIL verification frequently becomes the deciding factor in how often each device must be tested and what on-line testing facilities must be included in the design. Unlike Low Demand Mode SIFs, such an interval is not always considered in the PFH calculation for High Demand and Continuous Mode SIFs. This does not suggest, however, that High Demand and Continuous Mode devices are free to operate indefinitely without preventive maintenance. Periodic inspection, functional testing, and restoration to new or like-new condition must be regarded as basic requirements for SIFs of all operating modes, and all devices must be operated within their useful life, where random failures can be assumed to occur at a constant rate.

Keep in mind that Low Demand Mode assumes that dangerous failures are more likely to be uncovered by a proof test than by a demand (i.e. the mean demand interval is at least twice the proof test interval). If online testing and repair cannot take place according to the assumptions made during the analysis phase, the SIF Mode of Operation may need to be reconsidered.

Finally, as demands are more likely to arise, Mean Time To Restore (MTTR) becomes a much more critical variable in the achieved safety integrity. Not only may the quantity of spare parts need to be adjusted to ensure timely replacement of faulty devices, but so may the training of maintenance personnel and the methods for identification of priorities. For further information and recommended practices regarding SIS Mechanical Integrity, refer to ISA Technical Report TR84.00.03 [7].

KEY TAKE-AWAYS

• Demand Rate must be estimated prior to determination of target safety integrity; the determination method and the measure of safety integrity change as demand rate increases.
• PFDavg cannot be converted to PFH, or vice-versa. These metrics are completely unrelated, as different assumptions and variables are involved in both the determination of the integrity target and the verification of achieved integrity.
 Achieved PFH in the High Demand Mode is not necessarily equal to achieved PFH in the Continuous Mode. Different assumptions and variables may be involved in the verification of achieved integrity.  Purely qualitative SIL determination methodologies may not adequately address SIF Demand Rates.  The LOPA methodology based on the Event Tree analysis technique is capable of addressing the sequence of protection layer demands, providing a mechanism for greater precision in demand rate assessments. The sequence of IPLs may be considered in Demand Rate assessments if sufficient data is available to support estimation of the overall process safety time and the available response time allocated to each protection layer.
- SIL determination techniques do not readily account for dependencies between initiating events and protection layers. Failure to fully separate BPCS and SIS instrumentation may inadvertently place a SIF into the Continuous Mode [1, Part 1 clauses 11.2.10; 3.2.43.2].
- Demand Rates should be monitored and analyzed to validate assumptions made during the Hazard and Risk Assessment and SIL determination stages. Investigating the causes and frequencies of safety system demands is key to the continuous improvement of a safety management system [1, Part 1 clause 5.2.5].
- The meanings of Low Demand, High Demand, and Continuous Modes of SIF Operation must be understood by process risk analysts, design engineers, unit operators, and maintenance personnel.
- Just as with Safety Integrity Level, the Mode of Operation is applied to the SIF in its entirety and not to individual components.
- Safety Instrumented Functions are completely customized for each application; there can be no single collection of predetermined requirements. Design constraints and mechanical integrity practices must be determined in the context of the process and the process risk, of which Demand Rate is a key consideration.

CONCLUSIONS

Many of us more readily associate Safety Integrity Levels with the severities of the particular consequences SIFs are designed to prevent. This is of course only half of the equation, as risk is the product of consequence severity and likelihood. Hazard scenarios may require risk reduction not only due to high consequence severity, but also due to a high frequency of occurrence. The ratio of demand interval to proof test interval is of critical importance in assigning the appropriate SIF Mode of Operation and determining the applicable measure of safety integrity.
Ever-increasing safety and economic targets place competing pressures on plants and projects to design SIFs that provide for greater risk reduction, extended proof test intervals, and tighter integration with the BPCS. While the overwhelming majority of SIFs are assumed to be operating in the Low Demand Mode of Operation, the criteria that allow this to be true cannot be overlooked in favor of expedience or convenience. Improperly estimating demand rates can result in incorrect specification and verification of safety integrity, which is the basis for many subsequent decisions in the SIS design process. Long-term mechanical integrity may also suffer due to improperly selected field devices and inappropriate maintenance practices, ultimately resulting in over-confidence that risk tolerance targets are being achieved and sustained over time. To combat these effects, careful and conservative demand rate estimation should take a more prominent role in the determination of SIF integrity requirements.
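The key take-aways above call for demand rates to be monitored against the assumptions made during SIL determination, and for the Low Demand criterion (mean demand interval at least twice the proof test interval) to be re-checked. The following is an added example, not code from the paper or from aeSolutions, showing one way to do that check from an operating record of actual demands. The SIF tag, the demand timestamps, the assumed LOPA demand rate and the proof test interval are all constructed; the classification applies the paper's stated interval ratio together with the one-demand-per-year upper bound that IEC 61511:2003 and IEC 61508 place on Low Demand Mode, and it does not attempt to separate High Demand from Continuous Mode, which depends on process safety time.

```python
"""Demand-rate monitoring check for a Safety Instrumented Function.

Added example (not the paper's code): re-evaluates the LOPA demand-rate
assumption and the Low Demand criterion from a record of actual demands.
All names and values below are constructed for illustration.
"""
from datetime import datetime

# Constructed demand record for a hypothetical SIF (tag "SIF-101" is a
# placeholder): timestamps of genuine process demands on the function, taken
# from an assumed trip log. Spurious trips and proof tests are excluded.
DEMAND_RECORD = [
    "2018-03-02T06:40:00",
    "2019-01-17T23:05:00",
    "2019-08-09T14:22:00",
    "2020-02-28T03:51:00",
    "2020-11-15T19:30:00",
    "2021-04-06T10:12:00",
]

# Constructed analysis-phase assumptions for the same hypothetical SIF.
ASSUMED_DEMAND_RATE_PER_YEAR = 0.1   # LOPA assumption: one demand per ten years
PROOF_TEST_INTERVAL_YEARS = 1.0      # proof test interval from the SRS

HOURS_PER_YEAR = 8760.0


def observed_demand_rate(record, window_start, window_end):
    """Demands per year observed over the window [window_start, window_end]."""
    start = datetime.fromisoformat(window_start)
    end = datetime.fromisoformat(window_end)
    window_years = (end - start).total_seconds() / 3600.0 / HOURS_PER_YEAR
    if window_years <= 0:
        raise ValueError("observation window must have positive length")
    demands = [datetime.fromisoformat(t) for t in record]
    in_window = [d for d in demands if start <= d <= end]
    return len(in_window) / window_years


def mean_demand_interval_years(demand_rate_per_year):
    """Mean interval between demands; infinite if no demands occur."""
    if demand_rate_per_year == 0:
        return float("inf")
    return 1.0 / demand_rate_per_year


def mode_of_operation(demand_rate_per_year, proof_test_interval_years):
    """Classify Mode of Operation.

    Low Demand requires the paper's stated criterion (mean demand interval at
    least twice the proof test interval) and the standards' upper bound of no
    more than one demand per year. Everything else is reported as
    "High Demand / Continuous"; separating those two modes needs the process
    safety time, which this example does not model.
    """
    interval = mean_demand_interval_years(demand_rate_per_year)
    if demand_rate_per_year <= 1.0 and interval >= 2.0 * proof_test_interval_years:
        return "Low Demand"
    return "High Demand / Continuous"


def validate_assumptions(record, window_start, window_end,
                         assumed_rate, proof_test_interval):
    """Compare the observed demand rate with the LOPA assumption and re-check mode.

    Returns the observed rate, the assumed and observed modes, and findings
    that warrant revisiting the SIL determination and SIL verification.
    """
    observed = observed_demand_rate(record, window_start, window_end)
    assumed_mode = mode_of_operation(assumed_rate, proof_test_interval)
    observed_mode = mode_of_operation(observed, proof_test_interval)
    findings = []
    if observed > assumed_rate:
        findings.append(
            f"observed demand rate {observed:.2f}/yr exceeds assumed "
            f"{assumed_rate:.2f}/yr; revisit initiating event frequencies")
    if observed_mode != assumed_mode:
        findings.append(
            f"mode of operation changes from {assumed_mode} to {observed_mode}; "
            f"PFDavg-based verification may no longer apply")
    return {
        "observed_rate_per_year": observed,
        "assumed_mode": assumed_mode,
        "observed_mode": observed_mode,
        "findings": findings,
    }


if __name__ == "__main__":
    result = validate_assumptions(DEMAND_RECORD, "2018-01-01T00:00:00",
                                  "2022-01-01T00:00:00",
                                  ASSUMED_DEMAND_RATE_PER_YEAR,
                                  PROOF_TEST_INTERVAL_YEARS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against the constructed record, the observed rate (about 1.5 demands per year over four years) exceeds the assumed 0.1 per year and moves the function out of Low Demand Mode, which is exactly the situation the paper warns about: a SIF verified with PFDavg whose operating history no longer supports the assumptions behind that measure.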
REFERENCES

[1] IEC 61511:2003. Functional safety – Safety instrumented systems for the process industry sector, Parts 1–3. Geneva: International Electrotechnical Commission, 2003; or ANSI/ISA-84.00.01-2004 (IEC 61511 Mod). Functional Safety: Safety Instrumented Systems for the Process Industry Sector, Parts 1–3. Research Triangle Park: Instrumentation, Systems, and Automation Society, 2004.
[2] IEC 61508:2010. Functional safety of electrical/electronic/programmable electronic safety-related systems, Parts 1–7, Edition 2.0. Geneva: International Electrotechnical Commission, 2010.
[3] Committee Draft IEC 61511 edition 2. Functional safety – Safety instrumented systems for the process industry sector, Parts 1–3. Geneva: International Electrotechnical Commission, 2012.
[4] ISA-TR84.00.04-2011. Guidelines for the Implementation of ANSI/ISA-84.00.01-2004 (IEC 61511 Mod). Research Triangle Park: International Society of Automation, 2011.
[5] ANSI/ISA-84.91.01-2012. Identification and Mechanical Integrity of Safety Controls, Alarms, and Interlocks in the Process Industry. Research Triangle Park: International Society of Automation, 2012.
[6] ISA-TR84.00.02-2002. Safety Instrumented Functions (SIF) – Safety Integrity Level (SIL) Evaluation Techniques. Research Triangle Park: International Society of Automation, 2002.
[7] ISA-TR84.00.03-2011. Mechanical Integrity of Safety Instrumented Systems (SIS). Research Triangle Park: International Society of Automation, 2011.
[8] Layer of Protection Analysis: Simplified Process Risk Assessment. New York: Center for Chemical Process Safety of the American Institute of Chemical Engineers, 2001.
[9] Henley, Ernest J. and Hiromitsu Kumamoto. Reliability Engineering and Risk Assessment. New York: Prentice-Hall, 1981.