- The document discusses how the demand rate and mode of operation of a safety instrumented function (SIF) impacts its design, verification, and maintenance according to industry standards.
- A SIF is considered "low demand" if its demand rate is less than once per year, it cannot directly initiate a hazardous event on its own, and the demand interval is at least twice the proof test interval.
- The expected demand rate of a SIF, which is the frequency at which process conditions will require it to operate, is important to consider throughout the safety lifecycle but can be difficult to precisely estimate.
SIS “Final Element” Diagnostics Including The SOV, Using A Digital Valve Cont... (Emerson Exchange)
This document discusses using a digital valve controller to improve diagnostics and testing of safety instrumented system (SIS) final control elements. Traditional testing methods are difficult and costly. A digital valve controller allows for partial stroke testing online which improves reliability while reducing costs. It also enables solenoid valve health monitoring and diagnostic capabilities. Field experience from Ras Gas in Qatar demonstrated benefits like reduced labor and improved predictive maintenance through signature-based testing and continuous monitoring.
Pressure Relief Valve Sizing for Single Phase Flow (Vikram Sharma)
This presentation file provides a quick refresher to pressure relief valve sizing for single phase flow. The calculation guideline is as per API Std 520.
Juan Pablo Hernández presented information on control valve sizing for compressible fluids. Control valves are used to meet process conditions and product quality specifications. Three methods for sizing control valves were compared: hand made calculations, Fisher software, and Aspen Hysys simulation. All three methods produced similar results for the example case of sizing a control valve for superheated steam. However, the Fisher software was identified as the preferred method due to providing reliable sizing in less time compared to hand calculations.
Valves operation and functions complete guide (Elsayed Amer)
Eng. El Sayed Amer is a senior process and production engineer at Suez Oil Co. He has worked as a drilling and completion engineer for Weatherford drilling international. He is also an instructor for oil and gas courses. He is a member of several professional engineering organizations and certified in process modeling and reservoir simulation software. He has expertise in valves technology and operations in the process industry.
Shared Field Instruments in SIS: Incidents Caused by Poor Design and Recommen... (Kenexis)
Even though the ISA 84 standard for Safety Instrumented Systems has been in use since 1996, there is still a lot of confusion about a key attribute of good SIS design – specifically separation of basic process control systems (BPCS) and safety instrumented systems (SIS). It could be argued that newer versions of SIS standards have further complicated the issue by specifically allowing combined safety and BPCS applications, given that certain requirements are met. The objective of the standard is not to enforce a complete separation between the systems but to either:
1) prevent a single point of failure from both creating a demand to the SIS to activate while simultaneously preventing the SIS from performing its critical action; or,
2) ensure that the frequency of this sort of single point of failure is low enough that tolerable risk goals are not violated.
The requirements for when sharing BPCS and SIS equipment is acceptable that are presented in the most recent version of the SIS functional safety standard (i.e., ISA 84.00.01-2004 – IEC 61511 Mod) are complex, confusing, and often misunderstood or simply ignored. Understanding when sharing is acceptable and when it is not is further complicated by the fact that it is a multi-disciplinary effort, requiring knowledge not only of the instrumentation itself, but also of the process to which the equipment is connected. In fact, knowledge of the process and how it responds to BPCS failures is much more important. Verification that sharing BPCS and SIS equipment is acceptable thus requires a detailed analysis of all of the failure modes of the shared equipment along with an assessment of how each of those failure modes affects the process under control.
This document provides a running procedure for installing a Transformer R7 wellhead system. It includes 11 stages of the installation process with detailed steps for each stage. The stages include site preparation, installing the casing head, installing additional components like the drilling adapter, testing the BOP stack, running casing, installing the packoff and casing head cap, and installing the tubing spool. Dimensional drawings and a bill of materials are provided.
This document discusses pressure relief systems, which are critical in the chemical process industries to safely handle overpressurization. It describes causes of overpressurization, types of safety valves and rupture disks used for relief, and components of open and closed pressure relief systems. Open systems vent non-hazardous gases to the atmosphere, while closed systems route flammable gases through flare headers and knockout drums to be burned in a flare stack. The document provides example calculations for sizing relief valves, piping, and other components to ensure systems can safely relieve pressure without resealing valves.
Australian Pipeline Valve (APV) complies with API-6A technical specifications for oil and gas valves. The document provides an overview of API-6A standards including:
a) Pressure and temperature ratings for APV valves from 2,000 psi to 15,000 psi and ratings L to Y.
b) Material classes from AA to HH and Product Specification Levels 1 to 4.
c) Charts showing minimum PSL requirements based on factors like pressure, H2S exposure.
d) Descriptions of trim types for applications like sour gas, water, and temperature ranges.
Production optimization using gas lift technique (Jarjis Mohammed)
After the drilling has been completed, the tubing set and the well completed successfully, petroleum engineers often find that the hydrocarbon fluid will not lift from the bottom hole to the surface under its reservoir drives alone, which are mainly gas cap or water drive. Put simply, the gas lift technique reduces the density of the hydrocarbon fluid inside the well by injecting compressed gas, so that the fluid can be lifted to the surface.
The document discusses the process of installing and testing a wellhead flange. It involves leveling the flange, attaching it to the casing via welding or other connections, testing the welds, running casing and setting the hanger, testing the blowout preventers with a wear bushing, and continuing drilling operations while following proper procedures to install subsequent casing, tubing, and the tree assembly. Safety testing is conducted throughout the process.
Production tubing is installed in oil and gas wells to allow hydrocarbons to flow from the reservoir to the surface while protecting the casing from reservoir fluids. Tubing is specified based on its size, length, grade, and connection type. Common tubing sizes range from 2-3/8" to 4-1/2" in diameter. Tubing joints are typically 20-48 feet in length. Tubing grade depends on the application and is chosen based on strength, corrosion resistance, and availability. Connections can be either upset or non-upset threaded types.
This document summarizes API STD 521 Part-I, which provides guidance on overpressure protection for refinery equipment. It discusses overpressure causes and protection philosophies. It also lists the minimum recommended contents for relief system designs and flare header calculations. These include analyzing overpressure causes, operating conditions, relief device sizing, and documentation of simulation inputs and outputs. Various overpressure causes are outlined, such as closed outlets, absorbent or cooling failures, accumulation of non-condensables, abnormal heat input, explosions, and depressurizing. Protection measures against these causes like relief valves, rupture disks, and explosion prevention are also mentioned.
The document summarizes the basics of pressure relief devices, including why they are required, common components, classification and types. It provides examples of relief scenarios and causes of overpressure. The key steps in relief device sizing calculations are outlined. An example calculation is shown for checking the adequacy of installed relief devices for a reactor system during an emergency relief scenario involving an external fire.
This document provides information on wireline equipment used to lower tools into wells. It describes typical wireline units, pressure control equipment like stuffing boxes, lubricators, tool traps, wireline blowout preventers (BOPs), and their components and functions. The goal of the pressure control equipment is to allow tools to enter the well while containing pressure and preventing leaks.
Well Testing Surface safety Valve (SSV), Well Test Valves - WOM Group (womgroup)
WOM offers a Well Testing Surface Safety Valve (SSV) with hydraulic or pneumatic actuator and crossovers with union or hub end connections for easy connection in the field.
The document provides information on various wellbore equipment manufactured by Parveen including:
- Measuring line stuffing boxes that seal around wirelines and incorporate a blow out plug for safety.
- Line wipers used to wipe wirelines when removed from wells.
- Grease injection control heads that inject grease to create a seal around braided lines.
- Lubricator risers that allow wirelines to be raised above wellhead valves.
- Blowout preventers available in manual or hydraulic models in various configurations to provide protection during wireline operations.
Safety is the most important factor in designing a process system. Some undesired conditions might happen leading to damage in a system. Control systems might be installed to prevent such conditions, but a second safety device is also needed. One kind of safety device which is commonly used in the processing industry is the relief valve. A relief valve is a type of valve to control or limit the pressure in a system by allowing the pressurised fluid to flow out from the system.
The document discusses pressure relief devices. It covers objectives which include understanding relief events, pressure relief devices, codes and standards, terminology, types of pressure relief valves, sizing, rupture disks, and inspection/testing. It describes relief events as processes to prevent overpressure. Pressure relief devices include pressure relief valves, rupture disks, and pressure/vacuum relief valves, which safeguard against over/under pressure hazards. Codes and standards for selection and sizing are also discussed.
This document provides information about side sliding doors (SSDs), including:
1) SSDs are also known as sliding sleeves that provide controlled communication between the tubing and casing annulus.
2) SSDs can be used for applications like fluid displacement, well killing, gas lifting, and chemical injection by opening or closing ports between the annulus and tubing.
3) SSD sleeves can be shifted using wireline methods, coiled tubing methods, pressure darts, or differential pressure application to the annulus.
This document discusses well intervention techniques using coiled tubing. It describes coiled tubing as a continuously milled tubular product that is straightened before insertion into the wellbore. The main types of well intervention discussed are pumping, slickline, snubbing, workover, and coiled tubing. It provides details on the components and functions of a coiled tubing unit, including the reel, injector head, control cabin, power pack, blowout preventer, stripper, and bottom hole assembly.
MTI Field Guide to Inspection of FRP Pipes Osama Lari
This document provides guidance on inspecting fiber reinforced plastic (FRP) equipment and piping. It describes common types of damage such as mechanical cracks, chemical deterioration, environmental exposure, and fabrication defects. The document outlines how to prepare for an FRP inspection, including reviewing equipment history, safety considerations, and training. It also includes pictorial examples of different damage types to aid visual identification. The goal is to help inspectors perform FRP equipment assessments even without prior experience in the material.
We are all familiar with the production systems through which reservoir fluids flow to reach our processing facilities. This is a journey characterized by complex multiphase flow phenomena that govern pressure and temperature changes along the way. A monumental amount of research and development work has been invested towards better understanding multiphase flow behavior over the past fifty years. Yet, many challenges remain as we strive to optimize ever more complex production systems fraught with difficult flow assurance issues. Just how good is the science? And more importantly, how does this impact our bottom line? This lecture will discuss key concepts of multiphase flow leading to the current “state-of-the-art” models used today. Looking towards the future, the science must be advanced to address areas of greatest uncertainty and align with trends in field development strategies. Recommendations will be presented covering the top 5 areas of research necessary for these purposes. The economic impact of multiphase operations will be illustrated using two examples that provide insight towards maximizing asset value.
Mack Shippen is a Principal Engineer with Schlumberger in Houston, where he is responsible for the global business of the PIPESIM multiphase flow simulation software. He has extensive experience in well and network simulation studies, ranging from flow assurance to dynamic coupling of reservoir and surface simulation models. He has served on a number of SPE committees and chaired the SPE Reprint Series on Offshore Multiphase Production Operations. He holds BS and MS degrees in Petroleum Engineering from Texas A&M University, where his research focused on multiphase flow modelling.
The document provides information about pressure relief devices and safety valve testing procedures. It discusses what pressure relief devices are, common types like safety valves and pressure relief valves, and their key characteristics such as set pressure, overpressure tolerance, and blowdown percentage. It also outlines safety valve testing procedures like verifying the set pressure, repeatability testing, seat tightness testing, shell testing, and bellows integrity testing. Specifications for testing tolerances on set pressure at different temperature ranges are also presented.
The document discusses various components used in surface wellhead systems, including casing heads, casing spools, tubing heads, tubing hangers, valves, and trees. It describes the purpose and features of different types of casing hangers, casing spools, tubing heads, tubing head adapters, valves, and trees. The document is a presentation about surface wellhead components provided by Amr Haggag.
The document discusses various scenarios that could lead to overpressure in vessels and equipment and the procedures to calculate the size of pressure safety valves (PSVs) to prevent overpressure. It describes scenarios like closed outlets, external fires, failure of automatic controls, hydraulic expansion, heat exchanger tube ruptures, power failures, and more. It provides methods to calculate the relief rates needed for PSVs using equations, charts, and procedures outlined in design codes like ASME and API standards. The goal is to size PSVs correctly to ensure accumulated pressure stays below the maximum allowable to maintain safety.
1) The document discusses various types of offshore oil and gas production facilities including fixed platforms, tension leg platforms, semi-submersibles, and FPSOs.
2) It provides details on the key components and processes involved in offshore drilling and production such as wellheads, Christmas trees, separation, compression, and storage.
3) FPSOs are described as floating facilities that perform processing of production fluids to separate oil, gas, and water and include storage tanks for offloading to tankers.
This document explains Safety Integrity Levels (SIL) which are used to quantify safety requirements for Safety Instrumented Systems. It discusses what SIL is, the four SIL levels and their required reliability, how SIL ratings are determined through a risk assessment process, and how hazards are protected against through a layered approach. The document also outlines the SIL life cycle including design, realization, and operation phases, how equipment failures can occur, and how a Safety Instrumented Function's performance is quantified through its Probability of Failure on Demand. It provides information on how components like actuators can be certified as "suitable for use" at a given SIL level and the role of proof and diagnostic testing.
Safety is an important consideration in process design. Safety integrity level (or SIL) is often used to describe process safety requirements. However, there are often misconceptions or misunderstandings surrounding SIL. While the general subject, functional safety and SIL, can be highly technical, the general ideas can be distilled down to a few readily understandable concepts. In this paper, we will discuss what SIL is, why it is important, what certification means, and the implications and benefits of that certification to the end user.
Regulatory modifications have raised important issues in design and use of industrial safety systems. Certain changes in IEC 61508, now being widely implemented, mean that designers and users who desire full compliance must give new consideration to topics such as SIL levels and the transition to new methodologies.
LOPA (Layers of Protection Analysis) is a technique used to evaluate risks from accident scenarios by estimating the likelihood and consequences of accidents, and determining if sufficient safety measures exist. It involves identifying scenarios, determining initiating event frequencies, identifying independent protection layers (IPLs) and their probability of failure, estimating risks, and comparing to a company's tolerable risk criteria. The key steps are: 1) identifying scenarios, 2) determining initiating event frequencies, 3) identifying IPLs and their failure probabilities, 4) estimating scenario risks, and 5) comparing risks to tolerability criteria.
The combustion process has always been considered having the potential for a hazardous event which could lead to personnel injury or loss of production. To mitigate this risk, the process industry is now implementing Safety Instrumented Systems which can identify hazardous operating conditions and correctly respond in such a way to bring the combustion process back to a safe operating condition or implement an automatically controlled shutdown sequence to reduce the risk of operator error causing a catastrophic event. Oxygen and combustible flue gas analyzers are now being utilized in these combustion Safety Instrumented Systems (SIS) to identify hazardous operating conditions and automatically return the process to a safe state. The standards of IEC 61511 and API RP 556 will be reviewed as they apply to flue gas analyzers, as well as the process variables of the oxygen and combustible analyzer available for implementation into the SIS system for combustion monitoring, and the resultant actions required to return the process to a safe condition.
This document discusses Safety Integrity Level (SIL) and how it is used to quantify safety in industrial processes. It provides background on the development of international safety standards and defines key terms like SIL, Safety Instrumented Functions (SIF), Probability of Failure on Demand (PFD), and Safe Failure Fraction (SFF). The document explains how hazards analysis is used to determine target SIL levels for safety systems and instrumentation. It also outlines methods for evaluating SIL, including Failure Modes and Effects Analysis (FMEDA) and proven in use testing. Overall, the document provides a comprehensive overview of applying SIL standards to ensure safety in industrial control systems.
Reliability Instrumented System | Arrelic Insights Arrelic
An approach that strays from the conventional, coupled with
consistency, enables us to contribute to the company's overall
growth and success.
This Insights talks about RIS Process and applications
This document provides an introduction to Layer of Protection Analysis (LOPA) and Safety Instrumented Systems (SIS). LOPA is a semi-quantitative risk assessment tool that is used to evaluate existing high risks and identify Independent Protection Layers (IPLs) to reduce risk. SIS are one type of IPL that are designed and maintained according to international standards to reliably take a process to a safe state. The document outlines the LOPA process, criteria for IPLs, and the safety lifecycle for designing, implementing, and maintaining SIS as an IPL of last resort to reduce risk to an acceptable level.
The article discusses writing a Safety Requirement Specification (SRS), which is the last stage of the analysis phase for a Safety Instrumented System (SIS) lifecycle. It outlines the key components of an SRS, including input information, functional requirements, and safety integrity requirements for each safety instrumented function. The article provides examples of the types of details to include in an SRS, such as the safe state of the process, sources of demand on the system, target safety integrity levels, and requirements for resetting the system. Developing a thorough SRS according to the findings of the hazard and risk assessment is important, as it forms the input for the design and realization phase of the SIS lifecycle.
The document discusses three standards related to safety integrity levels (SIL): IEC 61508, IEC 61511, and ANSI/ISA S84.01. It provides an overview of each standard, including their parts and scope. The key points are that IEC 61508 and 61511 define SIL on a scale from 1 to 4 based on reliability requirements for safety instrumented systems (SIS), while ANSI/ISA S84.01 was developed in parallel and also adopted by ANSI. The document then discusses various methods for assigning SILs to safety instrumented functions, including consequence-based, risk matrix, layered risk matrix, and layer of protection analysis (LOPA).
There are four SILs — SIL 1, SIL 2, SIL 3, and SIL 4. The higher the SIL, the greater the risk of failure. And the greater the risk of failure, the stricter the safety requirements
Safety instrumented systems (SIS) are designed to respond to hazardous conditions in industrial plants. An SIS monitors for conditions that could lead to hazards and responds by taking actions to prevent or mitigate hazards. Examples include high fuel gas pressure shutting off main valves or high reactor temperature opening a coolant valve. Standards like ISA 84.01 and IEC 61508/61511 provide guidelines for engineering practices to ensure SIS integrity through their lifecycle from planning and design to operations and maintenance. A key aspect is assessing risk and assigning a safety integrity level to guide system reliability design.
Technical Paper for ASPF 2012 - Choosing the right SISAlvin CJ Chin
This document discusses choosing the right safety instrumented system (SIS) for process plants. It notes that plant owners must balance safety, profitability, and minimizing downtime. The best SIS options minimize unnecessary shutdowns during maintenance and upgrades while still providing high safety (SIL3) protection. Well-designed standalone SIS that permit online maintenance and upgrades without shutting down the entire plant can save millions of dollars in avoided downtime costs each day. The document advocates that plant owners directly select the most suitable SIS rather than relying only on engineering contractors.
This document discusses the impacts of process safety time on layer of protection analysis (LOPA). It defines process safety time (PST) as the time between an initiating event and hazardous event. PST is determined by identifying the process variable associated with the hazard, its value at initiating/hazardous events, and estimated rate of change. Independent protection layer (IPL) response time (IRT) and process lag time (PLT) must be considered. For an IPL to be effective, IRT + PLT must be less than PST. The maximum setpoint (MSP) or maximum allowable response time (MART) can then be specified based on PST, IRT, PLT, and
This document discusses Safety Instrumented Systems (SIS) and methods for determining risk reduction requirements. An SIS monitors industrial processes for dangerous conditions and executes actions to prevent or mitigate hazardous events. The document describes various methods to determine the necessary level of risk reduction for a given process, including risk graphs and Layer of Protection Analysis, both of which consider the consequences, frequency, possibility of avoidance, and probability of occurrence of an event. The determined risk reduction requirement is characterized by a Safety Integrity Level (SIL) on a scale of 1 to 4. An SIS provides risk reduction by successfully performing its safety functions, with its effectiveness measured by its probability of failure on demand (PFD).
Methods of determining_safety_integrity_levelMowaten Masry
This document discusses two popular methods for determining safety integrity level (SIL) requirements - risk graph methods and layer of protection analysis (LOPA). It outlines some advantages of both, but also limitations, particularly of risk graph methods. Specifically, it notes that risk graphs can produce a wide range of possible residual risk levels from a single hazard assessment. The document recommends calibrating risk graphs conservatively and only using them when the mean residual risk is a small portion of the overall risk target, to avoid underestimating required risk reduction. It also discusses how to account for backup mechanical protections like relief valves when assessing instrumented safety functions using a risk graph.
Depending on the nature of the task, the level of safety management training required will vary from general safety familiarization to expert level for safety specialists, for example:
a) Corporate safety training for all staff,
b) Training aimed at management’s safety responsibilities,
c) Training for operational personnel (such as pilots, maintenance engineers, dispatchers / FOO’s and personnel with apron or ramp duties), and
d) Training for aviation safety specialists (such as the Safety Management System and Flight Data Analysts).
The scope of SMS training must be appropriate to each individual’s roles and responsibilities within the operation. Training should follow a building-block approach. As part of the ICAO requirements, an operator must provide training to its operational personnel (including cabin crew), managers and supervisors, senior managers, and the accountable executive for the SMS.
Training should address the specific role that cabin crew members play in the operation. This includes, but is not limited to training with regards to:
a) Unit 1 SMS fundamentals and overview of the operator’s SMS;
b) Unit 2 Safety policy;
c) Unit 3 Hazard identification and reporting; and
d) Unit 4 Safety Communication.
e) Unit 5 Review of Company Safety Management
f) Unit 6 Review of Safety Reporting
The base content comes from many sources but all aligned to the ICAO syllabus requirements, and created for an international operational airline.
If you are a startup airline, or looking to align courses with your specific operational standards, please take a look and check out
pghclearningsolutions@gmail.com leave a message and I will contact you where we can discuss your requirements, send you examples and if required, download my editable masters which you can customize to meet your own specific operational training requirements.
Depending on the nature of the task, the level of safety management training required will vary from general safety familiarization to expert level for safety specialists, for example:
a) Corporate safety training for all staff,
b) Training aimed at management’s safety responsibilities,
c) Training for operational personnel (such as pilots, maintenance engineers, dispatchers / FOO’s and personnel with apron or ramp duties), and
d) Training for aviation safety specialists (such as the Safety Management System and Flight Data Analysts).
The scope of SMS training must be appropriate to each individual’s roles and responsibilities within the operation. Training should follow a building-block approach. As part of the ICAO requirements, an operator must provide training to its operational personnel (including cabin crew), managers and supervisors, senior managers, and the accountable executive for the SMS.
Training should address the specific role that cabin crew members play in the operation. This includes, but is not limited to training with regards to:
a) Unit 1 SMS fundamentals and overview of the operator’s SMS;
b) Unit 2 Safety policy;
c) Unit 3 Hazard identification and reporting; and
d) Unit 4 Safety Communication.
e) Unit 5 Review of Company Safety Management
f) Unit 6 Review of Safety Reporting
The base content comes from many sources but all aligned to the ICAO syllabus requirements, and created for an international operational airline.
If you are a startup airline, or looking to align courses with your specific operational standards, please take a look and check out
pghclearningsolutions@gmail.com leave a message and I will contact you where we can discuss your requirements, send you examples and if required, download my editable masters which you can customize to meet your own specific operational training requirements.
Reliability Centered Maintenance (RCM) is a process that determines the best policies for managing asset functions and failures. It considers all asset management options like condition monitoring, scheduled restoration, and scheduled discard. RCM provides the optimal mix of reactive, time-based, condition-based, and proactive maintenance practices. When applied to commercial airlines in the 1970s, RCM reduced equipment-related crashes from 40 to 0.3 per million take-offs.
Caught in Numbers, Lost in Focus: What it Means to Manage Safety in Global Sh...Nippin Anand
Have you ever wondered about how safety gets measured and how it became one with the ‘science’ of management (granted there is such a term as management science). What is the relationship between occupational health and safety and technical safety? How reliable is compliance as a measure of safety and how could we possibly distinguish between quality and safety?
Caught in Numbers, Lost in Focus: What it Means to Manage Safety in Global Sh...
Barnard Impacts of Demand Rates
IMPACTS OF DEMAND RATES ON SIF/SIS DESIGN
AND MECHANICAL INTEGRITY
Geoffrey Barnard, P.E., CFSE
aeSolutions
Houston, TX
KEYWORDS
Safety Instrumented Systems (SIS), Layer of Protection Analysis (LOPA), Safety Integrity Level
(SIL) Determination, Safety Integrity Level (SIL) Verification, Demand Rate, Demand Mode,
Continuous Mode
ABSTRACT
IEC 61508 and IEC 61511 (ANSI/ISA 84) impose certain requirements for design and
verification of Safety Instrumented Functions (SIFs) based on the assigned Safety Integrity Level
(SIL), as well as the expected Demand Rate and Mode of Operation. It is often said that SIFs in
Process Industry applications overwhelmingly fall into a Low Demand Mode of operation, but
what exactly does this mean? What assumptions lead to this belief, and when do these
assumptions hold true?
This paper examines the differences between Low Demand, High Demand, and Continuous
Mode SIFs, and provides examples and practical guidance for SIL Determination, conceptual
design, SIL Verification, and long-term Mechanical Integrity considerations for each.
INTRODUCTION
When the risk of a particular hazard cannot be reduced sufficiently through other means, a Safety
Instrumented Function (SIF) is often specified to close the gap. As many of us know all too
well, IEC 61511 (ANSI/ISA 84) places certain requirements on the design, operation, and
maintenance of Safety Instrumented Functions (SIFs) based on their Safety Integrity Level (SIL).
The required SIL of a SIF is determined within the context of the hazardous outcome it is
intended to prevent, the tolerability of such an outcome, the other available protection layers that
prevent the hazardous outcome, and the frequency of events or conditions that may lead to the
hazard in the first place.
Layer of Protection Analysis (LOPA) is a widely used methodology for SIL determination
because its semi-quantitative nature lends itself to establishing quantitative integrity targets; a
critical step in the Safety Instrumented System (SIS) design process upon which many other
assumptions will be based. When speaking of Safety Integrity Levels and SIL determination
many of us jump immediately to average Probability of Failure on Demand (PFDavg). The terms
have become nearly synonymous in the industry. However, reading carefully in the standard we
find that this term is valid only in the case of Demand Mode SIFs.
A majority of technical resources on the subject of SIS refer to the fact that process industry SIFs
fall overwhelmingly into a Demand Mode, or Low Demand Mode of Operation. Does the
ubiquity of such a prediction lead to its own accomplishment? With so much depending on this
initial phase of the process, it is critical to understand this assumption, when it is valid, and how
to adjust the process when it is not valid. The following sections will explore the meaning of a
Demand on a safeguard, as well as impacts the frequency of demands has on SIL determination,
conceptual design, SIL verification, and long-term Mechanical Integrity of a SIF.
DEMANDS
A Demand is placed on a safeguard when process conditions require the safeguard to function in
order to prevent a hazard. In a simple example, a pressure relief valve on a vessel experiences a
demand when the vessel pressure exceeds the set pressure of the relief valve. When the relief
valve lifts, the vessel is protected from overpressure. If the relief valve fails to lift, it can be said
to have failed dangerously and the vessel is now at risk of overpressure if further action is not
taken.
On the other hand, if the relief valve lifts below the set pressure it could be said to have failed
spuriously. In this case, the relief valve took action unnecessarily when the vessel was not at risk
and therefore no demand took place.
SIF demands can be explained in much the same way. When a hazardous condition is present
that a SIF sensor is designed to detect, and the SIF action is required to prevent the progression
to a hazardous event, a demand has been placed on that SIF.
Oftentimes within an SIS many additional actions must take place to safely shut down all related
process equipment. Not all of these actions must take place to prevent the first or most
immediate hazard; some may be done to avoid secondary hazards or conditions that may place
demands on other SIFs or safeguards. If a SIF (or a final element of a SIF) is activated by
another SIF internally to the logic solver, or manually by an operator, this would generally not be
considered a demand.
In the example below, Pressure Vessel V-100 operates with a normal liquid level of 50%
controlled by basic process control loop LC-100. Transfer Pump P-200 sends excess liquid to
Atmospheric Storage Tank T-300. Should a failure occur in the process equipment or the
process control loop resulting in a loss of liquid level, high pressure gas may escape through the
transfer line, resulting in the rupture of T-300 with the potential for injury or toxic exposure to
plant personnel.
Figure 1 – Example System 1 Piping & Instrumentation Diagram
In one particular scenario, control loop LC-100 malfunctions, allowing LV-100 to go wide-open
leading to a decrease in level in V-100. If the level reaches the low trip point of SIF-1, a demand
is placed on SIF-1 which must close XV-101 to prevent the hazardous event.
One may also notice that upon closure of XV-101 a new hazard is created. Blocked suction of
the Transfer Pump P-200 may lead to cavitation, seal failure, and potential for toxic exposure to
plant personnel. SIF-2 will shut off the pump when the discharge flow drops below a threshold
indicating that continued operation will lead to damage. Rather than allowing the automatic
closure of XV-101 to induce a secondary hazard, SIF-1 should be specified with a secondary
action to stop pump P-200. Whenever possible it is a good practice to coordinate such actions to
avoid secondary hazards and avoid placing unnecessary demands on other safeguards and
protection layers, preventing hazards before the hazardous conditions arise.
DEMAND RATE
IEC 61511 (ANSI/ISA 84) requires consideration of potential Sources of Demand and probable
Demand Rates of SIFs during the Hazard and Risk Assessment [1, clause 8.2.1], Allocation of
Safety Functions to Protection Layers [1, clauses 9.2.3, 9.2.4], development of the Safety
Requirements Specification (SRS) [1, clause 10.3.1], Design and Engineering [1, clauses
11.2.10, 11.3.2, 11.3.3, 11.9], Operation and Maintenance [1, clause 16.2.2], and Modification
[1, clause 17.1.1]. What exactly are sources of demand, and why are demand rates important to
so many stages of the safety lifecycle?
Sources of Demand for a particular SIF may be relatively easy to identify. When a SIF is
specified as a protection layer against a hazardous event, each of the causes or initiating events
that lead to this hazardous event would be among the SIF sources of demand. Specific causes of
all credible hazard scenarios or conditions should be considered as part of the Hazard and Risk
Assessment and documented as sources of demand in the SRS.
The Demand Rate of a SIF is the total frequency, summed over all sources of demand, at which
hazardous process conditions will call for the SIF to act. While we often estimate initiating
event frequencies as part of the SIL determination process, the actual demand rate of a SIF may
be much more difficult to predict.
Oftentimes a SIF may be one of several Independent Protection Layers (IPLs), each capable of
preventing a particular hazardous event. Unless the SIF is the first or only layer to act in
response to each initiating event, simply summing the initiating event frequencies is likely to
over-estimate the actual demand rate the SIF will experience. When other IPLs are designed to
complete their respective actions first, demands experienced by the SIF can be expected to
decrease dramatically.
Figure 2 – Sequenced IPL Response Times (timeline from Initiating Event to Hazardous Event)
Figure 3 – Non-Sequenced IPL Response Times (timeline from Initiating Event to Hazardous Event)
In order to more precisely estimate a SIF's demand rate, one could consider the sequence of IPLs
in each hazard scenario by multiplying the initiating event frequency by the PFD of any IPL
designed to complete its action prior to initiation of the SIF. Analysts should be cautioned that this
may require substantial effort very early in the design process. Without careful consideration of
process dynamics and the available response times of each IPL within the context of the overall
process safety time, results may under-estimate the actual demand rate the SIF will experience.
$\text{Estimated SIF Demand Rate} = \sum \Big[ \text{Initiating Event Frequency} \times \prod \text{Non-SIF IPL PFDs completing action prior to SIF initiation} \Big]$
Equation 1 – Estimated SIF Demand Rate with consideration of response times and process safety time
It is easy to imagine how attempts to precisely estimate SIF demand rates on paper can be quite
problematic. Absent sufficient operating history to directly measure SIF demand rates,
reasonable and conservative assumptions will need to be made. Like all data assumed
throughout the design and analysis process, SIF demands should be tracked and investigated so
that actual operating history can be used to validate that the SIF design criteria are sufficiently
conservative, and that all sources of demand have been anticipated and analyzed.
Though often overlooked, expected and actual SIF demand rates are of critical importance to the
basis of SIF design and mechanical integrity. Improperly estimating demands can lead to
misapplication of the SIL determination process, improper design and SIL verification,
inappropriate maintenance intervals, and ultimately SIFs that do not adequately protect against
the given hazards.
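To make Equation 1 concrete, here is an added Python example (not from the paper) that computes the sequenced demand-rate estimate beside the naive sum of initiating event frequencies. The three scenarios, their frequencies and the IPL PFDs are constructed placeholders, not values from the Figure 1 system; the Scenario record, the function names and the decision to reject PFDs outside [0, 1] are assumptions of this example. The caveat from the text still applies: an IPL belongs in prior_ipl_pfds only if its response time, within the process safety time, really lets it complete before the SIF trip point is reached.

```python
"""Estimated SIF demand rate (Equation 1) versus a naive sum of initiating
event frequencies.  Added illustration, not from the paper; the scenario
data below are constructed placeholders, not values from Figure 1."""

from dataclasses import dataclass, field
from typing import List


@dataclass
class Scenario:
    """One hazard scenario that can place a demand on the SIF."""
    name: str
    initiating_event_freq: float            # events per year
    # PFDs of the non-SIF IPLs designed to complete their action before the
    # SIF trip point is reached.  IPLs acting after (or in parallel with)
    # the SIF do NOT belong here; listing them would under-estimate demands.
    prior_ipl_pfds: List[float] = field(default_factory=list)


def naive_demand_rate(scenarios):
    """Plain sum of initiating event frequencies: over-estimates the demand
    rate whenever other IPLs are sequenced ahead of the SIF."""
    return sum(s.initiating_event_freq for s in scenarios)


def estimated_demand_rate(scenarios):
    """Equation 1: sum over scenarios of IEF x product(prior non-SIF IPL PFDs)."""
    total = 0.0
    for s in scenarios:
        product = 1.0
        for pfd in s.prior_ipl_pfds:
            if not 0.0 <= pfd <= 1.0:
                raise ValueError(f"{s.name}: PFD {pfd} is outside [0, 1]")
            product *= pfd
        total += s.initiating_event_freq * product
    return total


# Constructed sample: three sources of demand on one SIF (hypothetical values).
SAMPLE = [
    # SIF is the first layer to act: no prior IPL credit.
    Scenario("BPCS level loop fails open", 0.1, prior_ipl_pfds=[]),
    # An independent alarm with operator response is sequenced ahead of the SIF.
    Scenario("Operator error during start-up", 1.0, prior_ipl_pfds=[0.1]),
    # Alarm/response plus a mechanical trip both complete before the SIF acts.
    Scenario("Upstream control valve fails", 0.5, prior_ipl_pfds=[0.1, 0.1]),
]

if __name__ == "__main__":
    print(f"naive sum:          {naive_demand_rate(SAMPLE):.3f} demands/year")
    print(f"sequenced estimate: {estimated_demand_rate(SAMPLE):.3f} demands/year")
```

The gap between the two numbers (1.6 against 0.205 demands per year for the sample) is the point the text makes: the naive sum is conservative for SIL determination but is not a realistic demand rate for choosing the mode of operation or the proof test interval.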
NOTES ON SIF MODES OF OPERATION
Before beginning a more detailed exploration of SIF Modes of Operation, it is important to note
that definitions in the current version of IEC 61511 [1] differ from those of the parent standard,
IEC 61508 [2], leaving only a distinction between Demand Mode (protection layer) and
Continuous Mode (safety critical control). Development of the second edition of IEC 61511 [3]
is currently underway, drafts of which feature Modes of Operation defined in closer
alignment with the second edition of IEC 61508 published in 2010. For clarity, this document
applies the current state-of-the-industry approach defining three modes of operation, but with
specific references to applicable clauses of the current edition of IEC 61511, expected to remain
in effect through at least 2014.
LOW DEMAND MODE
In order to be considered in a Low Demand Mode of Operation, the SIF must meet three basic
criteria:
• SIF dangerous failure does not initiate a hazard scenario without subsequent failure in the process or BPCS [1, Part 1 clause 3.2.43.1], and;
• Demand rate no greater than once per year [1, Part 1 clause 3.2.43.2], and;
• Demand interval at least twice the proof test interval [4, Annex I].
First, the SIF acts only as a safeguard. The process is normally capable of being operated within
its safe upper and lower limits without the SIF; the SIF only exists to reduce the frequency of a
hazardous event initiated by some sort of failure of process equipment, failure of the BPCS, or
failure of a human to follow intended procedures. A dangerous failure of the SIF has no impact
on the process or the BPCS and cannot be the cause of a hazard scenario. SIFs that do not meet
this requirement should be considered to operate in Continuous Mode.
Second, the expected demand rate of the SIF is infrequent; once per year or less. Although the
one-year threshold may seem somewhat arbitrary, a SIF experiencing such frequent demands
would suggest that the process may not be adequately controlled to begin with. In such cases the
actual hazard frequency will be more closely related to the dangerous failure frequency of the
SIF; meaning it would normally be most appropriate to consider the SIF to operate in High
Demand Mode.
The third requirement for Low Demand SIFs is that the expected demand rate is infrequent
relative to the proof test interval. In other words, a dangerous failure of the SIF is more likely to
be uncovered by a proof test than a demand. If this condition is not met, proof testing should not
be considered effective in uncovering dangerous failures, and SIL determination and SIL
verification in terms of PFDavg (where proof test interval is a key component) are no longer
applicable. For this reason, when the demand interval is less than twice the proof-test interval it
would generally be more appropriate to consider the SIF to operate in the High Demand Mode.
Though undoubtedly your company’s or client’s risk management policies and LOPA/SIL
determination procedures will vary, the typical approach to SIL determination and SIL
verification that most process industry analysts are familiar with is that of Low Demand Mode.
This process begins with the estimation of the initiating event frequency of a particular hazard,
and the allocation of non-SIF protection layers that reduce the frequency of the outcome. When
compared against the tolerability of such an outcome (most often expressed in terms of a
Tolerable Event Frequency in events per year), any remaining gap in risk reduction may be
assigned to a SIF.
$\text{Mitigated Event Frequency (events per year)} = \text{Initiating Event Frequency (events per year)} \times \prod \text{Non-SIF IPL PFDs} \times \prod \text{Probabilities of Enabling Events or Conditions} \times \text{SIF } PFD_{avg}$
Equation 2 – Mitigated Event Frequency for Low Demand SIFs
$\text{Target SIF } PFD_{avg} = \dfrac{\text{Tolerable Event Frequency (events per year)}}{\text{Initiating Event Frequency} \times \prod \text{Non-SIF IPL PFDs} \times \prod \text{Enabling Probabilities}}$
Equation 3 – Target PFDavg for Low Demand SIFs
Once the target PFDavg and Safety Integrity Level have been determined, design of the SIF may
proceed with the appropriate architectural constraints according to IEC 61511 [1] Part 1 Tables 5
and 6, or IEC 61508 [2] Part 2 Tables 2 and 3. For SIFs operating in Low Demand Mode, SIL
verification may consider automatic diagnostics for reducing the effective dangerous failure rates
of individual devices, and periodic proof testing and repair may be considered for reducing
PFDavg. For further guidance on the basics of Low Demand Mode SIL verification, refer to IEC
61508 [2] Part 6 Annex B, or ISA Technical Report TR84.00.02 [6] Parts 1 through 5.
Low Demand Mode Example:
Consider again the example system in Figure 1. The LOPA Team identified one credible
initiating event that could lead to the hazardous event of loss of level in V-100 and gas blow-by
to T-300; LV-100 malfunctioning open – BPCS failure frequency no less than 1x10^-5 per hour,
approximately 0.1 per year, or once in 10 years. According to the requirements above, such a
demand rate allows SIF-1 to operate in Demand Mode [1], or Low Demand Mode [2, 3] with a
maximum proof test interval of 5 years.
Based on the consequence severity of the storage tank rupture, the example plant risk
management policy dictates the Mitigated Event Frequency must not exceed a Tolerable Event
Frequency of 1x10^-3 events per year. The LOPA team has also assumed a probability of
occupancy of 0.1 for the area surrounding T-300 as the only enabling condition for this scenario.
$\dfrac{1 \times 10^{-3} \text{ per year}}{[1 \times 10^{-1} \text{ per year}] \times [1 \times 10^{-1}]} = 1.0 \times 10^{-1}$
Applying Equation 3, the PFDavg of SIF-1 must be less than 1.0x10^-1; SIL 1 according to IEC
61511 [1] Part 1 Table 3 for Demand Mode SIFs and thus not requiring hardware fault tolerance
per IEC 61511 [1] Part 1 Table 6.
Table 1 – Low Demand Mode Safety Integrity (from IEC 61511-1:2003 Table 3)

SIL   Target PFDavg            Target Risk Reduction
1     ≥10^-2 to <10^-1         >10 to ≤100
2     ≥10^-3 to <10^-2         >100 to ≤1000
3     ≥10^-4 to <10^-3         >1000 to ≤10,000
4     ≥10^-5 to <10^-4         >10,000 to ≤100,000

Table 2 – Minimum Fault Tolerance (from IEC 61511-1:2003 Table 6)

SIL   Minimum HFT
1     0
2     1
3     2
4     (see IEC 61508)
Using simplex components throughout, the following failure rates were collected:
• Remote Diaphragm Seals and Capillaries: 3x10^-7 dangerous failures per hour
• Differential Pressure Transmitter: 8x10^-7 dangerous failures per hour
• Logic Solver System: 9x10^-8 dangerous failures per hour
• Solenoid Valve: 6x10^-7 dangerous failures per hour
• Ball Valve and Actuator: 2x10^-6 dangerous failures per hour
𝐴𝑐ℎ𝑖𝑒𝑣𝑒𝑑 𝑃𝐹𝐷 𝑎𝑣𝑔 = ∑
𝑆𝑢𝑏𝑠𝑦𝑠𝑡𝑒𝑚 𝐷𝑎𝑛𝑔𝑒𝑟𝑜𝑢𝑠 𝐹𝑎𝑖𝑙𝑢𝑟𝑒 𝑅𝑎𝑡𝑒𝑠 × 𝑃𝑟𝑜𝑜𝑓 𝑇𝑒𝑠𝑡 𝐼𝑛𝑡𝑒𝑟𝑣𝑎𝑙𝑠
2
Equation 4 – Simplified Achieved PFDavg for Low Demand SIFs
[
1.1 × 10−6
per hour × 43,800 hours
2
] + [
9 × 10−8
× 43,800
2
] + [
2.6 × 10−6
× 43,800
2
] = 8.30 × 10−2
Using the simplest form of the PFDavg equation and assuming only end-to-end proof testing, the
SIF achieves a PFDavg of 8.30x10-2
at a 5-year proof test interval; within the constraints for a
Low Demand SIF in this scenario.
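The Low Demand determination and verification above, carried through in code as an added example that is not part of the original paper: Equation 3 for the PFDavg target, the Table 1 band lookup for the SIL, the two quantitative Low Demand Mode criteria, and Equation 4 for the achieved PFDavg of SIF-1 with the failure rates listed above. The function and variable names are the example's own; the figures are the paper's.

```python
import math

HOURS_PER_YEAR = 8760


def target_pfd_avg(tef_per_year, initiating_event_freq_per_year, conditional_modifiers=()):
    """Equation 3: the PFDavg the SIF must beat so that
    IEF x (enabling/conditional probabilities) x PFDavg stays at or below
    the Tolerable Event Frequency."""
    return tef_per_year / (initiating_event_freq_per_year * math.prod(conditional_modifiers))


def sil_from_pfd_avg(pfd_avg):
    """Table 1 band lookup: SIL n covers 10^-(n+1) <= PFDavg < 10^-n.
    A target sitting exactly on a decade boundary ("less than 1e-1") belongs
    to the tighter band below it, which floor() gives directly.
    Returns 0 when no SIL band applies (PFDavg >= 0.1) and caps at 4."""
    n = math.floor(-math.log10(pfd_avg) + 1e-9)
    return max(0, min(4, n))


def low_demand_mode_checks(demand_rate_per_year, proof_test_interval_years):
    """The two quantitative Low Demand Mode criteria from the text. The third
    (a SIF failure cannot itself start the hazard) is a qualitative judgement
    and is not encoded here."""
    demand_interval_years = 1.0 / demand_rate_per_year
    return {
        "demand_rate_below_once_per_year": demand_rate_per_year < 1.0,
        "demand_interval_at_least_twice_pti": demand_interval_years >= 2.0 * proof_test_interval_years,
        "max_proof_test_interval_years": demand_interval_years / 2.0,
    }


def achieved_pfd_avg(dangerous_failure_rates_per_hour, proof_test_interval_hours):
    """Equation 4: sum over simplex subsystems of lambda_D x TI / 2, assuming
    only end-to-end proof testing (no diagnostic credit, perfect repair)."""
    return sum(lam * proof_test_interval_hours / 2.0 for lam in dangerous_failure_rates_per_hour)


# SIF-1 dangerous failure rates as listed in the paper (per hour).
SIF1_RATES_PER_HOUR = {
    "remote diaphragm seals and capillaries": 3e-7,
    "differential pressure transmitter": 8e-7,
    "logic solver system": 9e-8,
    "solenoid valve": 6e-7,
    "ball valve and actuator": 2e-6,
}


def sif1_verification(proof_test_interval_years=5):
    """SIF-1 from LOPA target to achieved PFDavg, using the paper's figures."""
    target = target_pfd_avg(
        tef_per_year=1e-3,
        initiating_event_freq_per_year=0.1,   # LV-100 fails open, ~1e-5/h
        conditional_modifiers=(0.1,),         # occupancy around T-300
    )
    achieved = achieved_pfd_avg(SIF1_RATES_PER_HOUR.values(),
                                proof_test_interval_years * HOURS_PER_YEAR)
    return {
        "target_pfd_avg": target,
        "required_sil": sil_from_pfd_avg(target),
        "achieved_pfd_avg": achieved,
        "achieved_sil": sil_from_pfd_avg(achieved),
        "meets_target": achieved < target,
        "mode": low_demand_mode_checks(0.1, proof_test_interval_years),
    }


if __name__ == "__main__":
    for key, value in sif1_verification().items():
        print(f"{key}: {value}")
```

Running the module prints the SIF-1 figures (target 1.0x10^-1, SIL 1, achieved 8.30x10^-2, maximum proof test interval 5 years). Changing `proof_test_interval_years` to 6 shows why the 5-year limit matters: the mode check fails before the PFDavg does.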
HIGH DEMAND MODE
In order to be considered in a High Demand Mode of Operation, the SIF must meet only one basic requirement:

    SIF dangerous failure does not initiate a hazard scenario without subsequent failure in the process or BPCS [1, clause 3.2.43.1].

As with Low Demand Mode, the SIF must act only as a safeguard and its dangerous failure cannot be the cause of a hazard scenario. SIFs that do not meet this requirement should be considered to operate in Continuous Mode. Assuming the above requirement is satisfied, a SIF should be considered in High Demand Mode if either of the two remaining Low Demand Mode criteria is violated; that is, if the SIF has:

- Demand rate greater than once per year [1, Part 1 clause 3.2.43.2], or;
- Demand interval less than twice the proof test interval [4, Annex I].
High Demand Mode requires a significant shift away from the typical assumptions applied to the
design and verification of Low Demand Mode SIFs. Before proceeding with the design of a
High Demand Mode SIF it is recommended that the process first be re-examined for the
practicality of employing an inherently safer process design with a lower initiating event
frequency [4, Annex J].
As SIF demands increase relative to the proof test interval there is a transition where the product
of demand rate and PFDavg no longer reasonably approximates the hazard frequency. In some
instances, the estimated hazard frequency can exceed the overall dangerous failure frequency of
the SIF – something that is impossible in reality. As such, High Demand and Continuous Mode
SIFs are verified against a target Frequency of Dangerous Failure (FDF) [1], or average
Probability of Dangerous Failure per Hour (PFH) [2], with the understanding that the hazard
frequency cannot be greater than the SIF dangerous failure frequency.
[Figure 4 – Estimated Hazard Frequency (with 1 year test interval)]

More importantly, when demands occur as often as or more often than proof tests, such testing should not be considered effective in uncovering dangerous failures prior to a demand. When the basis for using PFDavg (of which proof test interval is a key component) as a measure of risk reduction has been violated, the actual hazard frequency will be much more directly related to the SIF dangerous failure frequency. For this reason, it may be more appropriate to consider SIFs whose mean demand interval is less than twice the proof test interval (i.e. more than one demand per two test intervals) to operate in the High Demand Mode.
To determine the required safety integrity of a High Demand Mode SIF in terms of PFH, the normal LOPA process must be modified and the sequence of IPLs must be considered. When a SIF genuinely operates in the High Demand Mode it is likely because one or more initiating events occur very frequently and there are no other effective protection layers that can prevent the hazard prior to activation of the SIF*. If this is true, a dangerous SIF failure is not strictly the initiating event itself; nevertheless we may replace the initiating event frequency with the SIF PFH. This is the same process used with Continuous Mode SIFs, and is the reason why the standards make little distinction between High Demand and Continuous Modes of Operation.
Non-SIF IPLs that are designed to act only after a SIF failure, and any scenario enablers and conditional modifiers (all probabilities), may be applied against the Tolerable Event Frequency in events per hour. Because the overall hazardous event frequency from any and all sources of demand (initiating events) cannot exceed the dangerous failure frequency of the SIF, we solve for the maximum tolerable SIF dangerous failure frequency.

$$\text{Mitigated Event Frequency (events per hour)} = \text{SIF PFH} \times \prod \text{Non-SIF IPL PFDs acting after SIF} \times \prod \text{Probabilities of Enabling Events or Conditions}$$
Equation 5 – Mitigated Event Frequency for High Demand & Continuous Mode SIFs

$$\text{Target SIF PFH} = \frac{\text{Tolerable Event Frequency (events per hour)}}{\prod \text{Non-SIF IPL PFDs} \times \prod \text{Enabling Probabilities}}$$
Equation 6 – Target PFH for High Demand & Continuous Mode SIFs

Using Table 4 of IEC 61511 [1] we can determine the SIL of the SIF in High Demand or Continuous Mode and proceed with a design with the appropriate architectural constraints according to IEC 61511 [1] Tables 5 and 6, or IEC 61508 [2] Part 2 Tables 2 and 3.
Recalling that it is the total demand rate that is of interest when determining the SIF Mode of
Operation, not simply the initiating event frequency of each scenario in isolation, it is possible
that no single cause-consequence scenario will force a SIF into a High Demand Mode on its
own. It is important to allot time near the conclusion of the SIL determination process to
examine overall SIF demand rates and possibly re-evaluate scenarios where a SIF is found to be
operating in the High Demand Mode.
When verifying the PFH target of High Demand SIFs the usual SIL verification process and
assumptions must be modified as well. Because dangerous failures in High Demand Mode SIFs
are more likely to be uncovered by a demand than a proof test, proof testing is considered largely
ineffective. Although test interval is a variable considered in the verification of fault tolerant
architectures, it is not a mechanism for significantly reducing PFH.
* If a non-SIF IPL is effective in preventing a high frequency hazard prior to activation of the SIF, this IPL should
be considered to operate in the High Demand Mode and the SIF would likely fall into the Low Demand Mode.
See reference [8] Appendix F for further details on the treatment of IPLs with high initiating event frequencies.
Automatic diagnostics may be credited in High Demand Mode SIFs when the system is configured to move to the safe state in response to a detected dangerous failure, provided the diagnostic test interval is significantly shorter than the expected demand interval (by a factor of 100 or more [2, Part 2 clause 7.4.5.3]). Diagnostics used to initiate repair rather than immediate safe action may be considered in High Demand Mode applications when fault tolerant redundancy is employed. In these cases, achieved safety integrity is much more sensitive to Mean Time To Restore (MTTR) than in a similar PFDavg calculation, where this factor typically has very low sensitivity. Achieved PFH equations can be found in IEC 61508 [2] Part 6 Annex B.
High Demand Mode Example:
A batch reactor undergoes a 4 hour manual cleaning process following the completion of each
batch, once every 28 to 32 hours, up to 250 times per year. At the conclusion of the cleaning
operation, all valves and manways must be closed and reactor purged with nitrogen prior to
restarting the process as the reactants form a highly flammable vapor. An investigation team has
been formed following an incident where a manway was not fully sealed and a significant
quantity of flammable vapor was released into the reactor enclosure. This is the second such
incident in a matter of weeks. The team concludes that existing procedures are adequate but not
effective enough in preventing human error, and recommends the addition of an automated
pressure test to ensure all valves and manways are sealed prior to charging the reactor.
A SIF is designed such that the two fail-closed reactant charge valves are to remain de-energized
and closed until the test pressure is satisfied and held for at least three minutes. A successful test
allows the process to proceed by energizing the charge valve solenoids, releasing them to BPCS
control. A failure aborts the sequence until all equipment can be inspected and retested.
Based on the consequence severity, the example plant risk management policy dictates that the Mitigated Event Frequency must not exceed a Tolerable Event Frequency of 1x10^-3 events per year. The LOPA team has also assumed a probability of occupancy of 0.1 for the reactor enclosure and a probability of ignition of 0.5. The human error frequency is estimated to be 1x10^-2 per opportunity, with eight manual valves and manways involved in the procedure.

$$\text{Target PFD}_{avg} = \frac{1 \times 10^{-3}\ \text{per year}}{250\ \text{batches per year} \times 8\ \text{valves} \times [1 \times 10^{-2}\ \text{error frequency}] \times 0.5 \times 0.1} = 1.0 \times 10^{-3}$$

Following the normal process for Low Demand Mode SIL determination leads to a surprising result. The SIF would be in the SIL 3 range with a PFDavg target less than 1x10^-3; a risk reduction factor target greater than 1,000.
Re-examining the scenario, the team recognizes that the estimated Demand Rate of 20 per year (250 batches x 8 closures x 1x10^-2 errors per opportunity) places the SIF into the High Demand Mode. Because the hazard cannot occur at a frequency higher than the failure frequency of the SIF, the team determines the PFH target of the SIF as if it were the initiating event.

$$\text{Target SIF PFH} = \frac{1 \times 10^{-3}\ \text{per year}}{0.5 \times 0.1 \times \text{approx. } 10{,}000\ \text{hours per year}} = 2.0 \times 10^{-6}\ \text{per hour}$$

Applying Equation 6, the PFH of the permissive SIF must be less than 2.0x10^-6 per hour; within the SIL 1 range according to IEC 61511 [1] Part 1 Table 4 for High Demand/Continuous Mode SIFs (Table 3 below), and thus not requiring hardware fault tolerance per IEC 61511 [1] Part 1 Table 6 (Table 2).
Table 3 – High Demand & Continuous Mode Safety Integrity (from IEC 61511-1:2003 Table 4)

  SIL   Target FDF/PFH (per hour)
  1     ≥10^-6 to <10^-5
  2     ≥10^-7 to <10^-6
  3     ≥10^-8 to <10^-7
  4     ≥10^-9 to <10^-8

The minimum hardware fault tolerance is as given in Table 2 (from IEC 61511-1:2003 Table 6) above: SIL 1: 0, SIL 2: 1, SIL 3: 2, SIL 4: see IEC 61508.
The system will be designed with a single pressure transmitter, a single logic solver, and two solenoid valves, both required to de-energize. Valves and actuators are not included, as any dangerous failure allowing measurable leakage will be detected by the pressure test and the sequence will not proceed. The following dangerous failure rates were collected:

  Remote Diaphragm Seal and Capillary: 3x10^-7 dangerous failures per hour
  Differential Pressure Transmitter: 8x10^-7 dangerous failures per hour
  Logic Solver System: 9x10^-8 dangerous failures per hour
  Solenoid Valve: 6x10^-7 dangerous failures per hour

$$\text{Achieved SIF PFH} = \sum \text{Subsystem PFH}$$
Equation 7 – Achieved PFH for High Demand and Continuous Mode SIFs

$$\text{Achieved PFH}_{1oo1} = \lambda_D$$
Equation 8 – Simplified Achieved PFH for 1oo1 High Demand and Continuous Mode Subsystems

$$\text{Achieved PFH}_{2oo2} = 2\lambda_D$$
Equation 9 – Simplified Achieved PFH for 2oo2 High Demand and Continuous Mode Subsystems

Summing the listed rates, the simplex sensor subsystem (seal and capillary plus transmitter) contributes 3x10^-7 + 8x10^-7 = 1.1x10^-6 per hour, the logic solver 9x10^-8 per hour, and the 2oo2 solenoid pair 2 x 6x10^-7 = 1.2x10^-6 per hour:

$$[1.1 \times 10^{-6}] + [9 \times 10^{-8}] + [1.2 \times 10^{-6}] = 2.39 \times 10^{-6}\ \text{per hour}$$

Using simplified failure assumptions the SIF achieves an overall dangerous failure frequency of 2.39x10^-6 per hour. This lies within the SIL 1 band of Table 3, but it exceeds the 2.0x10^-6 per hour target derived above, so the design as drawn does not yet meet the requirement. The simplex sensor subsystem and the 2oo2 solenoid pair account for almost all of the total and would have to be revisited (for example with a redundant sensor subsystem of the kind used in the Continuous Mode example that follows) before the permissive can be accepted as a SIL 1 High Demand Mode SIF.
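The two determinations of the reactor permissive above, and the point made earlier in this section that demand rate x PFDavg can exceed the SIF's own failure frequency, as an added Python example that is not part of the original paper. It implements Equations 6 through 9, the Table 3 band lookup, and a check on whether the Low Demand approximation is still physical. The function names are the example's own, and the 8,760 hour year used in the physicality check (the paper rounds to approximately 10,000 operating hours per year for the PFH target) is an assumption of the example. Run with the rates listed above, it reproduces the 2.0x10^-6 per hour target and shows that the simplex design sums to 2.39x10^-6 per hour, so `meets_target` is False.

```python
import math

HOURS_PER_YEAR = 8760   # calendar hours; the paper uses ~10,000 operating hours for the target


def sil_from_pfh(pfh):
    """Table 3 band lookup: SIL n covers 10^-(n+5) <= PFH < 10^-(n+4) per hour.
    Returns 0 when PFH >= 1e-5 (no SIL band) and caps at 4."""
    n = math.floor(-math.log10(pfh) + 1e-9) - 4
    return max(0, min(4, n))


def sil_from_pfd_avg(pfd_avg):
    """Table 1 band lookup (the Low Demand metric), here only to show the
    mis-applied Low Demand determination beside the correct one."""
    return max(0, min(4, math.floor(-math.log10(pfd_avg) + 1e-9)))


def target_pfh(tef_per_year, post_sif_ipl_pfds=(), enabling_probabilities=(), hours_per_year=10_000):
    """Equation 6. Only IPLs that act AFTER the SIF, plus enablers and
    conditional modifiers, are credited. The demand rate drops out because
    the hazard frequency is bounded by the SIF's own failure frequency."""
    denominator = math.prod(post_sif_ipl_pfds) * math.prod(enabling_probabilities) * hours_per_year
    return tef_per_year / denominator


def pfh_1oo1(lam_d):   # Equation 8
    return lam_d


def pfh_2oo2(lam_d):   # Equation 9: a dangerous failure of either channel defeats the function
    return 2.0 * lam_d


def achieved_pfh(subsystem_pfhs):   # Equation 7
    return sum(subsystem_pfhs)


def low_demand_hazard_estimate(demand_rate_per_year, lam_d_per_hour, proof_test_interval_hours):
    """Demand rate x PFDavg: the Low Demand approximation of hazard frequency."""
    return demand_rate_per_year * lam_d_per_hour * proof_test_interval_hours / 2.0


def approximation_is_physical(demand_rate_per_year, lam_d_per_hour, proof_test_interval_hours):
    """The estimate above cannot exceed the SIF's own dangerous failure
    frequency (lambda_D x hours per year). When it does, as it does once
    demands outnumber proof tests, the Low Demand model is outside its basis."""
    estimate = low_demand_hazard_estimate(demand_rate_per_year, lam_d_per_hour, proof_test_interval_hours)
    return estimate <= lam_d_per_hour * HOURS_PER_YEAR


def reactor_permissive_verification():
    """The paper's batch-reactor permissive, determined both ways round."""
    demand_rate = 250 * 8 * 1e-2                      # batches x manual closures x error rate = 20/yr
    modifiers = (0.5, 0.1)                            # ignition, occupancy
    tef = 1e-3                                        # tolerable events per year
    naive_pfd_target = tef / (demand_rate * math.prod(modifiers))   # Equation 3, mis-applied
    pfh_target = target_pfh(tef, enabling_probabilities=modifiers)  # Equation 6
    sensor = pfh_1oo1(3e-7 + 8e-7)                    # seal/capillary + DP transmitter
    logic = pfh_1oo1(9e-8)
    solenoids = pfh_2oo2(6e-7)                        # both must de-energize
    achieved = achieved_pfh((sensor, logic, solenoids))
    return {
        "demand_rate_per_year": demand_rate,
        "naive_pfd_target": naive_pfd_target,
        "naive_sil": sil_from_pfd_avg(naive_pfd_target),
        "pfh_target": pfh_target,
        "required_sil": sil_from_pfh(pfh_target),
        "achieved_pfh": achieved,
        "achieved_sil": sil_from_pfh(achieved),
        "meets_target": achieved < pfh_target,
        "low_demand_model_physical": approximation_is_physical(demand_rate, achieved, HOURS_PER_YEAR),
    }


if __name__ == "__main__":
    for key, value in reactor_permissive_verification().items():
        print(f"{key}: {value}")
```

The `low_demand_model_physical` flag is the Figure 4 argument in one line: at 20 demands per year and a 1-year test interval, demand rate x PFDavg comes out ten times larger than the SIF could possibly fail, which is the signal that PFH, not PFDavg, is the right measure.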
CONTINUOUS MODE
Any SIF for which a dangerous failure of the SIF or one of its components may initiate a hazard scenario without subsequent failure in the process or BPCS must be considered to operate in the Continuous Mode [1, clause 3.2.43.1].
Upon first thought, some may wonder if a SIF that can initiate its own hazard scenario, or any
other hazard scenario for that matter, should be considered a safety function at all. While many
simple examples of Continuous Mode SIFs are actually better examples of poor design or
inadequate separation of control and safety, there are rare but legitimate applications where
Independent Protection Layers are ineffective or impractical to install. In such cases a basic
process control loop (normally limited to an initiating event frequency no less than 10^-5 per hour)
may be implemented in the SIS and managed as a Safety Instrumented Control Function [1], or
what ANSI/ISA 84.91 would describe as a Safety Critical Control [5]. Designing and managing
a control loop as a Continuous Mode SIF allows for the reduction of the initiating event
frequency (SIF Frequency of Dangerous Failure) to a tolerable level.
Obviously a design that places the competing priorities of control and safety in a single system
should be approached with caution. Just as with High Demand Mode SIFs, it is strongly
recommended that alternatives in process design be considered before proceeding with the
design of a Continuous Mode SIF. Overall hazardous event frequency can generally be reduced
much more simply through multiple diverse protection layers that are completely independent of
the initiating event. After due diligence has been done, if a Continuous Mode SIF is found to be
the best option there are additional rules and considerations for design and verification.
To determine the required safety integrity of a Continuous Mode SIF the normal LOPA process
must be modified. Considering that the hazardous condition is always present, there are no
sources of demand or a demand rate to record. This is because a Continuous Mode SIF does not
act as a protection layer, but rather as the initiating event itself.
Non-SIF IPLs that are designed to act only after a SIF failure, and any scenario enablers and conditional modifiers (all probabilities), are applied against the Tolerable Event Frequency in events per hour exactly as for High Demand Mode SIFs (Equations 5 and 6 above). Because the overall hazardous event frequency cannot exceed the dangerous failure frequency of the SIF, we solve for the maximum tolerable SIF dangerous failure frequency. Using Table 4 of IEC 61511 [1] (Table 3 here) we can determine the SIL of the SIF in Continuous Mode and proceed with a design with the appropriate architectural constraints according to IEC 61511 [1] Tables 5 and 6, or IEC 61508 [2] Part 2 Tables 2 and 3.
SIL verification of Continuous Mode SIFs is performed in much the same way as with High
Demand SIFs but with additional restrictions. The dangerous failure of a Continuous Mode SIF
will be self-revealing, directly and often immediately initiating the hazard scenario. Automatic
diagnostics may only be considered in very limited circumstances involving fault tolerant
redundancy, or when the sum of the diagnostic interval and SIF response time is less than the
process safety time [2, Part 2 clause 7.4.5.3]. This restriction may limit the effectiveness of
diagnostics in many situations. For this reason, it is often said that diagnostics may not be
credited in the verification of Continuous Mode SIF integrity.
Test interval is considered in the verification of fault tolerant architectures, but again is not a
mechanism for significantly reducing PFH. Achieved PFH equations can be found in IEC 61508
[2] Part 6 Annex B.
Continuous Mode Example:
A centrifugal compressor is equipped with a performance controller that executes a series of
complex control routines at very high speed, keeping the compressor operating at maximum
efficiency in a wide range of load conditions. Among other things, the control system
continuously modulates a recycle valve that allows a portion of the discharge to flow back to the
compressor’s suction. In the event that the compressor operating point approaches the surge line,
the controller will open the recycle valve to prevent catastrophic damage to the compressor. Due
to the quantity of measurements, the complexity of the control routines, and the speed at which
the evaluations must be made, it is common to combine compressor performance control and
certain complex protective functions in a single logic solver system.
The example plant risk management policy considers catastrophic compressor failure to be tolerable at a frequency no more than 1x10^-4 events per year, as the compressor enclosure is occupied as much as 2 hours per day. The LOPA team has determined that the normal range of operating conditions can induce compressor surge without a failure in the process, meaning the dangerous failure of the anti-surge control function itself is an initiating event. An independent machinery protection system is capable of shutting down the steam turbine via the trip and throttle valve by measuring shaft displacement at the thrust bearing; however, this is not an SIS and its probability of failure on demand can be claimed as no less than 1.0x10^-1. The team determines that another automated system would be impractical to install and would not be effective in all scenarios. For this reason the surge control will be considered to be a Continuous Mode SIF, and the performance controller hardware will be designed and managed as an SIS.

$$\text{Target SIF PFH} = \frac{1 \times 10^{-4}\ \text{per year}}{[1 \times 10^{-1}] \times [1 \times 10^{-1}] \times \text{approx. } 10{,}000\ \text{hours per year}} = 1.0 \times 10^{-6}\ \text{per hour}$$

Applying Equation 6, with the machinery protection system credited as a non-SIF IPL acting after the SIF (PFD 1x10^-1) and the enclosure occupancy (2 hours per day, approximately 0.1) as the enabling condition, the target PFH is less than 1.0x10^-6 per hour, or SIL 2 according to IEC 61511 [1] Part 1 Table 4 for Continuous Mode SIFs. SIL 2 will require fault tolerance in each subsystem according to IEC 61511 [1] Part 1 Table 6, or a sufficiently high safe failure fraction according to IEC 61508 [2] Part 2 Tables 2 and 3.
Table 3 (Target FDF/PFH per SIL) and Table 2 (Minimum Hardware Fault Tolerance) above apply.
Table 4 – Architectural Constraints on Type A Safety-Related Subsystems (from IEC 61508-2:2010 Table 2)

  Safe Failure Fraction   HFT = 0   HFT = 1   HFT = 2
  < 60%                   SIL 1     SIL 2     SIL 3
  60% – < 90%             SIL 2     SIL 3     SIL 4
  90% – < 99%             SIL 3     SIL 4     SIL 4
  ≥ 99%                   SIL 3     SIL 4     SIL 4

Table 5 – Architectural Constraints on Type B Safety-Related Subsystems (from IEC 61508-2:2010 Table 3)

  Safe Failure Fraction   HFT = 0       HFT = 1   HFT = 2
  < 60%                   Not allowed   SIL 1     SIL 2
  60% – < 90%             SIL 1         SIL 2     SIL 3
  90% – < 99%             SIL 2         SIL 3     SIL 4
  ≥ 99%                   SIL 3         SIL 4     SIL 4
The system will be designed with 1oo2 voted flow sensors (Type B, SFF > 60%, 10% Beta), a single logic solver (Type B, SFF > 90%), and a single valve assembly (Type A, SFF > 60%) with a 5 year test interval. Per Tables 4 and 5, each of these architectures permits a SIL 2 claim. The following dangerous failure rates were collected:

  Impulse Lines: 4x10^-7 dangerous failures per hour
  Differential Pressure Transmitter: 8x10^-7 dangerous failures per hour
  Logic Solver System: 9x10^-8 dangerous failures per hour
  Digital Valve Controller: 4x10^-7 dangerous failures per hour
  Anti-Surge Valve and Actuator: 3x10^-7 dangerous failures per hour

Applying Equation 7, with the 1oo2 sensor subsystem evaluated by Equation 10 (λ_D = 1.2x10^-6 per hour for one channel of impulse lines plus transmitter, β = 0.1, 43,800 hour test interval) and the simplex logic solver and valve assembly by Equation 8:

$$\text{Achieved PFH}_{1oo2} = 2\left[(1-\beta)\lambda_D\right]^2 \left[\frac{\text{Test Interval}}{2}\right] + \beta\lambda_D$$
Equation 10 – Simplified Achieved PFH for 1oo2 High Demand and Continuous Mode Subsystems

$$[1.71 \times 10^{-7}] + [9 \times 10^{-8}] + [7 \times 10^{-7}] = 9.61 \times 10^{-7}\ \text{per hour}$$

Using very simplified failure assumptions the SIF achieves an overall dangerous failure frequency of 9.61x10^-7 per hour; less than the failure frequency target and within the requirements for a SIL 2 Continuous Mode SIF.
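The anti-surge verification above, as an added Python example that is not part of the original paper: Equation 10 for the 1oo2 sensor subsystem with a beta factor, Equation 8 for the simplex subsystems, the Table 3 band lookup, and an encoding of the Tables 4 and 5 architectural constraints so that each subsystem's SFF and HFT are checked against the required SIL as well as the summed PFH. Function names, the SFF values of 0.65 and 0.95 standing in for the paper's "SFF > 60%" and "SFF > 90%", and the tuple layout for subsystems are the example's own assumptions.

```python
import math

# Tables 4 and 5 (IEC 61508-2:2010 Tables 2 and 3): for each Safe Failure
# Fraction band, the highest SIL claimable at Hardware Fault Tolerance 0, 1, 2.
# 0 means the architecture is not allowed at all for that band.
_SFF_BANDS = ((0.99, ">=99%"), (0.90, "90%-<99%"), (0.60, "60%-<90%"), (0.0, "<60%"))
ARCHITECTURAL_CONSTRAINTS = {
    "A": {"<60%": (1, 2, 3), "60%-<90%": (2, 3, 4), "90%-<99%": (3, 4, 4), ">=99%": (3, 4, 4)},
    "B": {"<60%": (0, 1, 2), "60%-<90%": (1, 2, 3), "90%-<99%": (2, 3, 4), ">=99%": (3, 4, 4)},
}


def sff_band(sff):
    for lower, label in _SFF_BANDS:
        if sff >= lower:
            return label
    raise ValueError("SFF must be in [0, 1]")


def max_sil_for_architecture(device_type, sff, hft):
    """Highest SIL the subsystem's architecture permits, independent of its PFH."""
    hft = min(hft, 2)   # the tables stop at HFT 2
    return ARCHITECTURAL_CONSTRAINTS[device_type.upper()][sff_band(sff)][hft]


def pfh_1oo1(lam_d):   # Equation 8
    return lam_d


def pfh_1oo2(lam_d, beta, proof_test_interval_hours):
    """Equation 10: two independent failures inside one test interval, plus the
    common-cause (beta) share that a second channel does nothing about."""
    independent = 2.0 * ((1.0 - beta) * lam_d) ** 2 * (proof_test_interval_hours / 2.0)
    return independent + beta * lam_d


def sil_from_pfh(pfh):
    """Table 3 band: SIL n covers 10^-(n+5) <= PFH < 10^-(n+4) per hour."""
    return max(0, min(4, math.floor(-math.log10(pfh) + 1e-9) - 4))


def verify_continuous_sif(target_pfh, subsystems):
    """subsystems: (name, pfh, device_type, sff, hft). A Continuous Mode SIF
    passes only if the summed PFH beats the target AND every subsystem's
    architecture permits the required SIL."""
    required_sil = sil_from_pfh(target_pfh)
    achieved = sum(s[1] for s in subsystems)
    architecture_ok = {name: max_sil_for_architecture(t, sff, hft) >= required_sil
                       for name, _, t, sff, hft in subsystems}
    return {
        "required_sil": required_sil,
        "achieved_pfh": achieved,
        "achieved_sil": sil_from_pfh(achieved),
        "pfh_ok": achieved < target_pfh,
        "architecture_ok": architecture_ok,
        "passes": achieved < target_pfh and all(architecture_ok.values()),
    }


def anti_surge_example():
    """The paper's compressor anti-surge SIF against its 1e-6 per hour target."""
    ti = 5 * 8760
    sensors = pfh_1oo2(4e-7 + 8e-7, beta=0.10, proof_test_interval_hours=ti)  # impulse lines + DP
    logic = pfh_1oo1(9e-8)
    valve = pfh_1oo1(4e-7 + 3e-7)   # digital valve controller + valve/actuator
    return verify_continuous_sif(1.0e-6, [
        ("flow sensors 1oo2", sensors, "B", 0.65, 1),
        ("logic solver", logic, "B", 0.95, 0),
        ("anti-surge valve", valve, "A", 0.65, 0),
    ])


if __name__ == "__main__":
    for key, value in anti_surge_example().items():
        print(f"{key}: {value}")
```

Dropping the sensor subsystem to a single Type B transmitter with the same SFF fails twice over: the PFH rises to 1.2x10^-6 per hour, above the target, and Table 5 caps a Type B, SFF < 90%, HFT 0 subsystem at SIL 1, so `architecture_ok` reports the shortfall even before the PFH is summed.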
DEVICE SELECTION AND MECHANICAL INTEGRITY
A Mechanical Integrity program is a fundamental element of an overall process safety
management system. Long-term safety depends on continuous and proactive inspection,
preventive maintenance, and functional testing, promoting the ongoing performance of
equipment involved in the processing and storage of hazardous materials. SIS and SIF
Mechanical Integrity planning begins in the design phase with proper device selection, the
specification of appropriate inspection and testing intervals, the development of specific
inspection and testing procedures, and training for the personnel carrying out these procedures
over the life of the plant.
Due to the prevalence of Low Demand Mode SIFs, the majority of IEC 61508 certified
instruments may provide failure rate data appropriate only for Low Demand applications.
Selection of instrumentation in more frequent or continuous use presents a challenge for High
Demand and Continuous Mode SIFs, particularly with final elements, as the failure
characteristics and the definition of useful life will most certainly be different. Always consult
Safety Manuals and other manufacturer documentation for any devices under consideration to
ensure they are intended for use in the required service, and that all of the manufacturer’s
requirements can be addressed in the design and mechanical integrity plan. When certified devices are not available, a proven-in-use (prior use) justification should carefully consider differences in application and frequency of operation.
In Low Demand SIFs, aside from the dangerous failure rate itself, proof test interval is the variable that has the largest impact on achieved safety integrity. For this reason the SIL verification frequently becomes the deciding factor in how often each device must be tested and what on-line testing facilities must be included in the design. Unlike Low Demand Mode SIFs, such an interval is not always considered in the PFH calculation for High Demand and Continuous Mode SIFs. This does not suggest, however, that High Demand and Continuous Mode devices are free to operate indefinitely without preventive maintenance. Periodic inspection, functional testing, and restoration to new or like-new condition must be regarded as basic requirements for SIFs of all operating modes, and all devices must be operated within their useful life, where random failures can be assumed to occur at a constant rate. Keep in mind that Low Demand Mode assumes that dangerous failures are more likely to be uncovered by a proof test than by a demand (i.e. the mean demand interval is at least twice the proof test interval). If online testing and repair cannot take place according to the assumptions made during the analysis phase, the SIF Mode of Operation may need to be reconsidered.
Finally, as demands are more likely to arise Mean Time To Restore (MTTR) becomes a much
more critical variable in the achieved safety integrity. Not only may the quantity of spare parts
need to be adjusted to ensure timely replacement of faulty devices, but so may the training of
maintenance personnel and the methods for identification of priorities.
For further information and recommended practices regarding SIS Mechanical Integrity, refer to
ISA Technical Report TR84.00.03 [7].
KEY TAKE-AWAYS
- Demand Rate must be estimated prior to determination of target safety integrity; the determination method and the measure of safety integrity change as demand rate increases.
- PFDavg cannot be converted to PFH, or vice versa. Different assumptions and variables are involved in both the determination of the integrity target and the verification of achieved integrity, so the two metrics must not be treated as interchangeable.
- Achieved PFH in the High Demand Mode is not necessarily equal to achieved PFH in the Continuous Mode. Different assumptions and variables may be involved in the verification of achieved integrity.
- Purely qualitative SIL determination methodologies may not adequately address SIF Demand Rates.
- The LOPA methodology based on the Event Tree analysis technique is capable of addressing the sequence of protection layer demands, providing a mechanism for greater precision in demand rate assessments. The sequence of IPLs may be considered in Demand Rate assessments if sufficient data is available to support estimation of the overall process safety time and the available response time allocated to each protection layer.
- SIL determination techniques do not readily account for dependencies between initiating events and protection layers. Failure to fully separate BPCS and SIS instrumentation may inadvertently place a SIF into the Continuous Mode [1, Part 1 clauses 11.2.10; 3.2.43.2].
- Demand Rates should be monitored and analyzed to validate assumptions made during the Hazard and Risk Assessment and SIL determination stages. Investigating the causes and frequencies of safety system demands is key in the continuous improvement of a safety management system [1, Part 1 clause 5.2.5].
- The meanings of Low Demand, High Demand, and Continuous Modes of SIF Operation must be understood by process risk analysts, design engineers, unit operators, and maintenance personnel.
- Just as with Safety Integrity Level, the Mode of Operation is applied to the SIF in its entirety and not to individual components.
- Safety Instrumented Functions are completely customized for each application; there can be no single collection of predetermined requirements. Design constraints and mechanical integrity practices must be determined in the context of the process and the process risk, of which Demand Rate is a key consideration.
CONCLUSIONS
Many of us more readily associate Safety Integrity Levels with the severities of the particular
consequences SIFs are designed to prevent. This is of course only half of the equation as risk is
the product of consequence severity and likelihood. Hazard scenarios may require risk reduction
not only due to high consequence severity, but also due to a high frequency of occurrence. The ratio of demand interval to proof test interval is of critical importance to assigning the appropriate SIF Mode of Operation and determining the applicable measure of safety integrity.
Ever-increasing safety and economic targets place competing pressures on plants and projects to
design SIFs that provide for greater risk reduction, extended proof test intervals, and tighter
integration with the BPCS. While the overwhelming majority of SIFs are assumed to be
operating in the Low Demand Mode of Operation, the criteria that allow this to be true cannot be
overlooked in favor of expedience or convenience.
Improperly estimating demand rates can result in incorrect specification and verification of
safety integrity; the basis for many subsequent decisions in the SIS design process. Long term
mechanical integrity may also suffer due to improperly selected field devices and inappropriate
maintenance practices, ultimately resulting in over-confidence that risk tolerance targets are
being achieved and sustained over time. To combat these effects, careful and conservative
demand rate estimation should take a more prominent role in the determination of SIF integrity
requirements.
REFERENCES
[1] IEC 61511:2003. Functional safety – Safety instrumented systems for the process
industry sector, Parts 1–3. Geneva: International Electrotechnical Commission. 2003.
or
ANSI/ISA-84.00.01-2004 (IEC 61511 Mod). Functional Safety: Safety Instrumented
Systems for the Process Industry Sector, Parts 1–3. Research Triangle Park:
Instrumentation, Systems, and Automation Society. 2004.
[2] IEC 61508:2010. Functional safety of electrical/electronic/programmable electronic
safety-related systems, Parts 1–7, Edition 2.0. Geneva: International Electrotechnical
Commission. 2010.
[3] Committee Draft IEC 61511 edition 2. Functional safety – Safety instrumented systems
for the process industry sector, Parts 1–3. Geneva: International Electrotechnical
Commission. 2012.
[4] ISA-TR84.00.04-2011. Guidelines for the Implementation of ANSI/ISA-84.00.01-2004
(IEC 61511 Mod). Research Triangle Park: International Society of Automation. 2011.
[5] ANSI/ISA-84.91.01-2012. Identification and Mechanical Integrity of Safety Controls,
Alarms, and Interlocks in the Process Industry. Research Triangle Park: International
Society of Automation. 2012.
[6] ISA-TR84.00.02-2002. Safety Instrumented Functions (SIF) - Safety Integrity Level
(SIL) Evaluation Techniques. Research Triangle Park: International Society of
Automation. 2002.
[7] ISA-TR84.00.03-2011. Mechanical Integrity of Safety Instrumented Systems (SIS).
Research Triangle Park: International Society of Automation. 2011.
[8] Layer of Protection Analysis: Simplified Process Risk Assessment. New York: Center
for Chemical Process Safety of the American Institute of Chemical Engineers, 2001.
[9] Henley, Ernest J. and Hiromitsu Kumamoto. Reliability Engineering and Risk
Assessment. New York: Prentice-Hall. 1981.