RJ (Dick) Perry – Safety Systems Consultant

It has been some 15 years since the introduction of the functional safety management standards IEC 61508 and IEC 61511, and most international organisations and operating facilities are now fully up to speed on their implementation. These standards allow a more flexible, risk-based approach to assessing protection requirements than the prescriptive standards of the past, and they leave it to the safety design review team to determine "how safe is safe". It was the renowned process safety specialist Trevor Kletz who once said, "Most accidents are not due to a lack of knowledge, but failure to use the knowledge we already have". Functional safety management covers a number of steps or phases during project execution, which are described in the Functional Safety Lifecycle Model, see Figure 1. This technical paper briefly describes those phases applicable to hazard analysis and SIL determination. It should be noted that all IEC (International Electrotechnical Commission) standards referenced here have also been adopted as South African National Standards (SANS).

Figure 1 Functional Safety Lifecycle

The use of collective knowledge is attempted at the Hazard and Operability (HAZOP) review, where knowledgeable persons from all engineering disciplines associated with the project follow a set procedure, in accordance with IEC 61882 Hazard and Operability Studies – Application Guide, to review the overall design and check for design or operational flaws by questioning deviations from the normal state that could reveal unsafe process design or operating practice. This is followed by a Safety Integrity review, which assigns a safety design level proportional to the identified risk for process and equipment protection requirements. This risk analysis is a mandatory requirement of the RSA OHS Act 85 of 1993 – Major Hazard Installation Regulations for new or modified installations, and it must also be reviewed every 5 years. Below is the typical risk assessment activity sequence, showing the required inputs and resultant outputs:


Inputs                               Activity                Outputs
P&IDs                                Hazop Study             Hazop Report
Control & Safeguarding Narrative                             P&IDs Updated
Cause & Effect Diagrams                                      Instrument & Alarm List Updated
Instrument & Alarm List
Hazardous Area Classification

Alarm Philosophy                     Alarm Rationalisation   Alarm List Updated

General SRS                          SIL Assignment          SIL Assignment Report
Client's Risk Matrix

SIF Architecture                     SIL Assessment          SIL Assessment Report
SIS Equipment Failure Data

Subsequent lifecycle phases: Design & Procurement, SIS Installation, FAT/SAT & Maintenance

The primary objective of a Hazop is to identify hazardous deviations from design intent in the process itself or in the associated process equipment and its operability, and then to recommend corrective actions. This is normally achieved by a team of knowledgeable persons from different disciplines. On large projects the team will normally consist of the Owner's and Engineering Contractor's Project Engineers and possibly the Process Licensor or Package Vendor, a Process or Chemical Engineer, Piping Engineer, Mechanical Engineer, Control Systems Engineer, SHE Engineer, Operating Supervisor, Maintenance Supervisor and any other specialist that may be required for short periods. The Hazop is conducted and recorded in a well proven and structured way using a set of the approved P&IDs, taking one Node at a time and systematically examining all relevant sections of the design, asking specific 'guide word' consequence questions related to the process variables, such as more pressure and less flow. Operability questions such as start-up/shutdown and maintenance are also included; refer to Table 1 for typical deviation types.

Deviation Type              Guide Word    Example for Process                         Example for Control System
Negative                    No / None     No part of the design intention is          Loss of measurement or control signal.
                                          achieved. Pump stops.
Quantitative Modification   More          Increase in pressure.                       Measurement reads high.
                            Less          Decrease in pressure.                       Measurement reads low.
Qualitative Modification    As Well As    Impurities present.                         Spurious signal.
                            Part Of       Only some of the intention takes place.     Interruption of, or partial, data transfer.
Substitution                Reverse       Reverse flow or reaction.                   Normally not applicable.
                            Other Than    Result other than intention.
Time or Order of Sequence   Early         Something happens too early.                Alarm settings.
                            Late          Something happens too late.                 Measurement transfer lags.
Operations                  Maintenance   Equipment isolation.                        Test overrides (ESD).

Table 1 Example of Deviations and their Guide Words

As part of the Process Hazard Analysis (PHA), where operational deficiencies and risks are identified, the risks must be reduced to acceptable levels in accordance with the "As Low As Reasonably Practicable" (ALARP) principle; refer to Figure 1 for this risk reduction concept.

Figure 1 Risk Reduction

The results of these deviation questions are recorded on the Hazop Study Notes worksheet (refer to Figure 2) and the P&IDs are marked up where necessary. It is not unusual for critical or complex items of equipment to need a further in-depth examination using Failure Mode and Effect Analysis (FMEA); this is normally conducted outside of the Hazop. An Alarm Rationalisation review is also required to confirm that all alarms are necessary and to assign alarm priorities. It is also important to reduce operator 'alarm floods' during process upsets by various suppression methods; for further information refer to IEC 62682 Management of Alarm Systems for the Process Industries.

Figure 2 Typical HAZOP Study Worksheet

The HAZOP and SIL Review timing is important so as to limit the amount of possible design rework
and will normally be conducted prior to the project detailed engineering design phase.

To determine just how much safety design needs to be applied, a Safety Integrity Level (SIL) is determined, preferably as part of the HAZOP, in relation to the perceived risk: the probable frequency of a dangerous event occurring (the protection demand) and its likely or credible consequence. There are 4 SIL grades, based for low demand mode on the average probability of failure on demand (PFDavg), or equivalently the safety availability, and for high demand or continuous mode on the probability of a dangerous failure per hour (PFH). Each level is one order of magnitude more demanding than the one below it, which is also expressed by the Risk Reduction Factor (RRF), the reciprocal of PFDavg. SIL 1 is the lowest and most common, with SIL 4 the highest and rarely seen in the normal process industries; refer to Table 2, which tabulates the different SILs. A RRF of less than 10 is all that would be credited to the normal Process Control System (PCS or DCS).


SIL   PFDavg (low demand mode)    PFH (dangerous failures per hour)   Safety Availability (%)   RRF (1/PFDavg)
1     1E-02 ≤ PFDavg < 1E-01      1E-06 ≤ PFH < 1E-05                 90.00 to < 99.00          10 to < 100
2     1E-03 ≤ PFDavg < 1E-02      1E-07 ≤ PFH < 1E-06                 99.00 to < 99.90          100 to < 1 000
3     1E-04 ≤ PFDavg < 1E-03      1E-08 ≤ PFH < 1E-07                 99.90 to < 99.99          1 000 to < 10 000
4     1E-05 ≤ PFDavg < 1E-04      1E-09 ≤ PFH < 1E-08                 ≥ 99.99                   ≥ 10 000

Table 2 SIL Requirements

As with the HAZOP, the SIL Review has to be well documented to record not only the SIL assigned but also the SIL determination or decision procedure. The Safety Instrumented System (SIS) has to be functionally separated from the normal Process Control System to maintain functional safety integrity and to avoid 'common cause failures', and will normally reside within a certified Emergency Shutdown (ESD) system. The SIS comprises a number of specific safety protection loops or Safety Instrumented Functions (SIFs), such as Low Fuel Gas Pressure in a Burner Management System (BMS), which itself can be a separate SIS or 'partitioned' within the overall plant SIS. During the preliminary or 'internal' HAZOP, where high process or operating risks are identified, the SIF protection functions will normally be assigned higher design integrity, such as a voting architecture, e.g. 1oo2 (One out of Two).
The SIL Review is a risk assignment in a structured sequence to determine the required SIL for a specific safety application, and whether a SIF is needed to form part of this protection. As an example, if the high pressure protection of a vessel is determined to require SIL 2 and the vessel has a pressure safety valve (PSV), the PSV can normally be credited with risk reduction equivalent to SIL 2 (RRF 100); the SIL 2 requirement is therefore met and no further risk reduction is necessary. However, if SIL 3 protection was deemed necessary, additional risk reduction is required to close the one-SIL gap and give the overall SIL 3 risk reduction. This can be achieved by a SIF which detects high pressure in the vessel and trips the fluid supply via an ESD valve, thereby isolating the energy input to the vessel. In determining the required SIL, it is also important to review the probable Spurious Trip Rate (STR) and assign a 'target' value which is acceptable for the process Unit or Plant. It is of little use to design a SIF to a very high SIL if, because of its complexity, it is always tripping due to design and reliability problems. Many process accidents are caused by spurious trips and the subsequent plant start-up, so reducing the spurious trip rate increases overall plant safety and reduces equipment stress during shutdown/start-up and hence equipment maintenance. Three attributes need to be addressed in a SIL assignment: personnel safety, the environment and financial loss. The highest SIL resulting from these three is used to design the safety protection required and any applicable SIF. There are a number of other factors involved in determining the required SIL; refer to Figure 3, showing a typical SIL Assignment spreadsheet (shown in 3 parts). This spreadsheet is designed and calibrated to match the Client's or facility owner's specific risk aversion, as determined from a Risk Graph or Risk Matrix such as Figure 4.

Figure 3 Typical SIL Assignment Spreadsheet

Figure 4 Typical Risk Matrix

The first part of the SIL Assignment spreadsheet contains general information such as the SIS/ESD Group reference, SIF I/O Tags, P&ID reference, HAZOP Node, Event Cause and Consequence. A likely demand rate (the frequency of the initiating event that calls for trip action) is determined from a database, e.g. failure of a control loop is taken as once in 10 years, or 0.1 per year. All demands on a protection function (SIF) need to be summed to give the probable overall demand rate, e.g. if there were 2 possible independent control loop failures then the demand rate would be 0.1 + 0.1 = 0.2 per year, or once in 5 years. One then needs to assess the possibility of a fire or explosion; this is nearly always due to loss of containment (LOC), and is applicable to any hydrocarbon but especially where the fluid has a low flash point and is operating above its auto-ignition temperature. Finally the process safety time (PST) has to be determined. This is important for fast reactions, to ensure that the SIF can safely trip the process well within this time period; the achievable trip time is often dictated by the measurement transfer lag and the stroke speed of large ESD valves. See Figure 5, showing the different protection layers and the PST for a high pressure protection system.

Figure 5 Process Safety Time

The next section of the spreadsheet requires the Demand Rate or Event Frequency to be inserted, taken from the General Section, together with any credit that can be taken for a short process operating period, termed the Mission Time. The next section to be completed is Safety and Health, where the likelihood of injuries or fatalities resulting from the hazardous event consequence is determined. Credit is also taken for the probability of personnel (operators) being present should an event occur: if an operator is present in the process area for less than 1 hour per shift, then a factor of 0.1 (equivalent to one SIL) can be credited due to the probabilistically lower risk of injury. These are termed Risk Modifiers and a number of them are included; see Table 3.
The next section to consider is the Environmental Consequence of an incident occurring, and whether any credit can be taken for reducing or mitigating the consequence, such as flare systems. Finally the Business or Financial Loss, which includes not only possible equipment damage but also the loss of production profit, and whether any credit can be taken for reducing the consequences, such as Fire and Gas systems or equipment redundancy. This last section for Business or Financial Loss is not a requirement of the safety standards, but is very important for the facility owner and will often produce the highest SIL requirement. Because it is not a requirement of the safety standards, the facility owner can accept some of the risk for Business or Financial loss if the additional cost to meet a certain SIL is very high, e.g. if the required protection was SIL 3 and the designed SIF could only meet SIL 2, the owner may elect to accept the one-SIL gap. Once each of the 3 attribute sections (Safety and Health, Environment and Financial Loss) is completed, the spreadsheet automatically calculates the individual SIL requirement for each; credit must then be taken for any Independent Layers of Protection (ILP) to determine whether additional SIF requirements are needed to close any remaining SIL gap.

Table 3 Risk Modifiers

Table 4 Independent Layers of Protection

Refer to Table 4 for some typical ILPs. Where applicable, these SIL credits are deducted from the SIL requirements of the 3 attribute sections, and the final SIL Rating is determined as the highest of the 3 individual attributes. There is also a column for the estimated STR, into which a default value of 1 in 10 years (0.1 per year) can be inserted. Although a STR of 1 in 10 years seems adequate, one must remember that this is for 1 SIF only; a protection system such as a BMS may have several SIFs, so the combined STR will soon reach around once per year. This needs to be considered in proportion to other 'process' related shutdowns such as process equipment failure or operator error, i.e. the SIFs must not be the predominant cause of plant spurious trips. Another important reason to limit SIF spurious trips, apart from lost production, is that many process incidents occur during shutdown and start-up, which also place additional stresses on process equipment. SIF spurious trips can be minimised through equipment selection, including voting, and functional logic software design.
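As an added worked example, not from the paper and not any client's calibrated spreadsheet, the assignment logic described above can be reproduced as a LOPA-style frequency calculation in Python. Each decade of required risk reduction corresponds to one SIL, which is how the spreadsheet's "deduct one SIL per credit" arithmetic maps onto RRF. The tolerable frequency matrix, the consequence severity categories, the modifier factors (ignition 0.5, occupancy 0.1) and the RRF 100 credited to the PSV are assumed illustrative figures; the demand rates and the PSV case itself follow the paper's narrative.

```python
"""
Added example (not part of the original paper): SIL assignment for one
hazardous event in the style of the SIL Assignment spreadsheet.

Per attribute (Safety/Health, Environment, Business):
  unmitigated frequency = summed demand rate x product of risk modifiers
  required RRF          = unmitigated frequency / tolerable frequency
  residual RRF          = required RRF / product of ILP credits
  SIF SIL               = decade of the residual RRF (one SIL per decade)
The final SIL is the highest of the three attributes.

ASSUMED values: the tolerable frequency matrix, severity categories,
modifier factors and the PSV credit are illustrative only.
"""
import math
from dataclasses import dataclass, field

# ASSUMED client matrix: tolerable frequency (events/year) per consequence
# severity category, one decade per category.
TOLERABLE_FREQUENCY = {1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4, 5: 1e-5}


@dataclass
class Attribute:
    name: str
    severity: int                                   # 1..5 in the assumed matrix
    modifiers: dict = field(default_factory=dict)   # e.g. {"occupancy": 0.1}


def sil_from_rrf(rrf: float) -> int:
    """One SIL per decade of required risk reduction. Below RRF 10 the
    process control system alone is considered adequate (no SIF, returns 0);
    the result is capped at SIL 4. A small tolerance absorbs float noise."""
    if rrf < 10.0 * (1.0 - 1e-9):
        return 0
    return min(4, int(math.floor(math.log10(rrf) + 1e-9)))


def assign_sil(demand_rates, attributes, ilp_credits):
    """demand_rates: per-year rate of each independent initiating cause,
    summed as the paper describes. ilp_credits: {name: RRF} for layers such
    as a PSV that protect against the same event."""
    demand = sum(demand_rates)
    ilp_rrf = math.prod(ilp_credits.values()) if ilp_credits else 1.0
    result = {}
    for attr in attributes:
        modifier = math.prod(attr.modifiers.values()) if attr.modifiers else 1.0
        unmitigated = demand * modifier
        required_rrf = unmitigated / TOLERABLE_FREQUENCY[attr.severity]
        residual_rrf = required_rrf / ilp_rrf
        result[attr.name] = {
            "unmitigated_per_year": unmitigated,
            "required_rrf": required_rrf,
            "residual_rrf": residual_rrf,
            "sif_sil": sil_from_rrf(residual_rrf),
        }
    result["final_sil"] = max(v["sif_sil"] for v in result.values())
    return result


def sil_gap(required_sil: int, achievable_sil: int) -> int:
    """Negative when the designed SIF falls short of the requirement; the
    paper notes an owner may accept such a gap for the Business attribute."""
    return achievable_sil - required_sil


def vessel_high_pressure_example():
    """Worked case from the paper's narrative: two independent control loop
    failures (once in 10 years each) can overpressure a vessel fitted with a
    PSV. Severity categories and modifier values are ASSUMED."""
    demands = [0.1, 0.1]
    attributes = [
        Attribute("Safety/Health", severity=5,
                  modifiers={"ignition": 0.5, "occupancy": 0.1}),
        Attribute("Environment", severity=3),
        Attribute("Business", severity=5, modifiers={"ignition": 0.5}),
    ]
    ilps = {"PSV": 100.0}   # PSV credited as SIL 2 equivalent (RRF 100)
    return assign_sil(demands, attributes, ilps)


if __name__ == "__main__":
    for name, row in vessel_high_pressure_example().items():
        print(name, row)
```

With these assumptions the PSV alone is sufficient for the Environment attribute (residual RRF 2, so nothing beyond the DCS), Safety/Health needs a SIL 1 SIF and Business needs SIL 2, so the SIF is designed to SIL 2, which is the situation the paper describes where the owner's financial attribute sets the highest requirement.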

For each SIF, a Safety Requirements Specification (SRS) needs to be developed to ensure that the SIF meets the overall SIS design philosophy requirements, and to enable the SIS ESD engineering contractor and the safety system supplier or vendor to configure the SIF within the certified safety system. This specification is also used during the SIS factory acceptance test to confirm that the SIF design intent is achieved. An important aspect of the SRS is to provide guidance on the design of the SIS, including maintenance override procedures and how to handle SIF faults. The SRS also sets out the requirements for good communication with the control room operator on the operational status of the SIS via graphic displays. To this end, the SRS is normally split into two sections: the first is the 'General SRS', which provides the overall SIS design guidelines such as voting requirements, and the second is the 'SIF SRS', which provides narrative details of the specific SIF SIL requirements; refer to Figure 6 for part of a typical SIF SRS which satisfies IEC 61511.

Once the SIF SIL requirements have been determined, each SIF loop, which includes the sensor or transmitter, the Logic Solver (SIS ESD PLC) and the final element (ESD valve or motor drive), must be evaluated to ensure that the SIF loop design meets the required SIL and also the 'target' STR. This involves some complex calculations based on the SIF architecture, e.g. 1oo2 voting, and requires all SIF loop component failure data to be entered, including the safe failure fraction (SFF) determined from the fail-safe and fail-to-danger failure modes, both detected and undetected; refer to Figure 7, showing the final part of a typical SIL Evaluation Report. In addition, information such as Mission Time, SIF proof test interval and test efficiency (proof test coverage) determines whether the designed SIF can achieve the required SIL.
The typical SIL evaluation report as shown allows different sub-system test intervals to be inserted together with the sub-system architecture, to see how best to achieve the required SIF SIL; the bar graphs for PFDavg and STR clearly show which part of the SIF may need improvement. In the majority of cases the final element shows the highest contribution to PFDavg. With long Mission Times of say 4 or 5 years between scheduled plant shutdowns, testing of final elements is a problem in achieving the higher SIL 2 and SIL 3 design requirements, as ESD isolation valves cannot normally be fully stroked online. One solution is to use a 1oo2 ESD valve installation, but this leads to a higher spurious trip rate; another is to use a parallel ESD valve configuration (often used for the BMS main Fuel Block Valves, which are specified to be tested at least once per year), but both of these solutions increase the installed cost. A further solution is valve partial stroke testing, where the ESD valve is periodically exercised through about 10-15% of its travel, which does not affect the process variable such as flow but checks the trip functionality and confirms that the ESD valve has not become stuck over time. Partial stroke testing also applies to electrical actuators, which are normally not fail-safe; because of their longer stroke times, the test can be achieved with less stroke movement by detecting end limit switch action.
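As an added example, not from the paper and not any vendor's certified SIL verification tool, the following Python reproduces the kind of evaluation described above using the simplified low-demand PFDavg and spurious trip rate equations of IEC 61508-6, and compares the three final-element options just discussed: a single valve, 1oo2 valves, and a single valve with partial stroke testing. Every failure rate, beta factor, proof test coverage, partial stroke coverage, test interval and mission time in the code is an assumed illustrative value, not data taken from Figure 6 or Figure 7; the logic solver's 2oo4D architecture is approximated here as 1oo2.

```python
"""
Added example (not part of the original paper): simplified low-demand-mode
PFDavg and spurious trip rate (STR) evaluation for a SIF built from sensor,
logic solver and final element sub-systems, using simplified IEC 61508-6
style equations (lDU/lDD dangerous undetected/detected rates, T effective
exposure interval):

  1oo1  PFDavg ~ lDU*T/2 + lDD*MTTR
  1oo2  PFDavg ~ ((1-beta)*lDU*T)^2/3 + beta*lDU*T/2 + beta*lDD*MTTR
  2oo2  PFDavg ~ lDU*T + 2*lDD*MTTR

Proof test coverage (the paper's "test efficiency") splits lDU into a part
found at each proof test and a part found only at the mission-time overhaul;
partial stroke testing (PST) adds a shorter interval for the fraction of
valve faults a partial stroke can reveal.  ALL numbers are ASSUMED.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


@dataclass
class Subsystem:
    name: str
    voting: str                 # "1oo1", "1oo2" or "2oo2"
    lambda_du: float            # dangerous undetected failures per hour, per channel
    lambda_dd: float            # dangerous detected failures per hour, per channel
    lambda_s: float             # safe (spurious) failures per hour, per channel
    ti_years: float             # proof test interval, years
    ptc: float = 1.0            # proof test coverage, 0..1
    beta: float = 0.1           # common cause fraction for redundant channels
    mttr_hours: float = 8.0
    pst_coverage: float = 0.0   # fraction of lDU revealed by a partial stroke
    pst_weeks: float = 0.0      # partial stroke test interval


def effective_du_term(sub: Subsystem, mission_years: float) -> float:
    """Return lDU * T_eff, the undetected dangerous failure exposure."""
    ti = sub.ti_years * HOURS_PER_YEAR
    mt = mission_years * HOURS_PER_YEAR
    # Faults the proof test can find accumulate over TI, the rest until overhaul.
    t_eff = sub.ptc * ti + (1.0 - sub.ptc) * mt
    if sub.pst_coverage > 0.0:
        pst = sub.pst_weeks * 7.0 * 24.0
        t_eff = sub.pst_coverage * pst + (1.0 - sub.pst_coverage) * t_eff
    return sub.lambda_du * t_eff


def pfd_avg(sub: Subsystem, mission_years: float) -> float:
    lam_t = effective_du_term(sub, mission_years)
    dd = sub.lambda_dd * sub.mttr_hours          # detected faults live for one MTTR
    if sub.voting == "1oo1":
        return lam_t / 2.0 + dd
    if sub.voting == "1oo2":
        independent = ((1.0 - sub.beta) * lam_t) ** 2 / 3.0
        return independent + sub.beta * lam_t / 2.0 + sub.beta * dd
    if sub.voting == "2oo2":
        return lam_t + 2.0 * dd                  # either channel failing is dangerous
    raise ValueError(f"unsupported voting {sub.voting}")


def spurious_trips_per_year(sub: Subsystem) -> float:
    ls = sub.lambda_s
    if sub.voting == "1oo1":
        rate = ls
    elif sub.voting == "1oo2":
        rate = 2.0 * ls                          # either channel failing safe trips
    elif sub.voting == "2oo2":
        rate = 2.0 * ls * ls * sub.mttr_hours + sub.beta * ls  # both must fail safe
    else:
        raise ValueError(f"unsupported voting {sub.voting}")
    return rate * HOURS_PER_YEAR


def sil_from_pfd(pfd: float) -> int:
    """IEC 61508 low-demand SIL band; 0 means below SIL 1."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0


def evaluate_sif(subsystems, mission_years):
    pfd = sum(pfd_avg(s, mission_years) for s in subsystems)
    worst = max(subsystems, key=lambda s: pfd_avg(s, mission_years))
    return {"pfd_avg": pfd, "rrf": 1.0 / pfd, "sil": sil_from_pfd(pfd),
            "str_per_year": sum(spurious_trips_per_year(s) for s in subsystems),
            "worst": worst.name}


def final_element_options(mission_years=4.0):
    """Compare the three final-element options from the paper, with the
    valve fully stroked only at the mission-time shutdown (ASSUMED data)."""
    sensor = Subsystem("FT 1oo2", "1oo2", 3e-7, 6e-7, 2e-7, ti_years=1.0, ptc=0.9, beta=0.05)
    logic = Subsystem("Logic solver", "1oo2", 1e-8, 4e-7, 5e-8, ti_years=mission_years, beta=0.02)
    valve = dict(lambda_du=8e-7, lambda_dd=0.0, lambda_s=5e-7, ti_years=mission_years)
    options = {
        "1oo1 valve": [Subsystem("UV 1oo1", "1oo1", **valve)],
        "1oo2 valves": [Subsystem("UV 1oo2", "1oo2", **valve, beta=0.1)],
        "1oo1 valve + PST": [Subsystem("UV 1oo1 PST", "1oo1", **valve,
                                       pst_coverage=0.6, pst_weeks=13.0)],
    }
    return {name: evaluate_sif([sensor, logic] + fe, mission_years)
            for name, fe in options.items()}


if __name__ == "__main__":
    for name, row in final_element_options().items():
        print(f"{name:18s} PFDavg={row['pfd_avg']:.2e} SIL {row['sil']} "
              f"STR={row['str_per_year']:.4f}/yr worst={row['worst']}")
```

With these assumed inputs the single valve limits the loop to SIL 1, the 1oo2 valves reach SIL 2 but double the valve contribution to the spurious trip rate, and the quarterly partial stroke test reaches SIL 2 with the same spurious trip rate as the single valve, which is the trade-off the text describes. In every case the final element dominates PFDavg, so that is the sub-system to work on first.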
The SIF evaluation and verification calculations are combined in a project report, including the applicable equipment failure data in the form of FMEA tables. All the SIF SILs are tabulated with comments and recommendations where required. In some cases it may be necessary to redesign the SIF architecture to meet the required SIL; this then requires the P&IDs and Instrument List to be updated and may in some cases require additional vessel connections for level instruments.


UNIT: 11000                 ESD SIF GROUP: ESD-1101          P&ID No.: 300-11000-PID-02 Sht. 03
SIF LOOP: F-11001A Process Pass 'A'                          SIF ALARM TAG: FALL-11001A

Functional Narrative                                                                     Rev.

Safeguarding Description:
This SIF protects against low or no process flow through the heater. Should the pass flow fall to a low value, there is the possibility of coking the heater tubes together with increased firing due to the outlet temperature dropping, and possible tube rupture resulting in a heater tube leak and fire.

Independent Protection Layers (Independent – Min. RRF 10, Specific, Dependable and Auditable):
1. None.

Safe State (Primary Hazard; check this action for any additional secondary risk):
De-energise outputs to trip closed main fuel gas valves UV-11001A/B and main fuel oil valves UV-11002A/B (supply and return), thus removing process energy input (heat).

Operator Precautions for SIF MOS or Fault (Normally for 1oo1 Sensor):
Switch HS-101A to the operating flow transmitter, limit load changes or other high risk operations, and be ready to initiate a Manual ESD upon the associated Pre-Trip alarm. If Automatic MOS is applied (SIF fault), obtain a work permit within 2 hrs. to apply Manual MOS or the SIF will trip. If MOS exceeds the MTTR (8 hrs.), obtain permission to continue with additional operating precautions.

Sensor                                                   Logic Solver            Final Element (Primary)
Tag No.        Voting   Trip Setting   Delay (sec.)      Tag No.     Voting      Tag No.        Voting
FT-11001A/B    1oo2D    HH: N/A                          SIS-11000   2oo4D       UV-11001A/B    1oo2
                        LL: 40 m³/h    5                                         UV-11002A/B    2oo2
                                                                                 (above combine to 2oo2)

Secondary Trips and Feed-Forward Action:
ESD SIF Groups: ESD-1103 and ESD-1104 – see Note 2.
Final Elements: UV-11001C.
DCS Functions: FMC PIC-11006 and PIC-11007 to 0% (4 mA), which closes PV-11006 and PV-11007.

Manual ESD Requirements:
From Control Room operator's console HS-11010A and local HS-11010B and HS-11010C (LCP).

Operational Override Switch (OOS) Requirements:

Trip Reset Permissives (Enables Reset – Note 1):
Tag No.:                 Permissive State:

Trip Reset Requirements:
Manual Reset from DCS HS11010.1, which enables the output ready for LCP start-up.

Proof Test Interval (Months):
Sensor: 48    Logic Solver: 48    Final Element: 24    Mission Time (Years): 4
Valve Partial Stroke Test Req.?: No    If Yes, Period (Wks):    TSO Req.?: Yes    Fire Proof?: Yes

Transmitter Fault Settings (Namur NE43):
Transmitter failure drives the output downscale to 3.6 mA and applies an Automatic MOS with alarm.

Other Requirements or Operating Modes/Conditions (Ref. Hazop & Equipment Safety Manual):

Specific SIF Notes:
1. Defaults are final elements in safe state and sensors at safe value (no alarm, unless overridden).
2. All individual burner fuel oil and fuel gas valves are also tripped closed via ESD-1103/4; Pilots are left on, however Manual ESD action will trip Pilots via ESD-1102.

SIL Assignment Ref.: Hazop – 26-27 July 2011, Item 6.2
Safety/Health   Environment   Business   STR TARGET (Yrs)   PST (Sec. or Min.)   Demand Rate (Yrs.)
SIL 1           SIL a         SIL 2      10                 30 secs.             1 in 10

Revision   Date       MOC Ref.   Description
A          02/11/11   N/A        Issued for Approval

Figure 6 Typical (Part) SIF SRS

An integral part of safety systems installed in 'classified hazardous areas', i.e. where potentially explosive products are present, is the explosion protected equipment such as intrinsically safe (Ex ia) or flameproof (Ex d) apparatus. The selection of Ex certified equipment for use in the different classified Zones, according to the likelihood of gas presence, and the design, installation and maintenance of such equipment are equally important in maintaining the plant's overall safety systems design integrity. However, this is another subject and can be reviewed in SANS 10108 – The Classification of Hazardous Locations and the Selection of Apparatus for use in such Locations, and the IEC 60079 – Electrical Apparatus for Explosive Gas Atmospheres set of standards.

Figure 7 Typical (Part) SIL Evaluation Report
Following the SIS design and procurement, one of the most important phases is the Factory Acceptance Test (FAT), where each SIF is fully tested and documented against the SIF SRS and associated functional logic diagrams, and all sensor input ranges and trip and alarm settings are checked. During plant construction, special attention must be paid to the quality of the SIF installation, followed by a final SIS validation in the Site Acceptance Test (SAT). All SIF simulation testing must be well documented and witnessed by the Client, from the field equipment through to the Central Control Room (CCR), including the DCS graphic displays with fault and trip alarms. The SIS operator interface commands such as manual trips and resets, together with the maintenance override switches (MOS), must all be thoroughly tested with the operators present, so that they are fully up to speed for plant commissioning. It is also very important that the Client's or facility owner's control system technicians are competent and fully trained on the equipment, with a good knowledge of the SIS standards with respect to maintenance and the SIF periodic testing procedures necessary to achieve and maintain the specified SIL. The periodic testing has to be well documented, with any faults detected or spurious trips recorded and then checked over time against the original SIL calculations to verify that the failure data originally entered is reasonably consistent with operational experience; if this is not the case, then SIF equipment modifications may be required or test intervals changed. It is of little use designing a high integrity ESD protection system if the site operations safety culture or test/maintenance procedures are poor, as was the case in the incident pictured below, which led to a large fuel depot explosion and fire north of London in December 2005 (and in many other similar incidents, such as the Caribbean Petroleum facility in Puerto Rico in October 2009). Such disasters will normally result in a judicial enquiry leading to criminal charges, with the investigation reports usually recommending changes to the applicable design standards. It is the author's opinion that in general the largest risk to plant and personnel lies not with the initial safety systems design, but with the operating company and how well it manages and maintains its installed safety systems.

Buncefield Fuel Depot Fire
