Proceedings of the IEEE International Conference on Automation and Logistics
Qingdao, China, September 2008

Design and Development of Safety Instrumented System

Laihua Fang, Zongzhi Wu, Lijun Wei and Ji Liu
Monitoring Center for Major Hazards Installations
China Academy of Safety Science and Technology
Beijing, 100029, China
[email protected]

Abstract - Procedure and method for the design and development of safety instrumented systems (SIS) in process industries are presented. A technique of system hazard analysis and initial risk assessment, used for safety instrumented function (SIF) determination and assignment, is introduced. Procedure and methods of safety integrity level (SIL) selection are investigated in detail. Planning and engineering of SIS are also investigated.

Keywords: Risk, safety instrumented system, safety integrity level, safety instrumented function

I. INTRODUCTION
Factories that do not manage process operation risks may face fines, production stops, facility damage and serious injury or loss of life. It is of great necessity to perform hazard identification, hazard analysis, and risk assessment studies to develop plans to address current deficiencies. Past solutions for safe operations may no longer be sufficient. New international standards for safety, like IEC 61508 and IEC 61511, are prompting a reexamination of safety practices. Planning is required to meet increased regulatory requirements around the world.
In the past, safety protection referred to add-on components that prevent employees working in or near hazardous production processes from injury or death. Today, however, safety solutions go far beyond this notion. Companies are under pressure to contribute to their profitability by continuously improving the performance of their process operations. They are increasingly recognizing that the deployment of intelligent, integrated safety solutions directly affects the enterprise's development.
As is known, safety is best achieved by an inherently safe process design. However, intrinsic safety is too difficult to obtain in many situations. Risks prevail wherever hazardous materials are stored, processed, or handled. Those risks should be minimized first by mechanical means and basic process control systems, and finally by safety instrumented systems. The interest in performing rigorous hazard and risk analysis and applying certified safety instrumented systems has considerably increased with the publication of IEC 61511, IEC 61508 and other safety-related standards. In addition to technical issues, these standards also include the planning, documentation and assessment of all activities required to manage safety throughout the entire life of a system.

II. HAZARD ANALYSIS AND ORIGINAL RISK ASSESSMENT OF THE CONTROLLED PLANT
From the beginning to the end of use of a SIS, IEC 61511 uses the safety lifecycle as a framework in order to structure requirements relating to specification, design, integration, operation, maintenance, modification and decommissioning of a safety instrumented system. Each phase has a set of defined inputs and outputs, and towards the end of each phase. The safety lifecycle phases are illustrated in Figure 1 [1]. It can be seen that hazard analysis and risk assessment of the controlled plant is the first step to be carried out in the lifecycle of SIS.

[Figure 1. SIS safety life-cycle phases: hazard identification and risk assessment; allocation of safety functions to protection layers; safety requirements specification for the safety instrumented system; design and engineering of the safety instrumented system, in parallel with design and development of other means of risk reduction; installation, commissioning and validation; operation and maintenance; modification; decommissioning. Management of functional safety, functional safety assessment and auditing, safety lifecycle structure and planning, and verification run alongside all phases.]

Usually, a combination of various safety-related systems, including SIS, safety systems based on other technology and additional risk reduction facilities, is used to ensure the required safety [2]. Hence, an overall safety strategy must take into consideration all the safety-related systems and measures in order to reduce the risk to an acceptable level. This is shown in Figure 2.

978-1-4244-2503-7/08/$20.00 © 2008 IEEE
[Figure 2. Forms of risk reduction. Axes: likelihood (vertical) and consequence (horizontal), with risk increasing away from the origin. The inherent risk of the process is brought to the risk after non-SIS mitigation by non-SIS likelihood reduction and non-SIS consequence reduction; the SIS risk reduction region (SIL 1, SIL 2, SIL 3) then brings it to the final risk after mitigation, moving from the unacceptable risk region through the ALARP risk region into the acceptable risk region.]

Equipment under control (EUC) could be a piece of equipment, part of an installation, or even the entire installation. Initial hazard and risk analysis should determine the hazards and hazardous events of the EUC and associated control equipment; the event sequence leading to the hazards; the EUC risks associated with the identified hazards; and the requirements for risk reduction. It should also consider all foreseeable circumstances, including possible fault conditions, misuse and extreme environmental conditions, possible human errors, and abnormal or infrequent modes of operation of the EUC.

III. IDENTIFYING SAFETY INSTRUMENTED FUNCTIONS
Determination of safety integrity level (SIL) requires planning to ensure an effective outcome is achieved. Preparation for a SIL assessment includes selection of the participants, determining the suitability of the end user's risk matrix, selection of the methodology to be used, and defining the SIFs to be assessed. One major item that may produce undesirable outcomes, and is often not very well defined, is the SIF identification process. Figure 3 shows a process of SIF identification that is based on building a list of SIFs from various sources [3]. As can be seen from the illustration, there are three sources to help identify SIFs: existing specifications, national or international criteria and standards, and hazard and operability (HAZOP) studies. Many applications already contain some form of protection, which is helpful to identify potential safety instrumented functions. Existing specifications, such as cause and effect diagrams, process and instrumentation diagrams and logic, in most cases will identify shutdowns already in place. Due to regulatory or customer requirements, there is often also a requirement to conform to other appropriate national or international standards, such as IEC 61511 and design codes for signal alarm and safety interlock systems. This is a perfect opportunity to incorporate those requirements. The HAZOP should identify any other potential safety instrumented functions not already identified in existing documents and standards.
By separating the SIF identification process from the HAZOP and drawing on other sources to produce a list of SIFs to be assessed, the risk of missing a SIF is minimized, thereby resulting in an outcome that meets the objectives of this phase of the safety lifecycle.
When compiling a list of SIFs, it is also important to clearly identify what the safety function must accomplish. A safety instrumented function can be compared to a balanced equation. Firstly, it must define a signal that identifies that a hazard is present, and secondly it must define the critical action to remove that hazard.

[Figure 3. SIF identification process: existing specifications, national or international criteria and standards, and HAZOP or other methods all feed SIF identification, which is followed by SIL determination.]

IV. SAFETY INTEGRITY LEVEL SELECTION
The purpose of a SIS is to reduce the risk that a process may become hazardous to a tolerable level. The SIS does this by decreasing the frequency of unwanted accidents. The amount of risk reduction that a SIS can provide is represented by its safety integrity level, which is defined as a range of probability of failure on demand. A SIS senses hazardous conditions and then takes action to move the process to a safe state, preventing an unwanted accident from occurring. The method used to select SILs should be based on the risk of accident and an evaluation of the effectiveness of all relevant process safeguards. Implementing a SIS, and therefore selecting a SIL, should involve considering relevant laws, regulations, and national and international standards [4].
To make the best decision about safety integrity level, a SIS designer needs to completely understand not only the potential likelihood of an unwanted event, but also the possible consequences of that event. Viewing either of these two facets of the risk equation in isolation will yield poor results. Once the risk is known, one must determine how to reduce that risk to a tolerable level. The amount of risk that an organization is willing to tolerate will determine the amount of risk reduction it needs. The SIS designer must weigh the amount of risk reduction a SIF achieves against the equipment's cost. Risk is the product of both likelihood and consequence. The SIL selection procedure utilized is represented by the flowchart shown in Figure 4.

[Figure 4. SIL selection procedure (flowchart): start; select SIF; define and categorize the severity of consequence; define and categorize the pre-safeguard likelihood; categorize the occupancy and avoidance probability; identify the required risk reduction; list independent protection layers; calculate the required SIL of the SIS; if the required SIL is less than 1, no SIL is required; if the required SIL is 3 or greater, obtain expert review; document the required SIL of the SIS; if another SIF remains, return to select SIF, otherwise stop.]

Several approaches can be used in safety integrity level selection, as follows.
A. Fault tree analysis (FTA)
FTA is used for identifying causes of failures. It is the most straightforward of the common fault propagation modeling techniques; when it does not have to account for redundant systems or the time for on-line repair, it can be accurately characterized with the probability multiplication methods that form the basis of event tree analysis. The failure of the system is placed at the top of the fault tree. The next step is to determine what caused this failure. Every subsequent step looks at the cause of the failure in the previous step. This analysis leads to a reason for the system failure. Safety requirements are the baseline for deciding what is unexpected or unwanted system behavior. The probability or frequency of an event tree outcome is calculated as the logical combination of the events that fit together to cause the outcome. This combination includes the initiating event and the intermediate branch events in the path from the initiating event to the outcome.
Fault tree analysis assumes that the failures of redundant devices are independent and random. In FTA, the average probability of failure on demand (PFDavg) is calculated for each device, and then Boolean algebra is used to account for the architecture and voting. A fault tree analysis begins with a graphical representation of the SIS failure [8]. For example, for the 1oo2 voting of two identical devices, the fault tree would look as shown in Figure 5. The failure of the SIS would only occur if both device 1 and device 2 failed. The AND gate is used to illustrate this logic.
The data would be collected and used to calculate the PFDavg of each device:
PFDavg = λTI / 2
where λ represents the failure rate and TI represents the testing interval.
Boolean algebra, also known as cut-set math, is used to calculate the AND gate. This yields:
PFDavg = (λTI / 2) × (λTI / 2) = λ²TI² / 4
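As an added worked example (not code from the paper), the following script carries the flowchart of Figure 4 and the 1oo2 fault tree of Section IV-A through to numbers: it derives the PFD a SIS must supply from a tolerable frequency, classifies it against the SIL bands of Table 1, and checks a 1oo1 and a 1oo2 subsystem against that target. Function names, the frequencies, λ and TI are constructed, and crediting independent protection layers by multiplying the event frequency by each layer's PFD is an assumption about how the "list independent protection layers" step is meant.

```python
"""Worked SIL selection (Figure 4) and 1oo2 PFDavg check (Section IV-A).
Added illustration, not the paper's code; all input values are constructed."""

# Table 1, low-demand mode: SIL n is met when 10^-(n+1) <= PFDavg < 10^-n.
SIL_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))


def sil_from_pfd(pfd_avg):
    """Map a PFDavg to its SIL band; 0 means below SIL 1, 4 caps the scale."""
    if pfd_avg >= 1e-1:
        return 0
    for sil, low, high in SIL_BANDS:
        if low <= pfd_avg < high:
            return sil
    return 4  # a PFDavg below 1e-5 still satisfies the SIL 4 band


def pfd_avg_1oo1(lam, ti):
    """Per-device formula from the paper: PFDavg = lambda * TI / 2."""
    return lam * ti / 2


def pfd_avg_1oo2(lam, ti):
    """AND gate of Figure 5 by cut-set multiplication: (lambda*TI/2)^2.
    Caveats: the two devices are assumed independent (no common-cause term),
    and multiplying the two time-averages slightly understates the exact
    average of (lambda*t)^2 over the test interval, which is lambda^2*TI^2/3."""
    return pfd_avg_1oo1(lam, ti) ** 2


def required_sil(initiating_freq, tolerable_freq, ipl_pfds=()):
    """Figure 4 steps after the risk categorization: credit the listed
    independent protection layers (assumption: each IPL's PFD multiplies the
    event frequency, as in LOPA), derive the PFD the SIS must supply, and
    classify it. Returns (required_sil, target_pfd, needs_expert_review)."""
    mitigated = initiating_freq
    for pfd in ipl_pfds:
        mitigated *= pfd
    if mitigated <= tolerable_freq:
        return 0, 1.0, False  # "required SIL less than 1": no SIL required
    target_pfd = tolerable_freq / mitigated  # 1 / required risk reduction
    sil = sil_from_pfd(target_pfd)
    return sil, target_pfd, sil >= 3  # SIL 3 or greater: obtain expert review


def design_meets_target(lam, ti, target_pfd, architecture="1oo2"):
    """Verify a proposed subsystem against the target PFD, not just the band:
    a PFDavg inside the required SIL band can still exceed the target."""
    calc = pfd_avg_1oo2 if architecture == "1oo2" else pfd_avg_1oo1
    achieved = calc(lam, ti)
    return achieved <= target_pfd, achieved, sil_from_pfd(achieved)


if __name__ == "__main__":
    # Constructed scenario: initiating event 0.2/yr, tolerable 1e-4/yr,
    # one IPL (e.g. a relief valve) with PFD 0.1 already credited.
    sil, target, review = required_sil(0.2, 1e-4, ipl_pfds=(0.1,))
    print(f"required SIL {sil}; SIS PFDavg must be <= {target:.1e}; review: {review}")
    # Constructed device data: dangerous failure rate 2e-6/h, yearly proof test.
    for arch in ("1oo1", "1oo2"):
        ok, pfd, band = design_meets_target(2e-6, 8760, target, arch)
        print(f"{arch}: PFDavg {pfd:.2e} (SIL {band} band), meets target: {ok}")
```

With these constructed values the single transmitter lands in the SIL 2 band yet misses the 5e-3 target, while the 1oo2 pair meets it with margin; that gap between "band" and "target" is the point of the final verification step.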

[Figure 5. Fault tree for PFDavg of 1oo2 voting devices: the failure of device 1 and the failure of device 2 are combined by an AND gate.]

B. Consequence analysis
Consequence analysis is the act of estimating the damage that results from a process accident. It is applied in industry in a variety of ways, and depends on a number of factors, for instance: the organization's degree of experience with the hazard and with the process containing the hazard; the level of sophistication of the engineering staff estimating the consequence; and the amount of data available on the impacts of past accidents. Consequence analysis of accidents in the process industries typically involves analyzing the release of hazardous chemicals, which is usually done by using mathematical models and computer software to specifically address the chemical and physical phenomena of the release. Several techniques are usually used in consequence analysis [5]:
1) Qualitative methods
This is a procedure by which an expert or a team of experts estimates the consequence of a hazard by simply using judgment based on their personal and corporate experience with the process.
2) Semi-quantitative methods
Semi-quantitative risk indices, such as the Dow fire and explosion index and the Dow chemical exposure index, are good tools for developing a general feel for the amount of risk in a process. These indices use general process parameters to give the process a score that reflects a relative level of risk.
3) Quantitative methods
Release phenomena modeling works by first analyzing the potential energy that a hazard contains in its pre-accident state. The method then estimates the effect of the release of that energy under the conditions that result from the loss of control of the process.
C. Likelihood analysis
Likelihood analysis is an important part of the overall risk analysis of a process; knowledge of the magnitude of consequence alone provides an incomplete understanding of risk. The remaining likelihood component of risk can be determined using a variety of methods, from qualitative study to statistical analysis to investigation using several fault propagation models.
Fault propagation modeling is well suited for complex situations, where there is not enough sufficiently relevant historical data to directly form valid statistical conclusions. It is the process of determining the frequency or probability of a complex sequence of events based on the frequencies of the events that initiate or contribute to the resulting accident. The primary models used include fault tree analysis, event tree modeling, block diagrams, and Markov analysis.
D. Layer of protection analysis (LOPA)
Layer of protection analysis is a special form of event tree analysis that is optimized for the purpose of determining the frequency of an unwanted event which can be prevented by one or more protection layers [6, 7]. By comparing the resulting frequency to the tolerable risk frequency, we can select the appropriate safety integrity level. LOPA uses initiating events in much the same way as event tree analysis, but it requires that they be expressed in terms of frequency. The protection layers in LOPA are analogous to the branches in event tree analysis. In LOPA, each branch is always a set of complementary events in which the protection layer either operates successfully or fails.
E. As low as reasonably practical (ALARP)
The idea hinges on three overall levels of risk and the economics associated with lowering the risk [6]. The three overall levels of risk are defined as "unacceptable", "tolerable", and "broadly acceptable", as shown in Figure 5.

[Figure 5. ALARP principle: the unacceptable region, where risk cannot be justified except in extraordinary circumstances; the ALARP or tolerability region, where risk is undertaken only if a benefit is desired and is tolerable only if further risk reduction is impractical or the cost is not proportionate to the benefit gained; and the broadly acceptable region of negligible risk. As the risk is reduced, the less it is necessary to spend to reduce it further; the concept of diminishing proportional return is shown by the triangle.]

F. Risk matrix
A risk matrix categorizes the frequency and severity of a hazardous event using multiple qualitative levels. The first step is to evaluate the frequency. The frequency or probability of an event may be ranked from low to high; improbable to frequent levels may be ranked qualitatively or quantitatively. If quantitative values are chosen, it is suggested that they differ by at least an order of magnitude, since the safety integrity levels differ by single orders of magnitude. The second step is to evaluate the severity. Severity may also be categorized according to the different factors at risk: people, capital equipment, production, etc. The third step is to evaluate the overall risk.
Organizations have moral, legal, and financial responsibilities to limit the risks their operations pose. Identifying what level of risk is tolerable within an organization is one of the key activities in the safety lifecycle of SIS. Inherently, the process of selecting a safety integrity level (SIL) requires decision criteria that convert the estimate of process risk into the required risk reduction, or SIL. Many different methods for selecting a SIL can be used. Some methods explicitly use quantitative risk decision criteria. Others use qualitative tools, such as risk graphs, consequence tables, and risk matrices, that tend to obscure the risk criteria on which they are based. No method is more accurate or better than another.

V. PLAN AND ENGINEERING OF SIS
Plans should be made for each phase of the SIS safety lifecycle and the software safety lifecycle, and each phase shall be verified. The V-model of software development is illustrated in Figure 7 [2].
Plans shall include the SIS validation and verification activities; the times at which the activities should take place; the procedures to be used for verification; the party responsible for the activities (a separate person or organization, and the required level of independence); and references from the validation activity to the relevant test procedures.
For safety functions implemented through SIS technology, there are three main types of requirements that all have to be fulfilled in order to achieve a given SIL:
1) A quantitative requirement, expressed as a probability of failure on demand (PFD) or alternatively as the probability of a dangerous failure per hour. Safety integrity levels are classified as in Table 1 [2].

Table 1. Safety integrity levels for safety functions
Safety Integrity Level | Demand Mode of Operation (PFDavg) | Continuous / High Demand (probability of dangerous failure per hour)
4 | 10^-5 to 10^-4 | 10^-9 to 10^-8
3 | 10^-4 to 10^-3 | 10^-8 to 10^-7
2 | 10^-3 to 10^-2 | 10^-7 to 10^-6
1 | 10^-2 to 10^-1 | 10^-6 to 10^-5

2) A qualitative requirement, expressed in terms of architectural constraints on the subsystems constituting the safety function.
3) Requirements concerning which techniques and measures should be used to avoid and control systematic faults.
The engineering of SIS shall be done as follows:
1) Hardware selection considerations
Field devices for the safety system, if possible, should be separate and independent of the basic process control system and non-safety-related systems. Installation of field devices, which should be designed "fail safe", needs to conform to applicable local/national regulations and standards in order to avoid accidental isolation, common mode failures due to freezing/clogging, etc. Similarly, consideration must be given to the location of sensors with respect to any shut-off valves, in order to monitor the correct pressures as well as to be able to reset the system safely [9].
Sensors in a SIS measure the process variable condition in order to recognize a potential hazard. Sensors designed for SIS applications typically have excellent built-in automatic diagnostics. Selecting field sensors for a SIS with a given SIL requirement should be performed in accordance with the requirements laid down in IEC 61511-1. They shall be separate and independent from other field devices and dedicated to SIS duty only.
The logic solver equipment constitutes the basic components from which the safety applications are built. These components include frameworks, racks, cabinets; processor/memory boards; communication boards, etc. When designing the logic solver architecture, a safety user design manual should exist which describes how non-certified equipment shall be used in safety critical applications. An appropriate designated architecture must be selected for the central processing unit, which shall at least meet the highest SIL of the relevant safety functions. For non-certified equipment, PFD calculations shall be performed to show that the contribution from the logic solver is within acceptable limits [7]. If possible, choose as the logic solver a safety programmable logic controller (PLC), which is specifically designed to accomplish a key objective: to fail only in a predictable and safe way.
Final elements can be remotely actuated valves, flashing lights, fire doors or dampers, etc. Each individual application should be considered on its own merits and the most suitable type of final element should be chosen for that specific application. As for control panel design, for very critical safety functions it should be considered to keep the valve control panel lockable in order to avoid inadvertent or unauthorized operation of the solenoid valves. For valves, partial operation with feedback on movement can be applied to reduce manual testing activities. Partial stroke testing (PST) shall normally be treated as a functional test which covers only a fraction of the possible failures, and not as a self test with diagnostic coverage.
Facilities for both full and partial testing are important in SIS. The testing can be performed for a separate element or part of the loop, but will normally have to be performed for the complete loop from sensor to final element within some predefined interval. It must be possible to reset the system after testing, which has an impact on the location of the sensors.
2) Software considerations
The quality of the application software developed by the end user is naturally an important issue affecting the overall performance of a SIS. IEC 61511 describes three types of software: application, utility, and embedded. The user is primarily concerned with the application software. For development of application software, a V-model of the software development lifecycle is suggested, as in Figure 7.
All software requirements, including system startup, operation, maintenance, shutdown, alarms, etc., need to be clearly documented. The software architecture defines the overall structure of the software that will be used, including language, main program structure, subroutines, standard function blocks, etc.

[Figure 7. V-model of the software development lifecycle. Specification leg: SIS safety requirements specification; SIS safety architecture; application software safety requirements specification; application software architecture design; application module development; code development. Testing leg, matched level by level: application module testing; application software testing; application software integration testing; sub-system validation; validated SIS.]

VI. CONCLUSIONS
As users are becoming more knowledgeable about safety issues, they are performing more thorough hazard and risk analysis to determine their needs more accurately [10]. To reduce the cost of SIS building, users are striving for more proper design and development of SIS for their real needs. In this study, we propose methods of system hazard analysis and risk assessment, and then present approaches to safety integrity level (SIL) selection, planning and engineering for SIS.

REFERENCES
[1] IEC 61511-1, Functional safety - Safety instrumented systems for the process industry sector, p. 71, 2004.
[2] IEC 61508, Functional safety of electrical/electronic/programmable electronic safety-related systems, International Electrotechnical Commission, 2000.
[3] Dirk Schreier, SIL Assessments - Identification of Safety Instrumented Functions, www.hima.com.au, 2006.
[4] Ed Marszal and Eric Scharpf, Safety Integrity Level Selection, The Instrumentation, Systems, and Automation Society, 2002.
[5] Xianhui Yang and Haitao Guo, Functional Safety of Safety Instrumented Systems, Qinhua University Press, 2007.
[6] Paul Gruhn, P.E. and Harry L. Cheddie, P.E., Safety Instrumented Systems: Design, Analysis and Justification, The Instrumentation, Systems, and Automation Society, 2005.
[7] William M. Goble and Harry Cheddie, Safety Instrumented Systems Verification: Practical Probabilistic Calculations, The Instrumentation, Systems, and Automation Society, 2005.
[8] Staff from Premier Consulting Services, "Simplified Methods and Fault Tree Analysis of Safety Instrumented Systems", 2003.
[9] Norwegian Petroleum Directorate, The Application of IEC 61508 and IEC 61511 in the Norwegian Petroleum Industry, 2004.
[10] CCPS, Guidelines for Safe and Reliable Instrumented Protective Systems, John Wiley & Sons Inc., 2007.