A SIS is engineered to perform “specific control functions” to failsafe or maintain safe operation of a process when unacceptable or dangerous conditions occur.
Safety Instrumented Systems must be independent from all other control systems that control the same equipment in order to ensure SIS functionality is not compromised.
SIS is composed of the same types of control elements (including sensors, logic solvers, actuators and other control equipment) as a Basic Process Control System (BPCS).
However, all of the control elements in an SIS are dedicated solely to the proper functioning of the SIS. Read the Safety Instrumented System Engineer Interview Questions.
Safety Instrumented System Engineer Interview
SIS Questions & Answers
What are the standards that define the best rules for installation of field equipment of a SIF/SIS, on site?
IEC 61511 or ISA-S84-2003 (which is really the same thing, plus a grandfather clause) are intended for application in the process industry. They do the best job of defining what one needs to be concerned with for field instruments.
The guidance may be considered somewhat minimal but the critical safety issues are there. Whatever would make a good installation for the basic process control system (BPCS) is a good installation for the SIS also. However, some different issues need to be recognized.
First, the instruments need to be reliable. One measurement, referred to as “proven in use” means reliability data must be available for safety integrity level (SIL) calculations. If not then SIL-rated instruments are an option.
Next one must consider fault tolerance requirements for the Safety Instrumented Function (SIF). This is a function of the SIL level for each SIF in the SIS. There will of course always be the need to make sure the instruments are calibrated routinely and tested per the proof test requirement. If this is online then the engineer needs to make sure that those facilities plus the ability to do maintenance is designed into the project.
Typically sensors need their own root valve and final control elements may need bypasses or means for partial stroke testing.
The routing of the individual cables of transmitter that is in a 2oo3 voting system–the same route, different routes?
Some reliability engineers would want to try to convince you that a different route is required. While everyone would like a diverse routing from a common mode point of view, (a fire, dropped crane load, chemical spill could destroy all the cables in the same tray, etc.) it is many times impractical to route differently.
One deciding factor is availability. If high availability is require diverse routine is a good idea, but again not mandatory. Some companies may have internal standards on this subject.
The other factor is whether or not the SIS fails safe. If a loss of a cable, causes the System to have a spurious safe trip the system is safe, but you have to deal with the cost of the spurious trip. If the SIF is energized-to-trip, one needs to look at separate routing. Also, end of line monitoring etc.
Can I install the three field devices in battery or in different places to avoid, common failure, e.g., vibration, risk of fire?
Field instruments are designed for the outdoor industrial environment. Utilize them correctly for their application. If it is a bad installation for the BPCS it is bad for the SIS also.
While many SIS logic solvers have been industrially hardened to operate in a broad range of environmental conditions with numerous successful applications, it just stands to reason that putting them in environmentally controlled areas will improve potential reliability plus the ability to do maintenance.
Yes one must always be careful with respect to common mode. Common mode can wiped out the reliability gains of redundancy. That is why it is required to do SIL Calculations to verify that the common mode effect is not so strong that it renders the SIF ineffective.
Must I use the normal practices of engineering or do rules or recommendation exist for the installation of field equipment for the SIF/SIS?
One has to ask whose normal practices?? If we mean industry best normal practices the answer is yes again but one needs to follow the entire IEC-61511 Life Cycle to determine what that really means for each project.
What is an acceptable solution for one plant may not work for another. The questions you ask really points out that to safely design a plant, the project needs to execute the IEC61511 Safety Life Cycle. Hazards are identified early in the project and solutions are designed around those hazards.
The questions you asked should all be covered in the Safety Requirements Specification (SRS). There are 27 questions that cover the topics you have asked and more, much more. Inexperienced engineers may not be aware of this list of questions that define an IEC61511 SRS. This is why you should work with experienced organizations.
A study done by the Health and Safety Executive in the UK has shown that the majority of problems with SIS systems today are actually specified into the project. (Or shall we say not specified into the project, one does not know what one does not know.) Failure to execute the life cycle activities early and properly can have serious safety, schedule and cost implications on a project.
To reduce common mode each sensor should have a separate process connection. There have been some good arguments made with regards to using different technologies in order to reduce common mode but one must look at practicality vs. benefits and risk reduction.
Also, although the use of diverse technologies can reduce common cause it will not eliminate it completely.
For sensors integrated (or separate) with the transmitter, the geographical locations of the voted transmitters should be away from each other to the extent possible (so that in the event of a fire–all transmitters are not affected–as an example!)
Junction Boxes –
Separate JBs for each transmitter / 2 core cable is preferred.
Multicore Cables –
If separate JBs not possible, run each transmitter pair in separate multicore cables to the control room.
Cable Trays –
Run the multicore cables in separate trays which have separate routes to the control room when practical. Availability would be the determining factor.
Safety Logic Solver –
Each transmitter signal could be connected to separate SLS, on separate carriers. This would slightly compromise on the PFD value however and could also make the SIF configuration more complicated, but reduces common cause.
SLS installed in two different cabinets in different control rooms would be even better! However common sense needs to be used and practicality. Same logic could be used for the output signals.
The extent to which one would go in segregating will depend on ALARP – As low as reasonably practicable (here ‘low’ refers to the risks involved). The Risk Reduction Factor (RRF) of the SIF and how much of the risk is the engineer / company ready to absorb, will dictate the decision. The common cause calculator (based on such segregation) is given in IEC 61508-6, Table D.5.
When is a Safety Integrity Level Rating of a Valve Required?
Basic Process Control System (BPCS)
A system which responds to input signals from the process, its associated equipment, other programmable systems and/or an operator and generates output signals causing the process and its associated equipment to operate in the desired manner but which does not perform any safety instrumented functions with a claimed SIL = 1.
This definition leads us to conclude that a BPCS is any system that has a SIL<1. Therefore, SIS systems employing Safety Instrumented Functions with a specified safety integrity level, which is necessary to achieve safety function, need to have a SIL rating equal to or above 1.
Based on this definition,
Why are control valves that are used in a BPCS required to be SIL certified?
As per IEC definition, a SIL rating is not required but it is possible that reliability data for a valve may be required. Industry or end user may require failure rate data of equipment or in loose term MTBF (Mean Time Between Failure).
Essentially MTTF (mean time to fail) is the right term to define product reliability. It is usually furnished in units of hours. This is more common for electronic components, but trends are seen even for mechanical items.
How can MTTF provide useful data for the calculation of PFDavg (probability of failure upon demand)?
MTTF can be simplified to 1/(sum of all failure rates) or equal to 1/λ
MTTFs calculations provide plant availability, which is a very important measurement of process plant up-time capability. A spurious trip that is considered a safe but unplanned trip may be too strenuous for piping and other equipment. Not only are production and quality affected, profits may be as well.
Also, it is important to consider the higher risk associated with plant start up. IEC 61508 stresses more on “safety event”, in case of demands, which relates to dangerous undetected failures and are used to compute PFDavg.As such, mechanical equipment like valve bodies and actuators do not have any diagnostics capabilities.
According to IEC 61508 part 2, table 2, with a hardware fault tolerance (HFT) of zero, with a single valve without additional diagnostics, only SIL 1 is achievable per IEC 61508.
A digital valve controller mounted on a “Final Control Element” improves the diagnostic coverage factor, which in turn improves the SFF number, allowing the possible use of higher SIL rated applications (Per IEC 61508 part 2, table 3) by use of the Partial Stroke Test.If control valve is designated to carry out a safety function then it should meet the SIL level of the Safety Instrumented Function loop.
In this case, failure rate numbers will be required to compute the total PFDavg of the loop. The end user may possibly ask for third party certification to comply with IEC 61508 requirements to meet certain SIL suitability.
What is SIL?
A Safety Integrity Level (SIL) is a measure of safety for a given protective function. Specifically, the extent to which the end user can expect the protective function to perform, and in the case of a failure, fail in a safe manner? This protective function is known as the Safety Instrumented Function (SIF).
A Safety Instrumented System (SIS) is a collection of components (field devices and logic server) that execute one or more SIFs. In order to define the required SIL value, the SIF’s must be well defined and have undergone a Safety Analysis. Note that the SIL belongs to a specific SIF, not the whole SIS.
SIF verification can be optimized by the selection of components certified for use at the desired SIL value. For example, assume there is a SIF with a desired SIL value of 2.
By using components that are SIL 2 certified, this goal may be achieved. However, it is important to note that simply combining components certified for a given SIL level does not guarantee the process will achieve the specified SIL.
The SIF SIL value must still be verified by an appropriate method such as Simplified Calculations, Fault Tree Analysis, or Markov Analysis.
How is SIL different than reliability?
While the main focus of the SIL number is the determination of process safety, an important byproduct of the statistics used in calculating SIL ratings is the statement of a product’s reliability.
In order to determine if a product can be used in a given SIF, the product must be shown to “BE AVAILABLE” to perform its designated task. In other words, how likely is it that the device in question will be up and functioning when needed to perform its assigned task?
Considerations taken into account when determining “AVAILABILITY” include: Mean Time Between Failures (MTBF), Mean Time To Repair (MTTR), and Probability to Fail on Demand (PFD). These considerations, along with variations based upon system architecture (i.e. 2oo2 versus 2oo3, or TMR installation), determine the reliability of the product.
Subsequently, this reliability data, combined with statistical measurements of the likelihood of the product to fail in a safe manner, known as Safe Failure Fraction (SFF), determine the maximum SIL environment in which the device(s) can be used.
SIL ratings can be equated to the Probability to Fail on Demand (PFD) of the device in question. The reciprocal of the PFD is known as the Risk Reduction Factor (RRF).
When does a Fire & Gas system become a SIS?
When an RRF greater than 10 is required
How does SIL relate to individual components?
It should be noted that a SIL number applies to a complete function (SIF), i.e. the field sensor, the logic solver and the final element. It is therefore incorrect to refer to any individual item or equipment having a safety integrity level.
An individual component can be certified for use in a particular SIL application, but such a certificate constitutes only part of the verification effort, since the target SIL must be verified for the complete SIF.
Why would a customer want SIL certified products?
Products certified in accordance with the requirements of IEC 61508 have been assessed by a third party (TÜV) for use up to a specified SIL. This assessment includes not only the FMEDA, but also software.
A third-party SIL certified product offers several benefits to the customer. The most obvious benefit is the product has already had its’ reliability calculations performed and reliability statistics determined.
The results are available for the SIS designer to derive the SIF SIL number. This can significantly cut lead times in the implementation of a SIS.
Another benefit is the reliability statistics have been validated by a third party with expertise in SIL certification and reliability engineering.
Probably the most important benefit to using a SIL certified product is the certification report. Each certified product carries with it a report from the certifying body.
This report contains important information ranging from restrictions of use, to diagnostics coverage within the certified device, to reliability statistics. Additionally, ongoing testing requirements of the device are clearly outlined