Safety instrumented functions and safety integrity levels (SIL)

Paris Stavrianidis *, Kumar Bhimavarapu
Risk Engineering Methodologies, Factory Mutual Research Corporation, PO Box 9102, 1151 Boston-Providence Turnpike, Norwood, MA 02062, USA

ISA Transactions 37 (1998) 337–351
0019-0578/98/$ - see front matter © 1998 Elsevier Science Ltd. All rights reserved. PII: S0019-0578(98)00038-X
* Corresponding author. Tel.: 001-781-762-4300; fax: 001-781-762-9375.

Abstract

This paper discusses two performance-based standards, ANSI/ISA S84.01 and IEC d61508, and the requirements they place upon user companies of electrical, electronic and programmable electronic safety related systems (E/E/PE SRS) or Safety Instrumented Systems (SIS). To comply with the requirements of the standards, a user company would have to: (a) identify the safety target level of the process; (b) evaluate the hazardous events that pose a risk higher than the safety target level; (c) determine the safety function(s) that must be implemented in an SIS to achieve the safety target level; (d) implement the safety functions in an SIS and evaluate its safety integrity level (SIL); (e) install, test and commission the SIS; and (f) verify that the installed SIS does in fact reduce the process risk to below the safety target level. Several risk analysis techniques that can be used to comply with the aforementioned requirements are discussed and a simple example is used to illustrate the use, advantages and disadvantages of the techniques. The evaluation of the SIL of the SIS (probability to fail to respond to a process demand) is outside the scope of this paper. © 1998 Elsevier Science Ltd. All rights reserved.

Keywords: Process risk; Performance-based standards; ANSI/ISA S84.01; IEC d61508; Safety instrumented systems; Safety integrity levels; Risk analysis; Standard compliance

1. Introduction

Standards provide the foundation for the design, installation, start-up, operation and maintenance of systems and processes. They often provide general direction and guidance based on the consensus work of experts. They do not necessarily offer distinct solutions for a specific process or safety concern.

Information and data from professional societies, industry sponsored organizations, trade associations, government agencies that have jurisdiction, international associations and specific companies are used to develop two types of safety standards:

- Prescriptive safety standards;
- Performance-based safety standards.

Prescriptive safety standards are traditionally developed on the basis of acceptable engineering principles and practices. They are founded on past process history of undesired events and time tested safety solutions. They constitute the current level of our knowledge and concentrate on prescribing specific safety solutions to predefined deviations from normal operating conditions. Therefore, they are general solutions to a set of abnormal conditions that are limited by past experience and available data. Precisely for these reasons, they often do not provide the optimal solution to


specific safety concerns. Rather, they present a prescription to a general set of known safety concerns and attempt to deal with other unknown problems by utilizing conservative safety factors.

Recognizing the limitations of prescriptive standards, some industries have begun focusing on the development of performance-based standards [1–6]. Similarly, government agencies have published performance-based regulations [7,8]. The goals of this approach are to improve the management of technological risk by setting process-specific, performance-based targets, such as process safety target levels, and to consistently evaluate alternative solutions that can achieve these targets. This approach is characterized by: (a) the detailed examination of a specific process; (b) the specification of safety solutions that account for the intricacies of the process; and (c) the identification of optimal process safety solution(s). The success of this approach does not depend on compliance with the minimum requirements of a prescriptive standard. It requires corporate commitment to process safety and a culture change that relies on a continuous and long-term commitment to understanding, evaluating and improving the safety of an industrial process.

2. Performance-based safety standards and regulations

During the last two decades, great emphasis has been placed on improving the management of technological risks. Improvement has occurred in the chemical and petroleum industries through the use of safety guidelines or standards that utilize performance-based criteria to evaluate the benefits of alternative risk management solutions. These solutions often incorporate sophisticated safety systems, such as electrical, electronic and programmable electronic (E/E/PE) systems, to perform complicated and critical safety functions. As a result, great emphasis has been placed on the improved performance of these safety systems through the development of industry guidelines that promote the systematic evaluation and certification of their reliability [1–3].

The IEC d61508 performance-based draft standard [1] has been developed as an umbrella standard that can be applied to any industrial process that uses E/E/PE SRS. An E/E/PE SRS or SIS¹ is comprised of sensors, logic solvers and actuators (e.g., shutdown valves). The standard employs a safety life-cycle model, shown in Fig. 1, to identify and provide guidance for all activities that affect the functional safety of an SIS. It relies on performance-based metrics such as process risk and SIS reliability. Therefore, it can be applied objectively and systematically by industry, manufacturers of systems, industry regulators and approval agencies. The standard provides guidance on how to establish the specifications for the required safety functions that will be implemented in an SIS.

The performance metric for the safety functions and for the SIS is referred to as SIL and is shown in Table 1. These SILs are given in terms of the probability of the SIS to fail to function, which can be translated into the process risk reduction (i.e., reducing the likelihood of occurrence of hazardous events due to the presence of a new safety system, without affecting the consequences) that can be achieved by employing the SIS.

2.1. IEC d61508 Standard

The IEC d61508 standard is comprised of seven parts. The normative parts, the first three, deal with the assessment of industrial process risk and the SIS hardware and software reliability. The other four parts deal with definitions and provide informative annexes to the standard.

Part 1 of the standard defines the overall performance-based criteria for an industrial process. It mandates the use of an overall safety life-cycle shown in Fig. 1.² The standard recommends qualitative or quantitative techniques to identify process risk, allocate risk to safety related systems (independent safety layers or SRSs of other technologies) and external risk reduction facilities in order to achieve a desired process safety level. It is this part of the standard that focuses on the process risk and proposes alternative ways to reduce the risk to manageable levels. It also provides detailed guidance to evaluate the performance of the SIS in the field.

Part 2 of the standard is primarily directed towards manufacturers and integrators of SISs. It employs the safety specifications developed in Part 1 for an SIS and presents methods and techniques that can be used to design, evaluate and certify its hardware reliability and thus its contribution to process risk reduction.

Part 3 uses the software requirements for all safety related software and provides information for the software/hardware integration. It does not apply to the performance of the E/E/PE systems in the field. This is dealt with in Part 1, which addresses the overall industrial process.

The IEC d61508 standard allows the development of industry sector specific standards provided they follow the same life-cycle model.

¹ SIS is used in ANSI/ISA S84.01 to refer to E/E/PE SRSs. For the remainder of this paper the term SIS will be used.
² It also permits the use of a different life-cycle model provided that it conforms to the overall requirements of the standard.

2.2. ANSI/ISA S84.01 Standard for the process industry

The Instrument Society of America (ISA) has independently developed ANSI/ISA S84.01 [2] to be a performance-based standard for the use of safety instrumented systems (SIS) in the process industry. It follows a life-cycle model similar to that of IEC d61508, shown in Fig. 2, to identify the need for an SIS. The objectives are to determine the safety functions and associated SILs that will be implemented in an SIS and evaluate the SIL of the SIS in order to achieve the desired safety target level. Detailed information on the requirements of the standard is given in Ref. [2].

The standard uses the safety integrity levels in Table 1, but clearly states that SIL 4 is not used in the process industries. Currently, the International Electrotechnical Commission (IEC) is working to convert the ANSI/ISA S84.01 standard to an IEC d61511 standard [3] for the process industry.

Fig. 1. IEC d61508 safety life-cycle model.

2.3. IEC d61511 Standard for the process industry

This standard is being developed under the auspices of the International Electrotechnical Commission. It is a performance-based standard for the process industry and follows the philosophy of the IEC d61508 and ANSI/ISA S84.01 standards. Detailed information on the requirements of the standard is given in Ref. [3].

2.4. Performance-based regulations

Recently, performance-based regulations have been published that mandate safety elements that are embedded in the aforementioned standards, such as hazard and risk analysis. Therefore, compliance with these regulations would, in part, support some of the compliance activities of the standards. The two regulations are the OSHA PSM and the EPA RMP rules. It is also noteworthy that OSHA views the ANSI/ISA S84.01 standard as good engineering practice.

2.4.1. OSHA PSM (Process Safety Management) rule

The OSHA PSM [7] rule lists a large number of specific chemicals plus all hydrocarbons and provides threshold values above which a company using, storing, or producing the chemicals must comply with the provisions of the law. The law is performance based rather than a prescriptive (specification based) standard, with no specific measurements which the company is mandated to meet.

The specific provisions for compliance addressing process safety and risk related issues are: process safety information (PSI), process hazard analysis (PHA), operating procedures, employee training, pre-startup reviews, mechanical integrity, hot work permits, management of change, incident investigations, emergency response and control, compliance safety audits, contractor oversight, employee participation and trade secrets.

2.4.2. EPA's RMP (Risk Management Plan) rule

EPA's Risk Management Plan (RMP) rule [8] is designed to prevent accidental releases of regulated substances and other extremely hazardous substances into the air. Similar to OSHA's PSM, EPA's RMP rule is performance based, and has most of the same elements as OSHA's PSM Standard. However, the RMP rule sets minimum requirements for fixed installations in developing risk management programs using dispersion modeling to quantify the concentration of hazardous material downwind of a release point. It is the responsibility of individual plants to design systems to address these minimum requirements in a way that prevents accidental releases of regulated substances.

Those facilities that present a higher risk to populations and the environment outside the plant boundaries must comply with more stringent requirements than those that present lower risks to off-site receptors. In fact, both the OSHA PSM and the EPA RMP rule have essentially the same requirements for facilities with low risk (i.e., facilities that fall under the level three programs). The full risk management program required by the RMP rule is comprised of a compilation of 5 year accident history, hazard assessment, a management system, a prevention program and an emergency response program.

Fig. 2. ANSI/ISA S84.01 safety life-cycle model.

Table 1. IEC d61508 SIL

Safety Integrity Level (SIL) | Probability to fail to function
SIL 4                        | 5105

2.5. Compliance with ANSI/ISA S84.01 and IEC d61508 standards

The overall objective of the standards is to identify the required safety functions, establish their SILs and implement them in an SIS in order to achieve the desired safety level for the process. The standards also mandate the development of a safety management plan, require documentation of safety activities that affect functional safety, and propose validation and verification activities throughout the safety life-cycle. The basic steps required to comply are the following:

1. Establish the safety target level of the process.
2. Perform a hazard analysis.
3. Perform a risk analysis of the process to evaluate process risk.
4. Identify hazardous events that do not meet the safety target level.
5. Evaluate potential risk reduction using safety systems of other technology (mechanical devices) and external risk reduction facilities (e.g., dike).
6. Identify instrumented safety function(s) that must be implemented in an SIS.
7. Determine the SIL of the instrumented safety function(s).
8. Define the specification requirements of the SIS's safety function(s).
9. Integrate safety instrumented functions into an SIS.
10. Establish a procedure to evaluate the probability to fail on demand of the SISs.
11. Evaluate the SIL of the SIS.
12. Evaluate process risk reduction due to the use of the SIS.
13. Make the required modifications and analysis to make certain that the SIS meets the risk reduction (SIL) requirements.

Step 1 establishes the safety target level of the process. Steps 2–9, inclusive, focus on the risk analysis of the process and the identification of safety functions and their SIL in order to achieve the safety target level. This paper discusses techniques to accomplish these steps using an example detailed in the following section. Steps 10 and 11 discuss the hardware and software reliability requirements of the SIS and are outside the scope of this paper.

3. Application example

Several risk analysis techniques that can be used to comply with the aforementioned requirements are discussed and a simple example is used to illustrate the use, advantages and disadvantages of the techniques. The evaluation of the SIL of the SIS (probability to fail to respond to a process demand) is outside the scope of this paper.

3.1. Process

Consider a process comprised of a pressurized vessel containing volatile flammable liquid with associated instrumentation (see Fig. 3). Control of the process is handled through a Basic Process Control System (BPCS) that monitors the signal from the level transmitter and controls the operation of the valve. The engineered systems³ available are: (a) an independent pressure transmitter to initiate a high pressure alarm and alert the operator to take appropriate action to stop inflow of material; and (b) in case the operator fails to respond, a pressure relief valve to release material to the environment and thus reduce the vessel pressure and prevent its failure.

3.2. Process safety target levels

A fundamental requirement for the successful management of industrial risk is the concise and clear definition of a desired process safety target level that may be defined using national and international standards and regulations, corporate policies supported by good engineering practices and input from concerned parties such as the community, local jurisdiction and insurance companies. The safety target level is specific to a process and should not be generalized unless existing regulations, standards and/or corporate policies have safety target levels that apply across industries, processes and often applications.

³ Engineered systems refers to all systems available to respond to a process demand, including other automatic protection layers and operator(s).

3.2.1. Example safety target level

For the illustrative example, assume that the safety target level for the vessel is: no release to the atmosphere with a probability of occurrence greater than 10^-4 in one year.

3.3. Hazard analysis

The second step is to perform a hazard analysis to identify hazards, potential process deviations and their causes, available engineered systems, initiating events, and potential hazardous events (accidents) that may occur. This can be accomplished using several qualitative techniques [6–9]:

- Safety reviews
- Checklists
- What-if analysis
- HAZOP
- Failure mode and effects analysis
- Cause-consequence analysis

One technique that is widely applied is a Hazard and Operability (HAZOP) analysis [9]. The HAZOP analysis (or study) identifies and evaluates safety hazards in a process plant, and non-hazardous operability problems that compromise its ability to achieve design productivity.

Although the technique was originally developed for evaluating new technology in which industry has little experience, it is also very effective with existing operations. It requires detailed knowledge and understanding of the design, operation and maintenance of a process. Generally, an experienced team leader systematically guides the analysis team through the process design using a fixed set of guide words. Guide words are applied at specific points or study nodes in the process and are combined with specific process parameters to identify potential deviations from the intended operation. Checklists or process experience are also used to help the team develop the necessary list of deviations to be considered in the analysis. The team then agrees on possible causes of process deviations, the consequences of such deviations, and the applicable engineered systems. If the causes and consequences are significant and the safeguards are inadequate, the team may recommend a follow-up action for management consideration.

3.3.1. Example HAZOP

For the illustrative example, a HAZOP is performed for the process shown in Fig. 3. The objective of this HAZOP analysis is to evaluate hazardous events that have the potential to release the material to the environment. An abridged list is shown in Table 2 to illustrate the HAZOP results.

The results of the HAZOP study identified that an overpressure condition could result in a release of the flammable material to the environment. This is an initiating event that could propagate into an accident scenario depending on the response of the available engineered systems. If a complete HAZOP was conducted for the process, other initiating events that could lead to a release to the environment may include leaks from process equipment, full bore rupture of piping, and external events such as a fire. For this illustrative example, the overpressure condition will be examined.

Fig. 3. Pressurized vessel with existing safety systems.

3.4. Risk analysis techniques

After the HAZOP has been performed, the risk associated with a process can be evaluated using qualitative or quantitative techniques published in the literature [6–11]. These techniques rely on the expertise of plant personnel and other hazard and risk analysis specialists to identify potential accident scenarios and evaluate the likelihood, consequences and impact of such accidents.

The risk associated with the process is expressed in terms of the frequency of a hazardous event and its associated consequence. Similarly, the safety target level establishes the acceptable level of risk of a hazardous event in terms of frequency and consequence. For each hazardous event that is examined, the introduction of an SIS is intended to reduce only the frequency of the hazardous event and not its consequence. Therefore, the difference between the existing hazardous event frequency and the safety target level frequency is the SIL.
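As an added worked example (not code from the paper), the frequency comparison just described is carried through numerically for the overpressure scenario of Section 3.1 against the target level of Section 3.2.1. The initiating-event frequency and the demand failure probabilities of the alarm/operator and the relief valve are constructed assumptions; the SIL bands are the IEC 61508 low-demand probability-of-failure ranges.

```python
"""Required SIL from process risk vs. safety target level (added example).

Scenario: the pressurized vessel of Section 3.1. The initiating event is a
BPCS failure leading to high level and then high pressure. Two engineered
systems already exist: a high-pressure alarm with operator response and a
pressure relief valve (PRV). The safety target level is the one stated in
Section 3.2.1: no release to the atmosphere more often than 1e-4 per year.

All frequencies are per year. The numerical values for the initiating event
and for the existing layers are constructed assumptions for illustration.
"""

# IEC 61508 low-demand SIL bands: SIL -> (lower PFD bound inclusive, upper bound exclusive)
SIL_PFD_BANDS = {
    1: (1e-2, 1e-1),
    2: (1e-3, 1e-2),
    3: (1e-4, 1e-3),
    4: (1e-5, 1e-4),
}

TARGET_FREQUENCY = 1e-4           # Section 3.2.1 target, releases per year

# Constructed assumptions (not values from the paper)
INITIATING_EVENT_FREQUENCY = 2.0  # BPCS failures causing high level, per year
PFD_ALARM_OPERATOR = 0.1          # operator does not act on the high-pressure alarm
PFD_PRV = 0.1                     # relief valve fails to open on demand


def hazardous_event_frequency(initiating_frequency, layer_pfds):
    """Frequency of the hazardous event: the initiating event occurs AND every
    independent protection layer in layer_pfds fails on demand."""
    frequency = initiating_frequency
    for pfd in layer_pfds:
        frequency *= pfd
    return frequency


def required_pfd(event_frequency, target_frequency):
    """Largest probability of failure on demand a new SIS may have so that
    event_frequency * PFD <= target_frequency. None if no reduction is needed."""
    if event_frequency <= target_frequency:
        return None
    return target_frequency / event_frequency


def required_sil(event_frequency, target_frequency):
    """SIL band that contains the required PFD. Returns 0 when no SIL-rated SIS
    is needed (target already met, or a risk reduction factor below 10 suffices).
    Raises ValueError when even SIL 4 would not reach the target."""
    pfd = required_pfd(event_frequency, target_frequency)
    if pfd is None or pfd >= SIL_PFD_BANDS[1][1]:
        return 0
    for sil, (low, high) in SIL_PFD_BANDS.items():
        if low <= pfd < high:
            return sil
    raise ValueError("required risk reduction exceeds SIL 4; redesign the process")


def assess_overpressure(credit_other_layers=True):
    """Apply the scenario assumptions to the vessel.

    credit_other_layers=True matches the two-dimensional matrix of Fig. 5: the
    hazardous-event frequency already includes failure of the alarm/operator and
    the PRV. False matches the three-dimensional matrix of Fig. 6, where other
    layers are accounted for separately and the frequency is that of the
    initiating event alone."""
    layers = [PFD_ALARM_OPERATOR, PFD_PRV] if credit_other_layers else []
    frequency = hazardous_event_frequency(INITIATING_EVENT_FREQUENCY, layers)
    return {
        "event_frequency": frequency,
        "required_pfd": required_pfd(frequency, TARGET_FREQUENCY),
        "required_sil": required_sil(frequency, TARGET_FREQUENCY),
    }


if __name__ == "__main__":
    for credit in (True, False):
        result = assess_overpressure(credit_other_layers=credit)
        print(f"credit for existing layers: {credit}")
        print(f"  hazardous event frequency : {result['event_frequency']:.2e} /yr")
        print(f"  required SIS PFD          : {result['required_pfd']:.2e}")
        print(f"  required SIL              : {result['required_sil']}")
```

With these assumed values the scenario needs SIL 2 when the alarm/operator and PRV are credited, but SIL 4 when they are not, which is why the three-dimensional matrix of Section 3.4.2 keeps other protection layers on a separate axis.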

3.4.1. Qualitative risk assessment techniques

In qualitative techniques, the risk concept of likelihood and consequences is used even though no explicit quantification is required. There are several examples of such techniques published in the literature [9,10]. These techniques rely on the expertise of plant personnel and other experts to identify potential accident scenarios and evaluate both the likelihood and consequences of an accident.

The use of this approach may be difficult because: (a) it relies heavily on the expert opinion of team members (to assess the critical parameters) that may produce inconsistent results; (b) it is difficult to document all thought processes that have led to the stated outcome; (c) it does not facilitate the use of a monitoring and management of change system for life-cycle management; and (d) it may be difficult to use for complex processes. The benefits of this approach are its simplicity, timeliness and the limited resources required for its execution, making it a useful screening tool to identify areas of safety concern. The disadvantage is that because it is so dependent on the expertise of the practitioners, consistency may be a problem.

One such technique from IEC 61508 and based on DIN 19250 [10] that can be applied to safeguard personnel and the environment is shown in Fig. 4. Similar risk graphs can be developed for damage to property. The risk graph identifies the required SIL of a safety function. In other words, it identifies the required risk reduction in order to achieve the desired safety target level. Therefore, it depends on the safety target level that has been established, consistent with Section 4.1.

Table 2. HAZOP analysis results

Item   | Deviation     | Causes             | Consequences               | Safeguards              | Action
Vessel | High level    | Failure of BPCS    | High pressure              | Operator                |
       | High pressure | 1. High level      | Release to atmosphere      | 1. Alarm, operator, PRV | Evaluate conditions for release to atmosphere
       |               | 2. External fire   |                            | 2. Deluge system        |
       | Low/no flow   | 1. Failure of BPCS | No consequence of interest |                         |
       | Reverse flow  |                    | No consequence of interest |                         |

Fig. 4. Qualitative technique to assess risk.

The proposed approach is to have a team of experts examine the process, identify each safety function that will be handled by an SIS and evaluate the SIL of each safety function. The highest SIL is then allocated to the common elements of the new SIS that is needed to achieve a safety target level.

3.4.1.1. Example qualitative risk assessment. The initiating event of interest is overpressurization. Following the qualitative approach shown in Fig. 4, the safety function needed to protect against overpressure and its associated SIL is determined as follows:

- Determine the extent of damage in the event the overpressurization occurs. The analysis team would identify this damage based on plant and process specific experience. Assume for the example the damage is assessed to be S2.
- Determine the frequency of exposure of personnel to the hazardous event. For this example assume that it is a permanent exposure (i.e., vessel is not isolated), therefore A2.
- Determine if there are measures in place or that can be taken to minimize or avoid personnel exposure to this hazardous event. For the illustrative example assume that no measures can be taken, therefore assume G2.
- The last item to evaluate is the frequency of occurrence of the hazardous event. For this example, assume that the frequency is low or W2.

Following the path identified by the risk graph, specifically S2, A2, G2 and W2, the safety function required to protect against the overpressure condition is estimated to require a SIL 2. It is important to note that this approach requires specific experience and expertise with the process under analysis and detailed guidance on the critical safety issues that the analysts need to investigate in order to make a consistent and systematic assessment of the four parameters.

3.4.2. Semi-quantitative risk assessment approach

A semi-quantitative approach can be used to assess process risk [6,9,11]. Such a semi-quantitative approach allows a traceable path of how the accident scenario develops, and comprises the following steps: (1) identify the accident scenarios; (2) identify the basic events that comprise each accident scenario, including the failure or success of safety systems; (3) assign a typical likelihood of occurrence for each event; (4) estimate the likelihood (approximate range of occurrence) of an accident scenario; (5) perform consequence analysis to understand the severity of the consequences of the accident scenario; (6) assign the rating for the severity of the consequences; and (7) evaluate the risk as a combination of the likelihood and the consequences. Typical guidance on how to estimate the likelihood of accidents to occur is provided in Table 3. Table 4 shows one way of converting the severity of the consequences into ratings for a relative assessment. Similar tables for likelihood and severity of consequences can be developed based on plant specific expertise and experience.

Table 3. Criteria for probability of occurrence of hazardous events

Type of events | Likelihood: Frequency/year | Likelihood: Qualitative ranking
Events like multiple instrument or valve failures, multiple human errors or spontaneous failures of process vessels | 10^-2 | High

A risk matrix can be used for the evaluation of risk by combining the likelihood and the consequences. Such risk matrices, modified to identify SIL for risk reduction and shown in Fig. 5 and Fig. 6, can be used with qualitative or semi-qualitative approaches depending on the extent of information available. Such matrices can and should vary with different applications.

The two-dimensional matrix in Fig. 5 assumes that the likelihood of having the undesired event (y-axis) includes the probability that existing safety systems of other technology (i.e., other protection layers) have failed to respond to the demand.

The three-dimensional matrix shown in Fig. 6 [6] accounts explicitly for the presence of SRSs of other technology such as pressure relief valves and rupture disks. Therefore, the likelihood of a hazardous event does not account for the contribution of other protection layers.

A semi-quantitative approach is generally used to identify and assess process risk where the emphasis is more on relative assessment rather than absolute assessment. The semi-quantitative technique does provide a more systematic approach to assess risk than qualitative methods. It also relies on the ability of the team to assign values to the risk parameters based on judgment. It does have all the benefits of the qualitative approach without presenting the same level of challenge in documentation and life-cycle activities management.

3.4.2.1. Example using semi-quantitative techniques. The SIL of the safety function to protect against overpressure can also be evaluated using the semi-quantitative method. After a careful and systematic analysis of the events that would lead to the occurrence of the overpressure, the analysis team would identify the likelihood of occurrence of an accident that was initiated due to the overpressure of the vessel. For the illustrative example, assume that the accident probability of occurrence is again evaluated to be low. This probability includes the probability of failure of safety systems of other technologies. The potential consequences were evaluated to be moderate. Using the risk matrix in Fig. 5, the safety function is evaluated to be SIL 2.

The development of the risk matrix and the identification of the safety function SIL depends on the safety target level that has been established, consistent with Section 4.2. It is also important to note that this approach requires specific experience and expertise with the process under analysis and detailed guidance on the critical safety issues that the analysts need to investigate in order to make a consistent and systematic assessment of the probability of occurrence of an accident and the severity of the consequences.

Table 4. Criteria for severity of consequences of hazardous events

Severity | Nature of consequences
High     | Large scale damage of equipment. Shutdown of a process for a long time. Catastrophic consequence to personnel and the environment
Moderate | Damage to equipment. Short shutdown of the process. Serious damage to personnel and the environment
Low      | Minor damage to equipment. No shutdown of the process. Temporary injury to personnel and damage to the environment
Very low | No damage to equipment. Minor injury and environmental damage

Fig. 5. Process risk matrix with SIL identification.
Fig. 6. Three-dimensional risk matrix.

    3.4.3. Quantitative risk analysis techniques

The quantification of the risks associated with a process is accomplished through a Quantitative Risk Analysis (QRA) that identifies and quantifies the risks associated with potential process accidents. The results (i.e., process risk or safety level) can be used to identify safety functions and their associated SIL in order to reduce the process risk to an acceptable level. The assessment of process risk using quantitative techniques can be distinguished in the following major steps [11–14]. The first four steps can be performed during the HAZOP study.

1. Identify process hazards.
2. Identify safety layer^4 composition.
3. Identify initiating events.
4. Develop accident scenarios for every initiating event.
5. Ascertain the probability of occurrence of the initiating events and the reliability of existing safety systems using historical data or modeling techniques (Fault Tree Analysis, Markov Modeling).
6. Quantify the likelihood of occurrence of all significant accident scenarios using modeling techniques such as Event Trees or Fault Trees [9].
7. Evaluate the consequences of all significant accident scenarios.
8. Integrate the results (consequence and probability of an accident) into risk associated with each accident scenario.

The significant outcomes of interest are:
- A better and more detailed understanding of risks associated with the process.
- The process risk profile (or safety level).
- A measured contribution of existing safety systems to the overall risk reduction or safety level of the process.
- The identification of each safety function needed to reduce process risk.
- A comparison of current process safety with the process safety target level.

The quantitative technique is resource intensive but does provide benefits that are not inherent in the other two approaches. The technique relies heavily on the expertise of a team to identify hazards, provides an explicit method to handle existing safety systems of other technologies, uses a framework to document all activities that have led to the stated outcome, and provides a system for life-cycle management.

    3.4.4. Comparison of techniques

The qualitative technique relies heavily on the expert opinion of the team performing the analysis. Such expert opinion is difficult to gain, retain and oftentimes impossible to replace. The approach is however not resource intensive and can be used with good results depending on the level of expertise available and the complexity of the process. It is an excellent basis for a screening tool that can be used to identify process areas for further analysis. It does however present challenges such as documentation of the thought processes used during the analysis and documentation requirements for management of change and re-evaluation of the process risk.

The semi-quantitative technique does provide a more systematic approach to risk assessment; however, it also relies on the ability of the team to assign values to the risk parameters based on judgment. More often, the emphasis in semi-quantitative assessment is on relative assessment rather than absolute assessment. It does, however, have all the benefits of the qualitative approach without presenting the same level of challenge in documentation and life-cycle activities management.

The quantitative technique is resource intensive but does provide benefits that are not provided in the other two approaches. The technique relies on the expertise of a team to identify hazards, provides an explicit method to handle existing safety systems of other technologies, uses a framework to document all activities that have led to the stated outcome, and provides a system for life-cycle management.

The benefits of each technique, in terms of initial cost, flexibility and life-cycle cost, have been organized and are shown in Fig. 7. The y-axis represents a relative scale for assessment of the three parameters. Flexibility refers to the ability of the technique to address all types of processes, SIS and other safety systems of different technologies; initial cost refers to the start-up cost of performing a risk assessment using the techniques; life-cycle represents the cost associated with life-cycle management activities such as documentation needs, ability to trace all work, opportunity to modify the safety layer and re-assess the process risk to claim compliance to standards in the future.

A proposed approach to assess the risk associated with a new process in order to determine the safety functions that will be incorporated into an SIS and comply with the standards is as follows:

- Use the qualitative or semi-quantitative technique as a screening tool to reduce initial cost by identifying complicated and significant accident scenarios, in terms of risk, that require further analysis.
- Use the quantitative technique to assess process risk and clearly document the procedure and results.
- Use a qualitative technique to re-assess the process risk at periodic intervals that are determined either by regulations, standards or changes in the process that impact safety.

^4 A safety layer comprises all the safety systems available to safeguard a process and it includes SISs, SRSs of other technologies, external risk reduction facilities, and operator response. For a definition of safety layer, see Ref. [6].

If, however, a user company has developed a significant experience base with the operation of a particular process, the hazards and hazardous events of interest are probably well known, and therefore a qualitative or semi-quantitative method can be used to identify the safety functions that should be implemented in an SIS. The success of any risk assessment technique will depend on the expertise of the analysis team and their experience with the process under study.

    4. Example risk assessment

For the illustrative example, one initiating event, overpressurization, was identified through the HAZOP study to have the potential to release material to the environment. It should be noted that the approach used in this section is a combination of a quantitative assessment of the likelihood of the hazardous event to occur and a qualitative evaluation of the consequences. This approach is used to illustrate the systematic procedure that should be followed to identify hazardous events and safety instrumented functions.

    4.1. Risk analysis of existing process

The next step is to identify factors that may contribute to the development of the initiating event. In Fig. 8, a simple fault tree is shown that identifies some events that contribute to the development of an overpressure condition in the vessel. The top event, vessel overpressurization, is caused by the failure of the basic process control system (BPCS), or an external fire (see Table 3). The fault tree is shown to highlight the impact of the failure of the BPCS on the process. The BPCS does not perform any safety functions. Its failure, however, contributes to the increase in demand for the SIS to operate. Therefore, a reliable BPCS would create a smaller demand on the SIS to operate. The fault tree can be quantified using minimal cut-set theory [15]. For this example, the likelihood of the overpressure condition is assumed to be in the order of 10^-1 in one year.

Once the probability of occurrence of the initiating event has been established, the success or failure of the safety systems to respond to the abnormal condition is modeled using event tree analysis [15]. The reliability data for the performance of the safety systems can be taken from actuarial data, published databases or predicted using reliability modeling techniques. For this example, the reliability data were assumed and should not be considered as representing published and/or predicted system performance. Fig. 9 shows the potential release scenarios that could be developed given an overpressure condition. The results of the accident modeling are: (a) the probability of each accident sequence to occur;^5 and (b) the consequences in terms of release of flammable material. In Fig. 9, five accident scenarios are identified, each with a probability of occurrence and a consequence in terms of potential releases. Accident scenario 1, no release, is the designed condition of the process. The remaining scenarios range from a probability of occurrence in the order of 9 × 10^-3 for release of material from the relief valve to about 1 × 10^-3 for failure of the vessel.

Fig. 7. Comparison of risk assessment techniques.

    4.2. Events that do not meet the safety target level

As was stated earlier, plant specific guidelines establish the safety target level as: no release of material to the environment with a probability of occurrence greater than 10^-4 in one year. Given the accident probability of occurrence and consequence data in Fig. 9, risk reduction is necessary in order for accidents 2, 3 and 4 to be below the safety target level.

    4.3. Risk reduction using other protection layers

Both standards require that safety systems of other technologies be employed prior to establishing the need for a safety function implemented in an SIS. To illustrate the procedure, assume that an additional pressure relief valve with a higher set point is introduced to augment the existing safety systems. Fig. 10 shows the process with the new safety systems. Event tree analysis is employed to develop all the potential accident scenarios. From Fig. 10, it can be seen that seven release accidents may occur, given the same overpressure condition.

Examination of the probability of occurrence of the modeled hazardous events shows that the safety target level for the vessel has not been met because accident scenarios 2, 3 and 5 are still above the safety target level. At this point the feasibility of using external risk reduction facilities should be evaluated. Given that the safety target is to minimize the risk due to a release of material to the environment, it can be assumed that external risk reduction facilities such as a dike are not a feasible alternative risk reduction scheme. Therefore, since no other non-SIS protection can meet the safety target level, a safety function implemented in an SIS is required to protect against an overpressure and the release of the flammable material.

Fig. 8. Fault tree for overpressure of the vessel.

^5 Each event in Fig. 9 is assumed to be independent. Furthermore, the probability data shown is approximate; therefore, the sum of the probabilities of all accidents approaches the probability of the initiating event (0.1).

    4.4. Risk reduction using an SIS safety function

The safety target cannot be achieved using safety systems of other technologies or external risk reduction facilities. Therefore, a new SIL 2 safety function implemented in an SIS is required to meet the safety target level. The safety function must reduce the probability of occurrence of the second accident scenario, in Fig. 9, from 9 × 10^-3 in a year to or below the established safety target of less than 10^-4 in one year. This requires a SIL 2 safety function (Probability to Fail to Function 10^-3 to 10^-2, see Table 2). The new safety function is shown in Fig. 11. It is not necessary at this point to perform a detailed design on the safety function. This will be discussed in later sections. However, a general concept of the new safety function should be available. For example, the new safety function can use dual, safety dedicated, pressure sensors in a 1oo2 configuration^6 sending signals to a logic solver. The output of the logic solver controls one additional shutdown valve.

The new SIL 2 safety function is used to minimize the likelihood of a release from the pressurized vessel due to an overpressure. Fig. 11 presents the new safety layer and provides all the potential accident scenarios. As can be seen from this figure, the probability to have a release from this vessel can be reduced to 10^-4 or lower and the safety target level can be met provided the safety function can be evaluated to be consistent with SIL 2 requirements.

Fig. 9. Accident scenarios with existing safety systems.
Fig. 10. Accident scenarios with redundant pressure relief valve.
Fig. 11. Accident scenarios with SIL 2 SIS safety function.

^6 1oo2 means that either one of the pressure sensors can send a signal to shut down the process.
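The quantitative procedure of Section 3.4.3 (steps 5 to 8) and the event-tree reasoning of Sections 4.1 to 4.4, carried through in Python as an added example that is not part of the paper. The layer names, PFD values and the three-outcome tree are constructed assumptions chosen to reproduce the orders of magnitude quoted in the text (initiating event 0.1/yr, relief-valve release 9 × 10^-3/yr, vessel failure 10^-3/yr, target 10^-4/yr); the PFD bands are the IEC 61508 low-demand bands, of which the paper's Table 2 quotes the SIL 2 band.

```python
"""Event-tree quantification of the overpressure example: constructed
illustration, not the authors' code. Layer names, PFDs and the three-outcome
tree are assumptions chosen to match the orders of magnitude in the text."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

INITIATING_FREQ = 0.1   # overpressure demands per year (Section 4.1)
SAFETY_TARGET = 1e-4    # tolerable release frequency per year (Section 4.2)

# IEC 61508 low-demand PFD bands, SIL -> (lower, upper); Table 2 gives SIL 2.
SIL_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}


@dataclass(frozen=True)
class Layer:
    name: str
    pfd: float                          # probability of failure on demand
    outcome_on_success: Optional[str]   # consequence when it acts; None = no release


# Constructed existing safety layer, in the order the demand reaches it.
EXISTING_LAYERS = [
    Layer("existing non-SIS protection", 0.1, None),
    Layer("pressure relief valve", 0.1, "release from relief valve"),
]
FINAL_OUTCOME = "vessel failure"        # every layer has failed


def event_tree(initiating_freq: float, layers: list[Layer]) -> dict[str, float]:
    """Binary event tree (independent layers, as in footnote 5): each layer
    either succeeds, ending the sequence with its outcome, or fails and passes
    the demand on. Returns outcome -> frequency per year."""
    freqs: dict[str, float] = {}
    remaining = initiating_freq         # frequency still on the all-failed branch
    for layer in layers:
        key = layer.outcome_on_success or "no release"
        freqs[key] = freqs.get(key, 0.0) + remaining * (1.0 - layer.pfd)
        remaining *= layer.pfd
    freqs[FINAL_OUTCOME] = freqs.get(FINAL_OUTCOME, 0.0) + remaining
    return freqs


def releases_above_target(freqs: dict[str, float], target: float = SAFETY_TARGET):
    """Accident scenarios that still violate the safety target (Section 4.2)."""
    return {k: v for k, v in freqs.items() if k != "no release" and v > target}


def required_sil(scenario_freq: float, target: float = SAFETY_TARGET) -> Optional[int]:
    """Lowest SIL whose whole PFD band lies at or below target / scenario_freq,
    i.e. a conservative band choice; None if even SIL 4 is insufficient."""
    required_pfd = target / scenario_freq
    for sil in sorted(SIL_BANDS):
        if SIL_BANDS[sil][1] <= required_pfd:
            return sil
    return None


def with_sis(layers: list[Layer], pfd: float) -> list[Layer]:
    """Add the SIS trip ahead of the existing layers: it shuts the process
    down before the relief set point is reached (Section 4.4)."""
    return [Layer("SIS overpressure trip", pfd, None)] + list(layers)


if __name__ == "__main__":
    base = event_tree(INITIATING_FREQ, EXISTING_LAYERS)
    worst = max(releases_above_target(base).values())
    print(base, "-> required SIL", required_sil(worst))   # SIL 2
    after = event_tree(INITIATING_FREQ, with_sis(EXISTING_LAYERS, 5e-3))
    print(after, "-> still above target:", releases_above_target(after))  # {}
```

Because the SIS trip sits ahead of every existing layer, its PFD scales all downstream scenario frequencies, so sizing it against the worst release scenario (9 × 10^-3/yr) is sufficient; a mid-band SIL 2 PFD of 5 × 10^-3 brings both releases below the 10^-4/yr target.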

4.5. Define safety function specification requirements

As was mentioned earlier, there are additional initiating events that may occur and cause the release of material from the pressure vessel. These have to be examined using the aforementioned procedure. Using the same technique, event trees representing accident scenarios for the chemical process for additional initiating events can be developed to identify all the safety functions required to protect the process and evaluate the SIL of each safety function. Following the same procedure, assume that three additional safety functions have been identified ranging from a SIL 1 to 2 requirement. All four safety functions will be implemented into an SIS.

The new SIS must then be designed according to the requirements for the highest SIL determined from the analysis of the safety functions. What this clearly implies is that the common elements of the SIS, such as the logic solver, must meet the SIL 2 requirements. However, SIS elements that can be shown to be independent, such as sensors, can be designed to meet the specific safety function SIL requirements.

    5. Integrate safety functions in an SIS

The specifications for the new SIL 2 SIS have been defined through the hazard and risk analysis. The SIS must handle four safety functions that safeguard against a release of material to the environment. A new SIS can be designed in terms of sensor configuration (i.e., redundancy, voting, etc.), logic solver(s) requirements and valve configuration.^7 One such example of an SIS is shown in Fig. 12. The SIS shown includes the safety function against overpressure (safety dedicated dual pressure transmitters in a redundant 1oo2 configuration sending signals to a logic solver that controls one shutdown valve), and three additional safety functions to protect against other initiating events. The common elements of the SIS, the logic solver, are assumed to meet the SIL 2 requirements, supported either by reliability data taken from the manufacturer of the logic solver and independently evaluated through a reliability evaluation program, or by a third party certification program. Two shutdown valves in series are employed to place the process in a safe state.

At this point the proposed SIS configuration must comply with the requirements of the standards and meet the SIL that was identified through the risk analysis. It is beyond the scope of this paper to discuss techniques that may be used to evaluate the SIL of the proposed SIS.

Fig. 12. Schematic of proposed SIS.

^7 The example does not imply that only safety functions protecting the pressure vessel can be implemented in one SRS. The same SRS can also implement safety functions safeguarding other processes provided the same analysis is employed to identify the specification requirements of the safety functions.

    6. Conclusions

Two performance-based safety standards (ANSI/ISA S84.01 and IEC d61508) were discussed. Compliance to the standard requires a hazards and risk analysis to establish the safety requirements for safety instrumented functions in terms of SIL. The identified safety functions were conceptually integrated into an SIS.

Several techniques to perform process risk analysis were discussed and their advantages and disadvantages identified. The benefits of each technique, in terms of initial cost, flexibility and life-cycle cost were discussed. A proposed approach to assess the risk associated with a new process in order to determine the safety functions that will be incorporated into an SIS and comply with the standards was illustrated through a simple example.

The success of any risk assessment technique will depend on the expertise of the analysis team and their experience with the process under investigation. If a user company has developed a significant experience base with the operation of a particular process, the hazards and hazardous events of interest are probably well known, and therefore a qualitative or semi-quantitative method can be used to identify the safety functions that should be implemented in an SIS. If, however, the process is new, a rigorous quantitative risk analysis technique should be used for the first time evaluation of the risk associated with the process.

    References

[1] IEC d61508; Functional safety of electric/electronic/programmable electronic systems, International Electrotechnical Commission, Draft Report, 1997.
[2] ISA S84.01; Application of safety instrumented systems for the process industry, Instrument Society of America Standard, 1996.
[3] IEC d61511; Functional safety: safety instrumented systems for the process industry, International Electrotechnical Commission, Draft Report, 1997.
[4] API Recommended Practice 752: Management of hazards associated with location of process plant buildings, American Petroleum Institute, Washington, DC, 1995.
[5] ASME Risk Based Inspection Guidelines vol. 3, Fossil fuel fired electric generating stations applications, American Society of Mechanical Engineers, New York, 1993.
[6] CCPS Guidelines for safe automation of chemical processes, Center for Chemical Process Safety of the American Institute of Chemical Engineers, NY, 1993.
[7] OSHA 29 CFR Part 1910; Process safety management of highly hazardous chemicals; explosives and blasting agents; Final Rule, Occupational Safety and Health Administration, Washington, DC, 1992.
[8] EPA 40 CFR Part 68; Risk management programs for chemical accidental release prevention; Proposed Rule, Environmental Protection Agency, Washington, DC, 1995.
[9] N.J. McCormick, Reliability and Risk Analysis, Academic Press, San Diego, CA, 1981.
[10] DIN V VDE 19250 Fundamental safety aspects to be considered for measurement and control equipment, Germany, 1990.
[11] K. Bhimavarapu, L. Moore, P. Stavrianidis, Performance-based safety standards: an integrated risk assessment program, Presented at ISA Tech 97, Instrument Society of America, Anaheim, CA, 1997.
[12] S. Contini, Benchmark exercise on major hazard analysis, Commission of European Communities, 1992.
[13] N. Siu, Risk assessment for dynamic systems: an overview, Reliability Engineering and System Safety, vol. 43, 1996.
[14] P. Stavrianidis, Improving management of technological risk: a process safety compliance framework, Risk and Safety Assessment Conference, Hawaii, 1995.
[15] E.J. Henley, H. Kumamoto, Probabilistic risk assessment, IEEE Press, New York, 1992.