Safety Instrumented System design is all about the process

Designing a large SIS requires a multi-discipline team

By Charles M. Fialkowski, CFSE, Siemens Energy & Automation -- AppliedAutomation, 2/1/2008

The ISA 84.00.01-2004 (IEC 61511) standard is performance oriented, not prescriptive. It does not tell people what technology to use (PLC, relay, etc.) or field device configuration (single, dual or triple) or how often the system needs to be tested (monthly, quarterly or yearly). It simply describes the performance requirements (i.e. Safety Integrity Level, or SIL) for the overall system. The greater the level of risk of the process, the greater the performance needed of the safety instrumented system.

Plants must decide for themselves just what is “safe,” and each plant must decide on how they will determine and document that their systems are, in fact, safe. Unfortunately, these are difficult decisions that few want to make – and fewer still want to put in writing.

Safety life cycle

Designing a single component may be viewed as a relatively simple matter – one that a single person can handle. Designing a large SIS, however, is typically beyond the ability of any single individual. Large systems require a multi-discipline team. The control system engineer should not feel that the entire burden of designing a safe plant rests on his shoulders alone, because it does not.

Experience has shown that a detailed, systematic, methodical, well documented design process is called for in the design of safety instrumented systems. This starts with a safety review of the process, implementation of other safety layers and systematic analysis, as well as detailed documentation and procedures. The steps are described in most documents as a safety life cycle. The intent is to leave a documented, auditable trail, making sure that nothing is missed.

Some will complain that performing all of the life cycle steps – as with other tasks designed to lower risk – will increase overall costs and result in lower profitability and productivity. One in-depth study conducted by a group including major engineering societies, 20 industries and 60 product groups with a combined exposure of over 50 billion hours, concluded that production increased as safety increased.

The safety life cycle steps include:

Conceptual process design – The first step in the life cycle is to develop an understanding of the process, the equipment under control and the environment (physical, social, political and legal) in sufficient depth to enable the other life cycle activities to be performed. The goal is to design an inherently safe plant. These activities are generally considered outside the realm of the control system engineer, but the control system engineer still needs a working understanding of the general process.

Hazard analysis, risk assessment – The next step is to develop an understanding of the risks associated with the process. Risks may impact personnel, production, capital equipment, the environment, company image, etc.

Hazard analysis consists of identifying the hazards. There are numerous techniques one can use (HAZOP, what if, fault tree, checklist, etc.) and numerous texts describing each method. Risk assessment consists of classifying the risk of the hazards that have been identified in the hazard analysis. This is not intended to be the sole responsibility of the control system engineer. There are obviously a number of other disciplines required in order to perform these assessments.

Application of non-SIS layers – The goal of process plant design is to have a plant that is inherently safe; or one where residual risks can be controlled by the application of non-instrumented safety layers.

Is an SIS required? – If the risks can be controlled to an acceptable level without the application of an instrumented system, then the design process stops (as far as a safety instrumented system is concerned). If the risks cannot be controlled to an acceptable level by the application of non-instrumented layers, then an instrumented system will be required.

Define target SIL – Safety system performance should match the level of risk. In other words, the greater the level of process risk, the better the safety system needs to be in order to control the risk. This requires identifying the individual risks and assessing their impact.

The most difficult step in the overall process for most organizations seems to be determining the required Safety Integrity Level (SIL). This is not a direct measure of process risk, but rather a measure of the safety system performance required in order to control the risks identified earlier to an acceptable level.

Develop safety requirements specification – The next step consists of developing the safety requirements specification (SRS), essentially the functional logic of the system. Each safety function should have an associated SIL requirement, as well as any reliability requirements if nuisance trips are a concern. One should include all operating conditions of the process, from start-up through shutdown, as well as maintenance. (One may find that certain logic conditions conflict during different operating modes of the process.)

Conceptual SIS design – The purpose of this step is to develop an initial design in order to see if it meets the safety requirements and SIL performance requirements. One needs to initially select a technology, configuration (architecture), test interval, etc. This pertains to the field devices as well as the logic box.

Factors to consider are overall size, budget, complexity, speed of response, communication requirements, interface requirements, method of implementing bypasses, testing, etc. One can then perform a relatively simple calculation to see if the proposed system meets the performance requirements, or make a qualitative judgment based on prior experience (although this is obviously harder to substantiate).

The intent is to evaluate the system, before one specifies the solution. Just as it is better to perform a HAZOP before you build the plant (it’s hard to change the design once it’s already been built), it is better to analyze the proposed safety system before you specify it, or else how will you know if it meets the performance goal?
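The "relatively simple calculation" referred to above, and the target-SIL step that precedes it, can be shown in working form. The following Python script is an added illustration, not code from the article or from Siemens: it derives the required PFDavg (and hence the target SIL band) from the hazard frequency left after the non-SIS layers and the tolerable frequency, then checks a proposed sensor / logic solver / final element design against it using the simplified low-demand PFDavg approximations for 1oo1, 1oo2 and 2oo3 architectures. It assumes constant failure rates, neglects repair time and common-cause failures, and all failure rates and frequencies are constructed sample values. It also shows the trade-off the Operations and maintenance step depends on: the same hardware tested twice a year instead of once changes whether the design meets its target.

```python
"""Target-SIL selection and simplified SIL verification for one low-demand
safety instrumented function (SIF).  Added illustration; not from the article.

Assumptions (labelled):
  * Low-demand mode, constant failure rates, repair time neglected, no
    common-cause or systematic failure contribution (a real SIL calculation
    would add these).
  * Simplified IEC 61508 PFDavg approximations, with x = lambda_DU * TI:
        1oo1: x / 2        1oo2: x**2 / 3        2oo3: x**2
  * All failure rates and hazard frequencies below are constructed sample
    values, not vendor or plant data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

HOURS_PER_YEAR = 8760.0

# Low-demand SIL bands (IEC 61508 / ISA 84): SIL -> [lower, upper) PFDavg.
SIL_BANDS: Dict[int, Tuple[float, float]] = {
    4: (1e-5, 1e-4),
    3: (1e-4, 1e-3),
    2: (1e-3, 1e-2),
    1: (1e-2, 1e-1),
}


def sil_for_pfd(pfd: float) -> int:
    """Map a PFDavg to its SIL band.  0 means less than SIL 1 risk reduction;
    values below 1e-5 are reported as SIL 4, the highest level defined."""
    if pfd >= 1e-1:
        return 0
    for sil, (low, high) in SIL_BANDS.items():
        if low <= pfd < high:
            return sil
    return 4


def required_pfd(unmitigated_freq_per_year: float,
                 tolerable_freq_per_year: float) -> float:
    """PFDavg the SIF must achieve so that the hazard frequency remaining
    after the non-SIS layers is reduced to the tolerable frequency.
    unmitigated / tolerable is the required risk reduction factor (RRF)."""
    if unmitigated_freq_per_year <= tolerable_freq_per_year:
        return 1.0  # already acceptable: no SIS needed for this scenario
    return tolerable_freq_per_year / unmitigated_freq_per_year


@dataclass
class Subsystem:
    name: str                   # sensor, logic solver or final element
    architecture: str           # "1oo1", "1oo2" or "2oo3"
    lambda_du_per_hour: float   # dangerous undetected failure rate
    test_interval_years: float  # proof test interval TI

    def pfd_avg(self) -> float:
        x = self.lambda_du_per_hour * self.test_interval_years * HOURS_PER_YEAR
        if self.architecture == "1oo1":
            return x / 2
        if self.architecture == "1oo2":
            return x ** 2 / 3
        if self.architecture == "2oo3":
            return x ** 2
        raise ValueError(f"unsupported architecture {self.architecture!r}")


def verify_sif(subsystems: List[Subsystem], pfd_target: float) -> dict:
    """To first order the PFDavg of a SIF is the sum of its subsystems' PFDavg,
    because a dangerous failure of the sensor, the logic solver or the final
    element each defeats the whole function."""
    total = sum(s.pfd_avg() for s in subsystems)
    return {
        "pfd_avg": total,
        "sil_achieved": sil_for_pfd(total),
        "meets_target": total <= pfd_target,
        "worst_subsystem": max(subsystems, key=lambda s: s.pfd_avg()).name,
    }


if __name__ == "__main__":
    # Constructed scenario: after non-SIS layers the hazard still occurs
    # 3e-2 times/year; the tolerable frequency is 1e-4/year.
    target = required_pfd(3e-2, 1e-4)  # 3.33e-3 -> SIL 2 band
    print(f"required PFDavg {target:.2e} -> target SIL {sil_for_pfd(target)}")

    base = [
        Subsystem("pressure transmitter", "1oo1", 5e-7, 1.0),
        Subsystem("safety PLC", "1oo2", 1e-8, 1.0),
        Subsystem("shutdown valve", "1oo1", 1e-6, 1.0),
    ]
    print("initial design:", verify_sif(base, target))  # fails; valve dominates

    # Option A: redundant valves.  Option B: same hardware, proof test every 6 months.
    option_a = base[:2] + [Subsystem("shutdown valve", "1oo2", 1e-6, 1.0)]
    option_b = [Subsystem(s.name, s.architecture, s.lambda_du_per_hour, 0.5) for s in base]
    print("option A:", verify_sif(option_a, target))
    print("option B:", verify_sif(option_b, target))
```

The useful output is not the SIL band alone: the initial design lands in the SIL 2 band yet still misses the required PFDavg, because the band is a range and the target sits inside it. The `worst_subsystem` field points at where the design effort should go (here the single shutdown valve), and the two options show that either redundancy or a shorter proof test interval closes the gap, which is exactly the test interval commitment that the Operations and maintenance step must then honour.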

Detailed SIS design – The purpose of this step is to finalize and document the design. Once a design has been chosen, the system must be engineered and built following strict and conservative procedures. This is the only realistic method of preventing design and implementation errors that we know of. The process requires thorough documentation, that is, an auditable trail that someone else may follow for verification purposes.

Installation, commissioning – This step is to ensure the system is installed according to the design and performs according to the safety requirements specification. Before a system is shipped from a factory, it must be thoroughly tested for proper operation. If any changes are required, they should be made at the factory, not at the installation site.

At installation, the entire system – this time including the field devices – must be checked as well. There should be a detailed installation document outlining each procedure to be carried out. Finished operations should be signed off in writing showing that each function and operational step has been checked.

Operations, maintenance – In order to function properly, every system requires periodic maintenance. Not all faults are self-revealing, so every safety system must be periodically tested in order to make sure it will respond properly to an actual demand. The frequency of inspection and testing will have been determined earlier in the life cycle. All testing must be documented.

Modifications – As process conditions change, it will be necessary to make changes to the safety system. All proposed changes require returning to the appropriate phase of the life cycle. A change that may be considered minor by one individual may actually have a major impact on the overall process. This can be recognized only if the change is thoroughly reviewed by a qualified team. History has shown that many accidents have been caused by this lack of review.

Decommissioning – Decommissioning a system should entail a review to make sure removing the system from service will not impact the process or surrounding units, and that means are available during the decommissioning process to protect the personnel, equipment and environment.

Author Information

Charles M. Fialkowski, C.F.S.E. has been a safety systems specialist for more than 10 years, with a focus on process safety. He is the chairman for ISA’s Safety Division on Fire and Gas systems and a member of the ISA’s technical committee SP84 on Safety Systems. He has published numerous papers on Safety Instrumented Systems, and is a developer of a BMS course for Exida.com. Fialkowski is a National Process Safety promoter with Siemens Energy & Automation.

Definition of Safety Instrumented System

A Safety Instrumented System is designed to respond to conditions of a plant that may be hazardous in themselves, or that, if no action were taken, could eventually give rise to a hazard. It must generate the correct outputs to prevent the hazard or mitigate the consequences.

©2008 Reed Business Information, a division of Reed Elsevier Inc. All rights reserved.