UNIT No.: 02: - 2A. Define Safety Instrumentation Systems (Terms)

D I C : SEM-3 : SIS & SIL : GOVERNMENT POLYTECHNIC PALANPUR: 2 0 1 5 | 1

- : UNIT No. : 02 : -

2a. DEFINE SAFETY INSTRUMENTATION SYSTEMS (TERMS) :

2.1 SAFETY INSTRUMENTATION SYSTEMS TERMS :

HAZARD AND OPERABILITY STUDIES [HAZOP] :

-> What is HAZARD?

> Examples of hazards in the home include:

• Broken glass, because it could cause cuts;
• Pools of water, because they could cause slips and falls;
• Too many plugs in a socket, which could overload it and cause a fire.

> Examples of hazards at work might include:

• Loud noise, because it can cause hearing loss;
• Breathing in asbestos dust, because it can cause cancer.

> Hazards in the process industry might include:

• The level of liquid in a vessel: a high level may result in an overflow of
liquid into gas streams, or an overspill of a dangerous chemical or
flammable liquid; a low level may result in dry running of pumps, or gas
blow-by into downstream vessels.
• The pressure of liquid in a vessel: high pressure may result in loss of
containment, leaks or vessel rupture.

-> Reasons to use HAZOPs :

- The pressures of project schedules can result in errors or oversights, and the HAZOP allows
these to be corrected before such changes become too expensive. Because they are easy to
understand and can be adapted to any process or business, HAZOPs have become the most
widely used hazard identification methodology.

- A Hazard and Operability (HAZOP) study is a structured and systematic examination of a
planned or existing process or operation in order to identify and evaluate problems that may
represent risks to personnel or equipment, or prevent efficient operation.

- The HAZOP technique was initially developed to analyze chemical process systems, but
has since been extended to other types of systems, to complex operations and to
software systems.

- The inputs to the HAZOP are the Piping and Instrumentation Diagrams (P&IDs), Cause
and Effect charts (C&E : Cause & Effect Analysis) and the operating company’s risk matrix.

-> HAZOP Study Team :

It is important that a HAZOP team is made up of personnel who will bring the best
balance of knowledge and experience of the type of plant being considered to the
study. A typical HAZOP team is made up as follows:

> The following items should be available to view by the HAZOP team:

• Piping and Instrumentation Diagrams (P&IDs) for the facility;
• Process Description or Philosophy Documents;
• Existing Operating and Maintenance Procedures;
• Cause and Effects (C&E) charts;
• Plant layout drawings.

PREPARED BY Lect. N P VASAVA


-> TYPES OF HAZOP:

- Process HAZOP : The HAZOP technique was originally developed to assess plants
and process systems.

- Human HAZOP : A “family” of specialized HAZOPs, more focused on human errors
than technical failures.

- Procedure HAZOP : Review of procedures or operational sequences; sometimes denoted
SAFOP - SAFE Operation Study.

- Software HAZOP : Identification of possible errors in the development of software.

-> PROCESS HAZOP :

As a basis for the HAZOP study the following information should be available:
- Process flow diagrams,
- Piping and instrumentation diagrams (P&IDs),
- Layout diagrams,
- Material safety data sheets,
- Provisional operating instructions,
- Heat and material balances,
- Equipment data sheets,
- Start-up and emergency shut-down procedures.

-> Mode of operation :

The following modes of plant operation should be considered for each node:
- Normal operation,
- Reduced throughput operation,
- Routine start-up,
- Routine shutdown,
- Emergency shutdown,
- Commissioning,
- Special operating modes.

-> HAZOP Procedure :

01. Divide the system into sections (e.g., reactor, storage)
02. Choose a study node (e.g., line, vessel, pump, operating instruction)
03. Describe the design intent
04. Select a process parameter
05. Apply a guide-word
06. Determine cause(s)
07. Evaluate consequences/problems
08. Recommend action: What? When? Who?
09. Record information
10. Repeat procedure (from step 2)

-> PROCESS HAZOP WORKSHEET :

-> WORKSHEET ENTRIES :

> NODE : A node is a specific location in the process at which (the deviations
of) the design/process intent are evaluated.
Examples might be: separators, heat exchangers, scrubbers, pumps, compressors, and
interconnecting pipes with equipment.

> DESIGN INTENT : The design intent is a description of how the process is expected to
behave at the node; this is qualitatively described as an activity (e.g., feed, reaction,
sedimentation) and/or quantitatively in the process parameters, like temperature,
flow rate, pressure, composition, etc.

> DEVIATION : A deviation is a way in which the process conditions may depart from
their design/process intent.

> Process parameters may generally be classified into the following groups:

- Physical parameters related to input medium properties
- Physical parameters related to input medium conditions
- Physical parameters related to system dynamics
- Non-physical tangible parameters related to batch type processes
- Parameters related to system operations

- These parameters are not necessarily used in conjunction with guide-words:
+ Instrumentation, + Relief, + Start-up / shutdown, + Maintenance, + Safety / contingency,
+ Sampling.
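Steps 4 to 9 of the HAZOP procedure and the worksheet entries above, as an added example that is not part of the original notes: it enumerates candidate deviations for one node as parameter × guide-word pairs and then checks that every deviation was assessed and every recommended action carries a What/When/Who entry. The guide-word set (the page names the step but not the words), the node name V-101 and the sample causes, actions and dates are constructed assumptions.

```python
from dataclasses import dataclass, field
from itertools import product

# IEC 61882 guide-word set (assumption: the notes do not list the words themselves).
GUIDE_WORDS = ("NO", "MORE", "LESS", "REVERSE", "AS WELL AS", "PART OF", "OTHER THAN")


@dataclass
class Deviation:
    """One worksheet row: a node, a parameter and the guide-word applied to it."""
    node: str
    parameter: str
    guide_word: str
    causes: list = field(default_factory=list)        # step 6
    consequences: list = field(default_factory=list)  # step 7
    action: str = ""                                  # step 8: What?
    owner: str = ""                                   # step 8: Who?
    due: str = ""                                     # step 8: When?

    @property
    def assessed(self) -> bool:
        """Steps 6 and 7 are done once at least one cause and one consequence are recorded."""
        return bool(self.causes) and bool(self.consequences)


def enumerate_deviations(node, parameters, guide_words=GUIDE_WORDS):
    """Steps 4-5: every parameter x guide-word pair becomes a candidate deviation."""
    return [Deviation(node, p, g) for p, g in product(parameters, guide_words)]


def incomplete_actions(rows):
    """Step 8 check: recommended actions that still lack an owner or a due date."""
    return [r for r in rows if r.action and not (r.owner and r.due)]


def unassessed(rows):
    """Step 9 check: deviations that were generated but never evaluated."""
    return [r for r in rows if not r.assessed]


def build_sample_worksheet():
    """Constructed worksheet for a separator node; the level and pressure entries
    follow the process-industry hazards described in the notes."""
    rows = enumerate_deviations("V-101 separator", ("LEVEL", "PRESSURE"))
    by_key = {(r.parameter, r.guide_word): r for r in rows}

    high_level = by_key[("LEVEL", "MORE")]
    high_level.causes.append("level control valve fails closed")
    high_level.consequences.append("overflow of liquid into the gas stream")
    high_level.action = "add independent high-level trip"
    high_level.owner = "instrument engineer"
    high_level.due = "2015-09-30"  # constructed date

    low_level = by_key[("LEVEL", "LESS")]
    low_level.causes.append("outlet pump over-speed")
    low_level.consequences.append("dry running of pump / gas blow-by downstream")
    low_level.action = "low-level pump trip"  # owner and date deliberately missing

    high_pressure = by_key[("PRESSURE", "MORE")]
    high_pressure.causes.append("blocked outlet")
    high_pressure.consequences.append("loss of containment, vessel rupture")
    return rows


if __name__ == "__main__":
    sheet = build_sample_worksheet()
    print(f"{len(sheet)} deviations, {len(unassessed(sheet))} not yet assessed")
    for row in incomplete_actions(sheet):
        print(f"action without owner/date: {row.parameter} {row.guide_word}: {row.action}")
```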

-> RESULTS OF HAZOP:

- Improvement of system or operations:
  – Reduced risk and better contingency,
  – More efficient operations.
- Improvement of procedures:
  – Logical order,
  – Completeness.
- General awareness among involved parties.
- Team building.

-> ADVANTAGES OF HAZOP:

- Systematic examination
- Multidisciplinary study
- Utilizes operational experience
- Covers safety as well as operational aspects
- Solutions to the problems identified may be indicated
- Considers operational procedures
- Covers human errors
- Study led by independent person
- Results are recorded

FAILURE MODES, EFFECTS, AND CRITICALITY ANALYSIS [FMECA] :

In failure modes effects and criticality analysis (FMECA), the term FAILURE MODE is used
in the way that RCM uses the term functional failure. However, the RCM community uses
the term failure mode to refer to the event that causes functional failure.

> The standard’s criteria for a process that identifies failure modes are:

• All failure modes reasonably probable to cause each functional failure shall be identified.
• The method used to decide what constitutes a reasonably probable failure mode shall be
acceptable to the owner or user of the asset.

• Failure modes shall be identified at a level of causation that makes it possible to identify an
appropriate failure management policy.
• Lists of failure modes shall include failure modes that have happened before, failure modes
that are currently being prevented by existing maintenance programs, and failure modes that
have not yet happened but are thought to be reasonably likely (credible) in the
operating context.
• Lists of failure modes should include any event or process that is likely to cause a functional
failure, including deterioration, human error (whether caused by operators or maintainers), and
design defects.
• Failure effects shall describe what would happen if no specific task were done to anticipate,
prevent, or detect the failure.
• Failure effects include all the information needed to support the evaluation of the
consequences of the failure, such as:
- What is the evidence (if any) that the failure has occurred (in the case of hidden
functions, what would happen if multiple failures occurred)?
- What does it do (if anything) to kill or injure someone, or to have an adverse effect on the
environment?
- What does it do (if anything) to have an adverse effect on production or operations?
- What physical damage (if any) is caused by the failure?
- What (if anything) must be done to restore the function of the system after the failure?

PROBABILITY OF FAILURE ON DEMAND [PFD] :

- “The effectiveness of a SIS as an independent protective layer is described in terms of the
probability it will fail to perform its required function when it is called upon to do so.” This is
called its Probability of Failure on Demand (PFD).

- Probability of Failure on Demand is the probability of a system failing to respond to a
demand for action arising from a potentially hazardous condition.

- PFD is calculated for typical sensor failure rates and repair times and assumes a
contribution from common causes for redundant configurations.

- Safety Availability = 1 – PFD.

- It may often be desirable to express the SIL level in terms of the hazard reduction factor
(HRF), where HRF is defined as: HRF = 1 / PFD

- PFD = 1 / RRF.
- PFD is a probability and therefore is a dimensionless quantity with a value between zero and 1.
- For a PFD between 1 (no risk reduction) and 0.1, SIL1 is required.
- A PFD of 0.1 is generally the most risk reduction that can be claimed for a non-SIL
rated system.
- A PFD of 0.1 may be claimed for independent alarms.

- λDu is used to calculate the PFD, the Probability of Failure on Demand, i.e. the chance that
the safety system will miss the ability to command the output to a safe state when there is a
demand from the process. λSd, λSu and λDd can cause a spurious action (a trip without a
process demand), and therefore the sum of these fractions can be used to calculate the process
availability.

- For a simple safety system:

PFDavg = 1/2 × [λDU × (Tp + MTTR)]

> PFD can also be obtained by comparing the Maximum Tolerable Risk, λMTR, with the Intermediate
Level Event Likelihood (the hazard frequency), λHAZ:

PFD = λMTR / λHAZ

- PFD = λT/2, or = T/(2 × MTTF); equivalently RRF = 2/(λT), or = (2 × MTTF)/T

-> For detected failures:

> PFD1oo1 = λDD × MDT                              Ref. IEC61508-6, B.3.2.2.1
> PFD1oo2 = (λDD × MDT)² + β × λDD × MDT           Ref. IEC61508-6, B.3.2.2.2

-> For undetected failures:

> PFD1oo1 = λDU × Tp / 2                           Ref. IEC61508-6, B.3.2.2.1
> PFD1oo2 = (λDU × Tp)² / 3 + β × λDU × Tp / 2     Ref. IEC61508-6, B.3.2.2.2

Where: λDD is the dangerous detected failure rate, λDU is the dangerous undetected failure
rate, β is the common cause failure fraction (the contribution from common cause failures),
Tp is the proof test interval and MDT is the Mean Down Time.

- Single element PFD:

sensor: 2,2 × 10^-3 (see Clause A.1) - not acceptable.
logic solver (redundant): 1,3 × 10^-4 including I/O interface (from certificate).
valve: 2,41 × 10^-3 (see Clause A.1) - not acceptable.

- PFD check: sensor + logic solver + final element.

(2,3 + 1,3 + 4,7) × 10^-4 = 8,3 × 10^-4 < 10^-3

- PFD PLC = (1/15) × 0.25 × (1/2) = 0.008
  PFD system = (0.17 × 0.008)/3 = 0.00045
  RRF (risk reduction factor) = 1/PFD = 2,222

> SAFETY PERFORMANCE PFD FOR SAFETY PLC :

- The following assumptions were used to perform the safety (PFD) analysis:
MTTFd PLC = 10 years, 99% diagnostics, all components tested annually (assumes
perfect testing):
PFD safety PLC = (1/10) × 0.01 × (1/2) = 0.0005

- RRF (risk reduction factor) = 1/PFD = 2,000
NOTE: This system would also be suitable for use in SIL 2 (RRF 100 – 1000), since the logic
solver should generally only account for approximately 10% of the system PFD.

FAILURE MODE AND EFFECTS ANALYSIS [FMEA] :

>Failure modes and effects analysis (FMEA) should be used to identify the following
information that is necessary for the logic tree evaluation of each FSI.

>The following examples refer to the failure of a pump providing cooling water flow:
• Function: The normal characteristic actions of the item (e.g., to provide cooling water flow
at 100 to 240 gpm to the heat exchanger).

• Functional failure: How the item fails to perform its function (e.g., pump fails to provide
required flow).
• Failure cause: Why the functional failure occurs (e.g., bearing failure).
• Failure effect: What are the immediate effect and the wider consequence of each functional
failure (e.g., inadequate cooling leading to overheating and failure of the system).

>A failure modes and effects analysis (FMEA) becomes a basis for establishing a probability
for failure evaluation. To conduct a valid FMEA, there has to be a history of equipment repair
and some idea of the life expectancy of the parts you are trying to evaluate. Without repair
history on equipment and parts life, decisions to stock or not to stock become very subjective
and logic takes a back seat in the final decision.

> Some of the rules of logic applied when conducting a FMEA are listed below; as you
can see, it becomes a “what if” scenario, and if in doubt, err on the side of safety stock.

• Is there a possibility for the supplier to go out of business?
• Have engineering changes been made that make the part more reliable?
• Have technological advances occurred, and are we keeping up with the times?
• Is the equipment in a maintainable state?
• Is there a possibility of a labor strike at the supplier site, and how would this affect us?
• Can a natural disaster occur, and what are the probabilities?
• What are the safety issues, and what are the risks?

SAFE FAILURE FRACTION [SFF]:

> Per IEC, “Safe failure fraction is the ratio of the (total safe failure rate of a subsystem plus
the dangerous detected failure rate of the subsystem) to the total failure rate of the
subsystem.” (In IEC terms, subsystem refers to individual devices.)

> It is a number that shows the percentage of possible failures that are self-identified by the
device or are safe and have no effect. The key number in this calculation is Dangerous
Undetected failures, those that are not identified and do have an effect.

> Definition - The fraction of the overall failure rate of a device that results in either a safe
fault or a diagnosed (detected) unsafe fault. The safe failure fraction includes the detectable
dangerous failures when those failures are annunciated and procedures for repair or shutdown
are in place.

- The SFF is the percentage of safe failures, i.e. those that are safe or detected.

- The following general relationships are used:

- SFF = (λSU + λSD + λDD) / (λSU + λSD + λDU + λDD)

- SFF = (Σ λS + Σ λDD) / (Σ λS + Σ λD)            Ref. IEC61508-2, C.1

Where: λD = λDU + λDD and λS = λSU + λSD

- SFF = (λSd + λSu + λDd) / λ, where λ is the total failure rate of the device.
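The PFD formulas (1oo1 and 1oo2, detected and undetected, with the safety PLC shortcut) and the SFF relationships above, as an added worked example that is not part of the original notes. Rates are per hour; the 100/50/120/30 FIT subsystem, β = 0.1, the annual proof test and the 8 h down time are constructed values, and the SIL bands are the IEC 61508 low-demand PFDavg ranges (RRF 10 to 100 for SIL 1 and so on), which the notes only state for SIL 2.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureRates:
    """Failure rates (per hour) of one subsystem, split as in the SFF definition."""
    sd: float  # λSD: safe, detected
    su: float  # λSU: safe, undetected
    dd: float  # λDD: dangerous, detected
    du: float  # λDU: dangerous, undetected

    @property
    def safe(self) -> float:
        return self.sd + self.su

    @property
    def dangerous(self) -> float:
        return self.dd + self.du


def sff(r: FailureRates) -> float:
    """SFF = (λS + λDD) / (λS + λD), the IEC 61508-2 C.1 form."""
    return (r.safe + r.dd) / (r.safe + r.dangerous)


def pfd_1oo1(r: FailureRates, tp_h: float, mdt_h: float) -> float:
    """1oo1: detected part λDD·MDT plus undetected part λDU·Tp/2 (IEC 61508-6 B.3.2.2.1).
    Adding the two parts is the usual first-order approximation."""
    return r.dd * mdt_h + r.du * tp_h / 2


def pfd_1oo2(r: FailureRates, tp_h: float, mdt_h: float, beta: float) -> float:
    """1oo2 with common-cause fraction β, in the B.3.2.2.2 form quoted in the notes."""
    detected = (r.dd * mdt_h) ** 2 + beta * r.dd * mdt_h
    undetected = (r.du * tp_h) ** 2 / 3 + beta * r.du * tp_h / 2
    return detected + undetected


def pfd_from_mttfd(mttfd_years: float, diag_coverage: float, test_interval_years: float) -> float:
    """The notes' logic-solver shortcut: PFD = (1/MTTFd) × (1 − DC) × T/2."""
    return (1.0 / mttfd_years) * (1.0 - diag_coverage) * test_interval_years / 2


def rrf(pfd: float) -> float:
    """Risk reduction factor, RRF = 1/PFD."""
    return 1.0 / pfd


def sil_band(pfd: float) -> int:
    """Highest SIL whose IEC 61508 low-demand PFDavg band contains this PFD (0 = below SIL 1)."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    if pfd >= 1e-5:
        return 4
    raise ValueError("PFD below the SIL 4 band; a claim this low needs more than this check")


def loop_pfd(sensor: float, logic_solver: float, final_element: float) -> float:
    """The notes' PFD check: the loop PFD is the sum of the three subsystem PFDs."""
    return sensor + logic_solver + final_element


if __name__ == "__main__":
    # Constructed transmitter subsystem: 100/50/120/30 FIT (1 FIT = 1e-9 /h),
    # annual proof test (8760 h), 8 h mean down time, β = 10 %.
    tx = FailureRates(sd=100e-9, su=50e-9, dd=120e-9, du=30e-9)
    print(f"SFF      = {sff(tx):.2f}")
    print(f"PFD 1oo1 = {pfd_1oo1(tx, 8760, 8):.2e}")
    print(f"PFD 1oo2 = {pfd_1oo2(tx, 8760, 8, 0.1):.2e}")
    plc = pfd_from_mttfd(10, 0.99, 1)         # the notes' safety PLC figures
    print(f"PLC PFD  = {plc:.4f}, RRF = {rrf(plc):.0f}")
    loop = loop_pfd(2.3e-4, 1.3e-4, 4.7e-4)   # the notes' PFD check figures
    print(f"loop PFD = {loop:.1e}, meets SIL {sil_band(loop)} band")
```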

SAFETY INSTRUMENTED FUNCTION [SIF] : Check on page no. 15.

PROCESS HAZARDS ANALYSIS [PHA] :

- A Safety Integrity Level is determined via a procedure called Risk/Process Hazard Analysis
(PHA).

- “The levels of protective layers required are determined by conducting an analysis of a
process’s hazards and risks known as a Process Hazards Analysis (PHA).”

- It identifies all the hazards of a process, estimates the risks inherently involved and
determines if that risk is tolerable/acceptable.

- A process hazard analysis (PHA) is structured brainstorming in which a team of experts
systematically reviews sections of a process to identify hazards that could occur in the
process and lists all events that could cause an accident.

- The PHA then evaluates the outcomes of an accident, the safeguards in place to prevent
that accident and measures that can be recommended to reduce the process risks.

HARDWARE FAULT TOLERANCE [HFT]:

- A hardware fault tolerance of 1 indicates that the architecture of the sub-system is
such that a dangerous failure of one of the sub-systems does not prevent the safety
action from occurring.

- A hardware fault tolerance of N means that N+1 faults could cause the loss of the safety
function.

- In determining the hardware fault tolerance, no account shall be taken of other measures that
may control the effects of faults, such as diagnostics.

- With a SFF of 0.40 and a fault tolerance of 1.

- Hardware fault tolerant architectures also give protection against a wide range of systematic
faults (mainly in hardware), because such faults do not necessarily arise at the same instant of
time.
- This standard recognizes that the process industry needs more than one level of performance
from safety systems.
- In selecting the architecture to use for a specified integrity level it is however important to
ensure that it is sufficiently robust for both random hardware faults and systematic faults.
- To ensure robustness against random hardware faults this standard requires that a reliability
analysis be carried out.
- In deciding the extent of fault tolerance needed there are a number of factors that should be
taken into consideration, as follows:
+ The complexity of the devices used within the subsystem. A device will be less likely to be
subject to systematic faults if the failure modes are well defined, the behaviour under fault
conditions can be determined and there is sufficient failure data from field experience;
+ The extent to which faults lead to a safe condition or can be detected by diagnostics so
that a specified action can be taken. This capability is termed the safe failure fraction of
the device.

- The requirements for hardware fault tolerance can apply to individual components or
subsystems required to perform a SIF. For example, in the case of a sensor subsystem
comprising a number of redundant sensors, the fault tolerance requirement applies to the
sensor subsystem in total, not to individual sensors.

HIGH INTEGRITY PROCESS PRESSURE SYSTEM [HIPPS] :

> DEFINITION: HIPPS is an acronym for High Integrity Pressure Protection System, which
is a specific application of a Safety Instrumented System (SIS). The function of a HIPPS is to
protect downstream equipment against overpressure or upset conditions coming from
upstream.
- This is achieved by quickly closing two in-series dedicated safety shut-off valves to
prevent further pressurisation of downstream piping.

- A High Integrity Pressure Protection System (HIPPS) is a Safety Instrumented System (SIS),
which by definition is a distinct, reliable system used to safeguard a process to prevent a
catastrophic release of toxic, flammable, or explosive chemicals.

- HIPPS can be employed to prevent over-pressurization of a plant by shutting off the source
of the high pressure gas rather than by releasing it to the atmosphere. This system closes the
source of over-pressure within two seconds and has at least the same reliability as a safety
relief valve or flare system.

> As per ASME Section VIII, UG-140, which covers ‘Over-pressure Protection by System
Design’, HIPPS can be used for the following applications:

• Chemical reactions so fast that the pressure propagation rate could result in loss of containment
prior to the relief device opening.
• Chemical reactions so fast that the lowest possible relieving rate yields impractically large vent
areas.
• Exothermic reactions occurring at uncontrollable rates.
• Plugging, polymerization, or deposition formed during normal operation.
• Reactive process chemicals relieved into lateral headers with polymerization and thus
plugging, rendering the relief device useless.
• Multi-phase venting, where the actual vent rate is difficult to predict.
• Reducing greenhouse gas [GHG] emissions under regulations such as the Kyoto Protocol.

> ADVANTAGES OF USING A HIPPS:

• Weight and cost reduction for piping and vessels downstream of the HIPPS.
• Increased capacity/throughput in flow line applications.
• Transportation and storage cost reduction due to volume and weight reduction.

> A typical HIPPS system comprises the following:

• Three pressure sensors (2oo3 voting) that detect the over-pressure in the line.
• A logic solver which receives and processes the input signal from the sensors and transmits
the output to the Solenoid Valve in the final element.
• A final element (Actuated Valve) which performs the emergency closure action via a
Solenoid Operated Valve (SOV) to bring the process to a safe state. Typically, 3 SOVs are
used - a manual-reset SOV (M), an auto-reset SOV (A) and one for Partial Stroke Testing
(PST).

2b. DESCRIBE SAFETY LIFE CYCLE :

SAFETY LIFE CYCLE :

- Failure results in loss of life, injury or damage to the environment;

- Chemical plant protection system

- The Safety Life Cycle (SLC) is one of the most fundamental concepts detailed in IEC 61508
and ANSI/ISA 84.01. This common sense engineering procedure can be summarized in three
steps:

1) Analyze the problem, 2) Design the solution, 3) Verify that the solution solves the
problem.

> The following factors should be considered for the Safety Life Cycle:

- Safety Life Cycle,
- Safety Instrumented Function (SIF),
- Safety Requirement Specification (SRS).

CONCEPTS (SAFETY ACRONYMS):

SAFETY ACRONYMS include the following terms:

• Safety Life Cycle
• Safety Instrumented System (SIS)
• Safety Integrity Level (SIL)
• Safety Instrumented Function (SIF)
• Safety Requirement Specification (SRS)

SAFETY LIFE CYCLE:

- The figure shows that each phase requires the necessary data as its input, to be analysed, and that
after analysis useful output data can be derived from that phase for implementation in the field.
Each phase is described in detail below:

->1. HAZARD AND RISK ANALYSIS:

>INPUT DATA FOR PHASE-1 : Define the scope of the hazard analysis.
>OUTPUT DATA OF PHASE-1 :
-Description of, and information relating to, the hazard and risk analysis.
-Hazard and Risk Analysis: Hazards; Initiating event frequencies; Other measures to reduce
risks; Consequences; Risk; Consider maximum tolerable risk; availability of data;
Document assumptions.
-Specification for the overall safety requirements in terms of the safety functions
requirements and the safety integrity requirements. Note: safety functions not technology
specific. SIL target should specify target reliability.

->2. SAFETY REQUIREMENTS ALLOCATION:

>INPUT DATA FOR PHASE-2 : OUTPUT DATA OF PHASE-1 will be input data for
PHASE-2.
>OUTPUT DATA OF PHASE-2 :
-Specification of safety functions.
-Information on the allocation of the overall safety functions, their target failure measures,
and associated safety integrity levels.
-Assumptions made concerning other risk reduction measures that need to be managed
throughout the life of the process.

-> 3. SAFETY REQUIREMENTS SPECIFICATION:

>INPUT DATA FOR PHASE-3 : OUTPUT DATA OF PHASE-2 will be input data for
PHASE-3.
>OUTPUT DATA OF PHASE-3 :
-Specification of the SIS safety requirements.
- May include C&E. Shall include:
a) specification of safe state; b) requirement for proof tests;
c) response time; d) operator interfaces necessary;
e) interfaces to other systems; f) modes of operation;
g) behaviour on detection of a fault; h) requirements for manual shutdown;
i) application software requirements; j) SIL and target reliability measure;
k) duty cycle and lifetime; l) environmental conditions likely to be encountered;
m) EMC limits; n) constraints due to CCFs.
Refer to IEC61511-1, 10.3 for the complete requirements.

>Phase 3 addresses the Safety Requirements Specification (SRS) which enables the
Design and Engineering Phase (Phase 4) to begin.

-> 4. DESIGN AND ENGINEERING:

>INPUT DATA FOR PHASE-4 : OUTPUT DATA OF PHASE-3 will be input data for
PHASE-4.
>OUTPUT DATA OF PHASE-4 :
-Realisation of each SIF according to the SIS safety requirements specification.
> PHASE-4 also delivers data to the sub-phase: DESIGN AND DEVELOPMENT OF OTHER
MEASURES.
> This sub-phase will give as output data: Realisation of each other risk reduction measure
according to the safety requirements for that measure.
>Phase 4 may be adequately addressed in a single Functional Design Specification
(FDS) or similar document, which sets the scene, defines the process, the
environmental and operational considerations and establishes the scope of the
following phases.

-> Phases 5 and 6 identify requirements for SIS installation, commissioning, validation,
operation and maintenance.

-> 5. INSTALLATION, COMMISSIONING AND VALIDATION:

> INPUT DATA FOR PHASE-5 :

- A plan for the installation and commissioning of the SIS.
+ Provides planning for the installation and commissioning activities; procedures, techniques
and measures to be used; schedule and personnel and departments responsible.
- A plan for the overall safety validation of the SIS.
+ Provides planning for the SIS safety validation against the SRS and other reference
information, i.e. cause and effects charts. Validation will include all relevant modes of
operation (start-up, shutdown, maintenance, abnormal conditions etc.),
procedures, techniques and measures to be used, schedule, personnel and departments
responsible. Will also include validation planning for the safety application software.
- Realisation of each SIF according to the SIS safety requirements specification.
> OUTPUT DATA OF PHASE-5 :
- Fully installed and commissioned SIS:
+ Document installation; Reference to failure reports; Resolution of failures.
[Confirmation that the SIS meets the specification for the overall safety requirements in terms
of the SIF requirements and the safety integrity requirements, taking into account the
safety requirements allocation. Documentation requirements include: chronological
validation activities; version of the safety requirements; safety function being validated; tools
and equipment; results; item under test, procedure applied and test environment;
discrepancies; decisions taken as a result.]

- A plan for operating and maintaining the SIS: provides planning for routine and abnormal
operation activities; proof testing, maintenance activities, procedures,
techniques and measures to be used, schedule, personnel and departments responsible,
method of verification against the operation and maintenance procedures.

-> 6. OPERATION, MAINTENANCE AND REPAIR:

> INPUT DATA FOR PHASE-6 : OUTPUT DATA OF PHASE-5 will be input data for
PHASE-6.
> OUTPUT DATA OF PHASE-6 :
- Continuing achievement of the required functional safety for the SIS.
- The following shall be implemented: O&M Plan; Operation, maintenance and repair
procedures; Implementation of procedures; Following of maintenance schedules;
Maintain documentation; Carry out regular FS Audits;
Document modifications; Chronological documentation of operation and maintenance of the
SIS.

-> The inputs, outputs and activities associated with Phase 7 – Modification are
essentially the same for Phase 8 – Decommissioning. In effect, decommissioning is
a modification which occurs at the end of the lifecycle and is initiated with the same
controls and managed with the same safeguards.

-> 7. MODIFICATION & 8. DECOMMISSIONING:

> INPUT DATA FOR PHASE-7&8: OUTPUT DATA OF PHASE-6 will be input data for
PHASE-7&8.

> OUTPUT DATA OF PHASE-7&8:

- Achievement of the required functional safety for the SIS, both during and after the
modification phase, has been maintained.
- Modification shall only be initiated following an authorised request under the procedure for FS
Management.
- The request shall include: the hazards that may be affected; the proposed change (hardware and
software); the reason for the change. An impact analysis shall be carried out.
- Chronological documentation of operation and maintenance of the SIS.

SAFETY INSTRUMENTED FUNCTION (SIF):

- Definition : An individual interlock or automatic trip function that is designed to alleviate or
minimize an undesired hazard, as determined in the PHA/HAZOP and the SIL
Selection/LOPA.

- A SIF is an instrument safety loop that performs a safety function which provides a
defined level of protection (SIL) against a specific hazard by automatic means and which
brings the process to a safe state.

- A SIS is made up of one or more SIFs.

- A SIF is made up of sensors, logic solver, and final elements that act in concert to detect a
hazard and bring the process to a safe state.

- ‘SIF’ includes all instrumentation in the interlock function, from the sensor and transmitter
through the control system all the way to the final element (e.g., isolation valve).

- Each SIF is assigned a Safety Integrity Level (SIL) during SIL analysis - risk assessment:

• SIL 0/none – lowest risk,
• SIL 1 – 95% of the SIFs,
• SIL 2 – 5% of SIFs,
• SIL 3 – < 1% (not likely in refineries, but possible in off-shore platforms or nuclear),
• SIL 4 – highest risk (only seen in nuclear industry).

- Some examples of SIFs are:

• High pressure in a vessel opens a vent valve: The specific hazard is overpressure of the
vessel. The high pressure is detected by a pressure-sensing instrument, and logic
(PLC, relay, hardwired, etc.) opens a vent valve, bringing the system to a safe state.

• High temperature in a furnace that can cause tube rupture shuts off firing to the furnace: The
specific hazard is tube rupture. Instrumentation automatically causes a main fuel trip
that removes the heat, bringing the system to a safe state.

• Flame-out in an incinerator that can lead to a release of toxic gas causes the process gas feed to
be shut off: The specific hazard is a flame-out. The automatic instrument protective
action is to close the process gas feed to the incinerator, which stops any toxic gas release,
bringing the system to a safe state.

• Flame-out in an incinerator that could cause fuel gas accumulation and explosion causes a
main fuel gas trip: The specific hazard is a flame-out. The automatic instrument
protection action is a main fuel gas trip, which cuts off the fuel and prevents fuel gas
accumulation, bringing the system to a safe state.

- Some SIF applications include:

• Shutdown in a hazardous process,
• Open excess pressure relief valve,
• On/off tank overflow control,
• Add coolant to arrest exothermic runaway,
• Automatic shutdown when manual control is not present or available,
• Close a feed valve to prevent tank overflow,
• Fire suppressant release,
• Evacuation alarm alert.

SAFETY REQUIREMENT SPECIFICATION (SRS) :

- Definition of SRS as per Standard IEC 61511 :

“Specification that contains all the requirements of the safety instrumented functions that
have to be performed by the safety instrumented system.”

- It is a document containing detailed SIS interlock information.

- According to IEC 61511 the requirements regarding the SRS documentation may be
developed by the Hazard and Risk Assessment team or the project team.

- The design and verification is compiled into a document called the Safety Requirement
Specification (SRS).

- The purpose of the SRS, according to IEC 61508-2, is “to develop the specifications
requirements and safety integrity requirements, for the E/E/PES safety related
systems, other technology safety related systems and external risk reduction
facilities, in order to achieve the required functional safety.”

- The SRS is created after the hazard and risk analysis and the allocation of safety functions
to protective layers in the safety life cycle.

- Requirements [Important] of SRS :

For: - design and architecture,
- reliability (nuisance trip rate),
- availability (SIL),
- support systems,
- installation, testing and maintenance,
- hardware specification,
- software development & security,
- human machine interface.

> The SRS format is divided into three components:

- General requirements,
- Functional requirements,
- Safety Integrity Requirements.

> The following input information is required for the SRS:

• Intent of each SIF (the hazard that is mitigated).

• Components of each SIF (sensor, logic solver, final element).

• Calculations to verify that the target (required) SIL can be achieved.

• Process information and process conditions :

The process itself shall be described in order to give detailed information regarding the
process parameters to the personnel dealing with the SRS documentation. Drawings that
support the description of the process itself are useful. Later on this process information is
important for the personnel dealing with implementation of the SIS and SIF. Specific process
conditions that are important for safety must be addressed.

• Process hazard analysis (PHA) report :

The PHA report is needed. This report gives valuable information about the hazards and the
hazardous events for the intended Safety Instrumented System. Important information also
includes the hazard frequencies and hazard consequences.

• Required Safety Instrumented Systems :

A specification of the required Safety Instrumented Systems.

• Required Safety Instrumented Functions :

A specification of each individual Safety Instrumented Function.

• Target SIL : The target SIL shall be defined for each SIF.

• Regulatory requirements :

If there are any regulatory requirements that affect the design of the SIS, the SRS shall
include these requirements.

• Common cause failures :

The possibilities of common cause failures must be taken into account. These failures could
reduce or eliminate the redundant safety measures applied in the SIF or SIS. Sometimes it is
tricky to find the common cause failures that affect the safety measures. The personnel
involved in the design of the SIS or SIF must identify possible common cause failures.

FULL FORMS & NORMS

> NFPA = National Fire Protection Association,
> λS = rate of safe failures,
> λSd = rate of safe failures, detected,
> λSu = rate of safe failures, undetected,
> λDd = rate of dangerous failures, detected,
> λDu = rate of dangerous failures, undetected,
> MTTR = Mean Time To Repair,
> β = Common cause factor,
> PC = proof test coverage factor,
> RCM = Reliability Centred Maintenance,
> RRF = Risk Reduction Factor = 1/PFD

COURTESY

> ABB, SAFEPROD, & EMERSON
