Safety Instrumented Systems Vs Process Control Systems...

Safety Instrumented Systems Vs Process Control Systems

by David Yoset (/users/david-yoset) | March 27th, 2017

When choosing a control system for your facility, there are many factors to take into consideration
including system reliability (translated into plant uptime), upkeep and maintenance costs,
installation costs, compatibility with installed control systems, quality of support from
manufacturers, etc. But what about process safety? When is it necessary to choose a Safety
Instrumented System (SIS) instead of a Basic Process Control System (BPCS)? And what do these
two terms mean? In this article, we explore these questions.

Differences Between a SIS and a BPCS

( very clearly defines these two systems as follows:

“Process control systems (PCS) are active, or dynamic. They have analog inputs and analog
outputs, perform math and number crunching, and have feedback loops. Process controls act

1 of 11 10/09/2017 05:55 PM
positively to maintain or change process conditions. They are there to help obtain best performance
from the process and often are used to push the performance to the limits that can safely be
achieved. Hence, most failures in these systems are inherently self-revealing. PCS must be flexible
enough to allow frequent changes. Process parameters (e.g. set points, PID settings, MAN/AUTO,
etc.) require changing. Portions of the system may also be placed in bypass, and the process may be
controlled manually. They are not built with safety in mind and are not dedicated to the task.
Because they are operating at all times they are not expected to have diagnostic routines searching
for faults.

Safety systems, however, are just the opposite of process control systems. They are dormant, or
passive. They sit there doing nothing and hopefully will never be called into action. An example
would be a pressure relief valve. Normally the valve is closed. It only opens when the pressure
reaches the set value. If the pressure never exceeds that value, the valve never operates. Many
failures in these systems may not be self-revealing. If the relief valve is plugged, there is no
immediate indication. A PLC could be hung up in an endless loop. Without a watchdog timer, the
system would not be able to recognize the problem. There is a need for extensive diagnostics in
dormant, passive safety-related systems. Safety systems should be incorruptible: they need to be kept
to a fixed set of rules, and access for changes carefully restricted. And they must be highly reliable
and be able to respond instantly when a hazardous situation develops.”

A common question people ask is, “Can I program a BPCS to perform safety functions?” The answer
is absolutely “yes.”

But try to ask a BPCS manufacturer the following question: “Assuming that I write perfect bug-free
code, can you guarantee with measurable certainty that your control system will consistently
perform my safety functions on demand?” The answer you will likely receive is, “No.”

A key difference between process and safety control is the fact that you need to know, with
measurable certainty, that the safety system will respond when required to. So, while you can
program safety functions in a basic process control system, there is no guarantee that the system
will do its job when required.

Real World Application Example

For those who are skeptical about a control system not doing its job when required, I offer the
following personal real world example. I was in charge of designing, building, programming, and
starting up a simple PLC control system for a wood-fired boiler in a lumber mill. After going
through loop checks and commissioning, it was time to light a fire in the balanced-draft furnace and
to bring the new PLC online.

In a typical balanced draft system, an Induced Draft fan and a Forced Draft fan act in tandem to
keep the furnace under a slight vacuum. This way, if the furnace is not perfectly sealed, the
combustion process remains in the furnace rather than affecting the environment outside the
furnace. After several smooth hours of run time, it was evident that the brick furnace was not
perfectly sealed because sparks and smoke began to puff through various small openings where
brick met steel.

After a few panicked minutes of trying to pinpoint an issue with the PLC code, I realized that all of
the I/O signals were static - nothing was changing. My PLC was locked up. The only solution was
to toggle the power to the CPU. Once I did this, I was able to restart the fans and re-engage the draft
control. I never saw this issue again on that job site, but I had learned that PLCs can indeed lock up.
Thankfully my story does not include anyone getting hurt or injured unless you count my
embarrassment of having a boiler house that smelled like a campfire!

With the basic differences understood, we can now explore one method of determining when to use
a SIS based on the Safety Life Cycle.

Deciding whether to use a SIS is a subset of assigning Safety Integrity Levels (SIL). For more on SIL,
please read my previous blog on the topic.

Determining Safety Integrity Levels (SIL) for Your Process Application (/blog

Safety Life Cycle

The Safety Life Cycle comes from two voluntary standards used by plant owners/operators to
quantify safety performance requirements for hazardous operations:

IEC 61508: Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related

IEC 61511: Safety Instrumented Systems for the Process Industry Sector

The Safety Life Cycle (see Figure 1) provides a repeatable framework whereby all process hazards
are identified and analyzed to understand which hazards require the use of a SIS for mitigation.
By design, this is a cyclic process, not a linear process with an endpoint. Any change in process
design, operating conditions, or equipment requires cycling back to the beginning to ensure the
change is properly implemented.

Figure 1: Safety Life Cycle model. Adapted from IEC 61511.

For the remainder of this article, we will focus on the steps to follow to determine when a SIS is
required, starting with the Process Hazard Analysis.

Process Hazard Analysis

A Process Hazard Analysis (PHA) is a systematic assessment of all potential hazards associated
with an industrial process. It is necessary to analyze all potential causes and consequences of:

Releases of toxic, hazardous, or flammable materials

Focus on anything that might impact the process including:

Equipment failures
Instrumentation failures or calibration issues
Loss of utilities (power, cooling water, instrument air, etc.)
Human errors or actions
External factors such as storms or earthquakes

Both the Frequency and Severity of each process hazard must be analyzed:

How often could it happen? Tank spills could happen any time there’s a manual fill operation
(multiple times a year)
How severe is the result? Localized damage, fire, explosion, toxic gas release, death

Core to the PHA analysis is the fact that things can and do go wrong. You have to forget IF it will
happen and instead consider WHEN it will happen. Each identified hazard is assigned an
“acceptable” frequency. For purposes of the PHA, you cannot assume a hazard will “never” happen.

A hazard which results in simple First Aid could be considered “acceptable” if it could happen
only once a year

An explosion and fire due to a tank rupture could have an “acceptable” frequency of once in
10,000 years

The end result of the Process Hazard Analysis is a list of all possible process hazards with each one
assigned an acceptable frequency of occurrence. With the PHA complete, the next step in the Safety
Life Cycle is the Layer of Protection Analysis.

Layer of Protection Analysis

No single safety measure alone can eliminate risk. For this reason, an effective safety system must
consist of protective layers. This way if one protection layer fails, successive layers will take the
process to a safe state. As the number of protection layers and their reliabilities increase, the safety
of the overall process increases. Figure 2 provides a generalized view of various protection layers. It
is important to understand that each layer must function independently from the others in case one
or more layers fails.

Figure 2: General view of plant safety protection layers. Used with permission from Magnetrol

Some specific examples of Protection Layers include:

Fire suppression systems

Leak containment systems (dikes or double walls)
Pressure relief valves
Gas detection/warning systems

The general steps of a LOPA are as follows. For every Process Hazard identified in the PHA:

List all available non-SIS safety measures
Assign each layer its own hazard risk reduction factor
Calculate an effective hazard frequency with protection layers applied

Example: A tank fill operation that happens 250 times per year - “could” experience an overfill event
250 times per year.

A protection layer in the form of a proper vent/drain system could reduce the danger by a
factor of 100 (risk reduction factor)
The hazard resulting from tank overfill would have an effective frequency of 250/100 = 2.5
times per year

After the effective hazard frequency of each hazard is known, the key question is: “With non-SIS
protection layers applied, is the effective frequency lower than the acceptable frequency?”

In other words, once all Process Hazards are identified and Protection Layers assigned, if the
PHA/LOPA study concludes that existing protection cannot reduce risk to an acceptable or tolerable
level, a Safety Instrumented System will be required.

For those hazards where existing protection layers (including the BPCS) can reduce risk below the
acceptable level, a SIS is not required and it is acceptable to use the BPCS for hazard mitigation.
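The LOPA steps above, carried through in code as an added example (this is not the article's or Cross Company's code). It generalizes the single tank-fill case to any number of independent layers, and every hazard, frequency and risk reduction factor in it is a constructed sample value, apart from the article's 250 fills per year, RRF 100 and once-in-10,000-years figures.

```python
# Added example (not from the original article): a small LOPA calculator that
# applies the steps described above to several hazards. All frequencies and
# risk reduction factors (RRF) are constructed sample values, not study data.
from dataclasses import dataclass, field
from math import prod


@dataclass
class Hazard:
    name: str
    initiating_per_year: float   # how often the initiating event can occur
    acceptable_per_year: float   # "acceptable" frequency assigned in the PHA
    layers: dict = field(default_factory=dict)   # non-SIS layer -> credited RRF


def effective_frequency(h: Hazard) -> float:
    """Initiating frequency divided by the product of all layer RRFs. Dividing
    by the product is only justified when every layer works independently of
    the others, which is why LOPA insists on independent protection layers."""
    return h.initiating_per_year / prod(h.layers.values())


def required_sis_rrf(h: Hazard) -> float:
    """Risk reduction a SIS would still have to provide (1.0 means none)."""
    return max(1.0, effective_frequency(h) / h.acceptable_per_year)


def assess(h: Hazard) -> dict:
    """The LOPA question: with non-SIS layers applied, is the effective
    frequency still above the acceptable frequency? If so, a SIS is required."""
    f = effective_frequency(h)
    return {"hazard": h.name, "effective_per_year": f,
            "sis_required": f > h.acceptable_per_year,
            "sis_rrf_needed": required_sis_rrf(h)}


# Constructed hazards. TANK_OVERFILL is the article's case: 250 fills a year,
# one vent/drain layer credited with RRF 100; acceptable frequency assumed 1/yr.
TANK_OVERFILL = Hazard("tank overfill", 250, 1.0, {"vent/drain system": 100})
TANK_RUPTURE = Hazard("tank rupture, fire/explosion", 0.5, 1e-4,
                      {"pressure relief valve": 100, "BPCS high-level alarm": 10})
MINOR_SPILL = Hazard("small spill, first aid only", 2.0, 1.0, {"dike": 10})

if __name__ == "__main__":
    for h in (TANK_OVERFILL, TANK_RUPTURE, MINOR_SPILL):
        r = assess(h)
        print(f"{r['hazard']}: {r['effective_per_year']:.3g}/yr, "
              f"SIS required: {r['sis_required']}, RRF needed: {r['sis_rrf_needed']:.3g}")
```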

Safety Instrumented Systems and Functions

The purpose of a SIS is to take a process to a “safe state” when predetermined set points have
been exceeded or when safe operating conditions have been transgressed.

The role of the SIS is to reduce risk by implementing Safety Instrumented Functions (SIF). Two
example SIFs include:

Hazard: Tank overfill. SIF: The SIS stops the fill pumps at a predetermined safe level
Hazard: High temperature. SIF: The SIS opens a relay to cut power to a heater circuit at a
predetermined safe temperature

In any case, an SIF is a safety function implemented by the SIS to achieve or maintain a safe state.
An SIF’s sensors, logic solver, and final elements act in concert to detect a hazard and bring the
process to a safe state.
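The two example SIFs above as a minimal logic solver, added here as an illustration (not the article's or any vendor's code). It assumes de-energize-to-trip outputs, the trip points, sensor ranges and staleness limit are constructed, and the sensor-health check stands in for the diagnostics the quoted text says a dormant safety system needs.

```python
# Added example (not from the original article): a minimal logic solver for
# the two SIFs described above. Trip points, sensor ranges and the staleness
# limit are constructed assumptions. Outputs are modelled "de-energize to
# trip": True means the pump permissive / heater contactor is energized, so
# any loss of a healthy reading drives the output to the safe state.
from dataclasses import dataclass

STALE_LIMIT_S = 2.0   # a reading older than this is treated as a failed sensor


@dataclass
class Reading:
    value: float
    timestamp: float      # seconds, stamped by the sensor scan that produced it


def sensor_healthy(r: Reading, now: float, lo: float, hi: float) -> bool:
    """Diagnostics the quoted text calls for: a dormant system must detect its
    own faults. Out-of-range (e.g. an open or shorted loop) or stale (the scan
    has stopped, like the locked-up PLC in the story) counts as failed."""
    return lo <= r.value <= hi and 0.0 <= now - r.timestamp <= STALE_LIMIT_S


def sif_tank_level(level: Reading, now: float) -> bool:
    """SIF 1: fill-pump permissive. Trip (False) at or above the safe level,
    or whenever the level transmitter cannot be trusted."""
    if not sensor_healthy(level, now, 0.0, 100.0):   # percent of span
        return False
    return level.value < 90.0                         # assumed trip point


def sif_heater_temp(temp: Reading, now: float) -> bool:
    """SIF 2: heater contactor permissive. Trip at or above the safe
    temperature, or on a failed temperature sensor."""
    if not sensor_healthy(temp, now, -50.0, 400.0):  # degrees C
        return False
    return temp.value < 180.0                        # assumed trip point


def scan(level: Reading, temp: Reading, now: float) -> dict:
    """One logic-solver scan: energized state of each final element."""
    return {"fill_pump": sif_tank_level(level, now),
            "heater": sif_heater_temp(temp, now)}


if __name__ == "__main__":
    print(scan(Reading(45.0, 100.0), Reading(150.0, 100.0), 100.5))  # both run
    print(scan(Reading(92.0, 100.0), Reading(150.0, 100.0), 100.5))  # level trip
    print(scan(Reading(45.0, 95.0), Reading(150.0, 100.0), 100.5))   # stale level
```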

Dave is a Project Manager with Cross Company Integrated Systems Group. He holds both a
Bachelor's and a Master's degree in Mechanical Engineering from Penn State University and has
more than 20 years experience in control systems engineering for the manufacturing and
chemical processing industries. He has experience in multiple control platforms including
Rockwell and Siemens.
