
What Is a Safety Instrumented System?

Learn what a Safety Instrumented System is and how it is constructed.

In this video and blog post, you will learn what a Safety Instrumented System is, how it is constructed, and how it plays an important role in keeping our chemical, refining, and other manufacturing plants running safely and as productive community partners and employers.

Chemical, petrochemical, mining, gas compression, and many other types of plants and manufacturing facilities can be very dangerous places to work due to the presence of risk:  risk due to fire, explosion, tank overflow, gas release, or chemical exposure.

The only way to eliminate these risks is to not build or operate these types of plants.  But that is not practical.  These plants produce materials that are useful, necessary, and important in our everyday lives.

Even a product like dry powdered laundry detergent is made via a process that includes pumping liquids at high pressure, spraying droplets into very hot air, and collecting the product below which may be dusty and pose an inhalation hazard.

In order to minimize these risks, process control systems are installed to maintain a safe operation of the plant, assisted by a robust alarm detection and reporting system, and operated by trained, qualified personnel.  But often, these measures alone cannot reduce the risk of injury, fire, explosion, or other risks to a tolerable level.

Regardless of the types of risks, the process design itself, the basic process control system, alarms, and operator intervention, provide the first layers of protection for the process.

Each of these layers provides approximately a 10-fold or greater protection to the process plant than the layer below.

In the process design, care is taken to specify lines, equipment, and valves with the right sizes, materials of construction, and proper accessories.  The basic process control system is installed with the appropriate instruments, controls, and monitoring logic to allow the plant to be operated within the safest ranges for pressure, temperature and flowrate.

Alarms are configured to allow the operators to react to abnormal conditions and take corrective actions before a risk becomes an accident.

Even with all of these layers of protection in place, the risks may still be too great to prevent an accident from happening.

A couple of examples illustrate this.  In 1974, a nylon plant in Flixborough, England, exploded, killing 28 and injuring more than 100.

In 1984, a gas leak in a fertilizer plant in Bhopal, India, killed over 3000 and injured 200,000.

More recently, in 2005, an explosion at a Texas City refinery killed 15 and injured more than 150.  All three of these plants had control systems, alarms, and trained operators.

But these first three layers of protection do not reduce a hazardous plant’s risk to a tolerable level.

The risks associated with production at Flixborough were not all well-defined, and the proper controls were not in place to minimize those risks.

At Bhopal, systems were in place to prevent the resulting gas leak but did not take into account the scenario that led to the accident.

In Texas City, several technical and operational shortcomings led to an explosion.

In order to mitigate risks like the ones above, OSHA (the Occupational Safety and Health Administration) and several companies in the chemical industry, along with ISA and other professional groups, embraced the idea of defining risks, not as isolated processing line or tank risks, but as risks associated with processing functions as a whole.  Standards ISA 84 and IEC 61508 were developed around the concept of functional safety.

Later, these standards, ISA in the US and IEC in Europe, were harmonized in a single standard, ISA-84/IEC-61511.

The way functional safety would be addressed in a plant in order to reduce functional risks was to install a separate, well-designed, Safety Instrumented System.

The Safety Instrumented System, or SIS, represents an additional layer of protection above the first three layers discussed previously.

This layer should provide at least a 10-fold decrease in the risk of the operation.  This decrease can be called a risk reduction factor equal to or greater than 10.

So as we have seen, many levels of protection are required to reduce the risk of an operation to a tolerable risk level.

This level of tolerable risk must be determined by each individual company, but there are benchmarks for many industries, such as chemical, oil & gas, food & beverage, and others.

Overall, the chemical industry has a Fatal Accident Rate, or FAR, of 4.  Driving a car has an FAR of 40.  Fatal Accident Rate is just one way that overall risk can be measured.

In addition to the layers discussed so far, others can be added to reduce the overall risk even further, like physical protection devices, such as relief valves and dikes, and plant and community response teams, like fire departments.

So, now let’s answer what a Safety Instrumented System is.

A Safety Instrumented System is comprised of sensors, logic solvers, and final control elements for the single purpose of taking the process to a safe state when pre-determined conditions are violated.

This means that the SIS, Safety Instrumented System, is a separate set of devices from the basic process control system.

In order to provide a risk reduction factor of greater than 10X, the SIS cannot be interlinked with the basic process control system and any of the shortcomings of that system.

The logic solver is a specialized, hardened PLC-like device that may have multiple processors executing the logic in parallel to ensure integrity of the logic and resulting action.

The SIS is designed around individual functions in the plant, called Safety Instrumented Functions, or SIF for short.

The logic solver takes the SIS inputs and determines what the state of the SIS outputs should be for that SIF.

Consider the process below for transferring a liquid from a tank to a reactor. Normally, the flow controller, which resides in the basic process control system, can easily make the transfer of liquid in a very controlled, repeatable manner.

When the reactor level reaches a high alarm point, the flow is stopped by shutting the control valve in order to keep the closed tank from over-pressurizing.

Let’s define our Safety Instrumented Function as “reactor overpressure protection”.

Now, let’s add the pieces of the SIS that are required to implement the components required for this function.

As you can see, we keep the basic process flow control loop in place, operating as it normally does.

But now, we add a pressure sensor, logic solver, and a positive shutoff valve to stop the flow independent of the flow controller and the basic process control logic. We have provided an independent layer of protection against reactor overpressure.  This improves the overall safety of the process.

In designing a Safety Instrumented System, the design team must do a detailed risk analysis, identifying all of the potential risks and deciding which of the risks require a Safety Instrumented Function to be defined.

A detailed risk matrix can be used to identify the level of risk that is tolerable, and at what point a function requires a SIF to be defined.

This can be done qualitatively, or quantitatively by assigning numerical values to the expected frequency and severity of the risk.

Even a Safety Instrumented System has a probability to fail.

What if the pressure sensor in the previous example does not detect the high-pressure condition?

What if the isolation valve does not close when it is told to?

The probability that a device, whether input, output, or logic solver, will fail causing the SIF to not respond when called upon, is called the Probability of Failure on Demand, or PFD.

For instance, a pressure regulator has approximately a 1 in 10, or 1 × 10⁻¹, probability of failure in a year's time. Failure of an isolation valve is about 1 in 100, or 1 × 10⁻².

These values can be obtained from vendor data for specific devices, or from industry databases of typical PFDs for each type of device.

When we design an overall safety instrumented system for each safety instrumented function, we need to determine the overall Probability of Failure on Demand or PFD for each function that is required.

If we determine the PFD should be less than 0.01, or 1 × 10⁻², then our SIF needs to be designed to a Safety Integrity Level of 2.

Similarly, a PFD of less than 1 × 10⁻¹ requires a safety integrity level of 1, and a PFD of less than 1 × 10⁻³ requires a safety integrity level of 3.

We can look up the PFD values for each of the devices and logic solver elements we would like to use, but to determine the overall PFD for an individual SIF usually requires a computer program.

Suffice it to say, the higher the safety integrity level, the more reliable the safety instrumented function will be.

A Safety Integrity Level of 4, or a PFD of 1 × 10⁻⁴, is possible but is usually not practical or economically feasible.

Another way to reduce risk is to add redundancy.  Redundancy adds cost, but generally will increase the reliability of the system and reduce risk.

A 1 out of 2 system will provide a greater level of safety response than a simplex system.

A 2 out of 3 fault-tolerant system can provide a greater level of safety response than a 1 out of 2 system.

While the 2 out of 3 system may be more reliable, it will be installed at a much higher cost than a 1 out of 2 system.

Likewise, a 1 out of 2 system will have a higher cost than a simplex system.
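
The PFD, Safety Integrity Level, and redundancy discussion above, worked through as an added Python example (not from the original article) for the "reactor overpressure protection" SIF. It uses the common simplified approximations λ·TI/2 for a simplex device and (λ·TI)²/3 for a 1 out of 2 pair, which ignore common-cause failures, diagnostics and repair time; the failure rates, the yearly proof-test interval and all function names are constructed for illustration.

```python
# Added example: simplified PFD and SIL check for one SIF.
# All failure rates below are constructed, not vendor or database values.

HOURS_PER_YEAR = 8760

def pfd_avg(lambda_du, test_interval_h, voting="1oo1"):
    """Average PFD of one subsystem (simplified equations).

    lambda_du        dangerous undetected failure rate, per hour
    test_interval_h  hours between proof tests
    """
    x = lambda_du * test_interval_h
    if voting == "1oo1":   # simplex: the single device must work
        return x / 2
    if voting == "1oo2":   # redundant pair: either device can trip
        return x ** 2 / 3
    raise ValueError(f"unsupported voting: {voting}")

def sif_pfd(design, test_interval_h=HOURS_PER_YEAR):
    """The SIF fails on demand if the sensor OR the logic solver OR the
    final element fails, so for small values the subsystem PFDs add."""
    return sum(pfd_avg(lam, test_interval_h, vote) for lam, vote in design.values())

def sil_met(pfd):
    """Highest SIL whose limit (PFD < 10^-SIL, as in the text) is met; 0 if none."""
    for sil in (4, 3, 2, 1):
        if pfd < 10 ** -sil:
            return sil
    return 0

def with_voting(design, **changes):
    """Copy of a design with the voting of the named subsystems replaced."""
    new = dict(design)
    for name, vote in changes.items():
        new[name] = (design[name][0], vote)
    return new

SIMPLEX = {  # (constructed lambda_du per hour, voting)
    "pressure_sensor": (1.0e-6, "1oo1"),
    "logic_solver":    (1.0e-8, "1oo1"),
    "shutoff_valve":   (3.0e-6, "1oo1"),
}
DUAL_VALVE = with_voting(SIMPLEX, shutoff_valve="1oo2")
DUAL_BOTH = with_voting(DUAL_VALVE, pressure_sensor="1oo2")

if __name__ == "__main__":
    for label, design in [("simplex", SIMPLEX), ("1oo2 valves", DUAL_VALVE),
                          ("1oo2 valves and sensors", DUAL_BOTH)]:
        pfd = sif_pfd(design)
        print(f"{label:24s} PFD={pfd:.2e}  RRF={1 / pfd:6.0f}  SIL {sil_met(pfd)}")
```

With these constructed rates the simplex design only meets SIL 1 because the shutoff valve dominates the total; pairing the valves reaches SIL 2, and pairing the sensors as well reaches SIL 3.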

When designing a Safety Instrumented System, the ISA-84/IEC-61511 standards prescribe a methodology for developing and documenting the system.

Certain design principles should be followed, such as not allowing on-line changes to a logic solver, requirements for testing the SIF, and a Management of Change process for making any changes to the system once the design has been approved.

To review, past accidents and fatalities have led to a new way of looking at risk in a processing plant.

We now look at Safety Instrumented Functions in order to mitigate risk and provide a safer operating environment.

The goal of the Safety Instrumented System is to reduce the risk of accident or injury.  The SIS is only one of many layers of protection that a plant uses to safeguard the process, equipment, personnel, and the community.  But when implemented correctly, it can provide a very large reduction in the overall risk profile.

Safety Instrumented Systems are comprised of sensors, logic solvers, and final control elements which are separate from all basic process control system elements, and the logic solver drives the final control elements to the state required to provide a safe state if the inputs indicate an abnormal situation.

I hope this blog post has helped you. Make sure to check back later for more awesome blogs! Thank you so much for watching, sharing and continuing to be a part of our world.

With so much love and excitement,

The RealPars Team
