Safety System/Emergency

Shutdown System (ESD)

P2

So what is the SIL achieved by the function? Clearly it is not

unique, but depends on the hazard and in particular whether
the demand rate for the hazard implies low or high demand
mode.
SIL is a measure of the SIS performance related only to the
devices that comprise the SIS. This measure is limited to
device integrity, architecture, testing, diagnostics, and common
mode faults inherent to the specific SIS design. It is not
explicitly related to a cause-and-effect matrix, but it is related to
the devices used to prevent a specific incident.
Further, SIL is not a property of a specific device. It is a system
property; input devices through logic solver to output devices.
Finally, SIL is not a measure of incident frequency. It is defined
as the probability (of the SIS) to fail on demand (PFD). A
demand occurs whenever the process reaches the trip
condition and causes the SIS to take action.

The new ANSI/ISA S84.01 standard requires that assign a

target safety integrity level (SIL) for all safety
instrumented systems (SIS) applications.
The assignment of the target SIL is a decision requiring the
extension of the process hazards analysis (PHA)
process to include the balance of risk likelihood and
severity with risk tolerance.
Since SIL 4 is rarely used. SIL 3 is typically the highest
specified safety level. Of the three commonly used
levels, SIL3 has the greatest safety availability (RSA),
and therefore the lowest average probability of failure on
demand (PFD). Required Safety Availability (RSA) is the
fraction of time that a safety system is able to perform its
designated safety function when the process is
operating.

A determination of the target safety

integrity level requires:
1. An identification of the hazard involved.
2. Assessment of the risk of each of the
identified hazard. In other words, how bad
is each
hazard and how often is it expected to occur.
3. An assessment of other Independent
Protection Layers (IPLs) that may be in
place.

Risk Level Factors Based On Frequency

Risk Level Factors Based On Severity

Safety Architectures
Several system architectures are applied in
process safety applications, including
single-channel systems to triple redundant
configurations. Control engineers must
best match architecture to operating
process safety requirements, accounting
for failure in the safety system.

One concern is that many safety systems in

operation, or under construction, do not follow
basic protection principles. Unsafe practices
include:
Performing the safety shutdown within the basic
process control systems (BPCS) or distributed
control systems (DCS).
Using conventional programmable logic
controllers (PLCs) in safety critical applications
(Safety PLCs) are certified to meet safety critical
applications to SIL2 and SIL3.)
Implementing single element (non redundant)
microprocessor- based systems on critical
processor.

The conventional PLC architecture

provides only a single electric path.
Sensors send process
signals to the input modules. The logic solver evaluates
these inputs, determines if a potentially hazardous
condition exists, and energizes or de-energizes the solidstate output. (Fire and gas detection systems, for
example, use the energized to trip philosophy.)
Suppose the safety system de-energizes the output to
move the process to a safe state. Suppose also that one
of the components in the single path fails so that the
output cannot be de-energized. Then the conventional
PLC wont provide its desired safety protection function.

A special class of programmable logic controllers,

called safety PLCs, represents an alternative.
Safety PLCs provide high reliability and high
safety via special electronics, special software,
pre-engineered redundancy, and independent
certification.
The safety PLC has input/output circuits designed
to be fail-safe, using built-in diagnostics. The
central processing unit (CPU) of a safety PLC
has built-in diagnostics for memory, CPU
operation, watchdog timer, and communication
systems.

 Accurately evaluating the safety level for a specific

control device in the context of a potential hazardous
event poses a major and difficult problem for many
control engineers. Associations and agencies
worldwide have made considerable progress toward
establishing standards and implementation guidelines
for safety instrumented systems. These standards
attempt to match the risk inherent in a given situation
to the required integrity level of the safety system.
Unfortunately, many of these guidelines and
standards are not specific to a particular type of
process and deal only with a qualitative level of risk.
Control engineers must use considerable judgment in
evaluating risk and applying instrumentation that
properly addresses established design procedures
with budget restraints.

Typical Applications
A fault-tolerant control system identifies and compensates
for failed control system elements and allows repair
while continuing assigned task without process
interruption. A high integrityn control system is used in
critical process applications that require a significant
degree of safety and availability. Some typical
applications are:
1- Emergency Shutdown
2- Boiler Flame Safety
3- Turbine Control Systems
4- Offshore Fire and Gas Protection

1- Emergency Shutdown
Safety instrumented system provides continuous protection for safetycritical units in refineries, petrochemical/chemical plants and other
industrial processes. For example, in reactor and compressor units,
plant trip signals for pressure, product feed rates, expander
pressures equalization and temperature are monitored and
shutdown actions taken if an upset condition occur.
Traditional shutdown systems implemented with mechanical or
electronic relays provide shutdown protection but can also cause
dangerous nuisance trips. Safety instruments provide automatic
detection and verification of field sensor integrity, integrated
shutdown and control functionality, and direct connection to the
supervisory data highway for continuous monitoring of safety
critical functions.

2- Boiler Flame Safety

Process steam boilers function as a critical component in
most refinery applications. Protection of the boiler from
upset conditions, safety interlock for normal startup and
shutdown, and flamesafety applications are combined by
one integrated safety instrument system.
In traditional applications, these functions had to be
provided by separate, non-integrated components. But
with fault tolerant, fail safe integrated controller, The
boiler operations staff can use a critical resource more
productively while maintaining safety at or above the
level of electromechanically protection systems.

3- Turbine Control Systems

The control and protection of gas or steam turbines
requires high integrity as well as safety. The continuous
operation of the fault tolerant integrated controller
provides the turbine operator with maximum availability
while maintaining equivalent levels of safety.
Speed control as well as start-up and shutdown sequencing
are implemented in a single integrated system.
Unscheduled outages are avoided by using hot spares
for the I/O modules. If a fault occurs in a module, a
replacement module is automatically activated without
operator intervention.

4- Offshore Fire and Gas

Protection
The protection of offshore platforms from fire and gas
threats requires continuous availability as well as
reliability. The safety instrument system provides this
availability through online replacement of faulty modules;
field wiring and sensors are managed automatically by
built-in diagnostics.
Analog fire and gas detectors are connected directly to the
controller, eliminating the need for trip amps. An operator
interface monitors fire and gas systems as well as
diagnostics for the controller and its attached sensors.
Traditional fire and gas panels can be replaced with a
single integrated system, saving costly floor space while
maintaining high levels of safety and availability.