Intrinsic Safety

Reader Feedback: The SIS Focus Should Be on Verification

The what-if analysis (fault tree analysis) is the key, and SIS standards committee are a long way from understanding that.

By Paul Gruhn, P.E., ISA Fellow

I am writing in response to Béla Lipták's article "SIS: Standards by Committee" in the November issue of Control. I suggest Control print a retraction of his article. I am not the only long-standing ISA 84 committee member who will state that what he has written is incorrect and a gross disservice to the industry.

"ANSI/ISA 84.00.01-2004 is a 'relaxed version of IEC 61508/61511 (1996)'." The first edition of ANSI/ISA 84 (Application of Safety Instrumented Systems for the Process Industries) was released in 1996. IEC 61508 (Functional safety of electrical/electronic/programmable electronic safety-related systems) was first released in parts between 1998 and 2000 (not 1996). It was intended as a high-level standard and the foundation for industry-specific standards that were in development at the time (e.g., process, nuclear, machinery, medical, etc.). The second edition of 61508 was released in 2010. IEC 61511 (Functional safety – Safety instrumented systems for the process industry sector) was first released in 2003 (not 1996). Members of the ISA 84 committee participated in the development of IEC 61511. The ISA 84 committee voted to accept IEC 61511 as the next edition of ISA 84 (rather than try to update the original version of 84), with the addition of clause 1.y (the grandfather clause), which is a single sentence taken from the US process safety management regulation. That is the only difference between ISA 84 and IEC 61511. In fact, ISA 84 has "(IEC 61511 Mod)" in its very title. It is not a 'relaxed version' in any sense of the word.

"The main problem with the PFD values is they're determined by self-certification by the manufacturer or by the manufacturer's hired evaluation firm, and this 'certification' doesn't need to be approved by any safety authority." Probability of failure on demand values are derived from failure rate, failure mode, and diagnostic coverage factors that are usually determined by the manufacturer through failure modes and effects analysis (as no one knows the product better than they do). These analyses are then reviewed by external certification agencies recognized around the world (e.g., TÜV, exida). Vendors do not 'self-certify' anything, and third-party certification involves much more than a review of PFD values. I'm not sure what 'safety authority' Béla might have in mind, but I don't think we need yet another government authority overseeing the design of commercial products used by industry.

"The standard doesn't even apply to pneumatic or hydraulic logic systems, nor does it apply to fire and gas systems, safety alarms, safety controls or to plants that were in operation before 1996." The standard does apply to other technology systems (as clearly stated in the introduction); it does apply to mitigation systems (as shown in Figures 4, 5 and 9) such as fire and gas systems (hence technical report TR84.00.07, "Guidance on the Evaluation of Fire, Combustible Gas and Toxic Gas System Effectiveness"); it does apply to safety controls (as shown in Figures 4, 5 and 9, Table 4, and clauses 3.2.43.2 and 3.2.69); and it does apply to systems installed prior to the first release of the standard (which is precisely why the grandfather clause (1.y) was included in the 1996 and 2004 versions of the standard). Alarms are a topic covered by the ISA 18.2 standard.

"SIL = (SFF)(PFD)" While safe failure fraction is included in the standard, it does not relate safety integrity level to probability of failure on demand in any such way. SIL is simply a number between 1 and 4. Safe failure fraction is a percentage between 0 and 100. Probability numbers are just that. To understand and utilize these numbers does not take "an IRS consultant and a rather 'flexible' consultant, whose conclusions might just happen to coincide with the plant's views." In order to utilize a performance-based standard, one needs to understand the performance terms and measures.

"SIS doesn't do that (bring the plant to a safe state as an overrule safety control (OSC)) because the committee that developed it still lives in a 'manual culture'. They still trust men more than machines… the men who design the OSCs are not panicked operators running around in the dark at 2 a.m." A safety instrumented system is not an alarm that must be responded to manually. As Béla stated earlier in his article, a safety instrumented system consists of a sensor, logic solver, and final element. These are automated functions. They are exactly the sort of overrule safety control that Béla seems to be asking for.

"The what-if analysis (fault tree analysis) is the key, and SIS standards committee are a long way from understanding that." Considering that the hazard and risk analysis is the very first step described in the safety life cycle, and it is the foundation upon which the entire safety system design depends, such a statement is both incorrect and unfounded.

"What's probably the worst aspect of SIL ratings is that they do not apply to entire unit operations such as boilers or distillation columns. In fact, it's quite possible that a boiler with a SIL 3 steam overpressure protection system can also have a SIL 1 low water level protection loop." Safety Integrity Level does not apply to a plant, a unit, a boiler, a distillation column, or a 200 I/O system. SIL is a measure of the probability of failure on demand of a single safety instrumented function. A boiler and a distillation column consist of multiple safety functions, each protecting against a different hazardous event, hence each has its own performance requirement. These functions cannot be combined, added, or averaged together to give a meaningful number any more than the speeds of all the vehicles in a parking lot (including a Corvette and a scooter) can be combined, added, or averaged together.
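The three points above about PFD, SFF and SIL (PFD values derived from failure rates and diagnostic coverage; SFF being a separate measure rather than a link between SIL and PFD; and SIL belonging to each safety instrumented function, not to the boiler) can be made concrete with a small calculation. The following is an added example, not code from the letter, from Control, or from any standards body; the failure rates are constructed for illustration and the hypothetical boiler has two independent functions. It uses the simplified low-demand formula PFDavg ≈ λDU × TI / 2 for a single device and the IEC 61508/61511 low-demand SIL bands.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed, hypothetical failure-rate data (per hour). Real values come from a
# vendor FMEDA reviewed by a certification body, as the letter describes.


@dataclass(frozen=True)
class FailureRates:
    """Failure rates of one device, split by failure mode and detectability (lambda, per hour)."""
    safe_detected: float
    safe_undetected: float
    dangerous_detected: float
    dangerous_undetected: float

    @property
    def total(self) -> float:
        return (self.safe_detected + self.safe_undetected
                + self.dangerous_detected + self.dangerous_undetected)


def safe_failure_fraction(rates: FailureRates) -> float:
    """SFF: share of all failures that are safe or dangerous-but-detected (0.0 to 1.0)."""
    return (rates.safe_detected + rates.safe_undetected
            + rates.dangerous_detected) / rates.total


def pfd_avg_1oo1(rates: FailureRates, proof_test_interval_h: float) -> float:
    """Simplified low-demand PFDavg for one device: lambda_DU * T_I / 2.
    Only dangerous *undetected* failures count; detected ones are revealed by diagnostics
    and handled, safe ones trip the process rather than hide a fault."""
    return rates.dangerous_undetected * proof_test_interval_h / 2.0


def pfd_avg_sif(elements: List[FailureRates], proof_test_interval_h: float) -> float:
    """Sensor, logic solver and final element act in series: the function fails
    dangerously if any element does, so their (small) PFDs are summed."""
    return sum(pfd_avg_1oo1(r, proof_test_interval_h) for r in elements)


def sil_from_pfd(pfd: float) -> Optional[int]:
    """IEC 61508/61511 low-demand bands: SIL n means 10^-(n+1) <= PFDavg < 10^-n."""
    for sil, (lo, hi) in ((4, (1e-5, 1e-4)), (3, (1e-4, 1e-3)),
                          (2, (1e-3, 1e-2)), (1, (1e-2, 1e-1))):
        if lo <= pfd < hi:
            return sil
    return None  # outside the defined bands: not a SIL-rated function


ANNUAL_PROOF_TEST_H = 8760.0

# Hypothetical boiler: two separate safety instrumented functions, each with its own
# hazard and its own elements (rates are constructed, not vendor data).
BOILER_SIFS: Dict[str, List[FailureRates]] = {
    "steam overpressure trip": [
        FailureRates(2e-7, 1e-7, 4e-7, 5e-8),  # pressure transmitter, good diagnostics
        FailureRates(5e-7, 1e-7, 3e-7, 1e-8),  # logic solver
        FailureRates(1e-6, 5e-7, 2e-7, 1e-7),  # shutdown valve
    ],
    "low water level trip": [
        FailureRates(1e-6, 2e-6, 1e-6, 5e-6),  # level switch, little diagnostic coverage
        FailureRates(5e-7, 1e-7, 3e-7, 1e-8),  # same logic solver
        FailureRates(1e-6, 5e-7, 2e-7, 2e-6),  # fuel shutoff valve
    ],
}


def sil_per_function(sifs: Dict[str, List[FailureRates]],
                     proof_test_interval_h: float) -> Dict[str, Optional[int]]:
    """SIL is assigned per safety instrumented function. There is deliberately no
    'boiler SIL' here: averaging the two PFDs would describe protection against neither hazard."""
    return {name: sil_from_pfd(pfd_avg_sif(elems, proof_test_interval_h))
            for name, elems in sifs.items()}


if __name__ == "__main__":
    for name, elems in BOILER_SIFS.items():
        pfd = pfd_avg_sif(elems, ANNUAL_PROOF_TEST_H)
        print(f"{name}: PFDavg = {pfd:.2e} -> SIL {sil_from_pfd(pfd)}")
    # Two devices with identical SFF but PFDs a decade apart: SFF does not set the SIL band.
    for dev in (FailureRates(9e-6, 0.0, 0.0, 1e-6), FailureRates(9e-7, 0.0, 0.0, 1e-7)):
        pfd = pfd_avg_1oo1(dev, ANNUAL_PROOF_TEST_H)
        print(f"SFF = {safe_failure_fraction(dev):.0%}, PFDavg = {pfd:.2e} -> SIL {sil_from_pfd(pfd)}")
```

With these constructed rates the overpressure trip lands at roughly 7.0e-4 (SIL 3) and the low water level trip at roughly 3.1e-2 (SIL 1), exactly the situation the quoted passage treats as a defect and the letter treats as the normal result of rating each function against its own hazard. The final loop shows two devices with the same 90% SFF falling into SIL 2 and SIL 3 respectively, which is why SFF cannot be a factor in any "SIL = (SFF)(PFD)" relation.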