HOME BUYERS_GUIDE REGISTRATION STANDARDS UTILITIES_UK JOKECIRCLE LINKS NEWSGROUP CONTACT US
 
 
STANDARDS / SAFETY INTEGRITY LEVELS ANSI/ISA S84.01 & DRAFT IEC 61508
 
HOW THIS STANDARD WILL AFFECT YOUR BUSINESS
 
KEYWORDS
 
Safety Integrity Level, Process Hazards Analysis, ISA S84.01 S84.01/ IEC 61508
 
INTRODUCTION
 
If your company is planning an expansion, retro-fit, grass roots facilities, or simply modifying a process unit, and the process hazard analysis (PHA) indicates you need a safety instrumented system (SIS) as a protective layer, then you need to comply with ANSI/ISA S84.01. Why? Because in February 1996, the "Application of Safety Instrumented Systems for the Process Industries" was approved and will be enforceable under OSHA 29 CFR Part 1910. There are at least five (5) references in this Federal Register that state "...accepted engineering standards and practices". For example :
 
1 Page 6404 Para. (3)(H)(ii) Safety Systems (e.g. interlocks, detection or suppression systems)
2 "The employer shall document that the equipment complies with recognised and generally accepted good engineering practices."
 
Furthermore, EPA 40 CFR Part 68 has at least ten (10) references to "...accepted engineering standards and practices" for mitigation or protective systems designed to prevent an EPA incident. Both OSHA and EPA make references to National Standards e.g. American National Standards Institute (ANSI). ISA is an American National Standards Institute (ANSI) accredited organisation.

With over 100 user companies represented on the S84 Committee, a standard was produced that represents a consensus of users and vendors.. A unanimous vote from the Committee and the ISA membership, endorsed the document as an "accepted industry standard". Most companies found little or no conflict with their own internal engineering practices for safety systems, but others with no formal engineering guidelines, will have to modify their practices. This standard joins the other industry accepted standards e.g. ASME vessel codes, NFPA for burner management, IEEE for electrical systems, or other civil and building codes / standards. User companies have strict compliance policies for these standards and would rarely if ever violate their requirements. The new S84.01 standard is no different, its requirements insure a design that will meet the process safety integrity level. In addition, US companies should be aware of the increasing threat of litigation by overzealous attorneys and juries that have no sympathy for companies who do not follow standards in their designs. The punitive sanctions of OSHA or the EPA are insignificant as compared to the class action awards plaintiffs are receiving.

What is also new to users, is the assignment, and verification of the SIS safety integrity level (SIL). Assigning and qualifying safety integrity levels, is undoubtedly the one requirement of S84.01 that companies are having the most difficulty with. SIL will be discussed below

 
TECHNIQUES FOR ASSIGNING A TARGET SAFETY INTEGRITY LEVEL
 
The new ANSI/ISA S84.01 standard requires that companies assign a target safety integrity level (SIL) for all safety instrumented systems (SIS) applications. The assignment of the target SIL is a decision requiring the extension of the process hazards analysis (PHA) process to include the balance of risk likelihood and severity with risk tolerance. This paper examines the three most common techniques currently utilised by many process industries: the risk matrix, the IEC 61508 methodology, and a strict policy choice.

The OSHA Process Safety Management (PSM) and EPA Risk Management Program (RMP) dictate that a process hazards analysis be used to determine the protective measures necessary to protect workers, the community and the environment. A compliant program will incorporate "good engineering practice," which means that the program follows the codes and standards published by such organisations as the American Society of Mechanical Engineers, American Petroleum Institute, American National Standards Institute,National Fire Protection Association, American Society for Testing and Materials, and National Board of Boiler and Pressure Vessel Inspectors.

In February 1996, the Instrument Society of American published a standard ISA S84.01, "Application of Safety Instrumented System for the Process Industries". This standard will become an American National Standards Institute (ANSI) standard early this year. With its acceptance as an ANSI standard, it will be enforceable under OSHA PSM and EPA RMP.

The new ANSI/ISA S84.01 and the draft IEC 61508 standard require that a target safety integrity level (SIL) be assigned for the safety instrumented system (SIS) for any process in which the process hazards analysis (PHA) has determined that the mechanical integrity of the process and the process control are insufficient to mitigate the potential hazard. The SIS consists of the instrumentation or controls that are installed for the purpose of mitigating the hazard or bringing the process to a safe state in the event of a process upset.

The safety integrity level designations, provided in ISA S84.01 and IEC 61508 (draft), can be correlated to SIS availability requirements. As shown in the Figure, IEC 61508 (draft) recognises SIL 4, which the U.S. domestic standard ISA S84.01 does not consider.

 
What does SIL mean? It should be understood that SIL and availability are simply statistical representations of the integrity of the SIS when a process demand occurs. The acceptance of a SIL 1 SIS means that the level of hazard or economic risk is sufficiently low and that a SIS with a 10% chance of failure (90% availability) is acceptable. For example, consider the installation of a SIL 1 SIS for a high level trip in a liquid tank. The availability of 90% would mean that out of every 10 times that the level reached the high level trip point there would be one predicted failure of the SIS and subsequent overflow of the tank. Is this an acceptable risk?

A qualitative view of SIL has slowly developed over the last few years as the concept of SIL has been adopted at many chemical and petrochemical plants. This qualitative view can be expressed in terms of the impact of the SIS failure on plant personnel and the public or community.

 
4 Catastrophic Community Impact.
3 Employee and Community Protection.
2 Major Property and Production Protection. Possible injury to employee.
1 Minor Property and Production Protection.
 
The above qualitative view leaves much open for discussion. What is minor? What is major? At what point, will a theoretical injury or fatality occur? There are no regulations that assign a SIL to particular processes or chemical operations. There are no standards to follow that recommend specific SILs for certain process hazards.

The assignment of SIL is a corporate or company decision based on risk management and risk tolerance philosophy. The caveat is that ANSI/ISA S84.01 does mandate that companies should design their safety instrumented systems (SIS) to be consistent with similar operating process units within their own companies and at other companies. Likewise, in the U.S., OSHA PSM and EPA RMP require that industry standards and good engineering practice be used in the design and operation of process facilities. This means that the assignment of safety integrity levels must be carefully performed and thoroughly documented.

Safety integrity levels are assigned after the process hazards analysis (PHA) has concluded that a safety instrumented system is required. A PHA is performed to identify potential hazards in the operation of a chemical process. PHAs range from the very simple screening analysis to the complex Hazard and Operability Study (HAZOP). The HAZOP is a systematic, methodical examination of the process design that utilises a multi-disciplinary team to identify hazards or operability problems that could result in an accident. The HAZOP provides a prioritised basis for the implementation of risk mitigation strategies, such as safety instrumented systems (SIS) or emergency shutdown systems (ESD).
When the HAZOP is completed, the risk associated with the process, in terms of severity and likelihood should be understood. The event severity is established based on some measure of the anticipated impact or consequence. This can include:

  • On-site consequences
    • worker injury or death
    • equipment damage
  • Off-site consequences
    • community exposure, including injury and death
    • property damage
  • Environmental impact
    • emission of hazardous chemicals
    • contamination of air, soil, and water supplies
    • damage to environmentally sensitive area
 
The risk likelihood is determined by estimating the probability of expected occurrence. The likelihood is classified as high, medium or low rate of occurrence. This is often determined based on company operating experience or competitor operation history.

There are several methods of converting HAZOP data into safety integrity levels (SIL). The methods range from making a corporate decision on all safety system installation to more complex techniques such as the IEC 61508 risk graph.

One of the most common techniques, among U.S. chemical and petrochemical companies, uses a risk matrix that is developed based on a corporate risk management philosophy. The risk matrix is a correlation that presents the required risk reduction that is necessary to decrease the perceived process risk to an acceptable level. The risk likelihood and risk severity determined during the HAZOP is plotted on the risk matrix to determine the required risk reduction or safety integrity level (SIL) for that specific hazard event. An example of a risk matrix is shown below

 
QUALITATIVE RANKING OF RISKS
 

 

When there is no corporate risk matrix, the best method is the IEC 1508 risk graph technique. Although still in draft form, IEC 61508 does provide a rigorous technique for determining the SIL for a specific process unit risk. This technique is based on determining four factors:
 
1 consequence (C),
2 frequency and exposure time (F),
3 possibility of avoiding the hazardous event (P),
4 probability of the unwanted occurrence (W).
 
This method is a qualitative technique that requires a multi-disciplinary team to ensure that the four parameters listed above are properly chosen. The optimum time to make the parameter selection is during the HAZOP process when many of the process risks are well documented and the risk likelihood and severity have been discussed.

However, the IEC 61508 methodology is more than just an extension of the HAZOP process, because it focuses most of the evaluation on an individual person’s risk. The consequence, exposure time, possibility of escape and probability of occurrence are evaluated from the point of view of a theoretical person being in the incident zone.
Thus, the consequence is not simply defining the incident in terms of loss of containment, fires or chemical releases, as defined in the PHA process. It is examining the incident from the exposed person’s perspective in terms of an injury or fatality. For the consequence, the following questions should be evaluated for the incident:

 
» Is there a potential for injury or fatality?
» Can the exposed person recover?
» Can the exposed person return to normal activities?
» Are the effects acute or chronic?
 
For the exposure frequency, the process unit must be evaluated in terms of the personnel presence and activity in the unit. The questions for this parameter should address the following:
 
» Is the process unit remote or in the main personnel traffic area?
» How close are operation and maintenance stations?
» How often are operation’s staff in the vicinity?
» What about support staff, such as maintenance crews or engineering personnel?
» Is this a main travel area for access to other process units?
 
Possibility of escape can be difficult for the hazards evaluation team to agree upon, because, as engineers and risk assessment people, there is a tendency to want to believe that people can always escape if there are alarms. However, time becomes an important factor in the escape. The question that should be asked is, "How easy is it to escape from the hazardous area?" Typical issues that should be addressed are as follows:
 
» Are the escape routes well marked?
» Can personnel in the exposure area readily recognise that a hazardous situation exists?
» Are there alarm sirens?
» Have personnel been through accident scenario training?
 
The probability of occurrence is an easier parameter to evaluate since most process hazards analysis already uses the occurrence frequency to prioritise HAZOP results. The likelihood of the event should be evaluated without taking into account any existing safety instrumented systems.
Once these factors are determined, the risk graph in IEC 61508 is utilised to determine the minimum risk reduction level and associated SIL.
 
Necessary Minimum Risk Reduction Level
Safety Integrity Level
   
- No safety requirements
a No special safety requirements
b,c 1
d 2
e,f 3
g 4
h An E/E/PES SRS is not sufficient
 
The least time consuming method is one being adopted by many small, speciality chemical plants that do not have the manpower to devote to the IEC 61508 or risk matrix methodologies. This method recognises that the greatest increase in cost occurs when you make the decision that the SIL must be higher than SIL 1. The selection of SIL 2 or SIL 3 forces the SIS design toward device redundancy and diversity. With this recognition, many companies are taking the approach that "a safety system is a safety system and therefore should be SIL 3". This eliminates the arguments about whether escape is possible, someone will be injured or killed or the impact will be on-site and/or off-site. It saves time in the PHA process, reduces documentation in justifying the SIL choice, and ensures consistency across process units.
Unfortunately, there is no easy answer when it comes to assigning SILs. The choice involves examining safety, community, environmental, and economic risks. Multi-disciplinary teams must be involved in the process to ensure that the choice of SIL is consistent with a company’s risk management philosophy and loss prevention goals.
 
THE RELATIONSHIP BETWEEN TUV CLASS AND SIL
 
ANSI/ISA S84.01-1996 and draft IEC 61508 require the assignment and verification of safety integrity levels (SIL) for any safety instrumented system (SIS). Programmable Electronic Systems (PES) are often used as the logic solver in SIS applications. The PES is certified by TUV to meet certain TUV classes. With the increased interest in SIL, many Users are now asking about the relationship between TUV Class and SIL. This technical letter will provide an introduction to the origin of TUV classes and SIL and demonstrate the importance of these acronyms to SIS design.

Following the catastrophic incidents in Seveso Italy, Flixborough UK, and Bhopal India, there was rapid movement in many countries to develop standards and regulations that would minimize the impact of industrial accidents on citizens. In Germany, the methodology of defining the risk to individuals was established in DIN V 19250, "Control technology; fundamental safety aspects to be considered for measurement and control equipment." DIN V 19250 established the concept that safety systems should be designed to meet certain designated classes, Class 1 through Class 8. The choice of the class was made dependent on the level of risk posed by the process. Therefore, DIN V 19250 was simply an attempt to force Users to look at the hazards involved in their processes and to determine the integrity of the safety-related system that would be required.

As PES use in safety system designs became prevalent, there was increased concern about how to determine whether the design of the PES was sufficiently rigorous for the application and for the DIN V 19250 class. The standard DIN V VDE 0801 was developed to address these concerns. "Principles for computers in safety-related systems," DIN V VDE 0801, sets forth the following specific measures that are to be utilized in the evaluation of PES:

 
» Design,
» Coding (system level),
» Implementation and Integration, and
» Validation.
 
Within the standard, each measure is broken down into specific techniques that can be thoroughly tested and documented by independent organizations. Thus, DIN V VDE 0801 provided a means of determining that the PES met certain DIN V 19250 classes.

DIN V 19250 related risk to class and DIN V VDE 0801 related class to PES requirements. Now the remaining piece was a certifying body to ensure that the PES met the class by the measures and techniques presented in DIN V VDE 0801. TUV is a German regulatory body, which some people compare to OSHA in the United States, since one of the divisions of TUV has regulatory authority over industry in Germany. However, this comparison is overly simplistic, because TUV’s impact on worldwide safety system design is through its certification division. TUV tests and certifies PESs for DIN V 19250 class or TUV Class. While there are other certifying organisations in the world that are important for certain applications or in certain countries, TUV is currently the internationally recognised certification body for PES.
It must be acknowledged that the achievement of TUV Class is not absolute. Due to the complexity of PES, all TUV certifications are rewarded based on particular design, diagnostic, operational, testing, and maintenance restrictions. These are documented in the certification report from TUV. All PES have restrictions for TUV Class 5 and 6. Some of these restrictions can result in the requirement that the PES operate in a configuration that is different from the advertised product. These restrictions must be examined carefully toensure that the PES meets the required TUV class in the configuration that will be used in operation.

The two German standards provided a mechanism for relating risk to PES integrity, but it was always understood that risk reduction had to include the evaluation of the complete safety-related system or safety instrumented system (SIS). Draft IEC 61508, "Functional Safety: Safety Related Systems," is an international standard, designed to address the complete SIS in the process, transit and medical industries. The standard introduces the concept of a safety lifecycle model to illustrate that the integrity of a SIS is not limited to device integrity, but is also a function of design, operation, testing, and maintenance.

The draft IEC 61508 standard created 4 safety integrity levels (SIL) that were indexed to specific probability to fail on demand ranges (Table 1). According to the standard, a SIL is assigned based on the required risk reduction as determined from a process hazards analysis. From an overall viewpoint, SIL was established as the litmus test of whether the SIS design, operation, testing, and maintenance was acceptable. The SIL encompasses device integrity, architecture, voting, diagnostics, systematic and common cause failures, testing, operation, and maintenance. Since the original DIN V 19250 related risk to TUV class, the draft IEC 1508 standard provides a correlation between SIL and TUV class.

 
Table 1. Safety Integrity Level with Probability to Fail on Demand (PFD)
 

Safety Integrity Level

Probability to Fail on Demand

IEC

61508

4

E-005 to < E-004

ISA

S84

3

E-004 to < E-003

2

E-003 to < E-002

1

E-002 to < E-001

 
ANSI/ISA S84.01-1996 is the United States’ standard for safety systems in the process industry. The SIL classes (Table 1) from draft IEC 61508 were utilised and the TUV class relationships were maintained. ANSI/ISA S84.01-1996 did not incorporate the highest SIL class, SIL 4. The S84 Committee felt that SIL 4 was very applicable for medical and transit systems in which the only layer of protection is the safety instrumented layer. In contrast, the process industry can incorporate many layers of protection in the design of the process. The overall risk reduction from these layers of protection is equal to or greater than that of other industries.

The graphic in Figure 1 provides a view of the relationship of TUV classes and SIL. As the required SIL increases, the SIS integrity, as measured by probability to fail on demand or availability, must also increase. Since SIL is a measure of the overall system integrity, the PES chosen for the application must meet the required SIL and, therefore, must meet a specific TUV class.

The relationship between TUV classes and SIL is extremely important and should not be overlooked. These designations were developed in response to serious incidents that resulted in the loss of life. Finally, these designations are intended to serve as a foundation for the effective selection and appropriate design of safety instrumented systems.

 
Figure 1. Cross Reference between SIS Class and Standards
 
IEC International Electrotechnical Commission
 
 
 
   
© 2017 Design copyright Instrument-Net.co.uk Names, pictures and logos - owner copyright,. Details for informational use and subject to change without notice Instrument-Net.co.uk 2017 Telelephone: 0191 261 0919 Fax: 0191 261 0919 Email: info2017@Instrument-Net.co.uk
    "the UK resource centre and online buyers guide for all interested in the UK instrument industry" |