Upload: geoffrey-barnard-pe-cfse (posted 23-Jan-2017)

Page 1: Barnard Impacts of Demand Rates

1

IMPACTS OF DEMAND RATES ON SIF/SIS DESIGN AND MECHANICAL INTEGRITY

Geoffrey Barnard, P.E., CFSE
aeSolutions
Houston, TX

KEYWORDS

Safety Instrumented Systems (SIS), Layer of Protection Analysis (LOPA), Safety Integrity Level (SIL) Determination, Safety Integrity Level (SIL) Verification, Demand Rate, Demand Mode, Continuous Mode

ABSTRACT

IEC 61508 and IEC 61511 (ANSI/ISA 84) impose certain requirements for design and verification of Safety Instrumented Functions (SIFs) based on the assigned Safety Integrity Level (SIL), as well as the expected Demand Rate and Mode of Operation. It is often said that SIFs in Process Industry applications overwhelmingly fall into a Low Demand Mode of operation, but what exactly does this mean? What assumptions lead to this belief, and when do these assumptions hold true?

This paper examines the differences between Low Demand, High Demand, and Continuous Mode SIFs, and provides examples and practical guidance for SIL Determination, conceptual design, SIL Verification, and long-term Mechanical Integrity considerations for each.

INTRODUCTION

When the risk of a particular hazard cannot be reduced sufficiently through other means, a Safety Instrumented Function (SIF) is often specified to close the gap. As many of us are all too familiar, IEC 61511 (ANSI/ISA 84) places certain requirements on the design, operation, and maintenance of Safety Instrumented Functions (SIFs) based on their Safety Integrity Level (SIL). The required SIL of a SIF is determined within the context of the hazardous outcome it is intended to prevent, the tolerability of such an outcome, the other available protection layers that prevent the hazardous outcome, and the frequency of events or conditions that may lead to the hazard in the first place.

Layer of Protection Analysis (LOPA) is a widely used methodology for SIL determination because its semi-quantitative nature lends itself to establishing quantitative integrity targets, a critical step in the Safety Instrumented System (SIS) design process upon which many other assumptions will be based. When speaking of Safety Integrity Levels and SIL determination, many of us jump immediately to average Probability of Failure on Demand (PFDavg). The terms have become nearly synonymous in the industry. However, reading the standard carefully, we find that this term is valid only in the case of Demand Mode SIFs.

A majority of technical resources on the subject of SIS refer to the fact that process industry SIFs fall overwhelmingly into a Demand Mode, or Low Demand Mode of Operation. Does the ubiquity of such a prediction lead to its own accomplishment? With so much depending on this initial phase of the process, it is critical to understand this assumption, when it is valid, and how to adjust the process when it is not valid. The following sections will explore the meaning of a Demand on a safeguard, as well as the impacts the frequency of demands has on SIL determination, conceptual design, SIL verification, and long-term Mechanical Integrity of a SIF.

DEMANDS

A Demand is placed on a safeguard when process conditions require the safeguard to function in order to prevent a hazard. In a simple example, a pressure relief valve on a vessel experiences a demand when the vessel pressure exceeds the set pressure of the relief valve. When the relief valve lifts, the vessel is protected from overpressure. If the relief valve fails to lift, it can be said to have failed dangerously, and the vessel is now at risk of overpressure if further action is not taken.

On the other hand, if the relief valve lifts below the set pressure it could be said to have failed spuriously. In this case, the relief valve took action unnecessarily when the vessel was not at risk, and therefore no demand took place.

SIF demands can be explained in much the same way. When a hazardous condition is present that a SIF sensor is designed to detect, and the SIF action is required to prevent the progression to a hazardous event, a demand has been placed on that SIF.

Often within an SIS many additional actions must take place to safely shut down all related process equipment. Not all of these actions must take place to prevent the first or most immediate hazard, but they may be done to avoid secondary hazards or conditions that may place demands on other SIFs or safeguards. If a SIF (or a final element of a SIF) is activated by another SIF internally to the logic solver, or manually by an operator, this would generally not be considered a demand.

In the example below, Pressure Vessel V-100 operates with a normal liquid level of 50% controlled by basic process control loop LC-100. Transfer Pump P-200 sends excess liquid to Atmospheric Storage Tank T-300. Should a failure occur in the process equipment or the process control loop resulting in a loss of liquid level, high pressure gas may escape through the transfer line, resulting in the rupture of T-300 with the potential for injury or toxic exposure to plant personnel.

Figure 1 – Example System 1 Piping & Instrumentation Diagram

In one particular scenario, control loop LC-100 malfunctions, allowing LV-100 to go wide open, leading to a decrease in level in V-100. If the level reaches the low trip point of SIF-1, a demand is placed on SIF-1, which must close XV-101 to prevent the hazardous event.

One may also notice that upon closure of XV-101 a new hazard is created. Blocked suction of the Transfer Pump P-200 may lead to cavitation, seal failure, and potential for toxic exposure to plant personnel. SIF-2 will shut off the pump when the discharge flow drops below a threshold indicating that continued operation will lead to damage. Rather than allowing the automatic closure of XV-101 to induce a secondary hazard, SIF-1 should be specified with a secondary action to stop pump P-200. Whenever possible it is a good practice to coordinate such actions to avoid secondary hazards and avoid placing unnecessary demands on other safeguards and protection layers, preventing hazards before the hazardous conditions arise.

DEMAND RATE

IEC 61511 (ANSI/ISA 84) requires consideration of potential Sources of Demand and probable Demand Rates of SIFs during the Hazard and Risk Assessment [1, clause 8.2.1], Allocation of Safety Functions to Protection Layers [1, clauses 9.2.3, 9.2.4], development of the Safety Requirements Specification (SRS) [1, clause 10.3.1], Design and Engineering [1, clauses 11.2.10, 11.3.2, 11.3.3, 11.9], Operation and Maintenance [1, clause 16.2.2], and Modification [1, clause 17.1.1]. What exactly are sources of demand, and why are demand rates important to so many stages of the safety lifecycle?

Sources of Demand for a particular SIF may be relatively easy to identify. When a SIF is specified as a protection layer against a hazardous event, each of the causes or initiating events that lead to this hazardous event would be among the SIF sources of demand. Specific causes of all credible hazard scenarios or conditions should be considered as part of the Hazard and Risk Assessment and documented as sources of demand in the SRS.

The Demand Rate of a SIF is the total frequency, from all sources of demand, at which hazardous process conditions will call for the SIF to act. While we often estimate initiating event frequencies as part of the SIL determination process, the actual demand rate of a SIF may be much more difficult to predict.

Often a SIF may be one of several Independent Protection Layers (IPLs), each capable of preventing a particular hazardous event. Unless the SIF is the first or only layer to act in response to each initiating event, simply summing the initiating event frequencies is likely to over-estimate the actual demand rate the SIF will experience. When other IPLs are designed to complete their respective actions first, demands experienced by the SIF can be expected to decrease dramatically.

Figure 2 – Sequenced IPL Response Times (timeline from Initiating Event to Hazardous Event)

Figure 3 – Non-Sequenced IPL Response Times (timeline from Initiating Event to Hazardous Event)

In order to more precisely estimate a SIF's demand rate, one could consider the sequence of IPLs in each hazard scenario by multiplying the initiating event frequency by the PFD of any IPL designed to complete action prior to initiation of the SIF. Analysts should be cautioned that this may require substantial effort very early in the design process. Without careful consideration of process dynamics and the available response times of each IPL within the context of the overall process safety time, results may under-estimate the actual demand rate the SIF will experience.

$$\text{Estimated SIF Demand Rate} = \sum \Big[ \text{Initiating Event Frequency} \times \prod \text{Non-SIF IPL PFDs completing action prior to SIF initiation} \Big]$$

Equation 1 – Estimated SIF Demand Rate with consideration of response times and process safety time

It is easy to imagine how attempts to precisely estimate SIF demand rates on paper can be quite problematic. Absent sufficient operating history to directly measure SIF demand rates, reasonable and conservative assumptions will need to be made. Like all data assumed throughout the design and analysis process, SIF demands should be tracked and investigated so that actual operating history can be used to validate that the SIF design criteria are sufficiently conservative, and that all sources of demand have been anticipated and analyzed.

Though often overlooked, expected and actual SIF demand rates are of critical importance to the basis of SIF design and mechanical integrity. Improperly estimating demands can lead to misapplication of the SIL determination process, improper design and SIL verification, inappropriate maintenance intervals, and ultimately SIFs that do not adequately protect against the given hazards.

NOTES ON SIF MODES OF OPERATION

Before beginning a more detailed exploration of SIF Modes of Operation, it is important to note that the definitions in the current version of IEC 61511 [1] differ from those of the parent standard, IEC 61508 [2], leaving only a distinction between Demand Mode (protection layer) and Continuous Mode (safety critical control). Development of the second edition of IEC 61511 [3] is currently underway, drafts of which feature Modes of Operation defined in closer alignment with the second edition of IEC 61508 published in 2010. For clarity, this document applies the current state-of-the-industry approach defining three modes of operation, but with specific references to applicable clauses of the current edition of IEC 61511, expected to remain in effect through at least 2014.

LOW DEMAND MODE

In order to be considered in a Low Demand Mode of Operation, the SIF must meet three basic criteria:

(1) SIF dangerous failure does not initiate a hazard scenario without subsequent failure in the process or BPCS [1, Part 1 clause 3.2.43.1], and;
(2) Demand rate no greater than once per year [1, Part 1 clause 3.2.43.2], and;
(3) Demand interval at least twice the proof test interval [4, Annex I].

First, the SIF acts only as a safeguard. The process is normally capable of being operated within its safe upper and lower limits without the SIF; the SIF only exists to reduce the frequency of a hazardous event initiated by some sort of failure of process equipment, failure of the BPCS, or failure of a human to follow intended procedures. A dangerous failure of the SIF has no impact on the process or the BPCS and cannot be the cause of a hazard scenario. SIFs that do not meet this requirement should be considered to operate in Continuous Mode.

Second, the expected demand rate of the SIF is infrequent; once per year or less. Although the one-year threshold may seem somewhat arbitrary, a SIF experiencing more frequent demands would suggest that the process may not be adequately controlled to begin with. In such cases the actual hazard frequency will be more closely related to the dangerous failure frequency of the SIF, meaning it would normally be most appropriate to consider the SIF to operate in High Demand Mode.

The third requirement for Low Demand SIFs is that the expected demand rate is infrequent relative to the proof test interval. In other words, a dangerous failure of the SIF is more likely to be uncovered by a proof test than by a demand. If this condition is not met, proof testing should not be considered effective in uncovering dangerous failures, and SIL determination and SIL verification in terms of PFDavg (where proof test interval is a key component) are no longer applicable. For this reason, when the demand interval is less than twice the proof-test interval it would generally be more appropriate to consider the SIF to operate in the High Demand Mode.
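Equation 1 and the three Low Demand criteria above, carried through as a small script. This is an added example, not code from the paper; the two scenarios, the alarm-and-operator IPL with PFD 0.1 ahead of the SIF, and the proof test intervals tried are constructed for illustration. It also shows the case the text warns about: the plain sum of initiating event frequencies pushes the SIF into High Demand Mode, while the sequenced estimate keeps it in Low Demand Mode, but only if the proof test interval is short enough to satisfy criterion (3).

```python
"""Equation 1 (estimated SIF demand rate) and the Low Demand criteria.

Added example, not part of the paper. Scenario data is constructed.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Scenario:
    """One cause-consequence pair that can place a demand on the SIF."""
    name: str
    initiating_event_freq: float                     # events per year
    # PFDs of non-SIF IPLs that complete their action BEFORE the SIF is
    # initiated (Equation 1). IPLs that act after the SIF do not reduce
    # the demand rate and must not be listed here.
    ipl_pfds_before_sif: List[float] = field(default_factory=list)


def scenario_demand_rate(s: Scenario) -> float:
    """Demands per year that this scenario passes through to the SIF."""
    rate = s.initiating_event_freq
    for pfd in s.ipl_pfds_before_sif:
        rate *= pfd
    return rate


def naive_demand_rate(scenarios: List[Scenario]) -> float:
    """Plain sum of initiating event frequencies (the over-estimate)."""
    return sum(s.initiating_event_freq for s in scenarios)


def estimated_demand_rate(scenarios: List[Scenario]) -> float:
    """Equation 1: sum over scenarios of IEF x product of earlier IPL PFDs."""
    return sum(scenario_demand_rate(s) for s in scenarios)


def classify_mode(demand_rate_per_year: float,
                  proof_test_interval_years: float,
                  sif_failure_can_initiate_hazard: bool = False) -> str:
    """Apply the three Low Demand criteria in the order the paper lists them."""
    if sif_failure_can_initiate_hazard:            # criterion 1 violated
        return "continuous"
    if demand_rate_per_year > 1.0:                  # criterion 2: at most 1/yr
        return "high demand"
    if demand_rate_per_year <= 0.0:                 # no demands at all
        return "low demand"
    demand_interval_years = 1.0 / demand_rate_per_year
    if demand_interval_years < 2.0 * proof_test_interval_years:  # criterion 3
        return "high demand"
    return "low demand"


def max_proof_test_interval_years(demand_rate_per_year: float) -> float:
    """Longest proof test interval that still satisfies criterion 3."""
    return 1.0 / (2.0 * demand_rate_per_year)


# Constructed scenarios (assumed, not from the paper). Scenario A: a BPCS
# failure at 0.1/yr with nothing ahead of the SIF. Scenario B: a 1/yr upset
# where an independent alarm plus operator response (PFD 0.1) is designed
# to complete its action before the SIF trip point is reached.
SCENARIOS = [
    Scenario("control valve fails open (BPCS)", 0.1),
    Scenario("upset caught first by alarm and operator", 1.0, [0.1]),
]

if __name__ == "__main__":
    naive = naive_demand_rate(SCENARIOS)
    seq = estimated_demand_rate(SCENARIOS)
    print(f"naive sum of IEFs : {naive:.2f} demands/yr -> {classify_mode(naive, 1.0)}")
    print(f"Equation 1        : {seq:.2f} demands/yr -> {classify_mode(seq, 1.0)}")
    for ti in (1.0, 2.5, 5.0):
        print(f"  TI = {ti} yr -> {classify_mode(seq, ti)}"
              f" (max TI {max_proof_test_interval_years(seq):.1f} yr)")
```

With the naive sum (1.1 per year) the SIF is High Demand regardless of test interval; with Equation 1 (0.2 per year) it is Low Demand only when proof tested at least every 2.5 years. That coupling between demand rate and test interval is exactly what criterion (3) captures, and it is why the demand rate has to be settled before the proof test interval is written into the SRS.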

Though undoubtedly your company’s or client’s risk management policies and LOPA/SIL determination procedures will vary, the typical approach to SIL determination and SIL verification that most process industry analysts are familiar with is that of Low Demand Mode. This process begins with the estimation of the initiating event frequency of a particular hazard, and the allocation of non-SIF protection layers that reduce the frequency of the outcome. When compared against the tolerability of such an outcome (most often expressed in terms of a Tolerable Event Frequency in events per year), any remaining gap in risk reduction may be assigned to a SIF.

$$\text{Mitigated Event Frequency (events per year)} = \text{Initiating Event Frequency (events per year)} \times \prod \text{Non-SIF IPL PFDs} \times \prod \text{Probabilities of Enabling Events or Conditions} \times \text{SIF } PFD_{avg}$$

Equation 2 – Mitigated Event Frequency for Low Demand SIFs

$$\text{Target SIF } PFD_{avg} = \frac{\text{Tolerable Event Frequency (events per year)}}{\text{Initiating Event Frequency} \times \prod \text{Non-SIF IPL PFDs} \times \prod \text{Enabling Probabilities}}$$

Equation 3 – Target PFDavg for Low Demand SIFs

Once the target PFDavg and Safety Integrity Level have been determined, design of the SIF may proceed with the appropriate architectural constraints according to IEC 61511 [1] Part 1 Tables 5 and 6, or IEC 61508 [2] Part 2 Tables 2 and 3. For SIFs operating in Low Demand Mode, SIL verification may consider automatic diagnostics for reducing the effective dangerous failure rates of individual devices, and periodic proof testing and repair may be considered for reducing PFDavg. For further guidance on the basics of Low Demand Mode SIL verification, refer to IEC 61508 [2] Part 6 Annex B, or ISA Technical Report TR84.00.02 [6] Parts 1 through 5.

Low Demand Mode Example:

Consider again the example system in Figure 1. The LOPA Team identified one credible initiating event that could lead to the hazardous event of loss of level in V-100 and gas blow-by to T-300: LV-100 malfunctioning open, with a BPCS failure frequency no less than 1x10-5 per hour, approximately 0.1 per year, or once in 10 years. According to the requirements above, such a demand rate allows SIF-1 to operate in Demand Mode [1], or Low Demand Mode [2, 3], with a maximum proof test interval of 5 years (half of the 10-year demand interval).

Based on the consequence severity of the storage tank rupture, the example plant risk management policy dictates the Mitigated Event Frequency must not exceed a Tolerable Event Frequency of 1x10-3 events per year. The LOPA team has also assumed a probability of occupancy of 0.1 for the area surrounding T-300 as the only enabling condition for this scenario.

$$\frac{1 \times 10^{-3}\ \text{per year}}{[1 \times 10^{-1}\ \text{per year}] \times [1 \times 10^{-1}]} = 1.0 \times 10^{-1}$$

Applying Equation 3, the PFDavg of SIF-1 must be less than 1.0x10-1; SIL 1 according to IEC 61511 [1] Part 1 Table 3 for Demand Mode SIFs and thus not requiring hardware fault tolerance per IEC 61511 [1] Part 1 Table 6.

Table 1 – Low Demand Mode Safety Integrity (from IEC 61511-1:2003 Table 3)

SIL   Target PFDavg           Target Risk Reduction
1     ≥10^-2 to <10^-1        >10 to ≤100
2     ≥10^-3 to <10^-2        >100 to ≤1,000
3     ≥10^-4 to <10^-3        >1,000 to ≤10,000
4     ≥10^-5 to <10^-4        >10,000 to ≤100,000

Table 2 – Minimum Fault Tolerance (from IEC 61511-1:2003 Table 6)

SIL   Minimum HFT
1     0
2     1
3     2
4     (see IEC 61508)

Using simplex components throughout, the following failure rates were collected:

Remote Diaphragm Seals and Capillaries: 3x10-7 dangerous failures per hour
Differential Pressure Transmitter: 8x10-7 dangerous failures per hour
Logic Solver System: 9x10-8 dangerous failures per hour
Solenoid Valve: 6x10-7 dangerous failures per hour
Ball Valve and Actuator: 2x10-6 dangerous failures per hour

$$\text{Achieved } PFD_{avg} = \sum \frac{\text{Subsystem Dangerous Failure Rate} \times \text{Proof Test Interval}}{2}$$

Equation 4 – Simplified Achieved PFDavg for Low Demand SIFs

Grouping the seals and transmitter into the sensor subsystem (1.1x10-6 per hour) and the solenoid and ball valve into the final element subsystem (2.6x10-6 per hour), and taking the 5-year proof test interval as 43,800 hours:

$$\left[\frac{1.1 \times 10^{-6}\ \text{per hour} \times 43{,}800\ \text{hours}}{2}\right] + \left[\frac{9 \times 10^{-8} \times 43{,}800}{2}\right] + \left[\frac{2.6 \times 10^{-6} \times 43{,}800}{2}\right] = 8.30 \times 10^{-2}$$

Using the simplest form of the PFDavg equation and assuming only end-to-end proof testing, the SIF achieves a PFDavg of 8.30x10-2 at a 5-year proof test interval; within the constraints for a Low Demand SIF in this scenario.
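The Low Demand Mode example above, Equation 3 through Equation 4, as an added Python example (not code from the paper). The inputs are the paper's SIF-1 figures; the SIL lookup encodes the Table 1 bands, and the script also sweeps the proof test interval so the reader can see where the simplex design stops meeting its target.

```python
"""Low Demand Mode SIL determination (Equation 3) and simplified SIL
verification (Equation 4) for SIF-1 of the example system.

Added example, not part of the paper; the inputs are the paper's.
"""
import math
from typing import Iterable, Sequence

HOURS_PER_YEAR = 8760.0


def target_pfdavg(tolerable_event_freq: float,
                  initiating_event_freq: float,
                  non_sif_ipl_pfds: Sequence[float] = (),
                  enabling_probs: Sequence[float] = ()) -> float:
    """Equation 3; both frequencies in events per year."""
    unmitigated = initiating_event_freq
    for p in list(non_sif_ipl_pfds) + list(enabling_probs):
        unmitigated *= p
    return tolerable_event_freq / unmitigated


def required_sil_low_demand(target: float) -> int:
    """SIL from IEC 61511-1:2003 Table 3 (Table 1 above) for a PFDavg target.

    The achieved PFDavg must be below the target, so a target of exactly
    1e-1 means SIL 1 and 1e-3 means SIL 3. Returns 0 when no SIL is needed.
    """
    exponent = math.floor(round(-math.log10(target), 9))
    if exponent < 1:
        return 0
    if exponent > 4:
        raise ValueError("required PFDavg below the SIL 4 band; re-examine process design")
    return exponent


def achieved_pfdavg(dangerous_rates_per_hour: Iterable[float],
                    proof_test_interval_years: float) -> float:
    """Equation 4: sum of lambda_D x TI / 2 over simplex subsystems, no diagnostics."""
    ti_hours = proof_test_interval_years * HOURS_PER_YEAR
    return sum(lam * ti_hours / 2.0 for lam in dangerous_rates_per_hour)


def verify_low_demand(dangerous_rates_per_hour: Iterable[float],
                      proof_test_interval_years: float,
                      target: float) -> bool:
    """True when the achieved PFDavg meets the Equation 3 target."""
    return achieved_pfdavg(dangerous_rates_per_hour, proof_test_interval_years) < target


# SIF-1 inputs from the Low Demand example above
TEF = 1e-3            # tolerable events per year
IEF_LV100 = 0.1       # LV-100 fails open, events per year
OCCUPANCY = 0.1       # enabling condition (probability)
SIF1_RATES = {        # dangerous failures per hour, simplex devices
    "remote seals and capillaries": 3e-7,
    "DP transmitter": 8e-7,
    "logic solver": 9e-8,
    "solenoid valve": 6e-7,
    "ball valve and actuator": 2e-6,
}

if __name__ == "__main__":
    target = target_pfdavg(TEF, IEF_LV100, enabling_probs=[OCCUPANCY])
    print(f"target PFDavg {target:.2e} -> SIL {required_sil_low_demand(target)}")
    for ti in (1, 3, 5, 7):
        pfd = achieved_pfdavg(SIF1_RATES.values(), ti)
        print(f"TI {ti} yr: PFDavg {pfd:.3e}, meets target: {pfd < target}")
```

The 7-year row fails (about 0.116 against a target of 0.1), and 5 years is also the longest interval criterion (3) allows for a 10-year demand interval, so in this scenario the proof test interval is pinned from both sides: any longer and either the PFDavg target or the Low Demand Mode assumption itself is lost.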

HIGH DEMAND MODE

In order to be considered in a High Demand Mode of Operation, the SIF must meet only one basic requirement:

(1) SIF dangerous failure does not initiate a hazard scenario without subsequent failure in the process or BPCS [1, clause 3.2.43.1].

As with Low Demand Mode, the SIF must act only as a safeguard and its dangerous failure cannot be the cause of a hazard scenario. SIFs that do not meet this requirement should be considered to operate in Continuous Mode. Assuming the above requirement is satisfied, a SIF should be considered in High Demand Mode if either of the two remaining Low Demand Mode criteria is violated; that is, if the SIF has:

(2) Demand rate greater than once per year [1, Part 1 clause 3.2.43.2], or;
(3) Demand interval less than twice the proof test interval [4, Annex I].

High Demand Mode requires a significant shift away from the typical assumptions applied to the design and verification of Low Demand Mode SIFs. Before proceeding with the design of a High Demand Mode SIF it is recommended that the process first be re-examined for the practicality of employing an inherently safer process design with a lower initiating event frequency [4, Annex J].

As SIF demands increase relative to the proof test interval there is a transition where the product of demand rate and PFDavg no longer reasonably approximates the hazard frequency. In some instances, the estimated hazard frequency can exceed the overall dangerous failure frequency of the SIF – something that is impossible in reality. As such, High Demand and Continuous Mode SIFs are verified against a target Frequency of Dangerous Failure (FDF) [1], or average Probability of Dangerous Failure per Hour (PFH) [2], with the understanding that the hazard frequency cannot be greater than the SIF dangerous failure frequency.

Figure 4 – Estimated Hazard Frequency (with 1 year test interval)

More importantly, when demands occur as often as or more often than proof tests, such testing should not be considered effective in uncovering dangerous failures prior to a demand. When the basis for using PFDavg (of which proof test interval is a key component) as a measure of risk reduction has been violated, the actual hazard frequency will be much more directly related to the SIF dangerous failure frequency. For this reason, it may be more appropriate to consider SIFs whose demand interval is less than twice the proof test interval to operate in the High Demand Mode.

To determine the required safety integrity of a High Demand Mode SIF in terms of PFH, the normal LOPA process must be modified and the sequence of IPLs must be considered. When a SIF genuinely operates in the High Demand Mode it is likely because one or more initiating events occur very frequently and there are no other effective protection layers that can prevent the hazard prior to activation of the SIF*. If this is true, then although a dangerous SIF failure is not the initiating event itself, we may replace the initiating event frequency with the SIF PFH. This is the same process used with Continuous Mode SIFs, and is the reason why the standards make little distinction between High Demand and Continuous Modes of Operation.

Non-SIF IPLs that are designed to act only after a SIF failure, and any scenario enablers and conditional modifiers (all probabilities), may be applied against the Tolerable Event Frequency in events per hour. Because the overall hazardous event frequency from any and all sources of demand (initiating events) cannot exceed the dangerous failure frequency of the SIF, we solve for the maximum tolerable SIF dangerous failure frequency.

$$\text{Mitigated Event Frequency (events per hour)} = \text{SIF } PFH \times \prod \text{Non-SIF IPL PFDs acting after SIF} \times \prod \text{Probabilities of Enabling Events or Conditions}$$

Equation 5 – Mitigated Event Frequency for High Demand & Continuous Mode SIFs

$$\text{Target SIF } PFH = \frac{\text{Tolerable Event Frequency (events per hour)}}{\prod \text{Non-SIF IPL PFDs} \times \prod \text{Enabling Probabilities}}$$

Equation 6 – Target PFH for High Demand & Continuous Mode SIFs

Using Table 4 of IEC 61511 [1] we can determine the SIL of the SIF in High Demand or Continuous Mode and proceed with a design with the appropriate architectural constraints according to IEC 61511 [1] Tables 5 and 6, or IEC 61508 [2] Part 2 Tables 2 and 3.

Recalling that it is the total demand rate that is of interest when determining the SIF Mode of Operation, not simply the initiating event frequency of each scenario in isolation, it is possible that no single cause-consequence scenario will force a SIF into a High Demand Mode on its own. It is important to allot time near the conclusion of the SIL determination process to examine overall SIF demand rates and possibly re-evaluate scenarios where a SIF is found to be operating in the High Demand Mode.

When verifying the PFH target of High Demand SIFs the usual SIL verification process and assumptions must be modified as well. Because dangerous failures in High Demand Mode SIFs are more likely to be uncovered by a demand than a proof test, proof testing is considered largely ineffective. Although test interval is a variable considered in the verification of fault tolerant architectures, it is not a mechanism for significantly reducing PFH.

* If a non-SIF IPL is effective in preventing a high frequency hazard prior to activation of the SIF, this IPL should be considered to operate in the High Demand Mode and the SIF would likely fall into the Low Demand Mode. See reference [8] Appendix F for further details on the treatment of IPLs with high initiating event frequencies.

Automatic diagnostics may be credited in High Demand Mode SIFs when the system is configured to move to the safe state in response to a detected dangerous failure, provided the diagnostic test interval is significantly shorter than the expected demand interval (a diagnostic test rate at least 100 times the demand rate [2, Part 2 clause 7.4.5.3]). Diagnostics used to initiate repair rather than immediate safe action may be considered in High Demand Mode applications when fault tolerant redundancy is employed. In these cases, achieved safety integrity is much more sensitive to Mean Time To Restore (MTTR) than in a similar PFDavg calculation, where this factor typically has very low sensitivity. Achieved PFH equations can be found in IEC 61508 [2] Part 6 Annex B.

High Demand Mode Example:

A batch reactor undergoes a 4-hour manual cleaning process following the completion of each batch, once every 28 to 32 hours, up to 250 times per year. At the conclusion of the cleaning operation, all valves and manways must be closed and the reactor purged with nitrogen prior to restarting the process, as the reactants form a highly flammable vapor. An investigation team has been formed following an incident where a manway was not fully sealed and a significant quantity of flammable vapor was released into the reactor enclosure. This is the second such incident in a matter of weeks. The team concludes that existing procedures are adequate but not effective enough in preventing human error, and recommends the addition of an automated pressure test to ensure all valves and manways are sealed prior to charging the reactor.

A SIF is designed such that the two fail-closed reactant charge valves are to remain de-energized and closed until the test pressure is satisfied and held for at least three minutes. A successful test allows the process to proceed by energizing the charge valve solenoids, releasing them to BPCS control. A failure aborts the sequence until all equipment can be inspected and retested.

Based on the consequence severity, the example plant risk management policy dictates the Mitigated Event Frequency must not exceed a Tolerable Event Frequency of 1x10-3 events per year. The LOPA team has also assumed a probability of occupancy of 0.1 for the reactor enclosure and a probability of ignition of 0.5. The human error frequency is estimated to be 1x10-2 per opportunity with eight manual valves and manways involved in the procedure.

$$\frac{1 \times 10^{-3}\ \text{per year}}{250\ \text{batches per year} \times 8\ \text{valves} \times [1 \times 10^{-2}\ \text{error frequency}] \times 0.5 \times 0.1} = 1.0 \times 10^{-3}$$

Following the normal process for Low Demand Mode SIL determination leads to a surprising result. The SIF would be in the SIL 3 range with a PFDavg target less than 1x10-3; a risk reduction factor target greater than 1,000.

Re-examining the scenario, the team recognizes that the estimated Demand Rate of 20 per year (250 batches x 8 opportunities x 1x10-2 errors per opportunity) places the SIF into the High Demand Mode. Because the hazard cannot occur at a frequency higher than the failure frequency of the SIF, the team determines the PFH target of the SIF as if it were the initiating event.

$$\frac{1 \times 10^{-3}\ \text{per year}}{0.5 \times 0.1 \times \text{approx. } 10{,}000\ \text{hours per year}} = 2.0 \times 10^{-6}\ \text{per hour}$$

Applying Equation 6, the PFH of the permissive SIF must be less than 2.0x10-6 per hour (using 8,760 hours per year in place of the round 10,000 gives 2.3x10-6 per hour); within the SIL 1 range according to IEC 61511 [1] Part 1 Table 4 for High Demand/Continuous Mode SIFs and thus not requiring hardware fault tolerance per IEC 61511 [1] Part 1 Table 6.

Table 3 – High Demand & Continuous Mode Safety Integrity (from IEC 61511-1:2003 Table 4)

SIL   Target FDF/PFH (per hour)
1     ≥10^-6 to <10^-5
2     ≥10^-7 to <10^-6
3     ≥10^-8 to <10^-7
4     ≥10^-9 to <10^-8

Table 2 – Minimum Fault Tolerance (from IEC 61511-1:2003 Table 6)

SIL   Minimum HFT
1     0
2     1
3     2
4     (see IEC 61508)

The system will be designed with a single pressure transmitter, a single logic solver, and two solenoid valves, both required to de-energize. Valves and actuators are not included, as any dangerous failure allowing measurable leakage will be detected by the pressure test and the sequence will not proceed. The following failure rates were collected:

Remote Diaphragm Seal and Capillary: 3x10-7 dangerous failures per hour
Differential Pressure Transmitter: 8x10-7 dangerous failures per hour
Logic Solver System: 9x10-8 dangerous failures per hour
Solenoid Valve: 6x10-7 dangerous failures per hour

$$\text{Achieved SIF } PFH = \sum \text{Subsystem } PFH$$

Equation 7 – Achieved PFH for High Demand and Continuous Mode SIFs

$$\text{Achieved } PFH_{1oo1} = \lambda_D$$

Equation 8 – Simplified Achieved PFH for 1oo1 High Demand and Continuous Mode Subsystems

$$\text{Achieved } PFH_{2oo2} = 2\lambda_D$$

Equation 9 – Simplified Achieved PFH for 2oo2 High Demand and Continuous Mode Subsystems

With the sensor subsystem (seal plus transmitter) and the logic solver as 1oo1 and the solenoid pair as 2oo2:

$$[3 \times 10^{-7} + 8 \times 10^{-7}] + [9 \times 10^{-8}] + [2 \times 6 \times 10^{-7}] = 1.1 \times 10^{-6} + 9 \times 10^{-8} + 1.2 \times 10^{-6} = 2.4 \times 10^{-6}\ \text{per hour}$$

Using simplified failure assumptions the SIF achieves an overall dangerous failure frequency of 2.4x10-6 per hour. This falls within the SIL 1 band of Table 3, but it is above the 2.0x10-6 per hour target derived above, so the design as listed does not yet meet its target. The sensor subsystem and the 2oo2 solenoid pair each contribute roughly half of the total, and at least one of them would have to be reduced, for example through fault tolerant redundancy with diagnostics as discussed above, before the SIF could be accepted.
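The High Demand Mode example above (the naive Equation 3 attempt, Equation 6, and Equations 7 to 9) together with the diagnostic-credit conditions from [2, Part 2 clause 7.4.5.3] quoted earlier, as an added Python example that is not code from the paper. The inputs are the paper's; with the sensor subsystem at 1.1x10-6 per hour (3x10-7 + 8x10-7) the summed PFH comes to 2.4x10-6 per hour and exceeds the 2.0x10-6 target, which the script reports rather than hides.

```python
"""High Demand Mode SIL determination (Equation 6) and simplified SIL
verification (Equations 7 to 9) for the reactor permissive SIF, plus the
diagnostic-credit checks from [2, Part 2 clause 7.4.5.3].

Added example, not part of the paper; the inputs are the paper's.
"""
import math
from typing import Sequence, Tuple

HOURS_PER_YEAR = 8760.0


def naive_low_demand_target_pfdavg(tolerable_events_per_year: float,
                                   demand_rate_per_year: float,
                                   enabling_probs: Sequence[float] = ()) -> float:
    """Equation 3 applied without checking the mode (what the team did first)."""
    unmitigated = demand_rate_per_year
    for p in enabling_probs:
        unmitigated *= p
    return tolerable_events_per_year / unmitigated


def target_pfh(tolerable_events_per_year: float,
               ipl_pfds_after_sif: Sequence[float] = (),
               enabling_probs: Sequence[float] = (),
               hours_per_year: float = HOURS_PER_YEAR) -> float:
    """Equation 6: tolerable frequency in events per hour over the probabilities."""
    divisor = hours_per_year
    for p in list(ipl_pfds_after_sif) + list(enabling_probs):
        divisor *= p
    return tolerable_events_per_year / divisor


def required_sil_pfh(target: float) -> int:
    """SIL from IEC 61511-1:2003 Table 4 (Table 3 above): SIL n is 10^-(n+5) <= PFH < 10^-(n+4)."""
    sil = math.floor(round(-math.log10(target), 9)) - 4
    if sil < 1:
        return 0
    if sil > 4:
        raise ValueError("required PFH below the SIL 4 band; re-examine process design")
    return sil


def subsystem_pfh(lambda_d: float, architecture: str) -> float:
    """Equations 8 and 9, simplified forms without diagnostic credit."""
    if architecture == "1oo1":
        return lambda_d
    if architecture == "2oo2":
        return 2.0 * lambda_d
    raise ValueError(f"no simplified form given in the paper for {architecture}")


def achieved_pfh(subsystems: Sequence[Tuple[float, str]]) -> float:
    """Equation 7: sum of the subsystem PFH values."""
    return sum(subsystem_pfh(lam, arch) for lam, arch in subsystems)


def diagnostics_creditable_high_demand(diag_interval_hours: float,
                                       demand_rate_per_year: float) -> bool:
    """Diagnostic test rate must be at least 100 x the demand rate."""
    return (1.0 / diag_interval_hours) >= 100.0 * demand_rate_per_year / HOURS_PER_YEAR


def diagnostics_creditable_continuous(diag_interval_hours: float,
                                      sif_response_time_hours: float,
                                      process_safety_time_hours: float) -> bool:
    """Diagnostic interval plus SIF response time must fit inside the process safety time."""
    return diag_interval_hours + sif_response_time_hours < process_safety_time_hours


# Inputs from the High Demand example above
TEF = 1e-3                         # tolerable events per year
DEMAND_RATE = 250 * 8 * 1e-2       # 20 demands per year
ENABLERS = (0.5, 0.1)              # ignition, occupancy
PERMISSIVE_SIF = [                 # (lambda_D per hour, architecture)
    (3e-7 + 8e-7, "1oo1"),         # remote seal + DP transmitter = 1.1e-6
    (9e-8, "1oo1"),                # logic solver
    (6e-7, "2oo2"),                # two solenoids, both must de-energize
]

if __name__ == "__main__":
    naive = naive_low_demand_target_pfdavg(TEF, DEMAND_RATE, ENABLERS)
    print(f"naive PFDavg target {naive:.1e} (SIL 3 band) at {DEMAND_RATE:.0f} demands/yr")
    pfh_target = target_pfh(TEF, enabling_probs=ENABLERS)
    print(f"PFH target {pfh_target:.2e}/h -> SIL {required_sil_pfh(pfh_target)}")
    got = achieved_pfh(PERMISSIVE_SIF)
    print(f"achieved PFH {got:.2e}/h, meets target: {got < pfh_target}")
    print("1 h diagnostics creditable:", diagnostics_creditable_high_demand(1.0, DEMAND_RATE))
```

The same `target_pfh` and `achieved_pfh` serve a Continuous Mode SIF, since Equations 5 and 6 are shared; only the diagnostic-credit test changes, which is why both checks are kept as separate functions. Note that at 20 demands per year a diagnostic interval of one hour clears the 100x rule comfortably, while a ten-hour interval does not.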

CONTINUOUS MODE

A dangerous failure of any SIF or SIF component that may initiate a hazard scenario without

subsequent failure in the process or BPCS must be considered to operate in the Continuous Mode

[1, clause 3.2.43.1].

Upon first thought, some may wonder if a SIF that can initiate its own hazard scenario, or any

other hazard scenario for that matter, should be considered a safety function at all. While many

simple examples of Continuous Mode SIFs are actually better examples of poor design or

inadequate separation of control and safety, there are rare but legitimate applications where

Independent Protection Layers are ineffective or impractical to install. In such cases a basic

process control loop (normally limited to an initiating event frequency no less than 10-5 per hour)

may be implemented in the SIS and managed as a Safety Instrumented Control Function [1], or

what ANSI/ISA 84.91 would describe as a Safety Critical Control [5]. Designing and managing

a control loop as a Continuous Mode SIF allows for the reduction of the initiating event

frequency (SIF Frequency of Dangerous Failure) to a tolerable level.

Obviously a design that places the competing priorities of control and safety in a single system

should be approached with caution. Just as with High Demand Mode SIFs, it is strongly

recommended that alternatives in process design be considered before proceeding with the

design of a Continuous Mode SIF. Overall hazardous event frequency can generally be reduced

much more simply through multiple diverse protection layers that are completely independent of

the initiating event. After due diligence has been done, if a Continuous Mode SIF is found to be

the best option there are additional rules and considerations for design and verification.

To determine the required safety integrity of a Continuous Mode SIF, the normal LOPA process must be modified. Considering that the hazardous condition is always present, there are no sources of demand or a demand rate to record. This is because a Continuous Mode SIF does not act as a protection layer, but rather as the initiating event itself.

Non-SIF IPLs that are designed to act only after a SIF failure, and any scenario enablers and conditional modifiers (all probabilities), may be applied against the Tolerable Event Frequency in events per hour. Because the overall hazardous event frequency cannot exceed the dangerous failure frequency of the SIF, we solve for the maximum tolerable SIF dangerous failure frequency.


$$\text{Mitigated Event Frequency (events per hour)} = \text{SIF PFH} \times \prod \text{Non-SIF IPL PFDs acting after SIF} \times \prod \text{Probabilities of Enabling Events or Conditions}$$

Equation 5 – Mitigated Event Frequency for High Demand & Continuous Mode SIFs

$$\text{Target SIF PFH} = \frac{\text{Tolerable Event Frequency (events per hour)}}{\prod \text{Non-SIF IPL PFDs} \times \prod \text{Enabling Probabilities}}$$

Equation 6 – Target PFH for High Demand & Continuous Mode SIFs

Using Table 4 of IEC 61511 [1] we can determine the SIL of the SIF in High Demand or Continuous Mode and proceed with a design with the appropriate architectural constraints according to IEC 61511 [1] Tables 5 and 6, or IEC 61508 [2] Part 2 Tables 2 and 3.

SIL verification of Continuous Mode SIFs is performed in much the same way as with High Demand SIFs but with additional restrictions. The dangerous failure of a Continuous Mode SIF will be self-revealing, directly and often immediately initiating the hazard scenario. Automatic diagnostics may only be considered in very limited circumstances involving fault tolerant redundancy, or when the sum of the diagnostic interval and SIF response time is less than the process safety time [2, Part 2 clause 7.4.5.3]. This restriction may limit the effectiveness of diagnostics in many situations. For this reason, it is often said that diagnostics may not be credited in the verification of Continuous Mode SIF integrity.

Test interval is considered in the verification of fault tolerant architectures, but again is not a mechanism for significantly reducing PFH. Achieved PFH equations can be found in IEC 61508 [2] Part 6 Annex B.

Continuous Mode Example:

A centrifugal compressor is equipped with a performance controller that executes a series of complex control routines at very high speed, keeping the compressor operating at maximum efficiency in a wide range of load conditions. Among other things, the control system continuously modulates a recycle valve that allows a portion of the discharge to flow back to the compressor’s suction. In the event that the compressor operating point approaches the surge line, the controller will open the recycle valve to prevent catastrophic damage to the compressor. Due to the quantity of measurements, the complexity of the control routines, and the speed at which the evaluations must be made, it is common to combine compressor performance control and certain complex protective functions in a single logic solver system.

The example plant risk management policy considers catastrophic compressor failure to be tolerable at a frequency of no more than 1×10⁻⁴ events per year, as the compressor enclosure is occupied as much as 2 hours per day. The LOPA team has determined that the normal range of operating conditions can induce compressor surge without a failure in the process, meaning the dangerous failure of the anti-surge control function itself is an initiating event. An independent machinery protection system is capable of shutting down the steam turbine via the trip and throttle valve by measuring shaft displacement at the thrust bearing; however, this is not an SIS and its probability of failure on demand can be no less than 1.0×10⁻¹. The team determines that another automated system would be impractical to install and would not be effective in all scenarios. For this reason the surge control will be considered to be a Continuous Mode SIF, and the performance controller hardware will be designed and managed as an SIS.

$$\frac{1 \times 10^{-4} \text{ per year}}{[1 \times 10^{-1}] \times [1 \times 10^{-1}] \times \text{approx. } 10{,}000 \text{ hours per year}} = 1.0 \times 10^{-6} \text{ per hour}$$

Applying Equation 6, the target PFH is less than 1.0×10⁻⁶ per hour, or SIL 2 according to IEC 61511 [1] Part 1 Table 4 for Continuous Mode SIFs. SIL 2 will require fault tolerance in each subsystem according to IEC 61511 [1] Part 1 Table 6, or a sufficiently high safe failure fraction according to IEC 61508 [2] Part 2 Tables 2 and 3.
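
The target calculation above, worked in code as an added example (this is not code from the paper or from aeSolutions). It implements Equation 6 and the Table 4 band lookup for the compressor case, and generalizes the lookup to any target so that a target landing exactly on a band boundary, as 1.0×10⁻⁶ per hour does here, is resolved the way the text resolves it: the SIF must achieve a PFH below the target, so the next higher SIL applies. The reading of the two 0.1 factors as the machinery protection PFD and the occupancy modifier is an assumption, as is the rounding of 8,760 to 10,000 hours per year that the text calls "approx".

```python
from math import isclose

# IEC 61511-1:2003 Table 4 (the paper's Table 3): target PFH bands for High Demand and
# Continuous Mode SIFs as (SIL, lower bound inclusive, upper bound exclusive), per hour.
SIL_PFH_BANDS = (
    (1, 1e-6, 1e-5),
    (2, 1e-7, 1e-6),
    (3, 1e-8, 1e-7),
    (4, 1e-9, 1e-8),
)


def target_pfh(tolerable_event_freq_per_year, non_sif_ipl_pfds, enabling_probabilities,
               hours_per_year=10_000):
    """Equation 6: Target SIF PFH = TEF / (prod(non-SIF IPL PFDs) x prod(enabling probabilities)).

    The tolerable event frequency is stated per year and converted to per hour with
    hours_per_year (the text rounds 8,760 to approximately 10,000). Only non-SIF IPLs that
    act *after* the SIF has failed may be credited, because the SIF failure is the initiating event.
    """
    if tolerable_event_freq_per_year <= 0:
        raise ValueError("tolerable event frequency must be positive")
    divisor = float(hours_per_year)
    for p in list(non_sif_ipl_pfds) + list(enabling_probabilities):
        if not 0 < p <= 1:
            raise ValueError(f"probability out of range: {p}")
        divisor *= p
    return tolerable_event_freq_per_year / divisor


def required_sil(target):
    """SIL whose Table 4 band the achieved PFH must fall in to be *below* the target.

    A target sitting exactly on a band boundary (1e-6/h in the worked example) is read as the
    next higher SIL, because the achieved PFH has to be less than the target. A result of 0
    means the target lies above the SIL 1 band and no SIL-rated function is needed.
    """
    sil1_upper = SIL_PFH_BANDS[0][2]
    if target > sil1_upper and not isclose(target, sil1_upper, rel_tol=1e-9):
        return 0
    for sil, lower, upper in SIL_PFH_BANDS:
        if lower < target < upper or isclose(target, upper, rel_tol=1e-9):
            return sil
    raise ValueError("target PFH is below the SIL 4 band; a single SIF cannot close this gap")


def compressor_example():
    """The anti-surge Continuous Mode SIF worked in the text. The text applies two factors
    of 0.1; they are read here (assumption) as the non-SIS machinery protection trip, whose
    PFD can be no better than 0.1, and the enclosure occupancy of about 2 hours per day
    rounded to 0.1."""
    target = target_pfh(1e-4, non_sif_ipl_pfds=[0.1], enabling_probabilities=[0.1])
    return target, required_sil(target)  # -> (1.0e-6 per hour, SIL 2)
```

Because the division is carried out in floating point, the boundary comparison uses a relative tolerance rather than equality; without it a target computed as 9.999999999999999e-7 would silently be placed in the wrong band.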

  SIL   Target FDF/PFH (per hour)
  1     ≥ 10⁻⁶ to < 10⁻⁵
  2     ≥ 10⁻⁷ to < 10⁻⁶
  3     ≥ 10⁻⁸ to < 10⁻⁷
  4     ≥ 10⁻⁹ to < 10⁻⁸

Table 3 – High Demand & Continuous Mode Safety Integrity from IEC 61511-1:2003 Table 4

  SIL   Minimum HFT
  1     0
  2     1
  3     2
  4     (see IEC 61508)

Table 2 – Minimum Fault Tolerance from IEC 61511-1:2003 Table 6

  Type A Safe          Hardware Fault Tolerance
  Failure Fraction     0        1        2
  < 60%                SIL 1    SIL 2    SIL 3
  60% – < 90%          SIL 2    SIL 3    SIL 4
  90% – < 99%          SIL 3    SIL 4    SIL 4
  ≥ 99%                SIL 3    SIL 4    SIL 4

Table 4 – Architectural Constraints on Type A Safety-Related Subsystems from IEC 61508-2:2010 Table 2

  Type B Safe          Hardware Fault Tolerance
  Failure Fraction     0        1        2
  < 60%                N/A      SIL 1    SIL 2
  60% – < 90%          SIL 1    SIL 2    SIL 3
  90% – < 99%          SIL 2    SIL 3    SIL 4
  ≥ 99%                SIL 3    SIL 4    SIL 4

Table 5 – Architectural Constraints on Type B Safety-Related Subsystems from IEC 61508-2:2010 Table 3

The system will be designed with 1oo2 voted flow sensors (Type B, SFF > 60%, 10% Beta), a single logic solver (Type B, SFF > 90%), and a single valve assembly (Type A, SFF > 60%) with a 5 year test interval. The following failure rates were collected:

Impulse Lines: 4×10⁻⁷ dangerous failures per hour

Differential Pressure Transmitter: 8×10⁻⁷ dangerous failures per hour

Logic Solver System: 9×10⁻⁸ dangerous failures per hour

Digital Valve Controller: 4×10⁻⁷ dangerous failures per hour

Anti-Surge Valve and Actuator: 3×10⁻⁷ dangerous failures per hour

$$\text{Achieved SIF PFH} = \sum \text{Subsystem PFH}$$

Equation 7 – Achieved PFH for High Demand and Continuous Mode SIFs

$$\text{Achieved PFH}_{1oo2} = 2\left[(1-\beta)\lambda_D\right]^2 \left[\frac{\text{Test Interval}}{2}\right] + \beta\lambda_D$$

Equation 10 – Simplified Achieved PFH for 1oo2 High Demand and Continuous Mode Subsystems

$$[1.71 \times 10^{-7}] + [9 \times 10^{-8}] + [7 \times 10^{-7}] = 9.61 \times 10^{-7} \text{ per hour}$$

Using very simplified failure assumptions the SIF achieves an overall dangerous failure frequency of 9.61×10⁻⁷ per hour, less than the failure frequency target and within the requirements for a SIL 2 Continuous Mode SIF.
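
The verification side, as an added example (again not the paper's or aeSolutions' code): Equations 7 and 10 applied to the failure rates listed above, together with the architectural constraint check that Tables 4 and 5 describe and that the design choices (1oo2 Type B sensors, single Type B logic solver with higher SFF, single Type A valve) are meant to satisfy. It assumes 8,760 hours per year for the 5-year test interval, which is what reproduces the 1.71×10⁻⁷ per hour sensor figure, and takes each "SFF > x%" in the text as the lower edge of that band. The dataclass, function names and the 1oo1/1oo2 restriction are this example's own.

```python
from dataclasses import dataclass

HOURS_PER_YEAR = 8760  # converts the 5-year test interval to hours


@dataclass
class Subsystem:
    """One SIF subsystem (sensor, logic solver or final element) for Equations 7 and 10."""
    name: str
    lambda_d: float               # dangerous failures per hour for one channel (sum of its devices)
    sub_type: str                 # "A" or "B" in the IEC 61508-2 sense
    sff: float                    # safe failure fraction as a fraction (0.60 means 60%)
    hft: int = 0                  # hardware fault tolerance: 0 = 1oo1, 1 = 1oo2
    beta: float = 0.0             # common-cause (beta) factor, used only when hft = 1
    test_interval_h: float = 0.0  # test interval in hours, used only when hft = 1


def pfh_1oo1(lambda_d):
    """A single channel's PFH is its dangerous failure rate; test interval does not reduce it."""
    return lambda_d


def pfh_1oo2(lambda_d, beta, test_interval_h):
    """Equation 10 (simplified): 2[(1 - beta) lambda_D]^2 (TI / 2) + beta lambda_D.

    The first term is the independent double failure within a test interval; the second is
    the common-cause failure that defeats both channels at once, which no test interval reduces.
    """
    independent = 2 * ((1 - beta) * lambda_d) ** 2 * (test_interval_h / 2)
    common_cause = beta * lambda_d
    return independent + common_cause


def subsystem_pfh(s):
    if s.hft == 0:
        return pfh_1oo1(s.lambda_d)
    if s.hft == 1:
        return pfh_1oo2(s.lambda_d, s.beta, s.test_interval_h)
    raise NotImplementedError("only 1oo1 and 1oo2 are worked in this example")


def achieved_sif_pfh(subsystems):
    """Equation 7: the SIF PFH is the sum of its subsystem PFHs."""
    return sum(subsystem_pfh(s) for s in subsystems)


# Architectural constraints, IEC 61508-2:2010 Tables 2 and 3 (the paper's Tables 4 and 5):
# maximum SIL claimable, indexed [type][SFF band][HFT]. None means the architecture is not allowed.
SFF_BAND_EDGES = (0.60, 0.90, 0.99)  # band 0: < 60%, 1: 60 to < 90%, 2: 90 to < 99%, 3: >= 99%
MAX_SIL_BY_ARCHITECTURE = {
    "A": ((1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4)),
    "B": ((None, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4)),
}


def sff_band(sff):
    return sum(1 for edge in SFF_BAND_EDGES if sff >= edge)


def max_sil_by_architecture(s):
    return MAX_SIL_BY_ARCHITECTURE[s.sub_type][sff_band(s.sff)][min(s.hft, 2)]


def verify_sif(subsystems, target_sil, target_pfh):
    """Both checks a SIL verification must pass: the achieved PFH is below the target, and
    every subsystem's architecture is allowed to claim the target SIL."""
    total = achieved_sif_pfh(subsystems)
    pfh_ok = total < target_pfh
    arch_ok = True
    for s in subsystems:
        max_sil = max_sil_by_architecture(s)
        if max_sil is None or max_sil < target_sil:
            arch_ok = False
    return total, pfh_ok, arch_ok


def compressor_example():
    """The anti-surge SIF from the text against its target of 1e-6 per hour / SIL 2."""
    five_years_h = 5 * HOURS_PER_YEAR
    subsystems = [
        Subsystem("1oo2 flow sensors (impulse lines + DP transmitter)", 4e-7 + 8e-7, "B", 0.60,
                  hft=1, beta=0.10, test_interval_h=five_years_h),
        Subsystem("logic solver", 9e-8, "B", 0.90),
        Subsystem("anti-surge valve (digital valve controller + valve/actuator)", 4e-7 + 3e-7, "A", 0.60),
    ]
    return verify_sif(subsystems, target_sil=2, target_pfh=1e-6)  # -> (9.61e-7, True, True)
```

Running `compressor_example()` returns the 9.61×10⁻⁷ per hour of the text with both checks passing. Changing the sensor subsystem to a single transmitter (`hft=0`) makes the architectural check fail, since a Type B subsystem with SFF below 90% and no fault tolerance can claim no more than SIL 1 per Table 5; that is the constraint that forces the 1oo2 vote regardless of the PFH arithmetic.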

DEVICE SELECTION AND MECHANICAL INTEGRITY

A Mechanical Integrity program is a fundamental element of an overall process safety management system. Long-term safety depends on continuous and proactive inspection, preventive maintenance, and functional testing, promoting the ongoing performance of equipment involved in the processing and storage of hazardous materials. SIS and SIF Mechanical Integrity planning begins in the design phase with proper device selection, the specification of appropriate inspection and testing intervals, the development of specific inspection and testing procedures, and training for the personnel carrying out these procedures over the life of the plant.

Due to the prevalence of Low Demand Mode SIFs, the majority of IEC 61508 certified instruments may provide failure rate data appropriate only for Low Demand applications. Selection of instrumentation in more frequent or continuous use presents a challenge for High Demand and Continuous Mode SIFs, particularly with final elements, as the failure characteristics and the definition of useful life will most certainly be different. Always consult Safety Manuals and other manufacturer documentation for any devices under consideration to ensure they are intended for use in the required service, and that all of the manufacturer’s requirements can be addressed in the design and mechanical integrity plan. When certified devices are not available, a proven-in-use justification should carefully consider differences in application and frequency of operation.

In Low Demand SIFs, aside from the dangerous failure rate itself, proof test interval is the variable that has the largest impact on achieved safety integrity. For this reason the SIL verification frequently becomes the deciding factor in how often each device must be tested and what on-line testing facilities must be included in the design. Unlike Low Demand Mode SIFs, such an interval is not always considered in the PFH calculation for High Demand and Continuous Mode SIFs. This does not suggest, however, that High Demand and Continuous Mode devices are free to operate indefinitely without preventive maintenance. Periodic inspection, functional testing, and restoration to new or like-new condition must be regarded as basic requirements for SIFs of all operating modes, and all devices must be operated within their useful life, where random failures can be assumed to occur at a constant rate. Keep in mind that Low Demand Mode assumes that dangerous failures are more likely to be uncovered by a proof test than by a Demand (i.e. the mean demand interval is at least twice the proof test interval). If online testing and repair cannot take place according to the assumptions made during the analysis phase, the SIF Mode of Operation may need to be reconsidered.
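
The Low Demand criterion stated above (mean demand interval at least twice the proof test interval) is something a plant can check against its own trip records rather than leave as an analysis-phase assumption. The following is an added example, not the paper's code: it reads demand timestamps from a constructed trip log, estimates the mean demand interval for one SIF, and reports whether the Low Demand assumption still holds for a given proof test interval. The log format, the SIF tags and the dates are invented for the illustration; a real historian export would need its own parser in place of `parse_demand_times`.

```python
from datetime import datetime

HOURS_PER_YEAR = 8760

# Constructed demand records (not from the paper): ISO-8601 timestamp, SIF tag, cause,
# as a trip log or historian export might hold them. One line belongs to a different SIF.
SAMPLE_DEMAND_LOG = """\
2014-02-03T14:12:00 SIF-101 high-level trip LT-101
2014-09-17T03:45:00 SIF-101 high-level trip LT-101
2015-04-22T22:10:00 SIF-101 high-level trip LT-101
2015-11-08T09:30:00 SIF-101 high-level trip LT-101
2015-12-01T08:00:00 SIF-202 high-pressure trip PT-202
2016-06-14T17:05:00 SIF-101 high-level trip LT-101
"""


def parse_demand_times(log_text, sif_tag):
    """Return the sorted demand timestamps recorded for one SIF; malformed lines are skipped."""
    times = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[1] != sif_tag:
            continue
        try:
            times.append(datetime.fromisoformat(parts[0]))
        except ValueError:
            continue  # unparseable timestamp: not counted as a demand
    return sorted(times)


def mean_demand_interval_hours(times):
    """Mean interval between successive demands; None when fewer than two demands exist."""
    if len(times) < 2:
        return None
    span_h = (times[-1] - times[0]).total_seconds() / 3600
    return span_h / (len(times) - 1)


def classify_mode(mean_demand_interval_h, proof_test_interval_h):
    """Low Demand only if the mean demand interval is at least twice the proof test interval,
    so that a dangerous failure is more likely to be found by the test than by a demand;
    otherwise the SIF is operating in High Demand and PFDavg is no longer the right measure."""
    if mean_demand_interval_h is None:
        return "insufficient data"
    if mean_demand_interval_h >= 2 * proof_test_interval_h:
        return "Low Demand"
    return "High Demand"


def assess_demand_mode(log_text, sif_tag, proof_test_interval_h):
    """Summarize recorded demands for one SIF against its proof test interval."""
    times = parse_demand_times(log_text, sif_tag)
    mean_h = mean_demand_interval_hours(times)
    return {
        "demands": len(times),
        "mean_demand_interval_h": mean_h,
        "mode": classify_mode(mean_h, proof_test_interval_h),
    }
```

With the constructed records, SIF-101 sees a demand roughly every 5,170 hours. Against an annual proof test (8,760 hours) that is well short of the required two-to-one margin and the function is behaving as High Demand; shortening the proof test interval to quarterly restores the Low Demand assumption. A single recorded demand yields "insufficient data" rather than a mode, since one event gives no interval to estimate.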

Finally, as demands become more likely to arise, Mean Time To Restore (MTTR) becomes a much more critical variable in the achieved safety integrity. Not only may the quantity of spare parts need to be adjusted to ensure timely replacement of faulty devices, but so may the training of maintenance personnel and the methods for identification of priorities.

For further information and recommended practices regarding SIS Mechanical Integrity, refer to ISA Technical Report TR84.00.03 [7].

KEY TAKE-AWAYS

- Demand Rate must be estimated prior to determination of target safety integrity; the determination method and the measure of safety integrity change as demand rate increases.

- PFDavg cannot be converted to PFH, or vice-versa. These metrics are completely unrelated as different assumptions and variables are involved in both the determination of integrity target and verification of achieved integrity.

- Achieved PFH in the High Demand Mode is not necessarily equal to achieved PFH in the Continuous Mode. Different assumptions and variables may be involved in the verification of achieved integrity.

- Purely qualitative SIL determination methodologies may not adequately address SIF Demand Rates.

- The LOPA methodology based on the Event Tree analysis technique is capable of addressing the sequence of protection layer demands, providing a mechanism for greater precision in demand rate assessments. The sequence of IPLs may be considered in Demand Rate assessments if sufficient data is available to support estimation of the overall process safety time and the available response time allocated to each protection layer.

- SIL determination techniques do not readily account for dependencies between initiating events and protection layers. Failure to fully separate BPCS and SIS instrumentation may inadvertently place a SIF into the Continuous Mode [1, Part 1 clauses 11.2.10; 3.2.43.2].

- Demand Rates should be monitored and analyzed to validate assumptions made during the Hazard and Risk Assessment and SIL determination stages. Investigating the causes and frequencies of safety system demands is key in the continuous improvement of a safety management system [1, Part 1 clause 5.2.5].

- The meanings of Low Demand, High Demand, and Continuous Modes of SIF Operation must be understood by process risk analysts, design engineers, unit operators, and maintenance personnel.

- Just as with Safety Integrity Level, the Mode of Operation is applied to the SIF in its entirety and not to individual components.

- Safety Instrumented Functions are completely customized for each application; there can be no single collection of predetermined requirements. Design constraints and mechanical integrity practices must be determined in the context of the process and the process risk, of which Demand Rate is a key consideration.

CONCLUSIONS

Many of us more readily associate Safety Integrity Levels with the severities of the particular consequences SIFs are designed to prevent. This is of course only half of the equation, as risk is the product of consequence severity and likelihood. Hazard scenarios may require risk reduction not only due to high consequence severity, but also due to a high frequency of occurrence. The ratio of demand interval to proof test interval is of critical importance in assigning the appropriate SIF Mode of Operation and determining the applicable measure of safety integrity.

Ever-increasing safety and economic targets place competing pressures on plants and projects to design SIFs that provide for greater risk reduction, extended proof test intervals, and tighter integration with the BPCS. While the overwhelming majority of SIFs are assumed to be operating in the Low Demand Mode of Operation, the criteria that allow this to be true cannot be overlooked in favor of expedience or convenience.

Improperly estimating demand rates can result in incorrect specification and verification of safety integrity, the basis for many subsequent decisions in the SIS design process. Long term mechanical integrity may also suffer due to improperly selected field devices and inappropriate maintenance practices, ultimately resulting in over-confidence that risk tolerance targets are being achieved and sustained over time. To combat these effects, careful and conservative demand rate estimation should take a more prominent role in the determination of SIF integrity requirements.


REFERENCES

[1] IEC 61511:2003. Functional safety – Safety instrumented systems for the process industry sector, Parts 1–3. Geneva: International Electrotechnical Commission. 2003.

or

ANSI/ISA-84.00.01-2004 (IEC 61511 Mod). Functional Safety: Safety Instrumented Systems for the Process Industry Sector, Parts 1–3. Research Triangle Park: Instrumentation, Systems, and Automation Society. 2004.

[2] IEC 61508:2010. Functional safety of electrical/electronic/programmable electronic safety-related systems, Parts 1–7, Edition 2.0. Geneva: International Electrotechnical Commission. 2010.

[3] Committee Draft IEC 61511 edition 2. Functional safety – Safety instrumented systems for the process industry sector, Parts 1–3. Geneva: International Electrotechnical Commission. 2012.

[4] ISA-TR84.00.04-2011. Guidelines for the Implementation of ANSI/ISA-84.00.01-2004 (IEC 61511 Mod). Research Triangle Park: International Society of Automation. 2011.

[5] ANSI/ISA-84.91.01-2012. Identification and Mechanical Integrity of Safety Controls, Alarms, and Interlocks in the Process Industry. Research Triangle Park: International Society of Automation. 2012.

[6] ISA-TR84.00.02-2002. Safety Instrumented Functions (SIF) – Safety Integrity Level (SIL) Evaluation Techniques. Research Triangle Park: International Society of Automation. 2002.

[7] ISA-TR84.00.03-2011. Mechanical Integrity of Safety Instrumented Systems (SIS). Research Triangle Park: International Society of Automation. 2011.

[8] Layer of Protection Analysis: Simplified Process Risk Assessment. New York: Center for Chemical Process Safety of the American Institute of Chemical Engineers. 2001.

[9] Henley, Ernest J. and Hiromitsu Kumamoto. Reliability Engineering and Risk Assessment. New York: Prentice-Hall. 1981.