Figure 1-1 shows a control function and a safety instrumented function. As the name implies, control functions control pressure, level, temperature, flow, and the like. Early systems in the process industries were purely mechanical/pneumatic, then electronic, and are now software based. Do you believe control functions are perfect and will never fail? (That question usually draws giggles and grins in classes.) Do you believe designers and engineers can envision every possible hazardous situation that could occur and design control systems to prevent all of them? If that were the case, we would not need to install alarm systems (as there would never be an alarm), relief valves (as there would never be an overpressure), flare systems (as there would never be a process upset), or fire and gas systems (as there never would be a release). We obviously don’t live in such a dream world. There are many reasons why process facilities are designed with multiple layers of protection.

When a control function fails, the next layer of defense is often a safety instrumented function. The safety instrumented function in the process industry by and large does not control anything. It monitors many of the same variables, but only takes actions when a variable is outside its normal range, which generally means the control function has failed. The typical action of the safety function is to shut down the process or bring it to a predetermined safe state (e.g., recycle). This is a fundamentally different strategy compared to some other industries, such as aircraft. We don’t really want to shut down the flying process at an altitude of 35,000 feet!

Control function failures most often conjure up notions of “things” breaking down (e.g., pressure transmitter electronics burning out or going out of calibration). However, as modern digital electronics have become more reliable with respect to random faults, other classes of failure may be prevalent. Systematic failures and human actions may be the initiating causes for a potential hazard. Furthermore, as the software-based control systems become more complex, hazards are frequently emergent properties and may not be related to any physical/permanent fault (i.e., a transient interaction between the process, control system, safety function, and the human operator). Questions may then include, “Does the safety function guard against these types of failures? Has the safety function been designed to be robust with respect to systematic failures?”

Systems performing safety functions have gone by many different names: emergency shutdown system, safety shutdown system, instrument protection system, safety interlock system, safety instrumented system, and more. Different companies within the process industry still use a variety of names for these systems. The shortest and perhaps most generic term might be safety system, but this too means different things to different people. For many chemical engineers, “safety systems” refer to management procedures and practices, not instrumented systems. One very common term has been emergency shutdown system (ESD), but to electrical engineers, ESD means electrostatic discharge. To some, ESD is a means of manually shutting down the process independent to the safety system. Many don’t want the word emergency in the name at all, due to its negative connotation.

When the American Institute of Chemical Engineers’ Center for Chemical Process Safety (AIChE CCPS) published the first edition of Guidelines for Safe Automation of Chemical Processes in 1993 [1], the term it used was safety interlock system—SIS. Some members of the ISA84 committee thought the term “interlocks” was only one subset of many different types of safety-related systems.

The ISA84 committee settled on the term safety instrumented system in order to keep the same acronym used in the AIChE text—SIS. A related AIChE CCPS text titled Layer of Protection Analysis released in 2001 also uses the acronym SIS, but uses the more recent terminology of “safety instrumented system.”

The first edition of the ISA-91 standard, ANSI/ISA-91.01-1995, Identification of Emergency Shutdown Systems and Controls That Are Critical to Maintaining Safety in Process Industries, published in 1995 used the phrase emergency shutdown system with the following definition: “Instrumentation and controls installed for the purpose of taking the process, or specific equipment in the process, to a safe state. This does not include instrumentation and controls installed for nonemergency shutdowns or routine operations. Emergency shutdown systems may include electrical, electronic, pneumatic, mechanical, and hydraulic systems (including those systems that are programmable).” In other words, these systems are designed to respond to conditions of a plant, which may be hazardous in themselves, or if no action were taken could eventually give rise to a hazardous event. They must generate the correct outputs to prevent or mitigate the hazardous event.

The international community has other ways of referring to these systems. The International Electrotechnical Commission Standard 61508-1 (IEC 61508-1:2010), Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems – Part 1: General Requirements [2], first published in 1998 used the term safety-related systems, but also introduced the combined acronym E/E/PES. As used in the title, E/E/PES stands for electrical, electronic, and programmable electronic. In other words, relay, solid-state, and software-based systems.

The standards generally focus on systems related to personnel safety. However, the same concepts apply to systems designed to protect equipment, the environment, and company reputation. After all, there are more things at risk to a company than just people.

As with any subject, there are a variety of acronyms and technical terms. Some terms do not have complete agreement or common usage in industry and different texts. This naturally adds to the confusion. Unless otherwise noted, all the terms used in this text are defined in ISA-61511-1-2018, Functional Safety – Safety Instrumented Systems for the Process Industry Sector – Part 1: Framework, Definitions, System, Hardware and Application Programming Requirements [3]. Acronyms are typically defined the first time they are used and other terms are explained where appropriate.

This book is intended for the thousands of professionals employed in the process industries who are involved with safety instrumented systems in any way and who are expected to follow the appropriate industry standards. These individuals are employed by end users, engineering firms, system integrators, consultants, and vendors. Managers and sales individuals will also benefit from a basic understanding of the material presented.

The first edition of the ISA-84 standard, ISA-84.01-1996, Application of Safety Instrumented Systems for the Process Industries, was published in 1996 and defined the intended audience as those who are involved in areas of “design and manufacture of SIS products, selection, and application, installation, commissioning, and prestart-up acceptance testing, operation, maintenance, documentation, and testing.” Basically, if you’re involved with safety systems in any way, there are portions of the standards and this book that will be of interest to you.

The first edition of the standard also defined the process industry sector as “those processes involved in, but not limited to, the production, generation, manufacture, and/or treatment of oil, gas, wood, metals, food, plastics, petrochemicals, chemicals, steam, electric power, pharmaceuticals, and waste material(s).” Following editions had similar definitions.

Would you rather learn from the mistakes of others, or make them all yourself? We learn better when we make our own mistakes. However, we’re engineering industrial processes—and using computer-based systems to control them—that have the potential for large-scale destruction. Single accidents are often disastrous and have resulted in multiple fatalities and significant financial losses. We simply do not have the luxury of learning process safety by trial and error. We must try to anticipate and prevent accidents before they occur. This has been one of the hard lessons learned from past accidents and why various process safety legislation has been passed in different parts of the world. Similarly, many U.S. states passed legislation requiring the involvement of Professional Engineers after various engineering disasters that resulted in the deaths of hundreds of people. Hopefully this book, in its own little way, will help make the world a safer place.

This book is a practical “how to” on the analysis, specification, selection, design, installation and maintenance of safety instrumented systems. It includes practical knowledge needed to apply safety instrumented systems. It will hopefully serve as a guide for implementing the procedures outlined in various standards.

Aren’t the standards alone enough? The answer depends upon you and your company’s knowledge and experience. The normative (mandatory) portion of ISA-84.01-1996 was only about 30 pages long, with about 80 pages of annexes and informative material. While committee members knew what certain phrases and requirements meant, not everyone else did. Some committee members wanted certain wording to be specifically vague in order to have the freedom to be able to implement the requirements in different ways. Others wanted clear-cut prescriptive requirements. The second edition of the standard contained much more detail. Part 1 of the standard—the normative portion—was over 80 pages in length. Part 2—the informative portion on how to implement Part 1—was also over 80 pages. Part 3 of the standard summarized various safety integrity level selection techniques and was over 60 pages in length. The ISA84 committee felt additional material was still needed. At the time of this writing, eight additional technical reports have been written, totaling over 500 pages. Topics of the technical reports include system modeling, mechanical integrity, guidelines on implementing the standard, burner management systems, safety fieldbuses, fire and gas systems, wireless, and cybersecurity. Many of the technical reports have gone through multiple revisions.

Standards aren’t written to teach. They tell you what to do, but not necessarily why, or even how to do it. They are often dry, boring, and downright painful to read. This book is intended to both explain and teach, and do it in a manner that is easier and more enjoyable to read. (Earlier variations of this book have consistently received high ratings and received “best seller” awards.) This book covers the entire life cycle of safety instrumented systems, from determining what sort of systems are required through decommissioning. It covers the difference between process control and safety control, the separation of control and safety, independent protection layers, determining safety integrity levels, logic system and field device issues, installation, maintenance, and management of change—...