Do you need a safety instrumented function? Design and validation of SIFs
31 May 2016
Pilz Ireland, in conjunction with Engineers Ireland and the Institution of Chemical Engineers (IChemE), presented a seminar on 26 April on ‘Process Safety’ to an audience made up of EHS and engineering leaders from across the process sector including pharma, healthcare, medical devices, energy, food and beverage and education.
As the latest practical methods for process-safety analysis and implementation continue to be a crucial aspect of health and safety in the process industry, Denis Ring of IChemE (UCC) and Cillian O’Sullivan of Engineers Ireland (CIT) asked Pilz to host a seminar for an industry audience on its methodology and experience in delivering safety consultancy and engineering services to process-related companies all over the world. The central question posed by the seminar was: ‘Do I need a safety instrumented function?’
Process-safety experts from Pilz including Benny McHugh (senior automation engineer), Darragh O’Brien (senior process engineer) and Aisling O’Leary (process engineer) outlined industry best practice, not only in identifying the need for a safety instrumented system in a process environment, but also how to implement the best solutions by using the process-safety lifecycle.
By following this lifecycle approach from the hazard and operability study (HAZOP), layer of protection analysis, through the design phases to implementation and validation of the safety functions, a successful process-safety project can be conducted in a structured and fully traceable manner to achieve the optimum result.
A safety instrumented function (SIF) is a set of components used to mitigate the risk posed by a major hazard by transitioning the process from an operational to a safe state when defined safety parameters are breached or exceeded. If this safe state is not reached, the anomaly or failure can propagate and cause system damage or serious injury, as well as possible environmental impact.
A SIF comprises all the instrumentation associated with the safety function, including sensors, controls and actuators: for example, a temperature sensor to detect overheating and an isolation valve to isolate the system should the temperature exceed a specified level.
The unique safety challenges of process production in industries such as pharmaceuticals have been well known over the years, and the consequences of not having adequate safety functions have been contributory factors in high-profile incidents such as Buncefield, Bhopal and BP Texas City. While the concept of SIFs within the process industries may be well known, the level of understanding can vary, especially in the latter phases of the process-safety lifecycle such as validation, maintenance and inspection.
The basis of process safety is founded upon relevant health and safety legislation, primarily EU Directives such as the ATEX, Machinery, Pressure Equipment and Seveso III Directives. In this jurisdiction, provisions of the Safety, Health and Welfare at Work Act 2005 are also relevant in so far as they relate to the general duties of an employer in regards to the safety of its workers.
Compliance with these primary legal obligations is supported by international standards that specifically relate to process safety, such as IEC 61882, which serves as an application guide for HAZOP studies, and IEC 61511, which covers functional safety through safety instrumented systems for the process industry throughout the whole process lifecycle.
The Pilz seminar set out the features of an effective HAZOP study, which is the first step in the process-safety lifecycle and acts as a qualitative method of identifying process-related hazards. Such hazards typically include the release of toxic, flammable or explosive substances which could result in a range of consequences from a disruption to damage, both material and environmental, and even serious injury or death.
A well-structured HAZOP will identify how deviations from the design intent of the process may adversely affect the operability of the process and pose such potential hazards. The construction or addition of any new chemical process should be the subject of a HAZOP, as should any process change. All the equipment associated with the change, such as centrifuges, dryers, distillation columns and solvent transfer systems, as well as relevant utilities such as the cooling water supply, should be included within the scope of the HAZOP study.
The study itself should follow a highly structured, risk-assessment methodology carried out by a multi-discipline team of relevant technical personnel to identify all process-related hazards. Initially, scoping the ‘design intent’ for the system by examining design-related technical documentation such as piping and instrumentation drawings, process flow, electrical and loop schematics as well as original equipment manufacturer (OEM) specifications and certificates of compliance will create a more comprehensive and focused study.
It is also important to include all relevant ancillary systems such as utilities, vents and drains, and to cover all process stages from start-up to maintenance, servicing and cleaning. The study can be significantly undermined if the HAZOP group does not include the participants with the best knowledge of the existing or planned process. With all the relevant information and expertise in place within a properly scoped study, the process-related hazards or deviations can be identified and tabulated according to frequency and severity. Cross-referencing these two parameters yields a risk matrix that flags issues ranging from low- to high-consequence scenarios.
Under the safety process model, those hazards identified as having the potential for a high-consequence scenario should be further examined under layer of protection analysis (LOPA). For example, a process deviation such as a temperature increase caused by the failure of a control valve which, according to the HAZOP, could lead to excess heating or an exothermic reaction may be assessed as having a high severity level.
Such high-consequence scenarios should be subject to further assessment under LOPA, which then recommends the measures for reducing the risk they pose to an acceptable level. Only this subset of hazards should therefore be carried forward to the LOPA phase. While it could be proposed that all hazards be considered under LOPA, this would be an inappropriate application of a quantitative method, leading to over-specification or duplication of safety measures that are not required and which may actually create hazards of their own.
Layer of protection analysis
LOPA is a methodology commonly used internationally, but it is not so widely implemented within the Irish process industry. The Pilz process-safety experts highlighted its value to a process manufacturer as a quantitative engineering tool for ensuring that process risks are mitigated to an acceptable level successfully and cost-effectively, and for establishing the most appropriate safety solutions.
While the HAZOP creates a set of prioritised deviations through the hazard-rating analysis, LOPA examines in detail the relevant safeguards or protection layers in place to mitigate only the high-consequence hazards identified, and makes recommendations accordingly. Companies that move directly from the HAZOP phase to implementing a SIF, without properly analysing the high-consequence hazards in the context of layers of protection, are missing a valuable method of enhancing safety in a cost-effective manner.
By proceeding without this interim step, process companies may tend to address every hazard identified in a way that is not only costly but also adds unnecessary protections that compromise operability and may even introduce extra, unidentified hazards and unsafe practices. Conversely, high-consequence hazards that are not evaluated in terms of layers of protection, or gaps in the layers that mitigate them, may lead to under-specification and leave the process exposed.
Using the cause-and-consequence pairings of the high-consequence hazards from the HAZOP, together with any other available risk-assessment documentation, those hazards are further evaluated by calculating their frequency and severity. The consequences, whether safety, environmental or economic, must be mitigated to the point of acceptable risk with reference to the relevant process-safety standards or any corporate standards.
If the risk is not determined to be acceptable, then the layers of protection must be examined and the likelihood of their failure analysed. Independent layers of protection may be required to mitigate the risk and they must be recommended on the basis of their complete independence from the initiating or causal event.
The performance of a SIF is measured using a safety integrity level (SIL) analysis of the function, which acts as a reference for its design, operation and maintenance as prescribed by IEC 61511. The SIL is established by assessing the probability of the safety function failing on demand, against four reference levels. A higher SIL indicates a lower probability of failure and, therefore, better system performance. Any increase in SIL usually involves greater complexity in the safety function and, therefore, may have cost implications.
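The LOPA steps just described (multiply the initiating-event frequency by the probability of failure on demand of each credited independent layer, compare the result with the tolerable frequency, and derive the risk reduction and SIL a new SIF must provide) can be worked through in code. The example below is added here and is not a Pilz tool or part of the seminar material. It uses the control-valve failure scenario mentioned above with constructed, illustrative numbers (initiating frequency, enabling probability, layer PFDs and the tolerable frequency are all assumptions, not values from the page); the SIL bands are the IEC 61511 low-demand-mode target bands. It also goes one step beyond the text by showing that a layer which is not independent of the initiating event earns no credit, and that crediting one more genuinely independent layer can remove the need for a SIF altogether.

```python
"""Worked LOPA-to-SIL calculation (added example; all numbers are constructed)."""
import math
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ProtectionLayer:
    name: str
    pfd: float                  # probability of failure on demand (assumed value)
    independent: bool = True    # independent of the initiating event and of other layers?


@dataclass
class Scenario:
    description: str
    initiating_frequency: float         # initiating-event frequency, events per year
    tolerable_frequency: float          # acceptable mitigated frequency, per year
    enabling_probability: float = 1.0   # e.g. fraction of time the hazard can materialise
    layers: List[ProtectionLayer] = field(default_factory=list)


def credited_layers(scenario: Scenario) -> List[ProtectionLayer]:
    """Only layers independent of the cause (and of each other) count as IPLs."""
    return [layer for layer in scenario.layers if layer.independent]


def mitigated_frequency(scenario: Scenario) -> float:
    """Consequence frequency after the credited layers: f0 * P_enable * prod(PFD_i)."""
    freq = scenario.initiating_frequency * scenario.enabling_probability
    for layer in credited_layers(scenario):
        freq *= layer.pfd
    return freq


def required_risk_reduction(scenario: Scenario) -> float:
    """Risk-reduction factor (RRF) a new SIF must provide; <= 1 means none is needed."""
    return mitigated_frequency(scenario) / scenario.tolerable_frequency


def sil_for_rrf(rrf: float) -> Optional[int]:
    """Map an RRF to an IEC 61511 low-demand SIL band.

    SIL 1: PFD 1e-2 <= PFD < 1e-1 (RRF >10 to 100); SIL 2: 1e-3 <= PFD < 1e-2;
    SIL 3: 1e-4 <= PFD < 1e-3; SIL 4: 1e-5 <= PFD < 1e-4.
    Returns 0 when no SIF is required (RRF <= 10) and None when the RRF exceeds
    what SIL 4 covers, i.e. the process should be redesigned rather than
    relying on a single SIF.
    """
    if rrf <= 10:
        return 0
    # round() removes floating-point noise so that exact powers of ten land on the right band
    sil = math.ceil(round(math.log10(rrf), 9)) - 1
    return sil if sil <= 4 else None


def specify_sif(scenario: Scenario):
    """Return (SIL, required PFD) for a new SIF; (0, None) if existing layers suffice."""
    rrf = required_risk_reduction(scenario)
    sil = sil_for_rrf(rrf)
    return sil, (1.0 / rrf if sil else None)


# Constructed scenario based on the control-valve failure example in the text.
# The BPCS temperature loop is NOT credited: its valve failure is the initiating event.
EXAMPLE = Scenario(
    description="Control valve fails open -> reactor temperature excursion",
    initiating_frequency=0.1,      # assumed: one failure per ten years
    tolerable_frequency=1e-5,      # assumed corporate criterion, per year
    enabling_probability=0.5,      # assumed: hazardous batch step runs half the time
    layers=[
        ProtectionLayer("BPCS temperature control loop", pfd=0.1, independent=False),
        ProtectionLayer("High-temperature alarm + operator response", pfd=0.1),
    ],
)

# Same scenario with an additional, genuinely independent mechanical layer credited.
EXAMPLE_WITH_RELIEF = Scenario(
    description=EXAMPLE.description + " (pressure relief credited)",
    initiating_frequency=0.1,
    tolerable_frequency=1e-5,
    enabling_probability=0.5,
    layers=EXAMPLE.layers + [ProtectionLayer("Relief valve", pfd=0.01)],
)

if __name__ == "__main__":
    for s in (EXAMPLE, EXAMPLE_WITH_RELIEF):
        sil, pfd = specify_sif(s)
        print(f"{s.description}")
        print(f"  credited IPLs      : {[l.name for l in credited_layers(s)]}")
        print(f"  mitigated frequency: {mitigated_frequency(s):.2e} /yr")
        print(f"  required RRF       : {required_risk_reduction(s):.1f}")
        print(f"  SIF specification  : SIL {sil}, target PFD {pfd}" if sil else "  no SIF required")
```

For the first scenario the mitigated frequency is 5e-3 per year against a target of 1e-5, so the SIF must deliver an RRF of 500, i.e. a PFD of 2e-3, which falls in the SIL 2 band. Crediting the relief valve brings the mitigated frequency to 5e-5 per year (RRF 5), so no SIF is needed, which is exactly the cost-effective outcome the text says LOPA is meant to surface before a SIF is specified.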
While LOPA can be applied to both new and existing process projects, the relevant documentation such as OEM specification for new components e.g. a pressure sensor and its associated controllers, is usually more available and accurate in new projects. For existing components, a degree of investigation may be involved if OEM documentation is missing or out of date and, therefore, the availability of comprehensive and accurate technical data on the process and supporting utility-related components can have an effect on the efficacy of the LOPA study.
There are clear benefits to using LOPA for high-consequence scenario analysis, as the study can identify significant process-safety aspects not necessarily revealed by a qualitative analysis. As LOPA represents both a compliant and an industry best-practice approach, it results in an objective, statistical determination of the protection required and a direct, clear specification of the most effective SIF and its associated SIL. Because of this clarity and consistency, LOPA can also identify other responses or measures, such as adding further layers of protection, process modifications or changes in procedure.
Once a well-executed LOPA study has been implemented, it enables all stakeholders to appreciate fully the benefits and performance of the process and safety functions so as to select the best safety solution based on an objective and traceable basis.
The seminar was well received by all attendees who welcomed the opportunity to consider the most current international industry practice and how it relates to ensuring compliance and safety for those who work in the Irish process manufacturing sector. The emphasis on the process-safety lifecycle enabled the attendees to gain a greater understanding of all the steps that need to be considered when planning and implementing a process safety project.
Pilz Ireland Safety Services
Pilz Ireland specialises in providing project management and essential, professional safety consulting and engineering services to the manufacturing, process and other industry sectors locally in Ireland. Pilz offers a portfolio of services enabling companies to comply with statutory regulations and achieve planned safety goals. Clients include global manufacturers within the typical industrial sectors served by the group, in particular the pharmaceutical, medical device and food & beverage sectors. The business areas within the services group are:
► Process automation safety;
► Machinery safety services;
► Process safety services;
► Project management; and,
► Safety training.