When people think of automation applied to industry, they think of increased
productivity and profits. But, when specialized systems are applied for the
purpose of critical control, the goal is not solely one of protecting the bottom
line. Instead, the goal is achieving the delicate balance between safety and
productivity. One extreme can drive you to over-instrument a process, resulting
in increased safety while sacrificing profits and competitive advantage, and the
other extreme can drive you to invest less capital and under-instrument a
process at the expense of plant safety. So, where is the balance?
Many factors, including operating philosophies, industry mandates and tools
like the HAZOP (Hazards and Operability) study, affect the application of safety
technologies and components to a particular process. Industry mandates,
operating philosophy, acceptable "fatal accident rate" (FAR), demand
rate, "mean time between failure" (MTBF) data, and severity of service
all play a part in safety instrumented system (SIS) development. Examining
each of these factors independently can quickly become overwhelming, but by
assembling them as pieces of a puzzle, the whole picture soon becomes clear.
Falling in Place
As an example, a recent survey of 16 municipal transit systems revealed the
standard application of safety integrity level (SIL) 0 for third rail power
de-energization and "stuck in door" detection systems. Historically,
relay-based systems with an unspecified test frequency (>5 years) were the
standard for these transportation industry applications. Now, although many of
these systems are being upgraded to programmable logic controllers, common
practice continues to implement non-redundant technologies with an
"energize to trip" methodology. These systems, used almost exclusively
for "human life protection," would be assigned a much higher SIL
in other industries.
While some municipalities (<30% of those surveyed) are upgrading to high-tech,
voted redundancy systems, the majority still operate with the "energize to
trip" philosophy, in which a failure of the human life protection system
does not shut the system down. Additionally, many of these systems have a variety
of "common mode failure" (CMF) points, including untested,
non-redundant field sensors and control devices. Ultimately, these agencies
assume the risk of a traveler, security officer, or maintenance worker
contacting the 750-volt third rail. This has been justified by accepting a
higher FAR and applying a low demand rate to the statistically based system
performance calculation. The result is a very low SIL requirement.
At the other end of the spectrum, an industry such as petrochemicals,
operating in a manufacturing process environment, must accept industry
established guidelines and mandated "best engineering practice." For
safety applications, their operating philosophy is typically "de-energize
to trip," which shuts down the process automatically in the event of a
human life protection system failure. These industries traditionally accept very
low FARs, which alone can drive all applications to the highest SIL levels. In
addition, process industry engineering guidelines bring to light other
issues, such as the source of MTBF data and the severity of service: simply
using the most favorable MTBF data for a device, and disregarding the severity of
the environment in which the device is being used, can understate the SIL
requirement of the safety instrumented system.
For example, a control device tested at room temperature, under moderate
conditions, will perform according to the published MTBF data if the device is
later applied under those same conditions. Problematically, that same unit,
asked to perform in extreme temperatures within a corrosive atmosphere, will
not produce the same MTBF. To counteract the negative effects of
misapplied MTBF data and environmental severity, the user must apply
redundancy and some form of dynamic testing at a frequency that maintains the
required level of safety instrumented system performance.
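As an added illustration, not taken from the article, the following script shows how the "statistically based system performance calculation" turns MTBF data, service severity, proof-test interval and redundancy into an average probability of failure on demand (PFDavg) and a SIL band. It uses the simplified low-demand PFDavg formulas of IEC 61508-6 for 1oo1 and 1oo2 architectures and the IEC 61508 low-demand SIL bands; the dangerous-failure fraction, the severity multiplier applied to the published MTBF and the common-cause beta factor are assumed inputs chosen for the example.

```python
HOURS_PER_YEAR = 8760.0

def dangerous_undetected_rate(mtbf_hours, dangerous_fraction=0.5):
    """lambda_DU per hour: failure rate 1/MTBF, of which an assumed fraction is
    dangerous and goes undetected until the next proof test (no diagnostics)."""
    return (1.0 / mtbf_hours) * dangerous_fraction

def pfd_avg_1oo1(lam_du, test_interval_hours):
    """Simplified IEC 61508-6 PFDavg for a single (non-redundant) channel."""
    return lam_du * test_interval_hours / 2.0

def pfd_avg_1oo2(lam_du, test_interval_hours, beta=0.0):
    """Simplified PFDavg for a 1-out-of-2 voted pair: independent-failure term
    plus a beta-factor common-cause term (the article's 'common mode failure')."""
    ti = test_interval_hours
    independent = ((1.0 - beta) * lam_du * ti) ** 2 / 3.0
    common_cause = beta * lam_du * ti / 2.0
    return independent + common_cause

def sil_from_pfd(pfd):
    """IEC 61508 low-demand bands; 0 means the loop does not reach SIL 1."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4

def scenario(mtbf_hours, test_interval_years, severity_factor=1.0,
             redundant=False, beta=0.0):
    """Return (PFDavg, SIL). severity_factor > 1 derates the published MTBF
    for harsh service (assumed multiplier, not a standard figure)."""
    lam = dangerous_undetected_rate(mtbf_hours / severity_factor)
    ti = test_interval_years * HOURS_PER_YEAR
    pfd = pfd_avg_1oo2(lam, ti, beta) if redundant else pfd_avg_1oo1(lam, ti)
    return pfd, sil_from_pfd(pfd)

if __name__ == "__main__":
    published_mtbf = 100 * HOURS_PER_YEAR  # constructed: vendor figure, benign lab conditions
    cases = [
        ("1oo1, favorable MTBF, 5-year test", dict(test_interval_years=5)),
        ("1oo1, harsh service (MTBF/10), 5-year test", dict(test_interval_years=5, severity_factor=10)),
        ("1oo2 beta=0.1, harsh service, annual test", dict(test_interval_years=1, severity_factor=10, redundant=True, beta=0.1)),
        ("1oo2 beta=0.1, favorable MTBF, annual test", dict(test_interval_years=1, redundant=True, beta=0.1)),
    ]
    for label, kw in cases:
        pfd, sil = scenario(published_mtbf, **kw)
        print(f"{label:48s} PFDavg={pfd:.2e}  SIL {sil}")
```

The second and third cases show the article's point: derating the MTBF for service severity drops a single untested channel below SIL 1, and redundancy plus a shorter test interval recovers a usable SIL, with the common-cause term, not the independent term, dominating the result.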
While these two scenarios are based upon divergent industry philosophies,
they still serve to emphasize that the effectiveness of the SIS can be
affected in many ways. In the final review, it is the integrity of the hazard
and risk analysis, combined with the reliability of the applied data, that will
strike the balance and define the application's true SIL value. Only then can an
appropriately rated SIS be specified and correctly applied.