B.4.1 Safety Instrumented Systems (SIS) can be developed using Electrical, Electronic or Programmable Electronic (E/E/PE) technologies.
B.4.2 A hybrid scheme combining technologies (e.g., PE, Electrical, etc.) may be used to develop a SIS.
B.4.3 There are other technologies that can be used other than E/E/PE in the design of an SIS, such as pneumatics, hydraulics, etc. These technologies are outside the scope of this standard (see 1.2.9).
B.4.4 Electrical technology used in SISs
B.4.4.1 Direct-wired systems
B.4.4.1.1 Direct-wired systems have the discrete sensor directly connected to the final element. This technology can only be used in the simplest applications. There is minimal diagnostic coverage, so proof testing frequency may have to be increased.
ANSI/ISA-S84.01-1996 61
B.4.4.2 Electromechanical devices
B.4.4.2.1 Electromechanical devices include relays and timers. Relays are often used where simple logic functions are adequate to provide the necessary safety logic. Extensive operating experience with relays and their mature technology make acceptance of this device in a SIS widespread.
B.4.4.2.2 Standards and guidelines for implementing electromechanical relays in SIS applications are available to users (see Reference C.4). Unsafe failure modes of relays can also be quantified.
B.4.4.2.3 Successful users of relays in safety applications have followed some simple guidelines. They include using a relay that
a) has a good in-plant track record;
b) has the proper "fail-to-shelf" position (e.g., position when completely disconnected) characteristics when installed;
c) is found reliable through life-cycle testing;
d) is user approved for safety applications; and
e) is suitable for the environment in which it is placed (e.g., hermetically sealed).
B.4.4.2.4 The relay SIS has other attributes that should be considered:
a) The on/off status can be readily obtained by checking contact position (e.g., open or closed).
b) Its interconnected logic is very difficult to change (requires rewiring).
c) It is simple and understood by plant personnel and can be easily supported.
d) It is easily identified and secured as a critical control device.
e) It has failure modes that can be isolated to reduce common mode failures.
B.4.4.2.5 Relay logic should not be considered inherently fail-safe. Even if the relays are properly selected and applied, the contacts may weld and the spring may not return the switching contacts to the de-energized position.
B.4.4.2.6 Electromechanical relay logic systems should consider the following criteria:
a) Contacts open on coil de-energization or failure.
b) The coil has gravity dropout or dual springs.
c) Contacts are of proper material and rating.
d) Energy limiting load resistance is installed to prevent contacts from welding closed.
e) Proper arc suppression of the contacts is provided for inductive loads.
B.4.4.2.7 There are low energy loads (e.g., 50 volts or below and/or 10 mA or below) that require special contact materials or designs (e.g., hermetically-sealed contacts) to eliminate oxidation build-up on contacts resulting in unreliable operation (e.g., load dropout). This is referred to as contact-wetting. When utilizing these special contacts, specific failure mode analysis is needed for these contacts to ensure that a fail-safe electromechanical system is being designed.
COPYRIGHT 2003; The Instrumentation, Systems, and Automation Society
B.4.4.2.8 Electromechanical relays may not be suitable for SIS applications with
a) high duty-cycles resulting in frequent state changes;
b) timers or latching functions;
c) complex math functions;
d) analog measurements; and
e) large logic applications.
B.4.4.3 Motor driven timers
B.4.4.3.1 Motor driven timers provide acceptable performance for key safety applications such as burner purge timing. Most motor driven timers require a locking device or appropriate modification to eliminate tampering with critical settings. Motor driven timers are limited in timing resolution and the ability to handle high duty cycles.
B.4.5 Electronic technology used in SISs
B.4.5.1 Solid state relays
B.4.5.1.1 Solid state relays are used in high duty-cycle application and have unsafe failure modes that can be identified and quantified. Appropriate design features should be added to handle these unsafe failure modes. Some additional applications of solid state relays are described in the following paragraphs.
B.4.5.2 Solid state timers
B.4.5.2.1 Solid state timers are used where the application's complexity does not warrant a PES. Solid state timer technology can be categorized as either Resistor-Capacitor (RC) circuit or pulse counting. RC timing devices may not be suitable for safety applications because of poor repeatability and unsafe failure modes. Note that RC circuitry is often used in the time setting portion of pulse-counting timers; this does not preclude the use of these timers.
B.4.5.2.2 The pulse-counting timer, sometimes referred to as a digital timer, can use a number of methods to achieve pulse counting. These include
a) a line frequency (50 or 60 Hz);
b) an electronic oscillator; and
c) a quartz crystal oscillator.
B.4.5.2.3 A user-approved safety crystal oscillator (e.g., quartz) timer is recommended because of high repeatability and good reliability.
B.4.5.3 Solid state logic
B.4.5.3.1 Solid state logic refers to the transistor family of components like Complementary Metal Oxide Semiconductor (CMOS), Resistor-Transistor Logic (RTL), Transistor-Transistor Logic (TTL), and High Noise Immunity Logic (HNIL). These components are assembled in stand-alone modules, plug-in board modules, or in highly integrated, high-density chips. They differ from typical computer-type equipment in that they have no Central Processing Unit (CPU). They perform according to the logic obtained by the direct-wiring techniques of interconnecting the various logic components such as ANDs, ORs, and NOTs. These systems have limitations in fail-safe requirements (e.g., indeterminate failure modes) that should be recognized.
B.4.5.3.2 Solid state logic has generally been integrated with direct-wiring and relay schemes for SIS. Solid state logic is not recommended for SISs unless provided with additional diagnostics to test for unsafe failure modes. PESs are sometimes used as a diagnostic tool to make solid state logic systems suitable for SIS.
B.4.5.4 Pulsed electronic logic
B.4.5.4.1 Pulsed electronic logic generates pulses with a specified amplitude and period. A pulse train is recognized as a logic "true" or "one," while all other signals (e.g., grounds, non-specified pulses, and continuous "on" or "off") are recognized as a logic "false" or "zero."
B.4.5.4.2 Pulsed electronic logic can be considered in a SIS if it meets the requirements noted in this standard and is user approved.
B.4.5.4.3 Pulsed electronic logic can offer high safety integrity. However, PES designs offer some functions that may not be available with pulsed solid state systems or electronic logic such as calculation capability, improved communications, and networking.
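The rule in B.4.5.4.1 is what makes pulsed logic fail-safe: a signal that is merely present is not enough, it has to keep changing in the specified way. The following classifier is an added example written for this annex, not code from the standard or from any vendor's pulsed-logic product. It samples a logic line into a buffer and returns "true" only for a pulse train of the assumed width and period; a stuck-high line, a grounded line, a train of the wrong period, and a train that freezes part-way through the window all decode as "false". The period, width, tolerance and minimum cycle count are illustrative assumptions, and `fill_train` builds constructed test signals.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed pulse specification, in samples (illustrative values). */
#define PULSE_PERIOD 8u   /* expected samples between rising edges          */
#define PULSE_WIDTH  4u   /* expected samples the pulse stays high          */
#define PULSE_TOL    1u   /* allowed deviation from nominal, in samples     */
#define MIN_CYCLES   3u   /* full cycles required before declaring "true"   */

static int within(size_t value, size_t nominal, size_t tol)
{
    return value + tol >= nominal && value <= nominal + tol;
}

/* Returns 1 (logic true) only for a well-formed pulse train; 0 otherwise.
 * Stuck-high, stuck-low/grounded, non-specified period or width, and a
 * train that stops inside the window are all reported as logic false. */
int pulse_logic_true(const unsigned char *s, size_t n)
{
    size_t last_rise = 0, cycles = 0;
    int seen_rise = 0;

    for (size_t i = 1; i < n; i++) {
        if (s[i] > 1 || s[i - 1] > 1)
            return 0;                              /* not a valid logic level */
        if (s[i - 1] == 0 && s[i] == 1) {          /* rising edge */
            if (seen_rise) {
                if (!within(i - last_rise, PULSE_PERIOD, PULSE_TOL))
                    return 0;                      /* non-specified period */
                cycles++;
            }
            seen_rise = 1;
            last_rise = i;
        } else if (s[i - 1] == 1 && s[i] == 0 && seen_rise) {   /* falling edge */
            if (!within(i - last_rise, PULSE_WIDTH, PULSE_TOL))
                return 0;                          /* non-specified pulse width */
        }
    }
    return cycles >= MIN_CYCLES;
}

/* Constructed test signal: a train of the given period and width that is
 * frozen high ("continuous on") from sample freeze_at onward. Pass n as
 * freeze_at for a healthy train. */
void fill_train(unsigned char *buf, size_t n, size_t period, size_t width, size_t freeze_at)
{
    for (size_t i = 0; i < n; i++)
        buf[i] = (i < freeze_at) ? (unsigned char)((i % period) < width) : 1;
}

int main(void)
{
    unsigned char sig[64];
    fill_train(sig, 64, PULSE_PERIOD, PULSE_WIDTH, 64);
    printf("healthy train: %d\n", pulse_logic_true(sig, 64));
    fill_train(sig, 64, PULSE_PERIOD, PULSE_WIDTH, 20);
    printf("frozen high  : %d\n", pulse_logic_true(sig, 64));
    fill_train(sig, 64, 6, 3, 64);
    printf("wrong period : %d\n", pulse_logic_true(sig, 64));
    return 0;
}
```

The width check is what catches a driver that keeps the line high between pulses, and the cycle count is what prevents a single glitch from being accepted as a train; both belong in the specific failure mode analysis the standard asks for before the technology is user approved.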
B.4.6 PES technology used in SIS
B.4.6.1 The PES can be a programmable controller, a distributed control system controller, or an application-specific stand-alone microcomputer. Caution should be used when using personal computers, since they generally do not have the safety integrity required for SIS applications.
B.4.6.2 The use of PES results in many difficult to recognize failure modes, many of which can be unsafe.
B.4.6.3 Some techniques that can be used to minimize the unsafe failure modes of PES are
a) extensive diagnostics to detect covert faults (see B.9 for guidance);
b) use of redundancy, fault tolerance (e.g., 2oo3), and similar architectures;
c) use of Watchdog Timers, both internal and external; and
d) use of outputs with diagnostics to detect output module failures.
B.4.6.4 Select PES technology for SIS when
a) there are large numbers of Input/Output, or many analog signals;
b) logic requirements are complex, or the logic includes computational functions;
c) extensive data communications with the BPCS is required; and
d) different trip points are required for different operations (e.g., batch application recipe selection).
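The four countermeasures listed in B.4.6.3 fit together in a single scan of PES safety logic. The code below is an added example written for this annex, not code from the standard or from any PES vendor. It assumes a de-energize-to-trip final element, three channels each carrying a raw trip demand plus the verdict of its own diagnostics (item a), a 2oo3 vote in which a diagnosed channel fault counts as a trip demand so that covert faults degrade toward the safe state (item b), a software watchdog that the scan loop must kick within an assumed timeout (item c), and an output read-back compared against the previous scan's command (item d). All names, structures and thresholds are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* One input channel: its raw demand and the result of its diagnostics (a). */
typedef struct {
    bool trip;      /* true = this sensor/channel demands a trip            */
    bool faulted;   /* true = channel diagnostic failed (range, stuck, comms) */
} channel_t;

/* (b) 2oo3 vote with diagnostic degradation: a faulted channel is counted as
 * a trip demand, so a covert input fault moves the vote toward the safe
 * (de-energized) state rather than masking a genuine demand. */
bool vote_2oo3_trip(const channel_t ch[3])
{
    int demands = 0;
    for (int i = 0; i < 3; i++)
        if (ch[i].trip || ch[i].faulted)
            demands++;
    return demands >= 2;
}

/* (c) Watchdog: the scan loop must call wd_kick() at least every WD_TIMEOUT
 * ticks; an external hardware watchdog would apply the same rule to the CPU. */
#define WD_TIMEOUT 3u
typedef struct { uint32_t last_kick; } watchdog_t;

void wd_kick(watchdog_t *w, uint32_t now) { w->last_kick = now; }
bool wd_expired(const watchdog_t *w, uint32_t now) { return (now - w->last_kick) > WD_TIMEOUT; }

/* (d) Output diagnostic: the energized state read back from the output module
 * must match what was commanded on the previous scan. */
bool output_readback_ok(bool prev_cmd_energized, bool readback_energized)
{
    return prev_cmd_energized == readback_energized;
}

/* One scan. Returns the energize command for the final element: true keeps
 * the process running, false trips. Any detected fault forces false. */
bool safety_scan(const channel_t ch[3], const watchdog_t *wd, uint32_t now,
                 bool prev_cmd_energized, bool readback_energized)
{
    if (wd_expired(wd, now))                                           /* scan loop stalled   */
        return false;
    if (!output_readback_ok(prev_cmd_energized, readback_energized))   /* output module fault */
        return false;
    if (vote_2oo3_trip(ch))                                            /* process demand      */
        return false;
    return true;
}

int main(void)
{
    watchdog_t wd = { 0 };
    channel_t ch[3] = { {false, false}, {false, false}, {false, false} };
    uint32_t now = 1;

    wd_kick(&wd, now);
    printf("healthy scan     : %d\n", safety_scan(ch, &wd, now, true, true));
    ch[0].trip = true;      /* one genuine demand ...            */
    ch[1].faulted = true;   /* ... plus one diagnosed input fault */
    printf("degraded 2oo3    : %d\n", safety_scan(ch, &wd, now, true, true));
    printf("readback mismatch: %d\n", safety_scan(ch, &wd, now, true, false));
    return 0;
}
```

The ordering inside `safety_scan` is deliberate: a stalled scan or a disagreeing output module is evidence that the PES itself can no longer be trusted, so those checks trip the output before the process vote is even consulted.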