IPE-TM-600 Instruments
IPE-TM-600-15
This procedure is a continuation of Procedure HSE-13 concerning the Safety Instrumented System (SIS) design and Safety Integrity Level (SIL) verification steps. After completing this procedure, Schedule A designs will include reasonable process control and safety representations, which gives our customers a basis to begin the detailed design stage.
Follow this procedure only after Procedure HSE-13 has been completed. The required SIL is defined as an output of the Health, Safety & Environmental (HSE) activities. The purpose of each SIS should be clearly stated so that this procedure can be applied directly.
After following this procedure, the items specified in 660 - Logic Systems that are categorized as SIS will be completed. Only Project Specifications are to be offered outside Inflection Point Engineering; detailed analysis information such as fault trees and internal reports shall be maintained for internal use only.
4.1 Follow the general procedure from Procedure HSE-13, “Determination and Use of Safety Integrity Levels Required for Safety Instrumented Systems”.
(Specific instructions for steps 3.9 – 3.12 of HSE-13 are included below.)
Based on the purpose of each SIS, the Process Technology Lead (PTL) from PC&I group shall define the system inputs and outputs required to mitigate the safety hazard. A breakdown of the system is required to evaluate the integrity level necessary to ensure the system will provide adequate risk reduction.
Classifying the shutdown actions in a Cause & Effect table makes the evaluation of each shutdown node easiest to handle.
An example Cause & Effect table for a forced draft heater firing fuel gas and fuel oil is shown on the following page.
Purpose: To avoid an unsafe condition in the heater firebox.
The individual safety instrumented functions (SIFs) required to mitigate the hazard stated in the purpose have been assigned SILs. Functions of the Cause & Effect table that are not considered safety are not assigned a SIL.
A quantitative method is used to calculate the effectiveness of the SIS that has been designed. Check each SIF in the Cause & Effect table that carries a SIL to verify that it meets the required SIL. The PTL is responsible for reviewing and documenting the calculations used to verify that the SIL is met for each SIF.
With a commonly used shutdown valve and logic solver, the bulk of the calculation will be repetitive. To document these calculations, construct a fault tree of the dormant failure rate of the system showing that the required availability has been met.
The logic solvers specified by Inflection Point Engineering are designed for use in safety applications and have very low unavailability owing to their diagnostics and redundancy.
The testing frequency is documented in the 660 project specification under General Requirements.
The Mean Time To Repair (MTTR) is estimated as 8 hours. The duration of each functional test is assumed to be one hour and is therefore included in the 8-hour repair time used in calculating the unavailability of the system.
In the above example, the SIL required for low pilot gas pressure has been established as SIL 2. Therefore, the SIS unavailability target is 10⁻² to 10⁻³.
The PCC is responsible for the details of the SIS represented on the P&ID.
Once Inflection Point Engineering's final Safety Instrumented System design has been established, modify the P&ID to show the design that will be implemented to meet the required SIL. The SIL is noted for each specific SIF along the row and column of the Cause & Effect diagram on the P&ID only; it is not shown in the project specifications.
The customer may request the addition of SIFs after the Inflection Point Engineering Schedule A is issued. Inflection Point Engineering will only update our Schedule A for these new functions on the basis of a change order.
Details of the design will be shown in the 660 project specifications. The SIS also includes other instrumentation such as transmitters (primarily 603 and 604) and valves (616); therefore, review all of these sections when creating the Schedule A for a SIS.
This section will aid those using Isograph's Fault Tree + software, which Inflection Point Engineering uses both for determining the SIL of a SIS and for SIL verification.
SIL Verification

| SIL | Unavailability (Q) |
|---|---|
| 1 | 10⁻¹ to 10⁻² |
| 2 | 10⁻² to 10⁻³ |
| 3 | 10⁻³ to 10⁻⁴ |
Use the data below in the Fault Tree + software. The data has been harmonized by Inflection Point Engineering based on available industry data. This listing will be updated periodically by having the PCC forward any known deviations, with an explanation, to the IPE-TM-600-15 sponsor for necessary review and revision.
The software offers many model types; FIXED, DORMANT, RATE, and MTTF (mean time to fail) are the ones most often used by Inflection Point Engineering. Different models are used depending on whether you are determining the SIL for an SIS or verifying that the SIF meets the SIL.
Once an event is selected, the software opens a data entry box, in which either a generic model can be selected or the model for this event can be entered manually.
In general, the FIXED model is used when evaluating the process hazards (see Procedure HSE-13). Once the model has been selected or entered, verify that the initiator or enabler box is checked before closing this data entry box and moving to the next event. Typical classifications of initiator or enabler are listed in the table below. The FIXED model is used for all initiators within a fault tree.
In determining the process risk, our goal is to calculate the failure frequency of the top event, typically a loss of containment. The fault propagation model includes failures of events that are initiators of the top event as well as enablers. These should be identified in the software to ensure that the proper statistical models are generated.
Use the FIXED model for items that have a fixed failure frequency, i.e. a failure rate that does not change over time. Failure probability is set per demand.
| Name | Failure Frequency / Unavailability | Initiator / Enabler | Explanation |
|---|---|---|---|
| Annunciator or Alarm | 0.02 | E | |
| Check Valve | 0.05 | I | Normal service check valve leaking |
| Controller | 0.02 | I | |
| Delayed ignition | 0.1 | I | |
| F.G. Header low pressure | 0.05 | I | |
| Filter/Strainer | 0.04 | I | |
| Flame Detector | 0.01 | E | Once in facility lifetime |
| Flame impingement | 1 | E | For Platforming heaters this will occur during normal operation |
| Forced Draft Mechanical Failure | 0.02 | I | |
| Fuel Gas Supply | 0.05 | I | Fuel Gas supplies are considered very reliable. |
| Inerts in Fuel Gas | 0.01 | I | Once in facility lifetime |
| Loss of Flow from Main Air Blower | 0.2 | I | |
| Operator error | 0.01 | I | Error by operator doing a manual task |
| Operator response | 0.1 | E | < 20 minutes to respond (immediate) |
| Operator response | 0.01 | E | >20 minutes to respond (non-immediate) |
| Power Failure | 0.20 | I | General Power failure is modeled as once per 5 years |
| Pump Failure | 0.25 | I | This value is based on all causes |
| Regulator | 0.05 | I | Mechanical device |
| Safety PLC | 0.00001 | E | The safety PLC has a fixed Probability of failure on demand due to diagnostics |
| SIS Installed | 0.0001 | I | For interaction between systems this number of 1 in 10000 is used |
| Start-ups (used for Fired Heaters) | 0.01 | I | |
| Transmitter | 0.02 | I | |
| Valve | 0.02 | I | |
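The initiator/enabler distinction above is what makes a fault tree's top-event frequency meaningful: one initiator supplies a frequency (per year) and each enabler supplies a probability (per demand) that multiplies it, and independent paths then add. The following is an added example, not Inflection Point Engineering's procedure nor Isograph Fault Tree + code. Event values are copied from the FIXED-model table; the scenario tree itself (which events combine into which paths) is hypothetical, and the class and function names are the example's own.

```python
"""Process-risk fault tree built from FIXED-model events.

Added example, not Inflection Point Engineering's procedure or Isograph
Fault Tree + code.  Event values are copied from the FIXED-model table; the
scenario tree (which events combine into which paths) is hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Initiator:
    """Event with a fixed failure FREQUENCY, in occurrences per year."""
    name: str
    frequency: float


@dataclass(frozen=True)
class Enabler:
    """Event with a fixed failure PROBABILITY per demand (dimensionless)."""
    name: str
    probability: float


@dataclass(frozen=True)
class AndGate:
    """One scenario path: the initiator occurs AND every enabler fails."""
    name: str
    inputs: tuple  # Initiator / Enabler events


@dataclass(frozen=True)
class OrGate:
    """Top event reached by any one of several independent paths."""
    name: str
    paths: tuple  # AndGate paths


def path_frequency(gate: AndGate) -> float:
    """Frequency (per year) of one AND path.

    Multiplying two frequencies would give a meaningless 1/year^2 result, and
    a path with no initiator has no frequency at all, so the gate is checked
    for exactly one Initiator before the product is formed.  This is the
    software-independent reason every event needs its initiator/enabler
    classification set.
    """
    initiators = [e for e in gate.inputs if isinstance(e, Initiator)]
    enablers = [e for e in gate.inputs if isinstance(e, Enabler)]
    if len(initiators) != 1:
        raise ValueError(f"{gate.name}: AND path needs exactly one initiator, found {len(initiators)}")
    if len(initiators) + len(enablers) != len(gate.inputs):
        raise ValueError(f"{gate.name}: inputs must be Initiator or Enabler events")
    freq = initiators[0].frequency
    for e in enablers:
        freq *= e.probability
    return freq


def top_event_frequency(top: OrGate) -> float:
    """Rare-event approximation: frequencies of independent paths add."""
    return sum(path_frequency(p) for p in top.paths)


# Events from the FIXED-model table (names and values as tabulated).
FG_LOW_PRESSURE = Initiator("F.G. Header low pressure", 0.05)
DELAYED_IGNITION = Initiator("Delayed ignition", 0.1)
ALARM = Enabler("Annunciator or Alarm", 0.02)
OPERATOR_IMMEDIATE = Enabler("Operator response (<20 min)", 0.1)
FLAME_DETECTOR = Enabler("Flame Detector", 0.01)

# Hypothetical tree for the heater-firebox hazard named in the purpose statement.
FIREBOX_TOP = OrGate(
    "Unsafe condition in heater firebox",
    (
        AndGate("Low fuel gas pressure, alarm fails, operator does not respond",
                (FG_LOW_PRESSURE, ALARM, OPERATOR_IMMEDIATE)),
        AndGate("Delayed ignition with flame detector failed",
                (DELAYED_IGNITION, FLAME_DETECTOR)),
    ),
)


def firebox_top_frequency() -> float:
    """Top-event frequency of the constructed tree, per year."""
    return top_event_frequency(FIREBOX_TOP)


if __name__ == "__main__":
    for path in FIREBOX_TOP.paths:
        print(f"{path.name}: {path_frequency(path):.2e} /yr")
    print(f"Top event: {firebox_top_frequency():.2e} /yr")
```

For the constructed tree the two paths contribute 1.0e-4 and 1.0e-3 per year, so the top event is dominated by the delayed-ignition path; a gate fed two initiators is rejected rather than silently multiplied, which is the failure mode the initiator/enabler check box in the software guards against.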
Use the DORMANT model to verify the shutdown system availability. Failures of this type include all failures that would compromise the shutdown system. The MTTF model is used for items that have diagnostics to reveal all failures.
The failure data used in this model cover only failures that are not immediately known (revealed). All transmitters and final elements used within a shutdown system are assumed to have no revealed failures; no diagnostics for these devices are part of Inflection Point Engineering's design.
| Name | Failure Rate (per year) | MTTR (years) | Inspection Interval (years) |
|---|---|---|---|
| Transmitter | 0.02 | 0.0009 | 1 |
| Shutdown valve | 0.02 | 0.0009 | 4 |
| Solenoid valve | 0.02 | 0.0009 | 1 |
| Manual block valve | 0.02 | 0.0009 | 4 |
| Limit stop | 0.001 | 0.0009 | 3 |
| Manual throttling valve | 0.02 | 0.0009 | 2 |
| Sensor/vibration sensor | 0.05 | 0.0009 | 1 |
| Annunciator | 0.025 | 0.0009 | 1 |
| Spare pump not started | 0.01 | 0.0009 | 0.08 |
As shown below, both the failure and repair times must be entered into the model. Within one shift, an operating facility will repair items such as transmitters, valves or control equipment; therefore, the Mean Time To Repair (MTTR) is set as 0.0009 years (8 hours). Both values are entered in YEARS.
| Name | MTTF (years) | MTTR (years) | Comments |
|---|---|---|---|
| Transmitter | 40 | 0.0009 | |
| Valve | 50 | 0.0009 | |
| Alarm | 100 | 0.0009 | Used in Platforming |
| Manual valve | 50 | 0.0009 | |
Questions often arise about how often a valve or other piece of equipment fails. Although a failure rate of 0.02 per year is mathematically equivalent to a mean time to failure of 50 years, it should be stressed that this data is used for statistical calculations and does not represent the failure expectation of any specific valve or piece of equipment.
A failure rate of 0.02 can also be interpreted to mean that in a population of 100 valves, 2 will fail each year; it does not indicate when a particular valve will fail.
© 2026 Inflection Point Engineering, LLC. All rights reserved. The content of this page — including calculation methods, reference data, written analysis, interactive tools, and source code — is the intellectual property of Inflection Point Engineering, LLC and is protected under applicable copyright, trademark, and trade secret laws. Unauthorized reproduction, redistribution, modification, or derivative use in whole or in part is prohibited without prior written consent.
Disclaimer. This material is provided for informational and educational purposes only and does not constitute professional engineering advice. Calculations, reference data, and methodologies are based on published standards and accepted engineering practice but are not a substitute for engineering judgment, site-specific analysis, or review by a licensed Professional Engineer. Inflection Point Engineering, LLC makes no warranties, express or implied, regarding the accuracy, completeness, or fitness for a particular purpose of any content presented here, and shall not be liable for any direct, indirect, incidental, or consequential damages arising from its use. Users assume all risk associated with applying this content to real-world design, operations, or decisions.