Process control systems such as those used in chemical, petroleum, and other processes, typically include one or more controllers communicatively coupled to at least one host or user workstation and to one or more field devices via analog, digital, or combined analog/digital bus(es). The field devices, which may include, for example, control valves, valve positioners, switches, and transmitters (e.g., temperature, pressure and flow rate sensors), perform functions within the process such as opening or closing valves and measuring process parameters. The process controller receives signals indicative of process measurements made by the field devices and/or other information pertaining to the field devices, and uses this information to implement a control routine to generate control signals, which are sent over the bus to the field devices to control the operation of the process. In the event that a field device fails, the operational state of the entire process control system can be jeopardized.
A safety instrumented system (SIS) may be utilized to safeguard the process control system and prevent a dangerous event, such as a release of toxic, flammable, or explosive chemicals. The SIS is a distinct, reliable system that complements the process control system and takes action to bring the process to a safe state when necessary. The SIS utilizes sensors, logic solvers, and actuators to implement a safety instrumented function (SIF) that reaches or maintains a safe state. A safety integrity level (SIL) is a statistical representation of the integrity of the SIS and can be defined in terms of a risk reduction factor (RRF). In other words, the SIL is one way to indicate the tolerable failure rate of a particular safety function. The inverse of the RRF is the probability of failure on demand (PFD), and several discrete SIL levels are each associated with a PFD, wherein SIL level 1 represents the highest level of acceptable risk and SIL level 4 represents the lowest level of acceptable risk.
An SIS is typically composed of two types of devices, equipment, subsystems, or modules, namely Type A and Type B. In general, Type A classified units are devices without a complex processor on board, for which all possible failures of each component, e.g., valves, relays, solenoids, switches, etc., can be defined. Type B classified units include at least one component having a failure mode that is not well defined, e.g., microprocessors, application specific integrated circuits (ASICs), or “smart” transmitters.

In terms of safety, failures can be divided into two categories: safe failures and dangerous failures. Safe failures are those failures, at the level of the modules and subsystems inside the device, that lead to a safe state; they may or may not be detected by internal diagnostics. A dangerous failure is a failure that does not lead to a safe state. However, a dangerous failure may be detected by internal diagnostics, which alert the user to the failure and allow timely repair, so that the probability of failure on demand (PFD) is not impacted as it would be if the failure could occur without detection. A safe failure fraction (SFF) parameter indicates the fraction of the overall failure rate of a device that results in a safe failure, as compared to all failures. The SFF can be defined as SFF = 1 − (dangerous undetected failures) / (total failures), wherein total failures includes detected safe failures, undetected safe failures, detected dangerous failures, and undetected dangerous failures. Undetected dangerous failures therefore adversely affect the PFD and/or the SFF associated with the device.