Sluit dit zoekvak.

What is...

Technical Glossary

Looking for explanations of technical terms? We are happy to provide you with text and explanations.

Functional safety (functional safety) refers to instrumentation systems intended to perform a safety function.

Instrumented systems consist of sensors (signaling devices), logic (decisive components) and actuators intended to perform a control or a safety function for processes in the chemical, petrochemical or other process industries.

Instrumented systems designed to perform a safety function are generally referred to as Safety Instrumented Systems (SIS). These systems must comply with IEC 61508, the international standard for Safety Instrumented Systems.

A safety function is substantially different in concept from a control function:

  • The purpose of a control function is to bring a process to its optimum state (the most effective or efficient combination of process conditions);
  • A safety function monitors the limits or range of permissible process conditions;
  • A safety function generally operates in on/off mode. In other words, it intervenes forcefully or not at all, but it will not intervene gradually;
  • The settings of a safety function are normally fixed and follow from the process design while the settings of a control function vary depending on the actual process conditions.

A SIS performs an important role in containing chemicals and high pressures and as such, it serves as an important protection in preventing unsafe conditions leading to an incident.

Example layer of protection analysis (LOPA).

In the above scheme of several layers of protection, the SIS responds when both the control system (process control) and operator intervention fail to resolve a problem. The failure of the SIS will in turn likely lead to an uncontrolled discharge to the flare or to the vent and perhaps even to an even more dangerous situation. For this reason, the SIS must meet very strict requirements and criteria regarding availability, reliability and probability of failure on demand.

We are engaged in the design and construction of safety systems (SIS).

The term Functional Safety Management (FSM) is used to describe the processes, systems and (organizational) procedures used in the design and construction of a safety system.

The minimum required processes and systems are described in IEC 61508, the international standard for developing safety systems or "Electrical/ Electronic/ Programmable Electronic Systems that perform a Safety Function," as they are called in the standard.

The 'daughter' standard IEC 61511 is derived from IEC 61508 and is specifically applicable within the process industry. Because these standards are the norm for many of our customers, we have integrated them into our project execution and project management processes. These processes have been checked for compliance with IEC 61508 and certified by an independent third party.

Within the context of IEC 61508, the design and construction of a safety system constitute the realization phase ("realization phase") of the FSM life cycle:


We have detailed how we realize an E/E/PES or safety system, how we plan it, how we manage scope changes, how we ensure quality, and how we verify and validate the system.

The Safety Integrity Level (SIL) is a measure of how reliably a safety function is performed.

There are four levels, with the highest level describing the most reliable execution of a safety function, in other words having the lowest failure probability (probability of failure on demand). The following table applies to typical applications in the process industry (typified by IEC 61511 as "low demand mode" processes):


Definitions of SIL levels

The "probability of failure on demand" represents the probability that the system will not perform the safety function when it is needed. In other words, not doing what is expected at the time it is needed.

As an example, the probability that a SIL-3 system will not shut down the process when necessary is less than one in a thousand or 0.1 percent. In other words, the availability of the safety function is better than 99.9 percent. Put another way, the risk reduction is at least a factor of 1,000.

It is important to distinguish between realized SIL level and required SIL level. The required SIL level is derived from an assessment of risks and hazards, for example using a HAZOP or FMEA study. The required SIL level is determined separately for each safety function.

Important considerations are the probability of a hazard occurring and the impact of the hazard. A risk matrix usually helps determine the required SIL level for each safety function.

The realized SIL level of a safety function, on the other hand, is the actual SIL as it is realized in practice. It depends on, among other things:

  • the transmitters used
  • the configuration of the transmitters (1oo1, 1oo2, 2oo3, etc.)
  • the use of barriers, isolators, relays
  • the logic solver or safety system used (e.g. PLC)
  • the actuator(s): valves, valve positioner, etc.
  • the configuration of the valves, e.g. single block or double block

For each component mentioned above, a PFD is required after which the overall PFD of the complete safety function is calculated and thus the realized SIL level is known. We are familiar with performing these calculations and estimating the PFD values of legacy ("brownfield") sensors and actuators.

A Safety Instrumented System (SIS) performs a safety function by using instrumentation rather than physical hardware.

In this context, instrumentation includes sensors (including transmitters), logic solvers and actuators (such as valves). IEC 61508 refers to these systems through the term Electrical/Electronic/Programmable Electronic Systems (E/E/PES) that perform a functional safety function.

Examples of Safety Instrumented Systems are:

  • Emergency Shutdown and Depressurization Systems (ESD/EDP);
  • Unit Safeguarding Systems (SGS);
  • High Integrity Pressure Protection Systems (HIPPS);
  • Burner Management Systems (BMS);
  • Boiler Protection Systems (BPS);
  • Fire & Gas systems (F&G).

An SIS reduces risk by reducing the probability that a hazardous event will occur. An SIS does not reduce the impact of the event if it does occur. Graphically, this can be represented as follows:


Take the case that a HAZOP reveals; that there is an unacceptably high risk of explosion due to pressure buildup in a vessel. The use of pressure relief valves, serving as a last resort, blowing off the contents of the vessel to the flare, reduces the probability (frequency) of an explosion, but not the impact (severity) of the explosion, should it occur.

The impact can be reduced by building the plant in a remote location and placing the control room far away from the vessel. Finally, an SIS can prevent pressure buildup in the vessel by timely stopping the chemical reaction, for example, or limiting the inflow into the vessel or, conversely, speeding the outflow from the vessel.

The combined effects of these three safety features can reduce the risk of this particular scenario to a tolerable or even acceptable level.

An SIS must be viewed in the context of a specific plant, with its specific hazards and precautions. Therefore, the desired SIL level of a safety function can only be determined by the process owner and not by the supplier of an SIS.

Familiar with the practical implications of this, we are happy to collaborate on HAZOPs and similar exercises to determine the risks of a process and thus arrive at the required SIL level for each safety function.

The Probability of Failure on Demand (PFD) is a measure of the effectiveness of a safety function.

It expresses the probability that a system designed to prevent a hazardous situation will fail at the very moment a claim is made on this function.

The PFD of a safety function depends on the failure probabilities of all components of the function. To calculate the failure probabilities for sensors, logic solvers and actuators, data must be collected on all possible failure states, including those states that can be detected, those that cannot be detected (by the built-in diagnostic software), states that cause the component as a whole to go to a safe state, and states that cause a hazardous state to occur for the entire component.

In practice, this data is known for new "SIL-compliant" components, but often not for older components.

Another important factor for the PFD is the frequency with which the system is tested. It is assumed that faults detected by the component itself (through its built-in diagnostic software) are quickly repaired. However, faults that are not detected by the component become visible only during a complete system test.

In the period between the occurrence of the fault and the execution of the test, the system is unavailable if the preventive function is invoked.

As an example, consider the following two components (e.g., pressure switches) that are characterized by the failure probabilities λdu and λdd, and for which no redundant switches are installed (i.e., no voting), which are subjected to a system test (Proof Test Interval) every six months, and which require approximately 8 hours to repair a switch (Mean Time To Repair):


Example PFD calculation
Component A and B have similar failure rates of 4.0-10-6 per hour. Yet, component B is of better design quality because the built-in diagnostic software detects more faults. As a result, the PFD value of component B is much lower.

Related to the Safety Integrity Level (SIL), both components can be used in a SIL-2 function (PFD is higher than 0.001 but lower than 0.01), provided, however, that the other components in the safety function (e.g., logic solver, barriers, actuators) do not add too much to the total of dangerous errors so that the PFD of the complete function remains lower than 0.01.

We are happy to help you with all the necessary calculations so you only have to focus on the application. We indicate what information we need and make practice-based assumptions if information is not available. You can also leave the interpretation and explanation of the results to us. In addition, we will provide advice on how to improve the PFD of the various functions with minimal impact on your budget.

Similar to probability of failure on demand is the "probability of failure to safety" (PFS); a measure of the effectiveness of a safety function.

It expresses the probability that a safety function will invoke when it is not requested. In other words, it is a measure of the probability of unwanted trips (spurious trips).

Unwanted trips regularly cause operators and maintenance personnel headaches. First, because they can severely disrupt the process. Second, because it is usually difficult to prove that a trip was indeed unwanted and not caused by some other valid reason.

For this reason, we often design our systems with redundancy. Redundancy ensures that multiple channels are available for the same safety function. If one channel fails, the other channel can still perform the function when requested. This reduces the chance of a trip of the entire process and improves availability.

As an example, consider the configuration of a number of transmitters in the same pipeline, all measuring the same process value. In this example, we will go up to three transmitters.

There are several configurations for the transmitters. For the configuration used, we use the term voting expressed in MooN (M out of N), where M trip signals must come through N channels before the safety function triggers. Thus, a 2oo3 voting means that at least two of the three transmitters must measure an unsafe process value before the safety function triggers. In other words, if one of the channels is faulty or "stuck" in its "safe" position, the safety function of the system is not affected.

At the same time, the probability of unwanted trips is minimized because there should be two channels that fail in a safe position before the safety function triggers. The downside of such a solution is the cost associated with installing multiple transmitters:


We are aware of the fact that in every project the trade-off between cost and availability (preventing unwanted trips) is made again. We can advise you regarding the degree of redundancy suitable for your situation, as well as calculate the improvement in probability for each option.

A free translation of Safety Requirement Specification (SRS) is Safety Requirement Specification and includes a high-level description of safety functions and the requirements for each required safety function.

For example, it may include the description "Measure the temperature in vessel V-1202 and if it exceeds 60 °C, stop the pump P-103 to the reactor within 2 seconds with a Safety Integrity Level SIL-3.

This description contains all the essential basic information to design a safety function:

  • The location and function of sensors and actuators related to a P&ID;
  • The required SIL level, determined from a HAZOP/ZIL exercise;
  • The required response time, determined from a HAZOP/ZIL exercise.

A number of choices can now be made for the security function:

  • The required SIL level determines the maximum PFD (Probability of Failure on Demand) for the complete loop;
  • The required SIL level also determines the minimum SFF (Safe Failure Fraction) for all components in the complete loop;
  • If one of the selected components does not meet the minimum SFF requirement, it may be necessary to apply voting. For example, two transmitters can be applied in a 1-out-of-2 voting (1oo2) because a single transmitter has too low an SFF value and the voting configuration does meet the required SIL level.

A complete specification for a safety system includes, in addition to the above:

  • redundancy requirements, to improve availability;
  • maintenance override functions;
  • communication with other systems;
  • any preferred brands and models of the components, for example, the safety PLC, power supplies, isolators, barriers, etcetra;
  • panel layout requirements such as, for example, location, dimensions, spare capacity;
  • hardware requirements: ATEX classification, materials to be used, wire colors;
  • user interface: graphical screens, philosophy on alarm handling, buttons and lights.


We are happy to help with setting up an SRS and all other design choices related to a safety system.

A risk matrix is a simple tool for identifying risk in the context of a process plant, where risk is defined as the product of:

  • The probability of a hazardous situation (hazard) occurring, and
  • the impact of that situation, when it occurs, on the plant, personnel and the environment.


Usually process owners have a risk matrix for their plant already prepared. It applies to a wide range of safety-related issues such as work permits, process safety, assessment of safety-related investments. The same risk matrix can be used for functional safety.

By defining probability (frequency) and impact (severity of consequences), a risk matrix can be used to determine the minimum necessary SIL level for each safety function. Below is a simple example:


Note that the estimation of a risk, using the risk matrix, is best done by the process owner and not the safety system supplier (SIS), as local and plant-specific characteristics and hazards must be taken into account. We are happy to support the above analysis with our knowledge and experience of industry-typical approaches.

A Burner Management System (BMS) is a safety system that performs two key tasks:

  • It is responsible for burner system start-up sequences including purge steps, monitoring the closed position of the double block valves and fuel valves, monitoring the open position of the vent valves, selection or de-selection of individual burners, ignition and monitoring of the ignition burner and of the main burner.
  • During operation of the burners, it is also responsible for monitoring the flame, the presence of sufficient air and for the safe shutdown of the burner.


A Burner Management System can be very complex for this reason. This, while a burner is essentially relatively simple and often controlled by only one control with a single setpoint (the load factor).

This load factor controls the optimum air to fuel ratio for the heat load requested. The air to fuel ratio is critical for safe and efficient burner operation. Too much air? The flue gas does not reach the required temperature. Too much fuel? Combustion is incomplete, leaving flammable hydrocarbons in the system.

The key to a good fuel-to-air ratio is to measure airflow and fuel flow. If the fuel flow is difficult to measure but the venturi in the burner nozzle is constant, then the fuel pressure can give a good indication. If airflow is difficult to measure, the burner will have to operate with excess air at all times.

If the fuel to air ratio is difficult to determine, for example due to variable fuel composition, other measures will have to be taken to ensure that complete combustion takes place. This can be done, for example, by measuring the amount of O2 in the flue gases or installing in-line analyzers in the fuel supply.

We are happy to share our knowledge, gained over many years of supplying Burner Management Systems for both new construction and for the replacement market of burners for power plants, for example. We make systems that function both safely and reliably for many years without interruption.

A gas turbine with a Heat Recovery Steam Generator (HRSG) is a system that generates energy in two ways.

  • The gas turbine drives a mechanical load, such as a generator
  • The hot exhaust gases from the turbine are used to produce steam, which in turn drives a steam turbine coupled in to a generator or other mechanical load.

The HRSG is basically a large steam boiler where the hot exhaust gases from a gas turbine are used to produce the steam. The HRSG may also be equipped with a set of burners (also known as duct burners) to provide additional heating of the exhaust gases, or in other words generate additional heat for steam production.

Depending on the design of the HRSG, the burners can also be used to generate the heat required for steam production when the gas turbine is out of service.

Since the gas turbine exhaust normally contains sufficient oxygen (12-16 percent) for proper fuel combustion at the burners, additional combustion air (such as ambient air) is needed only when the gas turbine is not in operation.

The Burner Management System monitors all functions and as such must be continuously aware of the state of the gas turbine and of the boiler. The interaction between the BMS and the gas turbine also ensures that the purge sequences are performed properly.


In terms of sequences, an HRSG is clearly more complicated than a conventional burner. In addition to the functions for a conventional burner, the BMS for an HRSG must also provide for the purge of the burner, of the gas turbine and of the HRSG in combination. The air dampers (including bypass damper, inlet damper and ambient air 'ambient air' damper) must all be operated but also the positive must be monitored.

The gas turbine should be informed that conditions are safe to start and the gas turbine should inform the BMS when it is operating at "cranking speed" (due to purging), when it is in normal operation, whether it has successfully ignited and so on. However, when the gas turbine unexpectedly goes offline or when one of the vaporizers leaves its position, the BMS must quickly switch and put the vaporizers in the correct position to continue operation as much as possible and to reduce possible production loss. Of course in a safe way.

We have designed the Burner Management System to include all of the above requirements, and more, as standard. For example, we offer a complete and intuitive user interface through our graphical HMI (Human-Machine Interface). We offer unambiguous and complete status and alarm management including first-up alarms (first-up: showing the first occurring alarm).

Furthermore, it is possible to select which burners are operating or not, and the fuel-to-air ratio can be adjusted.

In addition, the BMS can communicate with other systems (such as a DCS) in a safe and reliable manner. And because we have extensive knowledge of the applicable standards, we also guarantee that the BMS will pass any certification procedure without problems.

A High Integrity Pressure Protection System (HIPPS) is a system used to prevent the pressure in a pipeline from exceeding the maximum allowable operating pressure.

A HIPPS is commonly installed in oil and gas export pipelines and sometimes in flowlines that must be protected from exposure to high pressures. These pressures can originate from wells (wells), which when enclosed can reach a Closed In Tubing Head Pressure (CITHP), which exceeds downstream pipe specifications.

Functionally, a HIPPS is a very simple system: in case of high pressure, it closes one or more valves. These valves can be pneumatically or hydraulically driven.

A HIPPS is often considered an alternative to mechanical means, such as pressure relief valves, to prevent excessive pressures.

The mechanical resources required can be very costly compared to a HIPPS. Obviously, the requirements for both the SIL level and availability of the HIPPS are very high.

For SIL levels up to SIL-3, we have a solution. We have supplied HIPPS systems for offshore installations, both installed on the platform and built into systems located on the seabed (subsea). We are familiar with the practical and environmental constraints caused by subsea installations as well as the effects of shock waves created by the rapid closure of valves.


An Emergency Shutdown (ESD) system is a safety system that encloses an entire plant or process.


Combined with an Emergency Depressurization (EDP) system, it ensures that all process parts are depressurized in a controlled and safe manner by directing the process substances (e.g., gas or oil), to a flare.


An ESD system is an important component in preventing the escalation from an unsafe condition to an accident:

  • by enclosing a process it stops the buildup of pressure;
  • By switching off electrical power, it prevents ignition of leaked and flammable hydrocarbons;
  • by blocking key process pipelines at strategic locations, the system reduces the amount of process dust directed to a flare;
  • by depressurizing the process (EDP) protects the piping from rupture;
  • by directing process substances to the flare (EDP) prevents the uncontrolled release of hydrocarbons and the freezing of vent lines (relief lines);
  • by starting a diesel fire pump (offshore) it shortens the time of rescue and extinguishing operations.
  • An ESD can be activated by transmitters (e.g. high-pressure strip), switches, local push buttons or push buttons in a central control room. Different levels of ESD (such as a local ESD, Unit ESD, Plant ESD, Plant EDP) are distinguished depending on the requirements.


Obviously, an ESD action has a major impact on process stability and is therefore only used as a last resort. When nevertheless necessary, the proper operation and thus reliability of the system is paramount. Therefore, in addition to being safe, these systems must also be highly available. In other words, both the Probability of Failure on Demand (PFD) and the Probability of failure to Safety (PFS) must be as low as possible.

We would be happy to discuss your requirements for ESD/EDP system as well as all your design considerations.

We calculate PFD and PFS values for alternative designs. We can include automatic test sequences and establish an annual valve stroke test (valve stroke test) for regulatory reasons. We enable communication with other systems in such a way that the integrity of the ESD system is not affected.

And of course, we discuss your Cause- & Effect diagram (C&E) in detail and are a discussion partner for HAZOPs and similar safety exercises.