SIS Glossary
12 Sep 2024
Below you will find the definitions of the relevant IMS SIS terms. Do you need help with another acronym? All IMS-related acronyms are defined in the IMS Glossary.

B

Barrier
See Safeguard.

Basic Process Control System (BPCS)
This is the first LOP. The BPCS controls pressure, level, temperature, flow, etc.

C

Cause
The Cause is also known as the Initiating Event or Threat. It is the process condition or measurement that indicates the process or equipment is operating outside the operating envelope. The Initiator may include equipment failure, abnormal or unexpected process conditions, or external conditions such as the environment. Examples are operator error during manual switches, valve failure, compressor failure, loss of power, etc.

Consequence
The Consequence is the potential adverse effect of a Hazard on People (P), the Community (C), the Asset (A) or the Environment (E). It can be physical injury or damage to the (long-term) health of People (P), damage to the Community (C), damage to the Asset (A) or damage to the Environment (E).

D

Dangerous Fault Tolerance (FT)
The minimum degree of dangerous fault tolerance for each Subsystem is a function of the required integrity level and is verified against the Success Criteria. (SIF Analysis)

Deviation
The HAZOP method focuses on Deviations from design intent, because they represent potential problems that could lead to a hazard; for example, lack of flow in a transfer line or over-pressuring a vessel may result in hazard and operability scenarios.

E

Evergreen
In IMS a HAZOP Type can be Evergreen, MOC, or Project. The goal of an Evergreen HAZOP is to maintain a full and comprehensive overview of the hazards in a design. Any modification to the plant/unit must therefore be assessed in the context of the overall plant/unit, and the Deviations upstream and downstream of the modified equipment must be revisited to ensure that the change is adequately assessed. In IMS, Evergreen HAZOPs are indicated with.

F

Failure Mode Effect Analysis (FMEA)

FMEAs are done at the Equipment level (when the Equipment is being defined, i.e., when a Master Equipment is connected to the Equipment).

By default, three Failure Modes (FMs) are defined and analyzed for each Equipment:

  • FMC: Failures common to identical devices.
  • FMCC: Failures common to diverse devices within the same Equipment family (e.g., pneumatic and electronic smart pressure transmitters are both “pressure sensing devices”).
  • FMO: Other failures not covered by any of the other specified failure modes.

For each FM, the Equipment’s overall random failure rate λ is split into a safe failure rate (λs) and a dangerous failure rate (λd). Safe failures are failures that may result in a premature or inadvertent action of the SIF; these are also known as “spurious” failures. Dangerous failures are failures that result in a late or no action of the SIF; these are also known as “unrevealed” or “dormant” failures.

Coverage factors (“L” and “H”) are defined per FM for each of the Equipment’s defined Tests (e.g., “Full Functional Test” or “Overhaul Test”). When a Diagnostic in combination with a Response on Failure is added to an FM, the maximum safe and dangerous Diagnostic Coverage Factors (DCFs) are determined.

Fault Tolerance (FT) check

Each Subsystem has a Fault Tolerance. This depends on the Equipment design, as well as on the integrity requirements and the Success Criteria.

The Fault Tolerance and implementation check considers:

  • Base fault tolerance - based on the integrity requirement, i.e., the SIL, as defined in the Ruleset. E.g., for SIL 2 the Base fault tolerance = 1 (based on the “IEC-61511 acc to Shell” Ruleset).
  • Fault tolerance modifier - the maximum of the modifiers (fail safe, prior use, write protect), defined on the Equipment Details page.
  • Inherent fault tolerance - defined on the Equipment Details page.
  • Fault tolerance required - whether the sum of the above is greater than 0.
  • Equipment type allowance - whether the Equipment type is allowed.
  • Energize to trip (ETT) allowance - based on the integrity requirement, i.e., the SIL, as defined in the Ruleset. E.g., the “IEC-61511 acc to Shell” Ruleset states that below SIL 2, ETT is acceptable.
  • Dangerous fault tolerance - checks the Success Criteria. This check can be overridden.

H

Hazard
An agent with the potential to cause harm to people, damage to assets, or an impact on the environment or community.

I

Initiating Event
Many Initiating Events have been pre-defined in IMS in terms of their frequency of occurrence. These frequencies are based on industry-accepted and standards-compliant data for each device, system, or human. See also Cause.

L

Layers of Protection (LOP)
The Layers of Protection (LOP) are independent layers that serve either to prevent an Initiating Event (e.g., loss of cooling) from developing into a Top event (e.g., a release of a dangerous substance), or to mitigate the consequences of a Top event once it occurs.

Layer of Protection Analysis (LOPA)
A Layer of Protection Analysis (LOPA) is a risk management technique that provides a detailed, semi-quantitative risk assessment. The Initiating Event frequency, the Consequence Severity, and the likelihood of failure of the layers of protection are all assessed to approximate the risk of the hazard scenario. The primary purpose of LOPA is to determine the adequacy of existing or proposed layers of protection against a hazard scenario.

Linked Objects (Cards)

Different Causes can have the same Consequence. In this case you can create a copy of the first Consequence and then link the Consequences (manually). The Consequence's child objects (Existing safeguards and Recommendations) are then automatically replicated and linked as well (when you create a new child object, it is also replicated and linked).

When objects are linked, they are always kept in sync, with one exception: on the Existing safeguard, the Validation section remains unlinked. This makes it possible to indicate that an Existing safeguard is "Not Valid" for a specific Cause-Consequence combination.

When a LOPA is connected to a Consequence, it is therefore also automatically connected to all linked Consequences and their associated Causes. All the associated Causes are copied to the LOPA as Initiating Events.

(Nodes, Deviations and Causes cannot be linked.)

Logic Solver
The portion of a SIF that performs the application logic function. The Logic Solver excludes trip amplifiers, input cards and output cards. Examples are electromechanical relays, solid-state/magnetic-core logic and the Central Processing Unit (CPU) section of programmable electronic systems.

M

Mitigation
The action of making a Consequence less severe, or of relieving Consequences.

N

Node
The HAZOP technique is based on breaking the overall complex design of the process into several simpler sections, called Nodes, which are then reviewed individually. The Nodes should be chosen so that a meaningful design intent can be specified for each. They are commonly indicated on piping and instrumentation diagrams (P&IDs) and Process Engineering Flow Sheets (PEFS). The extent of each Node should be appropriate to the complexity of the system and the magnitude of the hazards it might pose.

P

Performance

The SIF Analysis Performance check in IMS considers two criteria:

  • Sensor Accuracy
  • Tight Shut-Off (TSO) for valves

In addition to the performance check, IMS also checks the overall function Response Time. For more information see Verifying SIF Response Time.

Probability of Failure on Demand (PFD)
The probability of the protective layer (e.g., the SIF) failing to respond to a Demand. Dimensionless.

Public
When harm to the general public is expected, you can select Public, which adds an extra safeguard in the People Assessment (the Tolerability Criterion (TC) for the People Assessment is decreased by 1E-01). See LOPA - Assessment Summary.

R

Risk
The frequency at which a Hazardous Situation occurs (Likelihood) multiplied by the Consequence of the Hazardous Situation.

S

Safeguard
Safeguards can either prevent the Top event from occurring or mitigate the result after the Top event occurs. There are three Types of Existing safeguards that can be selected in IMS SIS: Control Barrier (CB), Conditional Modifier (CM), and Recovery Measure (RM). In LOPAs they are called Barriers.

Safety Instrumented Functions (SIF)
A SIF is a Control Barrier type of Safeguard. It comprises three elements: sensors (e.g., a flowmeter) and logic solvers (e.g., a safety PLC) that detect dangerous conditions, and final control elements (e.g., a valve) that are manipulated to achieve a safe state. SIFs respond to specific, defined hazards by implementing specific actions to put the equipment into (or maintain it in) a safe state, providing a defined degree of risk reduction.

Safety Instrumented System (SIS)
A Safety Instrumented System (SIS) consists of an engineered set of hardware and software controls used specifically on safety-critical process systems. A SIS does not control anything; it monitors many of the same variables as the BPCS. A SIS typically contains multiple Safety Instrumented Functions (SIFs).

Safety Integrity Level (SIL)
The risk reduction required from a SIF is characterized by the SIL. The SIL indicates the degree of risk reduction provided by a SIF, implemented by a SIS, within a given process. In other words, the SIL is a measure of the SIF’s performance in terms of Probability of Failure on Demand (PFD) and dangerous fault tolerance requirements. When designing a SIF, choosing the appropriate SIL is crucial for achieving the required level of safety. IEC 61508 defines four SIL levels. The higher the SIL, the higher the associated safety level and the lower the probability that the system will fail to perform. A higher SIL normally means a more complex system and higher installation and maintenance costs. Process plants typically only require SIL 1 and SIL 2 SIFs.

Safety Lifecycle
The process in which hazards are identified and analyzed for the initial design of safety-critical systems. The Safety Lifecycle also includes the feedback loop of real-life plant data into the initial design, to assess whether the assumptions and/or data used in the initial design need to be updated to match the real-life plant data. This is an ongoing process for any plant, with periodic reviews (e.g., once every 5 years) in which the collected real-life plant data is held against the data used during analysis and design.

Severity
The Severity of a Consequence. This is rated from 1 (least severe) to 5 (most severe).

Subsystem
A Subsystem is defined as a complete set of Equipment that together make up a sensor (SE) Subsystem, a logic solver (LS) Subsystem or a final element (FE) Subsystem. Each Subsystem has a Fault Tolerance (Design).

Success Criteria (SC)

The Success Criteria are defined in terms of the Equipment-Actors.

You can define Success Criteria for each Subsystem for achieving the safety mission. E.g., for a 1oo2 sensor Subsystem, the Success Criterion would be “sensor A OR sensor B should work to achieve the safety mission.”

IMS SIS has two layers of Success Criteria:

  • High-level Success Criteria, per Subsystem type
  • Lower-level Success Criteria, per Subsystem

For more information see Defining SIF Success Criteria.
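The LOPA, PFD and SIL entries describe how a scenario's risk is approximated from the Initiating Event frequency and the failure likelihood of each layer, and how the remaining required risk reduction is expressed as a SIL. The Python below is an added example, not IMS SIS code or part of this glossary, that carries that calculation through for one constructed scenario; the initiating event frequency, layer PFD values and tolerable frequency (TC) are invented placeholders, and the SIL bands are the IEC 61508 low-demand PFDavg bands.

```python
# Added example (not IMS SIS code): LOPA adequacy check for one hazard scenario.
# Mitigated frequency = Initiating Event frequency x PFD of each independent layer.
from dataclasses import dataclass

# (SIL, upper bound exclusive, lower bound inclusive) of PFDavg, low-demand mode
SIL_BANDS = ((1, 1e-1, 1e-2), (2, 1e-2, 1e-3), (3, 1e-3, 1e-4), (4, 1e-4, 1e-5))

@dataclass(frozen=True)
class Layer:
    name: str
    pfd: float  # Probability of Failure on Demand, dimensionless

    def __post_init__(self):
        if not 0.0 < self.pfd <= 1.0:
            raise ValueError(f"{self.name}: PFD must be in (0, 1], got {self.pfd}")

def mitigated_frequency(ie_frequency: float, layers) -> float:
    """Consequence frequency (per year) with the given independent layers in place."""
    f = ie_frequency
    for layer in layers:
        f *= layer.pfd
    return f

def required_sif_pfd(ie_frequency: float, layers, tolerable_frequency: float) -> float:
    """PFD an additional SIF must achieve for the scenario to meet TC; 1.0 = no SIF needed."""
    f = mitigated_frequency(ie_frequency, layers)
    if f <= tolerable_frequency:
        return 1.0
    return tolerable_frequency / f

def sil_for_pfd(pfd: float):
    """Map a required PFD to a SIL: 0 = no SIL needed, None = beyond SIL 4 (redesign)."""
    if pfd >= 1e-1:
        return 0
    for sil, upper, lower in SIL_BANDS:
        if lower <= pfd < upper:
            return sil
    return None

if __name__ == "__main__":
    # Constructed placeholder values, not from any real study: a BPCS loop failure
    # (Cause) at 0.3/yr, one existing relief valve, tolerable frequency 1e-5/yr.
    existing = [Layer("pressure relief valve", 1e-2)]
    pfd = required_sif_pfd(0.3, existing, 1e-5)
    print(f"required SIF PFD {pfd:.2e} -> SIL {sil_for_pfd(pfd)}")
```

A result of None means no single SIF can close the gap, which in LOPA terms calls for additional independent layers or a change to the design rather than a higher SIL.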

T

Test Coverage Factor
The test coverage factor reflects the effectiveness of testing and maintenance activities in detecting and preventing failures within the SIF. It quantifies the probability that a diagnostic test will detect a dangerous failure before it affects the SIF’s performance. Test coverage is typically expressed as a percentage, ranging from 0% (no test coverage) to 100% (perfect test coverage).

Tolerability
Either Tolerability 2017 or Tolerability 2020 can be selected for the LOPAs in IMS SIS. This determines the available Severities that can be selected, as well as their associated Tolerability Criteria (TC). (This is a Shell-specific feature in IMS SIS.)

Top Event

This is the moment when control over the hazard is lost. It is usually what we consider to be an unsafe state that is not yet an accident. Top events, while not being disasters themselves, therefore have the potential to become one if nothing is done to control them. See the figure below.

IMS SIS has the following default Top events for defining a Consequence in the HAZOP: Damage, Exposure, Human error, Loss of Containment, Loss of Control, and Loss of Primary Containment. For some, the Hazard(s) must also be specified, e.g., Loss of Containment. In Settings\Maintenance\SIS Specific data\HAZOP\Top event the SIS ADMIN can list your site’s Top events and define which of them require a Hazard.


