May/June 2012
System Integration

The coming wave of process safety system migration

Systems changes require rigorous hazards analysis

Fast Forward

  • ARC estimates approximately $8 billion of the installed base of legacy process safety systems will need to be migrated to current technology in the near future
  • Safety systems tend to remain in place longer than other plant systems, often resulting in support issues, both internal and external to the company
  • Unlike DCS upgrade projects, most safety system migrations require a rigorous hazards analysis
By Dave Woll 


ARC has written extensively about the rapidly aging installed base of process automation systems that are approaching the end of their useful life, but the same principle applies to other systems, most notably process safety systems. ARC estimates that the value of the installed base of process safety systems reaching the end of their useful life could be in the neighborhood of $8 billion worldwide. Replacing or migrating process safety systems, however, carries with it a unique set of concerns and considerations compared to process automation systems. Conforming to international safety standards, such as IEC 61511, means that end users must conduct a hazards and risk analysis in addition to allocating safety functions to protection layers. Users should also consider the benefits of remote diagnostics provided by today's intelligent safety instrumented system (SIS) devices and control valves.

Aging installed base of safety systems

ARC estimates that the value of the installed base of process automation systems nearing the end of their useful life is around $65 billion. The overall market for process safety systems is much smaller, but even if the aging installed base of safety systems is just 12 percent that of distributed control systems (DCSs), it still represents around $8 billion worldwide. Users installed the first wave of process safety systems soon after the first wave of DCSs.

Existing safety systems need to be replaced for many of the same reasons users need to replace their existing DCSs. Suppliers may no longer support the systems, parts may be difficult to obtain, or the system may be running in a degraded state. Unlike DCSs, safety systems do not actively perform process control. Instead, they just wait for an abnormal situation to occur and then quickly shut down the process or take the plant to a safe state.

Logic solvers in safety systems tend to be very reliable. For this reason, many safety systems are left in place for a long time, perhaps even longer than legacy process automation systems. A fair number of legacy safety systems still in place have MS-DOS interfaces and other very old technologies. If the system is very old, there may be only a couple of people in a given plant who are even familiar with it, and it can be difficult to train new engineers and technicians to work on an old safety system. A sizable installed base of old relay-based safety systems also still exists and is past due for replacement.

Several incentives have been in place for users to hold on to their legacy safety systems. The grandfathering clause in the ISA-84 standard, for example, allows end users to keep their old safety instrumented systems as long as they were designed using previous good engineering practices.

Unique considerations in safety system migration

Companies must consider several important points when modernizing their process safety systems and safety instrumented systems. Unlike DCS upgrade projects, SIS upgrade projects typically include the safety instruments, control valves, and the process safety system. Many end users now take advantage of the diagnostics included in HART-compatible safety devices.

New safety system installations must also conform to standards such as ISA-84 and IEC 61511. ISA-84 is essentially the same as IEC 61511, except for the grandfather clause in the former. ANSI has also adopted ISA-84. U.S.-based process manufacturers must follow ISA-84 when implementing a new process safety system to comply with OSHA requirements.


The IEC 61511 lifecycle

The IEC 61511 standard has a specific lifecycle management process that companies must follow when installing a new safety instrumented system. The IEC 61511 standard specifies 12 steps in the safety lifecycle. These are segmented into four phases: Analysis, Realization, Maintenance, and Ongoing Functions. Let us take a look at the Analysis phase, which includes the initial planning, identification, and specification of safety functions required for the safe operation of a manufacturing process, including documentation of the safety requirements. Specific activities include:

  • Perform hazard and risk analysis
    Determine hazards and hazardous events, the sequence of events leading to a hazardous condition, the associated process risks, the requirements of risk reduction, and the safety functions required.
  • Allocate safety functions to protection layers
    Check the available layers of protection. Allocate safety functions to protection layers and safety systems.
  • Specify requirements for safety system
    If the residual risk still exceeds the tolerable limit, specify the requirements for each safety system and its respective safety integrity level (SIL).

More services required

As the Analysis phase of IEC 61511 alone shows, the process of implementing a process safety system involves much more complexity and requires a lot more documentation and work process management compared to a basic process control system. End users are already stretched to the limit in terms of resources, so it is natural that more of the engineering services required to properly specify and install a process safety system will be performed by automation suppliers and other third parties. It is also effective to automate as much of the lifecycle process as possible using production management, workflow, and procedural automation applications.
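The allocation and SIL-specification steps above can be made concrete with a small calculation. The following is an added example, not part of the article or of any supplier's tooling: it applies a simplified LOPA-style method (an assumed approach; IEC 61511 permits several) to the flammable-liquid tank overfill scenario the article uses later, with all frequencies and PFD values constructed for illustration.

```python
"""Worked IEC 61511 Analysis-phase calculation (added example, not from the article).

Covers two steps: credit the existing independent protection layers (IPLs)
against the initiating event, then derive the risk reduction factor (RRF) the
safety instrumented function (SIF) must provide and map it to a SIL band.
"""
from dataclasses import dataclass, field

# Upper RRF bound of each SIL band for low-demand mode (IEC 61508 / IEC 61511):
# SIL 1 is PFDavg in [1e-2, 1e-1), i.e. RRF in (10, 100]; SIL 2 is (100, 1000]; etc.
SIL_UPPER_RRF = {1: 100.0, 2: 1_000.0, 3: 10_000.0, 4: 100_000.0}


@dataclass
class HazardScenario:
    name: str
    initiating_event_freq: float               # initiating events per year
    tolerable_freq: float                      # target mitigated frequency per year
    ipl_pfds: dict = field(default_factory=dict)  # IPL name -> PFDavg (assumed independent)


def mitigated_frequency(s: HazardScenario) -> float:
    """Hazard frequency remaining after the existing IPLs act (product of PFDs)."""
    f = s.initiating_event_freq
    for pfd in s.ipl_pfds.values():
        f *= pfd
    return f


def required_rrf(s: HazardScenario) -> float:
    """Risk reduction the new SIF must deliver to reach the tolerable frequency."""
    return mitigated_frequency(s) / s.tolerable_freq


def sil_for_rrf(rrf: float) -> str:
    """Map a required RRF to the SIL band the SIF must be specified to."""
    if rrf <= 1.0:
        return "no SIF required"
    if rrf <= 10.0:
        return "RRF <= 10: not a SIL-rated function"
    for sil, upper in SIL_UPPER_RRF.items():
        if rrf <= upper:
            return f"SIL {sil}"
    return "exceeds SIL 4: redesign process or add protection layers"


if __name__ == "__main__":
    # Constructed scenario: BPCS level loop fails high 0.5 times/yr; operator
    # response to the high-level alarm is the only existing IPL (PFD 0.1).
    tank = HazardScenario("tank overfill, high-level trip closes inlet valve",
                          initiating_event_freq=0.5, tolerable_freq=1e-4,
                          ipl_pfds={"operator response to alarm": 0.1})
    print(f"{tank.name}: RRF {required_rrf(tank):.0f} -> {sil_for_rrf(required_rrf(tank))}")
```

Running it on the constructed scenario gives a required RRF of 500, so the high-level trip would have to be specified and verified as a SIL 2 function.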

Functional safety and IEC 61508

IEC 61508, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems, is an international standard of rules applied in industry. IEC 61508 is intended to be a basic functional safety standard applicable to all kinds of industry. It defines functional safety as part of the overall safety relating to the EUC (Equipment Under Control) and the EUC control system. According to the IEC, functional safety is the detection of a potentially dangerous condition resulting in the activation of a protective or corrective device or mechanism. The objective is to either prevent a hazardous event from occurring, or provide mitigation to minimize the consequence of the hazardous event. Functional safety depends on a system or equipment operating correctly in response to its inputs. Functional safety relies on active, rather than passive, systems. For example: activating a level switch in a tank that contains a flammable liquid when a potentially dangerous level has been reached. This causes a valve to be closed to prevent further liquid entering the tank and thereby preventing the liquid in the tank from overflowing.

Last word

The wave of safety system migration is already upon us. It has been the topic of numerous end-user case studies at many of the user group meetings that ARC attended this year. Suppliers are building their service capabilities and developing new tools to make the process of ISA-84 and IEC 61511 compliance that much easier and more cost effective for end users. As you evaluate replacement safety systems and suppliers, ARC strongly recommends that, just as if you were replacing your basic process control system (DCS), you make every effort to avoid a direct functional replacement. Instead, your new safety system should take advantage of new technologies and approaches that can make your plant safer without negatively affecting production.


Dave Woll, VP Consulting Services, ARC Advisory Group, Dedham, Mass., is a senior member of the ARC team where he is primarily responsible for developing the strategic direction for ARC's products and services for the process industries and providing high-level consulting services for ARC clients. Dave has been with ARC since 1997 and has been defining and applying process automation for more than 35 years. This includes the marketing and application of Control, Safety, SCADA, Measurement Systems, and Business Integration. Prior to ARC, Dave held numerous positions at both The Foxboro Company and Bristol Babcock. Dave holds a BSEE from the University of Connecticut.