CFSE - Helpful Information1

The document serves as a preparation guide for the Certified Functional Safety Expert (CFSE) examination, providing essential acronyms, glossary terms, and equations relevant to functional safety. It includes detailed definitions and explanations of various safety concepts, risk management terms, and safety system components. This resource is aimed at helping candidates understand key terminology and principles necessary for the examination and practical application in the field.


CFSE
Certified Functional Safety Expert

Examination Preparation
Useful Information

Section 1: Acronyms
Section 2: Glossary
Section 3: Equations
Section 4: Figures

CFSE Prep Course Useful Information
Emerson Process Management
Acronyms

ALARP: As Low as Reasonably Practicable
BLEVE: Boiling Liquid-Expanding Vapor Explosion
BMS: Burner Management System
BPCS: Basic Process Control System
DC: Diagnostic Coverage
E/E/PE: Electrical / Electronic / Programmable Electronic
EEGL: Emergency Exposure Guidance Level
ERPG: Emergency Response Planning Guidelines
EUC: Equipment Under Control
FAT: Factory Acceptance Test
FMEA: Failure Modes and Effects Analysis
FMEDA: Failure Modes, Effects and Diagnostics Analysis
FSM: Management of Functional Safety
FTA: Fault Tree Analysis
FTD: Fault Tree Diagrams
HazOp: Hazards and Operability Study
IDHL: Immediately Dangerous to Health and Life
LOPA: Layers of Protection Analysis
MM: Markov Modeling
MoC: Materials of Construction
MOC: Management of Change
MSDS: Material Safety Data Sheet
MTBF: Mean Time Between Failures
MTTF: Mean Time to Failure
MTTFS: Mean Time to Failure, Spurious or Safe (False Trip Rate)
MTTFD: Mean Time to Failure, Dangerous
MTTR: Mean Time to Repair
OCA: Off-site Consequence Analysis (EPA)
P&ID: Piping and Instrument Diagram
PEL: Permissible Exposure Limit
PES: Programmable Electronic System
PdF: Probability of Failure, Dangerous
PFD: Probability of Failure on Demand, or Probability of Failure, Dangerous
PFD: Process Flow Diagram
PFDavg: Average Probability of Failure on Demand
PFS: Probability of Failure, Safe
PHA: Process Hazards Analysis
PL: Probable Loss
PLL: Probable Loss of Life
PSAT: Pre-Startup Acceptance Test (see SIT)
PSI: Process Safety Information
PSSR: Pre-Startup Safety Review
RBD: Reliability Block Diagrams
RR: Risk Reduction (Facility)
RRF: Risk Reduction Factor
SAT: Site Acceptance Test
SF: Safety Function
SFF: Safe Failure Fraction
SIF: Safety Instrumented Function
SIL: Safety Integrity Level
SIT: Site Integration Test (see PSAT)
SLC: Safety Life Cycle
SPEGL: Short-term Public Exposure Guidance Level
SRS: Safety Related System
SRS: Safety Requirements Specification
STR: Spurious Trip Rate
TLV: Threshold Limit Value
TLV-C: Threshold Limit Value - Ceiling
TLV-STEL: Threshold Limit Value - Short Term Exposure Limit
TLV-TWA: Threshold Limit Value - Time Weighted Average
WCS: Worst Case Scenario (EPA)
λ: Failure Rate
μ: Repair Rate

Page 3 of 37 Revised 6/29/04


Glossary

Absorbing State: In Markov modeling, a state (represented by a circle) that can only be entered (arc toward).

As Low as Reasonably Practicable: Also called the Tolerable Region; the region of risk between Intolerable and Broadly Acceptable. Established in the UK as the level of risk between less than 10^-3 fatalities per man-year worked (or less than 10^-4 fatalities per year for the public), de manifestus, and greater than 10^-5 fatalities per man-year worked (or greater than 10^-6 fatalities per year for the public), de minimus. The de minimus level is the background level that occurs generally in all workplaces, regardless of the risks of the workplace.

Attenuation: Diluting or otherwise reducing concentrations, or separating the total quantity so that the maximum event will be smaller.

Availability: The probability at a specific moment in time that a repairable system will be able to operate successfully when required to; that it is not failed or being repaired.

Complementary Events: When one outcome does not occur, the other will always occur, e.g. heads and tails in a coin toss. P(A) = 1 - P(B), [P(heads) = 1 - P(tails)].

Consequence: The measure of impact in terms of expected fatalities, injuries, environmental damage, and/or property damage; determined by estimating the number of receptors in the affected area. "A measure of the expected effects of an outcome case (e.g., an ammonia cloud from a 10 lb/s leak under Stability Class D weather conditions and a 1.4-mph wind traveling in a northerly direction will cause 50 injuries)." (CCPS, Guidelines for CPQRA)

Containment: Using equipment designed or built to higher codes or standards, or secondary containment systems capable of capturing and managing releases.

Control: Using engineered solutions, procedures, training, and management systems to reduce or limit the demands on the process.

Dangerous Failure: See "Failure, dangerous".

De Manifestus: The high-risk bound of the ALARP region: 10^-3 fatalities per man-year worked or 10^-4 fatalities per year for the public.

De Minimus: The low-risk bound of the ALARP region: 10^-5 fatalities per man-year worked or 10^-6 fatalities per year for the public. This is the background level that occurs generally in all workplaces, regardless of the risks of the workplace.


Effect Zone: For an incident that produces an incident outcome of toxic release, the area over which the airborne concentration equals or exceeds some level of concern. For a flammable vapor release, the area over which a particular incident outcome case produces an effect based on a specified overpressure criterion. For thermal radiation effects, the area over which a particular incident outcome case produces an effect based on thermal damage criteria. (CCPS, Guidelines for CPQRA)

Emergency Exposure Guidance Level: Developed by the US National Research Council and based on exposure of healthy military personnel; exposure to concentrations at the EEGL may produce transient irritation or central nervous system effects but should not produce effects that are lasting or would impair performance of a task, for exposures in the range of 1 to 24 hours.

Equipment Under Control: The equipment, machinery, apparatus, or plant used for manufacturing, process, transport, medical, or other activities. The EUC control system is separate and distinct from the EUC.

ERPG-1: Exposure concentration below which, based on a one-hour exposure time, there are no significant health effects. Becoming an industry/government norm.

ERPG-2: Exposure concentration below which, based on a one-hour exposure time, there are no irreversible health effects. Becoming an industry/government norm.

ERPG-3: Exposure concentration below which, based on a one-hour exposure time, injury results but there are no life-threatening effects; more represents the potential for fatalities. Becoming an industry/government norm.

Fail-safe State: In FMEA, this is the state the component goes to when the outputs are de-energized.

Failure, dangerous: A failure that does not respond to a demand from the process, i.e. the component is unable to go to the defined fail-safe state.

Failure, "don't care": A component failure that is part of the safety function, but has no effect on the safety function of the module, sub-system, or system.

Failure, not considered: A component failure that is not considered in the FMEDA. When calculating the SFF, the failure rate of this failure mode is usually divided into 50% safe failures and 50% dangerous, undetected failures.

Failure, safe: A component failure that causes the module, sub-system, or system to go to the defined fail-safe state without a demand from the process.

Fault Tolerance: The ability of a functional unit to continue to perform a required function in the presence of faults and errors.


Functional Safety: The activities associated with equipment and process safety, as it involves correct functioning of specific safety systems.

Hazard: A potential source of harm. (IEC 61511-1) A chemical or physical condition that has the potential for causing damage to people, property or the environment (e.g., a pressurized tank containing 500 tons of ammonia). (CCPS, Guidelines for CPQRA)

Immediately Dangerous to Health and Life: Developed by NIOSH; "exposure is likely to cause death or immediate or delayed permanent health effects, or prevent escape from such an environment", and is based on an exposure of 30 minutes.

Incident: The loss of containment of material or energy (e.g. leak of 10 lb/s of ammonia from the connecting pipeline to the ammonia tank, producing a toxic vapor cloud); not all events propagate into incidents. (CCPS, Guidelines for CPQRA)

Incident Outcome: The magnitude of a specific loss of containment incident in terms of a certain effect and the area where that effect is expected. The physical manifestation of the incident; for toxic materials, the incident outcome is a toxic release, while for flammable materials the incident outcome could be a Boiling Liquid Expanding Vapor Explosion (BLEVE), flash fire, unconfined vapor cloud explosion, toxic release, etc. (e.g., for a 10 lb/s leak of ammonia, the incident outcome is a toxic release). (CCPS, Guidelines for CPQRA)

Independent Events: Events that do not affect each other, e.g. coin tosses, dice throws.

Inherent Risk: The risk from a completed process design that contains a given amount of process materials at given process conditions, before mitigating or preventive safety functions are applied.

Initiating Event: The first event in an event sequence (e.g., the stress corrosion resulting in leak/rupture of the connecting pipeline to the ammonia tank). (CCPS, Guidelines for CPQRA)

Intensification: Simply using less of a hazardous chemical.

Intermediate Event: An event that propagates or mitigates the initiating event during an event sequence (e.g. improper operator action fails to stop the initial ammonia leak and causes propagation of the intermediate event to an incident; in this case the intermediate event outcome is a toxic release). (CCPS, Guidelines for CPQRA)

Legislation: Laws enacted by elected officials, either federal, state or local (Clean Air Act Amendments, Local Building Codes).


Level of Concern: Developed by EPA with the EPCRA Act, it is "the maximum concentration of an extremely hazardous substance in air that will not cause serious irreversible health effects in the general population" and is based on an exposure of 30 minutes; compares to IDHL.

Mutually Exclusive Events: When one event occurs the other(s) cannot happen, e.g. the outcomes of a toss of one die (1, 2, 3, 4, 5, or 6) are mutually exclusive.

Permissible Exposure Limit: Developed by OSHA and having the force of law, it is the maximum average concentration to which workers can be exposed over a period of 8 hours, with an effect similar to a TLV.

Permissive: Set of conditions that must be met prior to an action being taken, e.g. a purge sequence.

Probable Loss of Life: The statistical number of lives that could be lost as an outcome of an incident. Need not be a whole number, and can be greater than one if it is probable that more than one life could be lost. This is not a probability.

Probability of Success: The chance that a system will perform its intended function when operated within its specified limits.

Probit (Probability Unit): The probit method provides a generalized time-dependent relationship between probability of fatality (injury) and amount of exposure.

Protection: Providing independent active systems that override the normal process controls when unsafe conditions are detected.

Proven in Use: A means of using components in an SIS that have not been designed and manufactured in accordance with IEC 61508-2 and IEC 61508-3. Requires consideration of the manufacturer's quality management and of the performance of the device in a similar operating profile.

Random Failures: A failure occurring at a random time, which results from one or more of the possible degradation mechanisms.

Recommendation: Proposed safety function or safety instrumented function for reducing risk.

Recommended Practice: Recommendations of an industry group.

Regulation: Rules, which have the weight of law, through delegation of authority (OSHA, EPA).

Reliability: The probability that a system will be able to operate successfully when required to, without repairs, within a specified period of time; that it is not failed.

Risk Integral: A one-dimensional measure of the expected loss for a process that sums the frequency and consequence for all potential loss events.

Safe Failure: See "Failure, safe".

Safeguard: Existing safety function or safety instrumented function for reducing risk.
Safety Instrumented Function: A combination of sensors, logic solver, and final elements with a specified safety integrity level that detects an out-of-limit (abnormal) condition and brings the process to a functionally safe state. "Interlock" is an older, imprecise term for SIF.

Safety Instrumented System: A system of Safety Instrumented Functions composed of sensors, logic solvers, and final elements for the purpose of taking the process to a safe state when predetermined conditions are violated.

Safety Integrity Level: One of three (or four) discrete integrity levels (SIL 1, SIL 2, SIL 3, and with IEC 61508, SIL 4) that correspond to orders-of-magnitude reductions of risk. SIL 4 has the highest safety integrity; SIL 1 has the lowest safety integrity.

Safety Requirements Specification: Contains
1. the Safety Functions that have to be carried out by the safety related systems, and
2. the Safety Integrity Levels for the various Safety Functions.

Short-term Public Exposure Guidance Level: Developed by the US National Research Council and, in general, 10-50% of the EEGL (for sensitive populations); concentrations at the SPEGL are acceptable for exposures of members of the general public in the range of 1 to 24 hours.

Simplification: Removing or minimizing opportunities for error or failure.

Standards: Consensus of an industry group on the lowest level of engineering acceptable.

Substitution: Using different chemicals, equipment, or technology.

Survival: Providing capabilities to mitigate a release, or effective emergency response plans which provide adequate notification and include sheltering-in-place or evacuation.

Systematic Failures: A failure related in a deterministic way to a certain cause, which can only be eliminated by a modification of the design or of the manufacturing process, operational procedures, documentation, or other relevant factors.

Threshold Limit Value - Ceiling: Developed by ACGIH, it is the maximum concentration to which workers should be exposed for any period of time.

Threshold Limit Value - Short Term Exposure Limit: Developed by ACGIH, it is the maximum concentration to which workers can be exposed for a period of up to 15 minutes without suffering (1) intolerable irritation, (2) chronic or irreversible tissue change, or (3) narcosis sufficient to increase accident-proneness or impair self-rescue.

Threshold Limit Value - Time Weighted Average: Developed by ACGIH, it is the maximum average concentration to which workers can be exposed over a period of 8 hours.
Toxicity: "The ability of a substance to produce an unwanted effect when the chemical has reached a sufficient concentration at a certain site in the body." (NSC 1971, Fundamentals of Industrial Hygiene)

Transient State: In Markov modeling, a state (represented by a circle) that can be entered (arc toward) and exited (arc away).

Trip: Conditions and action taken to move the furnace to a safe state when a hazardous condition is detected, e.g. Master Fuel Trip.

Unreliability: The probability that a system will fail within a specified period of time.

Validation: Activity of demonstrating, by tests, that the Safety-Related System, before or after installation, meets the Safety Requirements Specification.

Verification: Activity of demonstrating for each phase of the Safety Lifecycle, by analysis, tests, or both, that, for the specific inputs, the deliverables meet the objectives and requirements set for the specific phase.

Equations
Laws > Regulations > Standards > Recommended Practice

Financial Equations

Single amounts
FV = PV x (1 + R)^N
PV = FV / (1 + R)^N
Where FV is the future value of a single amount
PV is the present value of a single amount
R is the interest or discount rate
N is the number of years

Annuities
FV = M x ((1 + R)^N - 1) / R
PV = M x (1 - (1 + R)^-N) / R
Where FV is the future value of an annuity
PV is the present value of an annuity
M is the annual amount, applied at the end of the year
R is the interest or discount rate
N is the number of years

Benefit Cost Ratio
B-C ratio = (F_nosis x EV_nosis - F_sis x EV_sis) / (Cost_sis + Cost_nt)
Where B-C ratio is the ratio of benefits to costs
F_nosis is the frequency of the unwanted event without an SIS
F_sis is the frequency of the unwanted event with an SIS
EV_nosis is the total expected value of loss of the event without an SIS
EV_sis is the total expected value of loss of the event with an SIS
Cost_sis is the total lifecycle cost of the SIS (annualized)
Cost_nt is the cost incurred due to nuisance trips (annualized)
Probability
For independent events
P(A and B) = P(A) x P(B)
For mutually exclusive events
P(A or B) = P(A) + P(B)
For non-mutually exclusive events
P(A or B or ... or N) = 1 - (1 - P_A) x (1 - P_B) x ... x (1 - P_N)

Reliability Analysis

Reliability and Unreliability
R(t) = P(T > t)
Where R(t) is the reliability of an unrepairable system for a given period of time
T is the time of failure
P(T > t) is the probability that a failure occurs after time t
F(t) = P(T < t)
Where F(t) is the unreliability for a given period of time
1 = R(t) + F(t)
F(t) = PFD + PFS
Where PFD is the probability of failure on demand (dangerous failure)
PFS is the probability of failure, safe (nuisance trips)
RRF = 1 / PFD
Where RRF is the risk reduction factor used with Safety Integrity Levels
MTTF = 1 / λ
Where MTTF is the mean time to failure
λ is the rate of failure, often assumed to be a constant rate
λ = n / t
Where n is the number of failures
t is the period of time for which the failure rate is being calculated
λ is the failure rate
R(t) = e^(-λt)
F(t) = 1 - e^(-λt)
Where t is the period of time for which the reliability is being calculated
F(t) ~ λt
This approximation is good for small values of F(t) (< 0.1)

Availability and Unavailability
1 = A + U
Where A is the availability, the probability of successful operation of a repairable system at a specific moment in time, which is independent of the period of time considered
U is the unavailability of a repairable system
MTTF = 1 / λ
Where MTTF is the mean time to failure
λ is the rate of failure, often assumed to be a constant rate
MTTR = 1 / μ
Where MTTR is the mean time to repair
μ is the rate of repair, often assumed to be a constant rate
MTBF = MTTF + MTTR
U = MTTR / (MTTF + MTTR)
U = MTTR / MTBF
U = λ / (λ + μ)
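The reliability and availability relations above as runnable Python, an added example rather than text from the guide. The constructed field data (3 failures over 200 devices in 5 years, an 8-hour MTTR) is an assumption; the code checks the two forms of U against each other and shows where the F(t) ~ λt shortcut stops being good, which is the < 0.1 caveat stated above.

```python
"""Reliability and availability relations from the prep guide.

Added example, not part of the original guide. Failure counts, operating
times and repair times used in example() are constructed.
"""
import math

HOURS_PER_YEAR = 8760.0


def failure_rate(n_failures: int, total_time: float) -> float:
    """lambda = n / t, with t the accumulated operating time (e.g. device-hours)."""
    if total_time <= 0:
        raise ValueError("accumulated operating time must be positive")
    return n_failures / total_time


def reliability(lam: float, t: float) -> float:
    """R(t) = e^(-lambda t) for a constant failure rate, unrepairable item."""
    return math.exp(-lam * t)


def unreliability(lam: float, t: float) -> float:
    """F(t) = 1 - R(t) = 1 - e^(-lambda t)."""
    return 1.0 - reliability(lam, t)


def unreliability_approx(lam: float, t: float) -> float:
    """F(t) ~ lambda t; the guide says this is good only while F(t) < 0.1."""
    return lam * t


def approximation_error(lam: float, t: float) -> float:
    """Relative error of lambda*t against the exact 1 - e^(-lambda t)."""
    exact = unreliability(lam, t)
    return (unreliability_approx(lam, t) - exact) / exact


def unavailability(mttf: float, mttr: float) -> float:
    """U = MTTR / (MTTF + MTTR) = MTTR / MTBF for a repairable system."""
    return mttr / (mttf + mttr)


def unavailability_from_rates(lam: float, mu: float) -> float:
    """U = lambda / (lambda + mu); the same quantity written with rates."""
    return lam / (lam + mu)


def example() -> dict:
    # Constructed field data: 3 failures across 200 transmitters over 5 years.
    lam = failure_rate(3, 200 * 5 * HOURS_PER_YEAR)   # failures per hour
    mttf = 1.0 / lam
    mttr = 8.0                                         # hours to repair (constructed)
    return {
        "lambda_per_hour": lam,
        "F_1yr": unreliability(lam, HOURS_PER_YEAR),
        "err_1yr": approximation_error(lam, HOURS_PER_YEAR),        # small: lambda t = 0.003
        "F_100yr": unreliability(lam, 100 * HOURS_PER_YEAR),
        "err_100yr": approximation_error(lam, 100 * HOURS_PER_YEAR), # lambda t = 0.3, shortcut off by >10%
        "A": 1.0 - unavailability(mttf, mttr),
        "U_from_times": unavailability(mttf, mttr),
        "U_from_rates": unavailability_from_rates(lam, 1.0 / mttr),
    }
```

The two unavailability forms agree to floating-point precision, which is the point of listing them both; the approximation error columns make the < 0.1 rule concrete: at λt = 0.003 the shortcut is off by about 0.15%, at λt = 0.3 by about 16%.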

Safe and Dangerous Failures
λ = λS + λD
λS = λSD + λSU
λD = λDD + λDU
Where λS is the rate of all safe failures
λD is the rate of all dangerous failures
λSD is the rate of all detected safe failures
λSU is the rate of all undetected safe failures
λDD is the rate of all detected dangerous failures
λDU is the rate of all undetected dangerous failures
SFF = (λS + λDD) / λ
SFF = (λSD + λSU + λDD) / (λSD + λSU + λDD + λDU)
SFF = 1 - (λDU / λ)
Where SFF is the Safe Failure Fraction
SFF = (λS + DC x λD) / λ
Where DC is the Diagnostic Coverage of dangerous failures
When there are failure modes that are "not considered":
SFF = 1 - ((λDU + λNC) / λ)
Where λNC is the failure rate of failure modes not considered in the FMEDA
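The SFF equations above as Python, an added example and not the guide's own material. The FIT values are constructed. The page offers two treatments of "not considered" modes: the glossary entry splits λNC 50/50 between safe and dangerous undetected, while the last equation above counts all of λNC as dangerous undetected; both are implemented so the difference is visible. That λ in that equation's denominator includes λNC is an assumption made here.

```python
"""Safe Failure Fraction from FMEDA failure rates, per the guide's equations.

Added example, not part of the original guide. The FIT figures in example()
are constructed and do not describe any real device.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Fmeda:
    """Failure rates in FIT (failures per 1e9 h) in the four IEC 61508 classes,
    plus the 'not considered' rate that the guide handles separately."""
    sd: float          # safe detected
    su: float          # safe undetected
    dd: float          # dangerous detected
    du: float          # dangerous undetected
    nc: float = 0.0    # not considered in the FMEDA

    @property
    def lam_s(self) -> float:
        """lambda_S = lambda_SD + lambda_SU."""
        return self.sd + self.su

    @property
    def lam_d(self) -> float:
        """lambda_D = lambda_DD + lambda_DU."""
        return self.dd + self.du

    @property
    def lam(self) -> float:
        """lambda = lambda_S + lambda_D (not-considered failures excluded)."""
        return self.lam_s + self.lam_d

    def diagnostic_coverage(self) -> float:
        """DC = lambda_DD / lambda_D, the detected share of dangerous failures."""
        return self.dd / self.lam_d if self.lam_d else 1.0

    def sff_definition(self) -> float:
        """SFF = (lambda_S + lambda_DD) / lambda."""
        return (self.lam_s + self.dd) / self.lam

    def sff_complement(self) -> float:
        """SFF = 1 - lambda_DU / lambda; algebraically the same as the definition."""
        return 1.0 - self.du / self.lam

    def sff_from_dc(self) -> float:
        """SFF = (lambda_S + DC x lambda_D) / lambda."""
        return (self.lam_s + self.diagnostic_coverage() * self.lam_d) / self.lam

    def sff_nc_conservative(self) -> float:
        """SFF = 1 - (lambda_DU + lambda_NC) / lambda, the guide's equation for
        'not considered' modes: every NC failure counted as dangerous undetected.
        Assumption: lambda in the denominator includes lambda_NC."""
        total = self.lam + self.nc
        return 1.0 - (self.du + self.nc) / total

    def sff_nc_split(self) -> float:
        """Glossary convention: NC rate split 50% safe / 50% dangerous undetected."""
        total = self.lam + self.nc
        return (self.lam_s + 0.5 * self.nc + self.dd) / total


def example() -> dict:
    # Constructed FMEDA result, in FIT.
    dev = Fmeda(sd=100.0, su=50.0, dd=300.0, du=50.0, nc=20.0)
    return {
        "DC": dev.diagnostic_coverage(),
        "SFF": dev.sff_definition(),
        "SFF_complement": dev.sff_complement(),
        "SFF_from_DC": dev.sff_from_dc(),
        "SFF_NC_conservative": dev.sff_nc_conservative(),
        "SFF_NC_split": dev.sff_nc_split(),
    }
```

The three NC-free forms return the same 0.90 for the constructed device, as they must; treating the 20 FIT of not-considered modes conservatively pulls SFF down to about 0.865, the 50/50 split to about 0.885. Which convention a certificate used matters when the result sits near a band boundary.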

Consequence Analysis—Probable Loss
Statistical Analysis
PL = Σ(all losses) / total number of incidents

Consequence Analysis—Occupancy (O)
O_person = A_effect x ρ_person
Where O_person is occupancy
A_effect is the effect zone area
ρ_person is the population density

Consequence Analysis—Probable Loss of Life (PLL)
PLL = O_person x V
Where PLL is the probable loss of life
O_person is occupancy
V is vulnerability

Consequence Analysis—Expected Value of Loss (EV)
EV = Capital density x Damaged area x Vulnerability


Consequence Analysis—EPA Worst Case Scenarios

Vapor Cloud Explosion or BLEVE
m_TNT = m_flammable x (Hc / 1155) x Yf
Where m_TNT is the equivalent weight of TNT, lbs
m_flammable is the flammable mass, lbs
Hc is the heat of combustion, kcal/kg
1155 is the heat of combustion of TNT
Yf is the explosive yield factor (typically 0.1 for EPA OCAs)
d = m_TNT^(1/3) x e^(3.5031 - 0.7241 ln(Op) + 0.0398 (ln(Op))^2)
Where d is the distance to a given overpressure, ft (a radius)
Op is the peak overpressure, psi
  5 psi: equipment damage
  3 psi: fatality
  1 psi: injury

Physical Explosion
m_TNT = 9.24 x 10^-5 x P x V x ln(P / 14.7)
Where m_TNT is the equivalent weight of TNT, lbs
P is the bursting pressure of the vessel, psia
V is the volume of the vessel, ft^3
Calculate the distance to peak overpressure as for Vapor Cloud Explosions.
Note: The ASME Pressure Vessel Code is based on a 4x safety factor, so the bursting pressure will be at least 4x the design pressure.

Pool Fire
d = 70.71 x (A / (1000 R))^(1/2) x PFF
Where d is the distance to the endpoint, ft (a radius)
A is the area of the pool, ft^2 (area of containment, or 1 cm deep)
PFF is the Pool Fire Factor (from look-up tables)
R is the radiation intensity endpoint, kW/m^2
  37.5 kW/m^2: equipment damage
  12.5 kW/m^2: fatality
  5.0 kW/m^2: injury

Probit Analysis
Y = k1 + k2 ln V
Where V is the dose, expressed in a number of ways
k1 is a constant specific to the consequence
k2 is a second constant specific to the consequence
Convert the probit, Y, to a percentage by table.


SIL Assignment

Frequency Based Targets
PFD_SIF = F_target / F_unmitigated event
Where PFD_SIF is used to assign the SIL, per the table from IEC 61511
F_target is the target frequency of an incident outcome, from table
F_unmitigated event is the frequency without an SIS being installed

Individual Risk Targets
F_target (tolerable) = F_individual risk / PLL
Where F_target (tolerable) is the tolerable frequency
F_individual risk is a function of the tolerable individual risk
PLL is the Probable Loss of Life

Risk
R = C x F
Where R is risk
C is the consequence
F is the likelihood, expressed as a frequency

Risk Integral
IR = Σ Ci Fi
Where IR is the Risk Integral, a one-dimensional indication of risk
Ci is the consequence of the individual event (in terms of fatalities for loss of life calculations)
Fi is the frequency of the individual event

Risk Reduction Factor
RRF_SIF = 1 / PFDavg
RRF_SIF = R_unmitigated event / R_tolerable
Where RRF_SIF is used to assign the SIL, per the table from IEC 61511
R_unmitigated event is the risk without an SIS being installed
R_tolerable is the tolerable risk

SIL Verification
Based on Calculated Probability of Failure on Demand
SIL = -log10(PFDavg)
Where the calculated value is truncated to an integer value
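The consequence-analysis and SIL-assignment equations above chained end to end in Python, as an added example (not from the guide): occupancy to PLL, tolerable frequency to required PFD_SIF and RRF, the risk integral, and the SIL verification rule SIL = -log10(PFDavg) truncated. All plant figures are constructed; the choices to report SIL 0 for a PFDavg of 0.1 or worse and to cap at SIL 4 follow the SIL tables in the Figures section of this document, not anything stated in these equations.

```python
"""SIL assignment and verification chain from the prep guide equations.

Added example, not part of the original guide. Every plant figure in
example() is constructed. Chain: occupancy -> PLL -> tolerable frequency
-> required PFD_SIF and RRF -> SIL, then verification of an achieved PFDavg.
"""
import math


def occupancy(effect_area_m2: float, population_density_per_m2: float) -> float:
    """O_person = A_effect x rho_person: expected persons inside the effect zone."""
    return effect_area_m2 * population_density_per_m2


def probable_loss_of_life(occupancy_persons: float, vulnerability: float) -> float:
    """PLL = O_person x V. A statistical count, not a probability; may exceed 1."""
    return occupancy_persons * vulnerability


def tolerable_frequency(individual_risk_per_year: float, pll: float) -> float:
    """F_target(tolerable) = F_individual risk / PLL."""
    return individual_risk_per_year / pll


def required_pfd(f_target: float, f_unmitigated: float) -> float:
    """PFD_SIF = F_target / F_unmitigated. A value >= 1 means no SIS is needed."""
    return f_target / f_unmitigated


def risk_reduction_factor(pfd: float) -> float:
    """RRF = 1 / PFD."""
    return 1.0 / pfd


def risk_integral(events) -> float:
    """IR = sum(C_i x F_i) over (consequence, frequency) pairs."""
    return sum(c * f for c, f in events)


def sil_from_pfd(pfd_avg: float) -> int:
    """SIL = -log10(PFDavg) truncated to an integer (guide: SIL Verification).

    Assumption for the edges: PFDavg >= 0.1 is below SIL 1 and reported as 0;
    anything beyond SIL 4 is capped at 4, matching the SIL table's top row.
    """
    if not 0.0 < pfd_avg < 1.0:
        raise ValueError("PFDavg must lie strictly between 0 and 1")
    return min(4, max(0, math.floor(-math.log10(pfd_avg))))


def example() -> dict:
    # Constructed scenario: 2000 m^2 effect zone, 0.002 persons/m^2, V = 0.5.
    o = occupancy(effect_area_m2=2000.0, population_density_per_m2=0.002)   # 4 persons
    pll = probable_loss_of_life(o, vulnerability=0.5)                        # 2 fatalities
    f_tol = tolerable_frequency(individual_risk_per_year=1e-5, pll=pll)      # 5e-6 per year
    pfd_req = required_pfd(f_tol, f_unmitigated=0.01)                        # 5e-4
    achieved = 8.0e-4   # constructed PFDavg from a separate SIL verification calculation
    return {
        "PLL": pll,
        "F_tolerable": f_tol,
        "PFD_required": pfd_req,
        "RRF_required": risk_reduction_factor(pfd_req),
        "SIL_required": sil_from_pfd(pfd_req),
        "SIL_achieved": sil_from_pfd(achieved),
        "meets_target": achieved <= pfd_req,
    }
```

The constructed case lands both the requirement (5 x 10^-4) and the achieved value (8 x 10^-4) in SIL 3, yet the design does not meet the target: the truncated -log10 tells you the band, not whether the specific PFD target derived from the tolerable frequency has been met, so verification should compare PFDavg against PFD_SIF directly and not stop at the SIL digit.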

Multiple Failure Modes

System Reliability
R_S = R_A x R_B
Where R_S is system reliability, and R_A and R_B are series component reliabilities.
R_S = R_A(t) x R_B(t) = e^(-λA t) x e^(-λB t) = e^(-(λA + λB) t)
λ_S = λ_A + λ_B
F_S = F_A x F_B
Where F_S is system unreliability, and F_A and F_B are parallel component unreliabilities.

System Availability
A_S = A_A x A_B
Where A_S is system availability, and A_A and A_B are series component availabilities.

Probability of Failure on Demand (Dangerous)
PFD = λD / (λD + λS) x (1 - e^(-(λD + λS) t))
PFD ~ 1 - e^(-λD t)
Where λD is the dangerous failure rate and λS is the safe failure rate.

Safe Failure Fraction (SFF)
SFF = (λSD + λSU + λDD) / λTotal
SFF = 1 - (λDU / λTotal)
Where λXD is a detected failure rate and λXU is an undetected failure rate.

Approximation Formulas
PFD ~ λD t, only if PFD < 0.1
PFS ~ λS t
PFDavg ~ λD t / 2
PFSavg ~ λS t / 2

Probability of Failure on Demand (max)
PFDmax = 1 - e^(-λt)

Beta Model of Common Cause Failure
λ = λN + λC
Where λN is the "normal", independent failure rate
λC is the common cause failure rate
λN = (1 - β) λ
λC = β λ
Where β is the failure rate partition.
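The series/parallel rules, the PFD approximations and the beta partition above in Python, as an added example rather than the guide's own. It goes beyond the page in two places, both labelled as assumptions: it computes the exact time average of 1 - e^(-λD t) over a proof-test interval to show how close PFDavg ~ λD t/2 is, and it combines the beta partition with the page's own series and parallel rules to model a redundant pair. All failure rates and the test interval are constructed.

```python
"""Series/parallel combination, PFD approximations and the beta model.

Added example, not part of the original guide. Failure rates and the test
interval are constructed. The exact PFDavg integral and the way the beta
partition is combined with the parallel-unreliability rule are assumptions
built from the guide's own rules, not formulas the guide states.
"""
import math


def series_reliability(*component_reliabilities: float) -> float:
    """R_S = R_A x R_B x ...: a series system works only if every part works."""
    r = 1.0
    for ri in component_reliabilities:
        r *= ri
    return r


def series_failure_rate(*lams: float) -> float:
    """lambda_S = lambda_A + lambda_B for series components with constant rates."""
    return sum(lams)


def parallel_unreliability(*component_unreliabilities: float) -> float:
    """F_S = F_A x F_B x ...: a parallel (redundant) system fails only if all parts fail."""
    f = 1.0
    for fi in component_unreliabilities:
        f *= fi
    return f


def pfd_exact(lam_d: float, lam_s: float, t: float) -> float:
    """PFD = lambda_D/(lambda_D + lambda_S) x (1 - e^(-(lambda_D + lambda_S) t))."""
    lam = lam_d + lam_s
    return lam_d / lam * (1.0 - math.exp(-lam * t))


def pfd_approx(lam_d: float, t: float) -> float:
    """PFD ~ lambda_D t, only if PFD < 0.1."""
    return lam_d * t


def pfd_avg_approx(lam_d: float, test_interval: float) -> float:
    """PFDavg ~ lambda_D x TI / 2 over a proof-test interval TI."""
    return lam_d * test_interval / 2.0


def pfd_avg_exact(lam_d: float, test_interval: float) -> float:
    """Mean of 1 - e^(-lambda_D t) over [0, TI], in closed form (assumption:
    used here only to check the TI/2 approximation; not in the guide)."""
    x = lam_d * test_interval
    return 1.0 - (1.0 - math.exp(-x)) / x


def beta_partition(lam: float, beta: float) -> tuple:
    """lambda_N = (1 - beta) lambda (independent), lambda_C = beta lambda (common cause)."""
    return (1.0 - beta) * lam, beta * lam


def redundant_pair_pfd(lam_d: float, beta: float, t: float) -> float:
    """PFD of two identical channels where either can perform the function.

    Assumption: the independent parts fail in parallel (product of their
    unreliabilities) and the common-cause part, which defeats both channels,
    is placed in series with that block (product of reliabilities), each
    using the guide's PFD ~ 1 - e^(-lambda t).
    """
    lam_n, lam_c = beta_partition(lam_d, beta)
    f_single = 1.0 - math.exp(-lam_n * t)
    f_independent = parallel_unreliability(f_single, f_single)
    f_common = 1.0 - math.exp(-lam_c * t)
    r_system = series_reliability(1.0 - f_independent, 1.0 - f_common)
    return 1.0 - r_system


def example() -> dict:
    lam_d, lam_s = 2.0e-6, 1.0e-5   # per hour, constructed
    ti = 8760.0                      # annual proof test, hours
    return {
        "pfd_exact_1yr": pfd_exact(lam_d, lam_s, ti),
        "pfd_approx_1yr": pfd_approx(lam_d, ti),
        "pfd_avg_approx": pfd_avg_approx(lam_d, ti),
        "pfd_avg_exact": pfd_avg_exact(lam_d, ti),
        "pfd_1oo2_beta0": redundant_pair_pfd(lam_d, 0.0, ti),
        "pfd_1oo2_beta10": redundant_pair_pfd(lam_d, 0.10, ti),
    }
```

With β = 0 the pair's PFD is just the square of one channel's; with β = 0.1 the common-cause term is several times larger than that product, which is why redundancy alone does not buy an order of magnitude unless common-cause failures are attacked too.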
Markov Modeling
tmax = t/2
Where tmax is the maximum time increment that should be used
t is the shortest time span being modeled

FIGURES

A UK study by the Health and Safety Executive (HSE) showed the following breakdown of accident causes involving control systems:

Specification: 44%
Design and implementation: 15%
Changes after commissioning: 21%
Installation and commissioning: 6%
Operation and maintenance: 15%

Safety Life Cycle (figure; the phase boxes, in order, are all that survives extraction)

Concept
Scope definition
Hazard/risk analysis
Safety requirements
Safety requirements allocation
O and M planning; Validation planning; Installation and commissioning planning; SRS (E/E/PES) realization
Installation and commissioning
Safety validation
Operation, maintenance, repair
Modification and retrofit (back to the appropriate safety lifecycle phase)
Decommissioning


As Low As Reasonably Practicable: levels set per UK HSE (figure)

High risk
Intolerable Region
Boundary: 10^-3 / man-year (worker); 10^-4 / year (public)
ALARP or Tolerable Region
Boundary: 10^-6 / man-year
Broadly Tolerable Region
Negligible risk


Safety Integrity Level (SIL), demand mode of operation: Probability of Failure on Demand (PFDavg) and Risk Reduction Factor (RRF)

SIL 4 (not in ISA S84): 10^-4 > PFD > 10^-5; 10000 < RRF < 100000
SIL 3: 10^-3 > PFD > 10^-4; 1000 < RRF < 10000
SIL 2: 10^-2 > PFD > 10^-3; 100 < RRF < 1000
SIL 1: 10^-1 > PFD > 10^-2; 10 < RRF < 100

Safety Integrity Level (SIL), continuous mode of operation: Probability of Failure per Hour (PF/hr)

SIL 4 (not in ISA S84): 10^-8 > PF/hr > 10^-9
SIL 3: 10^-7 > PF/hr > 10^-8
SIL 2: 10^-6 > PF/hr > 10^-7
SIL 1: 10^-5 > PF/hr > 10^-6


Functional Safety Assessment

Stage 1: After PHA and risk assessment, and SRS
Stage 2: After SIS design
Stage 3: After commissioning and validation (MINIMUM REQUIREMENT)
Stage 4: After experience in operations and maintenance
Stage 5: After modification

Fault Tree Symbols (figure; only the symbol names survive extraction)

Gates: OR Gate; AND Gate; Priority AND Gate (Event 1 before Event 2); Inhibit Gate
Events: Basic Event; Conditional Event; Trigger Event; Incomplete Event (alternative Incomplete Event symbol); Event or Resulting Fault that needs attention
Transfers: Transfer In; Transfer Out

Probability breakdown (figure): two pie charts, without and with an SIS, dividing the probability space into Reliability or Availability, PFS (nuisance trip) and PFD.

The purpose of an SIS is to increase the probability of successful operation (Reliability or Availability) and at the same time increase that portion of the probability of failure that fails safe, reducing the probability of failure on demand.


Hazard Matrix Procedure

1. Categorize Consequence
2. Categorize Likelihood
3. Select from Matrix

Consequence Categories

Severity Rating: Impact
Minor (M): Impact initially limited to the local area of the event, with potential for broader consequence if corrective action is not taken.
Serious (S): One that could cause any serious injury or fatality on-site or off-site (PLL > 1), or property damage of $1 MM on-site, or $5 MM off-site.
Extensive (E): One that is five or more times worse than a SERIOUS accident.

Likelihood Categories

Type of Event | Frequency/Year | Qualitative Ranking
A failure or series of failures with a very low probability of occurrence within the expected lifetime of the plant. | f < 10^-4 | Low
A failure or series of failures with a low probability of occurrence within the expected lifetime of the plant. | 10^-4 < f < 10^-2 | Moderate
A failure that can reasonably be expected within the expected lifetime of the plant. | 10^-2 < f | High

Hazard Matrix (rows: Likelihood; columns: Hazardous Event Severity Rating)

Likelihood | Minor | Serious | Extensive
High Likelihood | 2 | 3 | 3
Moderate Likelihood | 1 | 2 | 3
Low Likelihood | Not Rated | 1 | 3

Frequency Based Targets (use in equation: PFD_SIF = F_target / F_unmitigated event)

Event Impact Level | Consequence (Severity) | Target Frequency F_target (per year)
Minor (M) | Impact initially limited to the local area of the event, with potential for broader consequence if corrective action is not taken. | 1.0 x 10^-3
Serious (S) | One that could cause any serious injury or fatality on-site or off-site (PLL > 1), or property damage of $1 MM on-site, or $5 MM off-site. | 1.0 x 10^-4
Extensive (E) | One that is five or more times worse than a SERIOUS accident. | 1.0 x 10^-6
Risk Graph Procedure

1. Categorize Consequence, C, Occupancy, F, Probability of avoiding the hazard, P, and Demand Rate, W
2. Follow C, F, and P on the Risk Graph to the final level XN and find the SIL under the appropriate Demand Rate column

Parameter: Description
Consequence C: Average number of fatalities likely to result from the hazard. Determined by calculating the average numbers in the exposed area when the area is occupied, taking into account the vulnerability to the hazardous event.
Occupancy F: Probability that the exposed area is occupied. Determined by calculating the fraction of time the area is occupied.
Probability of avoiding the hazard P: The probability that exposed persons are able to avoid the hazard if the protection system fails on demand. This depends on there being independent methods of alerting the exposed persons to the hazard and manual methods of preventing the hazard or methods of escape.
Demand Rate W: The number of times per year that the hazardous event would occur if no SIS was fitted. This can be determined by considering all the failures which can lead to one hazard and estimating the overall rate of occurrence.
Parameter: Consequence (C)
Average number of fatalities. This can be calculated by determining the average number of people present when the area exposed to the hazard is occupied and multiplying by the vulnerability to the identified hazard. The vulnerability is determined by the nature of the hazard being protected against. The following factors can be used:
  V = 0.01   Small release of flammable or toxic
  V = 0.1    Large release of flammable or toxic
  V = 0.5    As above but highly toxic or flammable
  V = 1      Rupture or explosion
Classification:
  CA   Minor injury
  CB   Range 0.01 to 0.1
  CC   Range > 0.1 to 1
  CD   Range > 1
Comments:
  1. The classification system has been developed to deal with injury and death to people.
  2. For the interpretation of CA, CB, CC, and CD, the consequences of the accident and normal healing shall be taken into account.
Parameter: Occupancy (F)
This is calculated by determining the length of time the area exposed to the hazard is occupied during a normal working period.
NOTE – If the time in the hazardous area is different depending on the shift being operated then the maximum should be selected.
NOTE – It is only appropriate to use FA where it can be shown that the demand rate is random and not related to when occupancy could be higher than normal. The latter is usually the case with demands that occur at equipment start-up.
Classification:
  FA   Rare to more often exposure in the hazardous zone. Occupancy less than 0.1.
  FB   Frequent to permanent exposure in the hazardous zone.
Comments:
  3. The classification system has been developed to deal with injury and death to people.
Parameter: Probability of avoiding the hazard (P), if the protection system fails to operate
Classification:
  PA   Adopted if all conditions in Comment 4 are satisfied.
  PB   Adopted if all the conditions are not satisfied.
Comments:
  4. PA should only be selected if all the following are TRUE:
     • Facilities are provided to alert the operator that the SIS has failed.
     • Independent facilities are provided to shut down such that the hazard can be avoided or which enable all persons to escape to a safe area.
     • The time between the operator being alerted and a hazardous event occurring exceeds one hour.
Parameter: Demand Rate (W), without protection system
To determine the demand rate it is necessary to consider all sources of failure that can lead to one hazardous event. In determining the demand rate, limited credit can be allowed for control system performance and intervention. The performance that can be claimed if the control system is not designed and maintained according to IEC 61511 is limited to below the performance ranges associated with SIL 1.
Classification:
  WA   Demand rate less than 0.03 per year.
  WB   Demand rate between 0.03 and 0.3 per year.
  WC   Demand rate between 0.3 and 3 per year.
  For demand rates higher than 3 per year, higher integrity shall be needed.
Comments:
  5. The purpose of the W factor is to estimate the frequency of the hazard taking place without the addition of the SIS.
  6. If the demand rate is very high (e.g., 10 per year) the SIL has to be determined by another method or the risk graph must be recalibrated. Then the operation mode is high demand or continuous (IEC 61511-1, Clause 3.1.48.2).

Risk Graph
Starting from the consequence class on the left, follow the F and P branches to one of the rows X1 to X6, then read the SIL under the demand-rate column (W1 = WA, W2 = WB, W3 = WC). CA leads to X1 whatever the F and P values; for CB, the branch FA/PA leads to X2 and FA/PB to X3, and each further step (to FB, to PB, or from CB to CC to CD) moves one row further down, so CD/FB/PB ends at X6.

          W3     W2     W1
  X1      a      ---    ---
  X2      1      a      ---
  X3      2      1      a
  X4      3      2      1
  X5      4      3      2
  X6      b      4      3

Legend:
  C = Consequence parameter
  F = Exposure time parameter
  P = Possibility of failing to avoid hazard
  W = Demand rate assuming no protection
  --- = No safety requirements
  a = No special safety requirements
  b = A single E/E/PES is not sufficient
  1, 2, 3, 4 = Safety Integrity Level
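The procedure above, from raw parameter values to a SIL, as an added example (not from the course notes): classification thresholds are those of the parameter tables, the branch structure is that of the IEC 61508-5 / IEC 61511-3 risk graph, and the treatment of a consequence below 0.01 fatalities as CA is an assumption, as are all input values.

```python
# Risk graph SIL selection (added example, constructed inputs). Thresholds are
# those of the parameter tables above; the branch structure is that of the
# IEC 61508-5 / IEC 61511-3 risk graph. Assumption: C below 0.01 is CA.

# SIL read from the graph at row X1..X6 under demand-rate column W3/W2/W1.
RISK_GRAPH = {
    "X1": {"W3": "a", "W2": "---", "W1": "---"},
    "X2": {"W3": 1, "W2": "a", "W1": "---"},
    "X3": {"W3": 2, "W2": 1, "W1": "a"},
    "X4": {"W3": 3, "W2": 2, "W1": 1},
    "X5": {"W3": 4, "W2": 3, "W1": 2},
    "X6": {"W3": "b", "W2": 4, "W1": 3},
}

def consequence_class(people_exposed, vulnerability):
    """C = average fatalities = people present when occupied x vulnerability V."""
    c = people_exposed * vulnerability
    if c < 0.01:
        return "CA"
    return "CB" if c <= 0.1 else ("CC" if c <= 1.0 else "CD")

def occupancy_class(fraction_occupied):
    """FA only when the exposed area is occupied less than 0.1 of the time."""
    return "FA" if fraction_occupied < 0.1 else "FB"

def avoidance_class(operator_alerted, independent_shutdown_or_escape, hours_to_event):
    """PA only if all three Comment 4 conditions are TRUE, otherwise PB."""
    ok = operator_alerted and independent_shutdown_or_escape and hours_to_event > 1.0
    return "PA" if ok else "PB"

def demand_class(demands_per_year):
    """WA/WB/WC map to graph columns W1/W2/W3; above 3/yr the graph does not apply."""
    if demands_per_year > 3.0:
        raise ValueError("demand rate above 3 per year: recalibrate or use another method")
    if demands_per_year < 0.03:
        return "W1"
    return "W2" if demands_per_year <= 0.3 else "W3"

def risk_graph_row(c, f, p):
    """CA always ends at X1; otherwise each step in C (CB, CC, CD) and each of
    FB and PB moves one row further down the graph."""
    if c == "CA":
        return "X1"
    return f"X{2 + ['CB', 'CC', 'CD'].index(c) + (f == 'FB') + (p == 'PB')}"

def risk_graph_sil(people, vuln, occupied, alerted, shutdown, hours, demands):
    c, f = consequence_class(people, vuln), occupancy_class(occupied)
    p, w = avoidance_class(alerted, shutdown, hours), demand_class(demands)
    x = risk_graph_row(c, f, p)
    return {"C": c, "F": f, "P": p, "W": w, "X": x, "SIL": RISK_GRAPH[x][w]}
```

Calling risk_graph_sil(2, 0.5, 0.5, True, True, 0.5, 0.5) classifies CC/FB/PB/W3, reaches X5 and returns SIL 4.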


De Morgan’s Theorem:
These Two Partial Logic Diagrams are Equivalent.

Left: logic solver with Energized = 1, AND of normally open contacts:

  ───| A |───| B |───( C )───

Right: logic solver with Energized = 0, OR of normally closed contacts, then inverted:

  ─┬─|/A|─┬───( C' )───      ───|/C'|───( C )───
   │       │
   └─|/B|─┘

On the left C = A AND B. On the right C' = (NOT A) OR (NOT B) = NOT (A AND B), and the final rung gives C = NOT C' = A AND B, so the two diagrams are equivalent.

Layers of Protection Analysis

LOPA Diagram (event tree, left to right):
  Initiating Event (Frequency) -> Protection Layer 1 (Prob) -> Protection Layer 2 (Prob) -> Outcome (Event Frequency, or No Event)
At each protection layer the branch probabilities sum to 1, and the frequency of each outcome is the initiating event frequency multiplied by the probabilities along its path.


Markov Models (state diagrams; λ = failure rate, μ = repair rate)

Unrepairable System: OK --λ--> FAIL
(This is an example of an absorbing model, because there are one or more absorbing states.)

Repairable System: OK --λ--> FAIL, FAIL --μ--> OK
(This is an example of a regular model, because there are no absorbing states.)

Parallel, Redundant System: 2 OK --2λ--> 1 OK --λ--> FAIL, with a repair transition at rate μ.

Stochastic transitional probability matrix—P matrix (State 0 = OK, State 1 = FAIL):

              to State 0    to State 1
  from State 0   1 – λ         λ
  from State 1     μ         1 – μ
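The P matrix above stepped in discrete time, as an added example (not from the course notes): it shows the repairable (regular) and unrepairable (absorbing) models side by side and checks the long-run FAIL probability against λ / (λ + μ); the failure and repair rates are constructed, with a one-hour time step.

```python
# Two-state Markov model of a repairable system (added example, constructed
# rates). State 0 = OK, State 1 = FAIL; the P matrix is the one in the figure.
# Rates are per hour and the time step is one hour, so lambda and mu are used
# directly as one-step transition probabilities (valid while both are << 1).

def p_matrix(lam, mu):
    """Stochastic transitional probability matrix: rows are 'from', columns 'to'."""
    return [[1.0 - lam, lam],      # from State 0: stay OK, or fail
            [mu, 1.0 - mu]]        # from State 1: repaired, or stay FAIL

def is_absorbing_model(P):
    """Absorbing model: some state cannot be left (its diagonal entry is 1).
    The unrepairable system (mu = 0) is absorbing; the repairable one is regular."""
    return any(P[i][i] == 1.0 for i in range(len(P)))

def step(state, P):
    """One time step: new[j] = sum_i state[i] * P[i][j] (row vector times P)."""
    n = len(P)
    return [sum(state[i] * P[i][j] for i in range(n)) for j in range(n)]

def state_after(P, steps, start=(1.0, 0.0)):
    """State probability vector after the given number of steps, starting OK."""
    s = list(start)
    for _ in range(steps):
        s = step(s, P)
    return s

def steady_state_unavailability(lam, mu):
    """Long-run probability of the FAIL state for the regular (repairable) model."""
    return lam / (lam + mu)

if __name__ == "__main__":
    lam, mu = 1.0e-4, 0.1          # constructed: MTTF 10,000 h, MTTR 10 h
    regular, absorbing = p_matrix(lam, mu), p_matrix(lam, 0.0)
    for h in (10, 100, 1000):
        print(h, "repairable P(FAIL) =", state_after(regular, h)[1],
              "unrepairable P(FAIL) =", state_after(absorbing, h)[1])
    print("steady state P(FAIL) =", steady_state_unavailability(lam, mu))
```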


Failure Mode and Effects Analysis


FMEA Procedure
1. Define boundary of system being analyzed and what constitutes a failure.
2. List all of the components or sub-systems of the system being analyzed.
3. For each component, list all known failure modes.
4. For each component failure mode, list the effect of that failure on the higher level sub-system/system.
5. List the criticality/severity (no effect, safe, or dangerous) of the effect.
FMEA Issues
1. All components must be listed.
2. All failure modes must be listed. Failure mode references are valuable.
3. Each component must be identified uniquely.
4. “Causes” are only important if the failure mode is critical, and then to identify means of reducing criticality. The analysis can be completed without identifying causes.
5. FMEA should be set up by groups, and reviewed by groups. The actual analysis is an individual activity.
6. Systems are examined one component at a time. Combination failure modes are not typically part of an FMEA.
7. Maintenance and operational issues may be missed, unless the FMEA specifically lists steps as components.
8. Systematic (software) failures typically are not included.
Note: FMEA is best suited for analyzing mechanical systems.
FMEA Standards
• MIL STD 1629/1629A.
• IEC 812, 1985.
• SAE J1739.


Safe Failure Fraction

SFF = (λSD + λSU + 0.5 λNC + λDD) / (λSD + λSU + λNC + λDD + λDU)

Relationship Between Safe Failure Fraction and Diagnostic Coverage

SFF = (λS + DC x λD) / λtotal

IEC 61508 – Allowable SFF (table of the maximum SIL by SFF band and hardware fault tolerance; values not reproduced here)

  Type A (Simple, well-characterized, e.g. sensors)
  Type B (Other, e.g. logic solvers)
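Both SFF forms above in working code, as an added example (not from the course notes); the max_sil() lookup uses the architectural-constraint tables of IEC 61508-2 (2000 edition, Tables 2 and 3), which the notes name but do not reproduce, and the failure-rate budget is constructed.

```python
# Safe failure fraction and IEC 61508 architectural constraints (added example,
# constructed failure rates in failures per hour). sff() is the course formula
# above, including the 0.5 credit for "no effect" (NC) failures; max_sil()
# uses IEC 61508-2 (2000) Tables 2 and 3, which this page does not reproduce.

def sff(lam_sd, lam_su, lam_nc, lam_dd, lam_du):
    """SFF = (SD + SU + 0.5 NC + DD) / (SD + SU + NC + DD + DU)."""
    num = lam_sd + lam_su + 0.5 * lam_nc + lam_dd
    return num / (lam_sd + lam_su + lam_nc + lam_dd + lam_du)

def sff_from_dc(lam_s, lam_d, dc):
    """SFF = (S + DC x D) / total, with diagnostic coverage DC = DD / D."""
    return (lam_s + dc * lam_d) / (lam_s + lam_d)

# Maximum SIL by SFF band (rows: <60%, 60-<90%, 90-<99%, >=99%) and hardware
# fault tolerance (columns: HFT 0, 1, 2). 0 means "not allowed".
_MAX_SIL_TYPE_A = [[1, 2, 3], [2, 3, 4], [3, 4, 4], [3, 4, 4]]
_MAX_SIL_TYPE_B = [[0, 1, 2], [1, 2, 3], [2, 3, 4], [3, 4, 4]]

def sff_band(value):
    """Index of the SFF band a fraction (0..1) falls in."""
    if value < 0.60:
        return 0
    if value < 0.90:
        return 1
    return 2 if value < 0.99 else 3

def max_sil(value, hft, subsystem_type):
    """Highest SIL claimable for a subsystem of Type A (simple, well
    characterized, e.g. sensors) or Type B (other, e.g. logic solvers)."""
    table = _MAX_SIL_TYPE_A if subsystem_type == "A" else _MAX_SIL_TYPE_B
    return table[sff_band(value)][hft]

if __name__ == "__main__":
    # Constructed transmitter budget (per hour): SD 1e-7, SU 3e-7, NC 2e-7,
    # DD 4e-7, DU 1e-7, i.e. diagnostics detect 80 % of dangerous failures.
    s = sff(1e-7, 3e-7, 2e-7, 4e-7, 1e-7)
    print(f"SFF = {s:.3f}; Type A HFT0 -> SIL {max_sil(s, 0, 'A')}, "
          f"Type B HFT0 -> SIL {max_sil(s, 0, 'B')}")
```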


V-Model for Verification and Validation (figure; labels only)

Left leg (development, D), top to bottom:
  Product: Maintenance, Field Monitoring, Change Management
  Requirements: User Requirement Specification
  Architecture: Graphical Design Spec. (RT-SA, UML), Interface Spec.
  Detailed Design: UML, GUI
  Implementation
Right leg (verification and validation, V&V), bottom to top:
  Unit / Interface Tests
  Integration Test: tests to show the correct interaction of functions
  Validation: V&V Plan and Procedures, Validation tests, Use and Mis-Use Scenarios, Automated Regression Tests
  Documentation: Guidelines for installation, operation, maintenance and error handling
Cross-links between the legs: Functions and limitations (Failure scenarios); Additional functions and limitations; Operation and exception handling instructions; Positive/Negative Tests, Error handling; Static + Dynamic Analysis; Iteration; Evolution over Prototypes.
Across the whole life cycle: Requirements Tracking; Defect Tracking; Configuration Management.

SIL versus Compliance Effort

                          SIL 1         SIL 2         SIL 3
  FSM                     Low           Low           Medium
  H/W (Fault Control)     1oo1D         1oo1D         1oo1D
                          > 60%         > 90%         > 99%
  H/W (Error Avoidance)   Low           Low           Medium
  S/W (Error Avoidance)   Structured    Structured    Semi-formal
                          methods       methods       CASE Tool


Detail from the Safety Life Cycle—SIS Design and Verification (flowchart)

  Safety Requirements Specification
    -> SIS Conceptual Design: Select Technology; Select Architecture; Determine Test Philosophy
    -> Safety System Design
    -> Reliability Evaluation
    -> Performance Target Met? Yes: go on to installation.


Effect of Increasing Inspection Frequency (Reducing Test Interval) on PFDAVG (figure)

Two plots of 1/PFD(t) against time, each with the SIL 1 to SIL 4 bands marked on the vertical axis and a horizontal line at 1/PFDAVG. In the first plot the test interval is long; in the second the test interval period is shorter, so 1/PFD(t) is reset more often and 1/PFDAVG is higher (a lower PFDAVG).


Redundant Architectures

Simplified Equations (Approximations)

  Voting   Average Probability of Failure on Demand (PFDAVG)   Spurious Trip Rate (STR)
  1oo1     λD T / 2                                            λS
  1oo2     (λD T)^2 / 3                                        2 λS
  2oo2     λD T                                                2 λS^2 / (3 λS + 2/T)
  2oo3     (λD T)^2                                            6 λS^2 / (5 λS + 2/T)

Comparative Performance (figure: PFDAVG on the vertical axis, high at the bottom to low at the top; Spurious Trip Rate on the horizontal axis, high on the left to low on the right)
  Low PFDAVG: 1oo2 (high STR), 1oo2D and 2oo3D (low STR)
  Middle: 1oo1D, 1oo1
  High PFDAVG: 2oo2D, 2oo2 (low STR)
  Best performance is toward the low-PFDAVG, low-STR corner.

MooND Architecture.
The “D” nomenclature refers to architectures that use automatic diagnostics, made effective via
microprocessor power starting in the late 1980’s, to reconfigure the system after a diagnostic has
detected a failure. Diagnostics without reconfiguration do not warrant the “D” nomenclature.


Basic components of combustion equipment (figure): Fuel and Air enter the Furnace (Firebox); the flue gas passes through the HRA to the Stack; a Forced Draft Fan is on the air inlet and an Induction Draft Fan on the stack side.

Power Boiler Accidents, 1997 – 1999 (pie chart)
  Accidents: 1058 (93%)
  Injuries: 73 (6%)
  Deaths: 12 (1%)

Alternate Names for Boiler Management Systems
• Burner Safety Systems
• Burner Control Systems
• Combustion Safeguards
• Flame Safeguard System
• Safety Shutdown System
• Furnace Safeguard System
• Boiler Safety System
• Emergency Shutdown System


Standards Covering Burner Management Systems (BMS)
• NFPA—85, 8501, 8502, 8503, 8504, 8505, 8506
• Factory Mutual—7610, replaced by 7605
• Underwriters Lab
• ISA—S84.01
• IEC—61508, 61511
• Canadian Gas Association

NFPA 85: Boiler and Combustion Systems Hazards Code
• NFPA 8501, Standard for Single Burner Boiler Operation
• NFPA 8502, Standard for the Prevention of Furnace Explosions/Implosions in Multiple Burner Boilers
• NFPA 8503, Standard for Pulverized Fuel Systems
• NFPA 8504, Standard on Atmospheric Fluidized-Bed Boiler Operation
• NFPA 8505, Standard for Stoker Operation
• NFPA 8506, Standard on Heat Recovery Steam Generator Systems


Types of Fire Detectors
• Smoke Detectors
  o Ionization
  o Photoelectric
• Heat Detectors
  o Fixed Temperature
    - Fusible Element
    - Bimetallic
  o Rate of Rise
  o Line
    - Non-Integrating
    - Integrating
• Manual Call Points
• Carbon Monoxide Detectors
• Flame Detectors
  o Ultraviolet detectors
  o Infrared detectors
  o UV/IR detectors
  o Dual spectrum IR detectors
  o Triple spectrum IR detectors

Flame Detectors—Maximum Range (detector types that cover each fire at the given distance)

  Type of fire                 30 ft    40 ft      50 ft      100 ft    200 ft
  1 ft² (0.1 m²) Gasoline      All      All        All        UV, IR3   IR3
  1 ft² (0.1 m²) Diesel        All      UV, IR3    UV, IR3    IR3       IR3
  1 ft² (0.1 m²) n-Heptane     All      All        All        UV, IR3   IR3
  1 ft² (0.1 m²) Alcohol       All      UV, IR3    UV, IR3    IR3       IR3
  4 ft² (0.4 m²) JP4/JP8       All      All        All        All       IR3


Flame Detectors – Comparison of Advantages and Disadvantages

  Technology    Advantages               Disadvantages                             Applications
  Ultraviolet   Highest speed            Affected by UV sources                    Indoors
  (UV)          High sensitivity         Subject to false alarms
                Low cost                 Blinded by thick smoke and vapors
  Infrared      High speed               Affected by temperature                   Indoors
  (IR)          Moderate sensitivity     Subject to false alarms
                Low cost
  UV/IR         High speed               Affected by specific UV/IR ratio          Outdoors/Indoors
                High sensitivity         created by false signals
                Low false alarm rate     Affected by thick smoke
                Moderate cost
  IR2           Moderate speed           Limited operation by temperature range    Outdoors/Indoors
                Moderate sensitivity     Affected by IR sources
                Low false alarm rate
                Moderate cost
  IR3           High speed               Moderate cost                             Outdoors/Indoors
                Highest sensitivity
                Lowest false alarm rate

Flame Detectors – Recommended Uses (columns: potential fire hazard; rows: possible sources of false alarms; cells: recommended detector technologies)

  Source of false alarm                 Gasoline, JP4/JP8,   Paints,           Alcohol,    H2, Propane and       Plastic,
                                        Oils, Diesel         Solvents          Methane     other non-organics    Wood, Paper
  Arc welding                           UV/IR, IR3           UV/IR, IR3        IR3         UV/IR                 UV/IR, IR3
  X-Rays                                UV/IR, IR3           UV/IR, IR3        IR3         UV/IR                 UV/IR, IR3
  Hot surfaces                          UV, UV/IR, IR3       UV, UV/IR, IR3    UV, IR3     UV, UV/IR             UV, UV/IR, IR3
  Incandescent and fluorescent lights   UV, UV/IR, IR3       UV, UV/IR, IR3    UV, IR3     UV, UV/IR             UV, UV/IR, IR3
  Halogen and other industrial lamps    UV/IR, IR3           UV/IR, IR3        IR3         UV/IR                 UV/IR, IR3


Relationship between IEC 61508 and IEC 61511

Process Sector Safety System Standard

Process Sector Hardware:
  Develop new hardware devices: Follow IEC 61508
  Use proven-in-use hardware devices: Follow IEC 61511
  Use hardware developed and validated to IEC 61508: Follow IEC 61511

Process Sector Software:
  Develop embedded system software: Follow IEC 61508
  Develop application software using full variability languages: Follow IEC 61508
  Develop application software using limited variability or fixed languages: Follow IEC 61511
