Improving Safety in Process Control
Environmental law, customers, and good business sense require finding effective ways to integrate plant safety into industrial process systems. No one wants an unsafe situation, but overengineering safety can put a company out of business almost as fast as a major violation.Regulatory agencies' standards and regulations require process plants to protect against accidental damage to person...
Environmental law, customers, and good business sense require finding effective ways to integrate plant safety into industrial process systems. No one wants an unsafe situation, but overengineering safety can put a company out of business almost as fast as a major violation.
Regulatory agencies' standards and regulations require process plants to protect against accidental damage to personnel and the environment. Agencies include the U.S. Occupational Safety and Health Administration, the American Petroleum Institute, and the U.S. Environmental Protection Agency, to name of few. In the European community, standard and certifying agencies include the International Electrotechnical Commission, and TÜV.
To minimize risk, these agencies generally need extensive documentation of process design, operation, maintenance, training, and plant renovations.
Compliance with regulations often requires formal company safety and operation review. Techniques such as a Hazard and Operability (HAZOP) study, Hazard Analysis (HAZAN), or Fault Tree Analysis (FTA) can reveal potential operating and safety-related design problems. A hazard study may disclose, for example, that a plant should implement a Safety Instrumented System (SIS) to properly minimize a potentially hazardous process condition.
Instrumented systems designed to protect the plant differ significantly from systems designed for basic process control. Safety instrumented systems continuously monitor selected variables, but remain inoperative until an abnormal and possibly dangerous condition arises. To function successfully, a SIS requires a higher level of performance and diagnostics than normally needed by general-purpose process control equipment. Additionally, plants often specifically identify safety systems, and physically separate them from general-purpose control systems.
The ANSI/ISA-S84.01-1996 "Application of Safety Instrumented Systems for the Process Industry" standard defines SIS as, "A system composed of sensors, logic solvers, and final control elements for the purpose of taking the process to a safe state when predetermined conditions are violated."
This definition can also be applied to other commonly used plant safety systems, such as emergency shutdown systems, safety shutdown systems, and safety interlock systems.
Key questions to ask
A process control engineer implementing a safety instrumented system must answer several questions:
What level of risk is acceptable?
How many layers of protection is needed?
When is a safety instrumented system required?
Which architecture should I choose?
Industry standards now exist that provide a basic framework for answering these questions.
ISA S84.01 was organized around the safety life cycle (see flowchart). This systematic approach for designing safety systems can be applied to various hazardous processes—conception through decommissioning. Even so, many methods for performing the initial activities of safety life cycle are out of the standard's scope.
The best way to minimize risks in plant operation is to design inherently safe processes. In practice, total inherent safety is not always achievable.
Risks prevail wherever hazardous or toxic materials are stored, processed, or handled. Since it is difficult, if not impossible, to completely eliminate all levels of risk, some level of operational risk must be agreed upon. To specify the required performance of a safety system, control engineers must determine an acceptable level of operational risk.
After properly identifying process hazards, using a HAZOP study is among the ways to evaluate each process risk, usually by considering the severity and likelihood of a hazardous event. Determining severity requires the control engineer to assess site-specific conditions, including population density, in-plant traffic patterns, and meteorological data. Control engineers can determine the likelihood of a hazardous event by certain qualitative or quantitative techniques or in some cases by examining historical data.
After understanding the severity and likelihood of a hazardous event, engineers can rank the risks (see graphic). Risk reduction techniques would be necessary if the process exhibited risk higher than the company's acceptable level.
Multiple independent protection layers, or IPLs, reduce risk for process plants that operate with potential to cause harm. Control engineers design each protective layer to avoid or mitigate the harmful effects of a hazardous event. Protection layers start at the process and work outward to a community emergency response during an escalating incident (see graphic). Each layer should be separate and stand alone.
Rating for safety
ISA S84.01 does not specify how to decide if a Safety Instrumented System is needed, nor does it require any particular method of hazard analysis. (The American Institute of Chemical Engineering's documentation does address this.) The ISA standard does provide a common rating system called the Safety Integrity Level (SIL).
SIL defines three levels of safety performance for a safety instrumented system: 1, 2, and 3. The higher the SIL value, the greater the risk reduction. This increased risk reduction results from availability of the safety functions. Factors such as redundancy, frequent testing, and diagnostic fault detection tend to increase SIL levels, improving the SIS risk reduction. (For European and other countries in process of adopting draft international standard IEC D61508, a four-layer model is standard.)
ISA S84 shows a correlation that exists between the SIL values and three key performance metrics—safety availability, probability of failure on demand (PFD), hazard reduction factor (HRF). Safety availability represents the fraction of time that a safety system can perform its designated safety service when the process is operating (see table). PFD indicates the probability of a system failing to respond on demand. The following expression defines the relationship between safety availability and PFD:
Safety Availability = 1– PFD.
It often may be desirable to express the SIL level in terms of the hazard reduction factor, where HRF is defined as: HRF = 1/PFD.
Linking risks to SIL
To determine the application of an SIS for an actual installation, the control engineer should use a qualitative classification of risk assessment.
A qualitative evaluation of safety integrity level weighs the severity and likelihood of the hazardous event. It also considers the number of independent protection layers addressing the same cause of a hazardous event.
Once determined, such an SIL value becomes the basic communication interface and requirement parameter for implementing the safety instrumented system. (Such systems do not necessarily have to include a programmable electronic system. Hard-wired relay systems are often used and can meet SIL 3 requirements.) SIL 3 is quantified in ISA S84.01 as a Probability of Failure on Demand average range (PFD avg) of 10-3to 10-4.
Several system architectures are applied in process safety applications, including single-channel systems to triple redundant configurations. Control engineers must best match an architecture to operating process safety requirements, accounting for failure in the safety system.
One concern is that many safety systems in operation, or under construction, do not follow basic protection principles. Unsafe practices include:
Performing the safety shutdown within the basic process control systems (BPCS) or distributed control systems (DCS).
Using conventional programmable logic controllers (PLCs) in safety critical applications. (Safety PLCs are certified to meet safety critical applications to SIL 2 and SIL 3.)
Implementing single element (nonredundant) microprocessor-based systems on critical processes.
The conventional PLC architecture provides only a single electronic path. Sensors send process signals to the input modules. The logic solver evaluates these inputs, determines if a potentially hazardous condition exists, and energizes or de-energizes the solid-state output. (Fire and gas detection systems, for example, use the "energized to trip" philosophy.)
In case of failure
Suppose the safety system de-energizes the output to move the process to a safe state. Suppose also that one of the components in the single path fails so that the output cannot be de-energized. Then the conventional PLC won't provide its desired safety protection function.
A special class of programmable logic controllers, called safety PLCs, represents an alternative. Safety PLCs provide high reliability and high safety via special electronics, special software, pre-engineered redundancy, and independent certification. The safety PLC has input/output circuits designed to be fail-safe, using built-in diagnostics. The central processing unit (CPU) of a safety PLC has built-in diagnostics for memory, CPU operation, watchdog timer, and communication systems.
Accurately evaluating the safety level for a specific control device in the context of a potential hazardous event poses a major and difficult problem for many control engineers. Associations and agencies worldwide have made considerable progress toward establishing standards and implementation guidelines for safety instrumented systems. These standards attempt to match the risk inherent in a given situation to the required integrity level of the safety system.
Unfortunately, many of these guidelines and standards are not specific to a particular type of process and deal only with a qualitative level of risk. Control engineers must use considerable judgment in evaluating risk and applying instrumentation that properly addresses established design procedures within budget restraints.
For more information about Moore Process Automation Solutions, Circle 274 or visit www.controleng.com/info:
Probabilities of Safety
Safety integrity levels (SIL) correspond to specific ranges of safety availability, probability of failure on demand (PFD), and hazard reduction factor (HRF).
Probability of PFD average range
Cahners Business Information graphic with data from the ISA S84 standard
10-1 to 10-2
10-2 to 10-3
10-3 to 10-4
Acronyms of Process Safety
basic process control systems
distributed control system
fault tree analysis
hazard and operability
hazard reduction factor
independent protection layers
probability of failure on demand
programmable logic controller
safety integrity level
safety instrumented system
safety requirement specification
Safety and Standards-Related Organizations
Safety knows no borders, but organizations for regulations, certifications, and standards do. Here are a variety of sources across the worldworth getting to know. For added information, circle the following numbers on the card in this issue or visit www.controleng.com/info.
American Petroleum Institute (API)
American Institute of Chemical Engineers (AIChE)
American National Standards Institute (ANSI)
British Standards Institution (BSI)
European Committee for Electrotechnical Standarization (CENELEC)
European Committee for Standardization (CEN)
Factory Mutual Research (FM)
Food and Drug Administration
Global Engineering Documents
St. Louis, Mo.
International Electrotechnical Commission (EIC)
International Organization for Standardization (ISO)
ISA Research Triangle
Occupational Safety and Health Administration (OSHA)
National Fire Protection Association (NFPA)
TÜV Product Service
U.S. Environmental Protection Agency (EPA)
Cahners Business Information graphic with data from Moore Process Automation Solutions, Rockwell Automation, Internet.
Charles M. Fialkowski is senior marketing specialist, Critical Systems Marketing, Moore Process Automation Solutions (Moore Products Co.), Spring House, Pa.