Improving Safety in Process Control


09/01/1998


Key Words

 

  • Process control & instrumentation

  • Safety

  • Process control systems

  • Standards and regulations

  • Redundant control


Environmental law, customers, and good business sense require finding effective ways to integrate plant safety into industrial process systems. No one wants an unsafe situation, but overengineering safety can put a company out of business almost as fast as a major violation.

Regulatory agencies' standards and regulations require process plants to protect against accidental damage to personnel and the environment. Relevant agencies and standards bodies include the U.S. Occupational Safety and Health Administration, the American Petroleum Institute, and the U.S. Environmental Protection Agency, to name a few. In the European community, standards and certification bodies include the International Electrotechnical Commission and TÜV.

To minimize risk, these agencies generally require extensive documentation of process design, operation, maintenance, training, and plant renovations.

Compliance with regulations often requires formal company safety and operation review. Techniques such as a Hazard and Operability (HAZOP) study, Hazard Analysis (HAZAN), or Fault Tree Analysis (FTA) can reveal potential operating and safety-related design problems. A hazard study may disclose, for example, that a plant should implement a Safety Instrumented System (SIS) to properly minimize a potentially hazardous process condition.

Instrumented systems designed to protect the plant differ significantly from systems designed for basic process control. Safety instrumented systems continuously monitor selected variables, but remain inoperative until an abnormal and possibly dangerous condition arises. To function successfully, a SIS requires a higher level of performance and diagnostics than normally needed by general-purpose process control equipment. Additionally, plants often specifically identify safety systems, and physically separate them from general-purpose control systems.

The ANSI/ISA-S84.01-1996 "Application of Safety Instrumented Systems for the Process Industry" standard defines SIS as, "A system composed of sensors, logic solvers, and final control elements for the purpose of taking the process to a safe state when predetermined conditions are violated."

This definition can also be applied to other commonly used plant safety systems, such as emergency shutdown systems, safety shutdown systems, and safety interlock systems.

Key questions to ask

A process control engineer implementing a safety instrumented system must answer several questions:

  • What level of risk is acceptable?

  • How many layers of protection are needed?

  • When is a safety instrumented system required?

  • Which architecture should I choose?

Industry standards now exist that provide a basic framework for answering these questions.

ISA S84.01 is organized around the safety life cycle (see flowchart). This systematic approach to designing safety systems can be applied to a wide range of hazardous processes, from conception through decommissioning. Even so, many of the methods for performing the initial activities of the safety life cycle are outside the standard's scope.

Evaluate risks

The best way to minimize risks in plant operation is to design inherently safe processes. In practice, total inherent safety is not always achievable.

Risks prevail wherever hazardous or toxic materials are stored, processed, or handled. Since it is difficult, if not impossible, to completely eliminate all levels of risk, some level of operational risk must be agreed upon. To specify the required performance of a safety system, control engineers must determine an acceptable level of operational risk.

After the process hazards have been identified, a HAZOP study is one way to evaluate each process risk, usually by considering the severity and likelihood of a hazardous event. Determining severity requires the control engineer to assess site-specific conditions, including population density, in-plant traffic patterns, and meteorological data. The likelihood of a hazardous event can be determined by qualitative or quantitative techniques or, in some cases, by examining historical data.

After understanding the severity and likelihood of a hazardous event, engineers can rank the risks (see graphic). Risk reduction techniques would be necessary if the process exhibited risk higher than the company's acceptable level.

Multiple independent protection layers, or IPLs, reduce risk for process plants that operate with potential to cause harm. Control engineers design each protective layer to avoid or mitigate the harmful effects of a hazardous event. Protection layers start at the process and work outward to a community emergency response during an escalating incident (see graphic). Each layer should be separate and stand alone.

Rating for safety

ISA S84.01 does not specify how to decide whether a Safety Instrumented System is needed, nor does it require any particular method of hazard analysis. (The American Institute of Chemical Engineers' documentation does address this.) What the ISA standard does provide is a common rating system called the Safety Integrity Level (SIL).

SIL defines three levels of safety performance for a safety instrumented system: 1, 2, and 3. The higher the SIL value, the greater the risk reduction. This increased risk reduction comes from higher availability of the safety functions: redundancy, frequent proof testing, and diagnostic fault detection all tend to raise the achievable SIL and improve the risk reduction the SIS delivers. (European and other countries adopting the draft international standard IEC 61508 use a four-level scale, SIL 1 through SIL 4.)

ISA S84 correlates the SIL values with three key performance metrics: safety availability, probability of failure on demand (PFD), and hazard reduction factor (HRF). Safety availability is the fraction of time that a safety system can perform its designated safety service while the process is operating (see table). PFD is the probability that the system fails to respond when a demand occurs. Safety availability and PFD are related by:

Safety availability = 1 - PFD

It is often convenient to express the SIL in terms of the hazard reduction factor, defined as:

HRF = 1 / PFD
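The relationships above (availability = 1 - PFD, HRF = 1/PFD) and the SIL bands in the table at the end of this article can be exercised numerically. The following is an added example written for this page, not code from the article or from Moore Process Automation Solutions. The PFDavg formulas for a single-channel (1oo1) and a dual-redundant (1oo2) logic path are the usual first-order approximations from reliability practice (no common-cause, diagnostic or repair-time terms); the failure rate and proof-test intervals are constructed values chosen to show how redundancy and more frequent testing move the same hardware across SIL bands.

```python
"""Worked SIL arithmetic for a safety instrumented function.

Added illustration (not code from the article): computes the average
probability of failure on demand (PFDavg), safety availability and hazard
reduction factor (HRF) for a 1oo1 and a 1oo2 logic path, then maps PFDavg
onto the SIL bands of the article's table. The PFDavg formulas are the
standard first-order approximations (no common-cause, diagnostic or
repair-time terms); the failure rate and test intervals are constructed.
"""
from typing import Dict, List

HOURS_PER_YEAR = 8760.0


def pfd_avg_1oo1(lambda_du: float, test_interval_h: float) -> float:
    """Single channel: PFDavg ~= lambda_DU * TI / 2 (lambda_DU in failures per hour)."""
    return lambda_du * test_interval_h / 2.0


def pfd_avg_1oo2(lambda_du: float, test_interval_h: float) -> float:
    """Two channels, either one can trip: PFDavg ~= (lambda_DU * TI)**2 / 3."""
    return (lambda_du * test_interval_h) ** 2 / 3.0


def safety_availability(pfd: float) -> float:
    """Safety availability = 1 - PFD (fraction of time the SIS can respond)."""
    return 1.0 - pfd


def hazard_reduction_factor(pfd: float) -> float:
    """HRF = 1 / PFD."""
    return 1.0 / pfd


def sil_from_pfd(pfd: float) -> int:
    """Map PFDavg onto the ISA S84.01 bands in the article's table.

    0 means PFDavg >= 0.1, i.e. no SIL credit; 4 marks the extra band that
    exists only on the four-level IEC 61508 scale (PFDavg below 1e-4).
    """
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4


def assess(label: str, pfd: float) -> Dict[str, object]:
    """Bundle the metrics the article relates to one SIL value."""
    return {
        "label": label,
        "pfd_avg": pfd,
        "availability": safety_availability(pfd),
        "hrf": hazard_reduction_factor(pfd),
        "sil": sil_from_pfd(pfd),
    }


def compare_architectures(lambda_du: float) -> List[Dict[str, object]]:
    """Show how redundancy and proof-test frequency move the same hardware across SIL bands."""
    return [
        assess("1oo1, annual proof test", pfd_avg_1oo1(lambda_du, HOURS_PER_YEAR)),
        assess("1oo1, quarterly proof test", pfd_avg_1oo1(lambda_du, HOURS_PER_YEAR / 4)),
        assess("1oo2, annual proof test", pfd_avg_1oo2(lambda_du, HOURS_PER_YEAR)),
    ]


if __name__ == "__main__":
    # Constructed dangerous-undetected failure rate: 5e-6 per hour (about 0.044 per year).
    for row in compare_architectures(5e-6):
        print(f"{row['label']:<28} PFDavg={row['pfd_avg']:.2e}  "
              f"availability={row['availability']:.4%}  HRF={row['hrf']:.0f}  SIL {row['sil']}")
```

With the constructed rate, the single channel tested once a year lands in SIL 1 (PFDavg about 0.022, HRF about 46); testing it quarterly alone moves it into SIL 2; adding a second channel voted 1oo2 moves it into SIL 3 (PFDavg about 6.4e-4, HRF about 1,560). Real assessments must add common-cause and diagnostic-coverage terms, which this first-order model omits.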

Linking risks to SIL

To decide whether an SIS is needed for an actual installation, and at what level, the control engineer can use a qualitative risk-classification approach.

A qualitative evaluation of safety integrity level weighs the severity and likelihood of the hazardous event. It also considers the number of independent protection layers addressing the same cause of a hazardous event.

Once determined, the SIL value becomes the basic communication interface and requirement parameter for implementing the safety instrumented system. (Such systems do not necessarily have to include a programmable electronic system; hard-wired relay systems are often used and can meet SIL 3 requirements.) ISA S84.01 quantifies SIL 3 as an average probability of failure on demand (PFDavg) in the range 10^-3 to 10^-4.

Safety architectures

Several system architectures are applied in process safety applications, ranging from single-channel systems to triple-modular-redundant configurations. Control engineers must match the architecture to the process safety requirements, accounting for possible failures within the safety system itself.

One concern is that many safety systems in operation, or under construction, do not follow basic protection principles. Unsafe practices include:

  • Performing the safety shutdown within the basic process control systems (BPCS) or distributed control systems (DCS).

  • Using conventional programmable logic controllers (PLCs) in safety critical applications. (Safety PLCs are certified to meet safety critical applications to SIL 2 and SIL 3.)

  • Implementing single element (nonredundant) microprocessor-based systems on critical processes.

The conventional PLC architecture provides only a single electronic path. Sensors send process signals to the input modules. The logic solver evaluates these inputs, determines if a potentially hazardous condition exists, and energizes or de-energizes the solid-state output. (Fire and gas detection systems, for example, use the "energized to trip" philosophy.)

In case of failure

Suppose the safety system de-energizes the output to move the process to a safe state. Suppose also that one of the components in the single path fails so that the output cannot be de-energized. Then the conventional PLC won't provide its desired safety protection function.

A special class of programmable logic controllers, called safety PLCs, represents an alternative. Safety PLCs provide high reliability and high safety via special electronics, special software, pre-engineered redundancy, and independent certification. The safety PLC has input/output circuits designed to be fail-safe, using built-in diagnostics. The central processing unit (CPU) of a safety PLC has built-in diagnostics for memory, CPU operation, watchdog timer, and communication systems.
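The single-path failure described above can be made concrete with a small fault-injection model. This is an added example written for this page, not code from the article or from any PLC vendor; the wiring assumptions (de-energize-to-trip outputs in series with the solenoid, energize-to-trip outputs in parallel) and the function names are this editor's simplifications. It injects one stuck output in a 1oo1 path and in a 1oo2 pair, under both trip philosophies, and reports which faults defeat the trip and which merely cause a spurious trip.

```python
"""Fault-injection model of a safety trip loop.

Added illustration (not code from the article): models the single-path
logic solver output described above, injects one stuck output fault, and
repeats the exercise for two outputs voted 1oo2 and for both trip
philosophies (de-energize-to-trip and energize-to-trip). The wiring
assumptions and names are this editor's simplifications.
"""
from typing import Dict, List, Optional


def channel_output(demand: bool, energize_to_trip: bool, stuck: Optional[bool]) -> bool:
    """Energized state of one output driver.

    stuck=None means the electronic path is healthy; True/False means the
    output is frozen energized or de-energized regardless of the logic.
    """
    if stuck is not None:
        return stuck
    # De-energize-to-trip: held energized in normal operation, dropped on demand.
    # Energize-to-trip (fire and gas): normally off, driven on to trip.
    return demand if energize_to_trip else not demand


def final_element_tripped(outputs: List[bool], energize_to_trip: bool) -> bool:
    """Whether the final element reached its safe state for the given outputs.

    Assumed wiring: de-energize-to-trip outputs sit in series with the
    solenoid, so the valve trips if ANY output drops; energize-to-trip
    outputs sit in parallel, so it trips if ANY output is driven on.
    """
    if energize_to_trip:
        return any(outputs)
    return not all(outputs)


def evaluate(n_channels: int, energize_to_trip: bool, fault: Optional[bool]) -> Dict[str, str]:
    """Inject `fault` into channel 0 and report behaviour with and without a demand."""
    def outputs(demand: bool) -> List[bool]:
        return [channel_output(demand, energize_to_trip, fault if i == 0 else None)
                for i in range(n_channels)]

    return {
        "demand": ("tripped (safe)"
                   if final_element_tripped(outputs(True), energize_to_trip)
                   else "FAILED TO TRIP (dangerous)"),
        "normal": ("spurious trip"
                   if final_element_tripped(outputs(False), energize_to_trip)
                   else "running"),
    }


def dangerous_single_faults(n_channels: int, energize_to_trip: bool) -> List[bool]:
    """Stuck states of one output that defeat the trip (fail-to-danger) for this design."""
    return [fault for fault in (True, False)
            if evaluate(n_channels, energize_to_trip, fault)["demand"].startswith("FAILED")]


if __name__ == "__main__":
    for n in (1, 2):
        for ett in (False, True):
            philosophy = "energize-to-trip" if ett else "de-energize-to-trip"
            for fault in (True, False):
                r = evaluate(n, ett, fault)
                print(f"1oo{n} {philosophy:<20} output stuck {'ON ' if fault else 'OFF'}: "
                      f"on demand -> {r['demand']}; normal -> {r['normal']}")
```

The model reproduces the article's point: with one de-energize-to-trip path, an output stuck energized is invisible in normal operation and defeats the trip on demand, while the 1oo2 pair still trips. It also shows the price of that redundancy (an output stuck de-energized now causes a spurious trip) and that under energize-to-trip the dangerous fault is the opposite one, an output stuck off or an open circuit, which is why the diagnostics built into a safety PLC matter for both philosophies.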

Progress, complexities

Accurately evaluating the safety level for a specific control device in the context of a potential hazardous event poses a major and difficult problem for many control engineers. Associations and agencies worldwide have made considerable progress toward establishing standards and implementation guidelines for safety instrumented systems. These standards attempt to match the risk inherent in a given situation to the required integrity level of the safety system.

Unfortunately, many of these guidelines and standards are not specific to a particular type of process and deal only with a qualitative level of risk. Control engineers must use considerable judgment in evaluating risk and in applying instrumentation that properly addresses established design procedures within budget constraints.


Probabilities of Safety
Safety integrity levels (SIL) correspond to specific ranges of safety availability, probability of failure on demand (PFD), and hazard reduction factor (HRF).

SIL | Safety availability | PFD average range | HRF
1   | 90-99%              | 10^-1 to 10^-2    | 10-100
2   | 99-99.9%            | 10^-2 to 10^-3    | 100-1,000
3   | 99.9-99.99%         | 10^-3 to 10^-4    | 1,000-10,000

Cahners Business Information graphic with data from the ISA S84 standard.


Acronyms of Process Safety

BPCS: basic process control system
DCS: distributed control system
FTA: fault tree analysis
HAZOP: hazard and operability (study)
HAZAN: hazard analysis
HRF: hazard reduction factor
IPL: independent protection layer
PFD: probability of failure on demand
PLC: programmable logic controller
SIL: safety integrity level
SIS: safety instrumented system
SRS: safety requirement specification


Safety and Standards-Related Organizations
Safety knows no borders, but organizations for regulations, certifications, and standards do. Here are a variety of sources across the world worth getting to know.

Organization | Location | Website
American Petroleum Institute (API) | Washington | www.api.org
American Institute of Chemical Engineers (AIChE) | New York | www.aiche.org
American National Standards Institute (ANSI) | New York | www.ansi.org
British Standards Institution (BSI) | London | www.bsi.org.uk
European Committee for Electrotechnical Standardization (CENELEC) | Brussels | www.cenelec.be
European Committee for Standardization (CEN) | Brussels | www.cenorm.be
Factory Mutual Research (FM) | Norwood, Mass. | www.factorymutual.com
Food and Drug Administration (FDA) | Washington | www.fda.gov
Global Engineering Documents | St. Louis, Mo. | global.ihs.com
International Electrotechnical Commission (IEC) | Geneva | www.iec.ch
International Organization for Standardization (ISO) | Geneva | www.iso.ch
ISA | Research Triangle Park, N.C. | www.isa.org/standards
Occupational Safety and Health Administration (OSHA) | Washington | www.osha.gov
National Fire Protection Association (NFPA) | Quincy, Mass. | www.nfpa.org
TÜV Product Service | Munich, Germany | www.tuvps.com
U.S. Environmental Protection Agency (EPA) | Washington | www.epa.gov

Cahners Business Information graphic with data from Moore Process Automation Solutions, Rockwell Automation, Internet.


Author Information

Charles M. Fialkowski is senior marketing specialist, Critical Systems Marketing, Moore Process Automation Solutions (Moore Products Co.), Spring House, Pa.



