Process Safety What are the Odds?

Within process plants, layers of protection (LOP) include relief valves, rupture disks, dikes, and a safety-instrumented system (SIS). SISs are specially engineered solutions that are continuously online and expected to instantaneously take action to mitigate any detected unsafe process events. But with weeks, months, or even years between unsafe events, what can be done to minimize the probabi...

By Dave Harrold April 1, 2005

To read the complete 64 page pdf of “Formosa Plastics Corp. Illiopolis, Il” click here.

  • Protection layers

  • Improved safety standards

  • Role of S84

  • Better reliability

  • Testing methods

Incidents preceding improved safety standards

Within process plants, layers of protection (LOP) include relief valves, rupture disks, dikes, and a safety-instrumented system (SIS). SISs are specially engineered solutions that are continuously online and expected to instantaneously take action to mitigate any detected unsafe process events.
But with weeks, months, or even years between unsafe events, what can be done to minimize the probability of failure on demand (PFD) for some part of the SIS? The answer: select devices suitable for safety applications, engineer and install those devices using good engineering practices, apply sound maintenance practices, and test, test, test.

Improved safety standards

Safety standards were once developed to satisfy the specific needs of an application, industry, and/or country. One example is the American National Standard Institute (ANSI) P-1.1-1969 standard for defining safety requirements for pulp, paper, and paperboard mills in the U.S.

Often such standards are developed as design specifications based on technologies available when the standard is released. Such standards assume system life-cycle activities, including installation, testing, and maintenance, are properly carried out—an assumption that repeatedly has been proven wrong. (See ‘Incidents leading to improved safety standards’ sidebar.)

More recent safety standards, such as those developed by the International Electrotechnical Commission (IEC) and Instrumentation, Systems, and Automation Society (ISA), are based on identifying and quantifying risk, eliminating the risk when possible, and applying LOPs when risks can’t be completely eliminated to produce ‘performance-based’ standards.

IEC 61508 (Parts 1-7), Functional safety of electrical/electronic/programmable electronic safety-related systems , is an all-inclusive, performance-based standard that covers functional safety requirements for a range of industries including chemical, oil and gas, pulp and paper, non-nuclear power generation, as well as some non-process industries.

In response to feedback from early process industry adopters that IEC 61508 was cumbersome and somewhat inflexible, the IEC committee extracted and reworded relevant sections to form IEC 61511 specifically for process industries. The result is a functional safety standard that provides process industries some degree of implementation flexibility while ensuring compliance is achieved within IEC 61508’s framework.

S84 grandfather clause

Angela Summers, president of SIS-Tech Solutions and a voting member of ISA’s SP84 committee, says that ANSI/ISA S84.00.01-2004, Functional safety: Safety instrumented systems for the process industry sector (S84-2004) matches IEC 61511 with one exception.

‘Included in S84-2004 is a grandfather clause that requires facility owner/operators to examine and document their SIS design, operation, and maintenance practices. If it’s determined the currently installed SIS provides safe operation, no system modifications are required. However, if the examination reveals the SIS is not providing adequate protection, it must be brought into compliance using the latest good engineering practices,’ says Summers.

The goal of IEC 61511 and S84-2004 is not to dictate what technology or level of redundancy must be applied. Rather, the intent of these safety standards is to ensure that the greater the process risk, the more robust the installed SIS.

Though compliance with IEC 61511 and S84-2004 remains voluntary, it is becoming the international safety system standard of choice for process industries as witnessed by the growing number of:

  • Papers being presented by end-users at conferences and symposiums;

  • References on process control system manufacturers’ Web sites; and

  • References made by government agencies in China, India, Ireland, Italy, Norway, United Kingdom, and the United States.

One illustration of government’s awareness of S84 appeared in the $361,500 fine levied by the U.S. Labor Department’s Occupational Safety & Health Administration (OSHA) against Formosa Plastics of Illiopolis, IL. Among the 45 ‘serious violations’ alleged by OSHA, several referenced Formosa’s ‘failure to comply with recognized good engineering practices such as ANSI/ISA S84.’

(See this article online for a link to the OSHA citations document regarding Formosa Plastics.)

Where to focus

The probability a device will fail on demand (PFD) increases over time. However, following verification by another full-proof test that the device is working correctly, it returns to its original reliability level. Increasing the frequency of full-proof tests lowers PFDAVG and provides two options: 1) use the same device to meet a higher safety level (SIL); 2) use a less-expensive device to achieve the same SIL.

When engineers and technicians begin learning about SISs, they often jump to the conclusion that triple or quadruple redundant logic solvers are required.

However, when data such as OREDA (Offshore REliability DAta) are examined, they learn that final control elements malfunction 50% of the time, sensors malfunction 42% of the time, and logic solvers malfunction only 8% of the time. These facts don’t relieve anyone of the responsibility of selecting and installing the appropriate logic solver, but they do help emphasize the importance of considering all factors influencing SIS performance.

These factors include:

  • Regular use of manual or automated partial-stroke valve testing can extend the time between full-proof tests while maintaining the required PFDAVG.

    Failure rates and failure modes of components;

  • Installed instrumentation;

  • Redundancy;

  • Voting;

  • Diagnostic coverage; and

  • Testing frequency.

The only way to ensure such factors are adequately addressed while avoiding over-engineering the solution is to establish good design criteria. That begins by conducting a risk analysis and determining the required safety integrity level (SIL) as defined within the IEC standard. (See ‘Demand mode of operation’ table.)

Once the required SIL is determined, the standard provides the target risk reduction factor (RRF) and the target average PFD, thus quantifying the SIS’s design criteria.

Of course, simply designing and installing an SIS to meet defined integrity numbers isn’t enough, the SIS must be maintained so that its performance doesn’t degrade over time.

Reducing PFD

There are essentially three ways to reduce the probability an SIS will fail on demand:

  • Install double, triple, and quadruple devices;

  • Increase device diagnostic coverage; and

  • Increase the frequency at which devices are tested.

Today, extending diagnostic coverage is easier and more cost-effective with the abundance of devices that offer embedded diagnostics combined with asset management. However, when introducing such solutions as part of an SIS solution, special precautions are required.

For example, safety system experts at examined use of multiplexers with HART communication protocol, such as those available from Pepperl+ Fuchs, in conjunction with Emerson Process Management’s Asset Management Solution (AMS) software to improve SIS device diagnostic coverage.

Exida reported that the tested design can be effective in extending device diagnostic coverage and meet many IEC 61511 requirements as long as:

  • AMS software is set up with appropriate security for passwords and privileges;

  • Procedures are established and documented to ensure proper usage of the HART handheld communicator; and

  • Multiplexer failure rates are accounted for in the SIS design.

  • The third option for reducing PFD is to increase testing frequency for devices.

The graphic, ‘Testing frequency influences PFD AVG ‘ illustrates how more frequent full-proof testing lowers PFD AVG .

Readers should take note, however, that full-proof testing generally requires the process be shutdown or bypass lines installed. With more process facilities running longer between planned shutdowns, opportunities to conduct full-proof tests often aren’t available.

An alternative to full-proof testing is to partially stroke safety valves—not enough to cause process disruptions, but enough to verify the valve moves on demand.

The graphic ‘Benefit of partial-stroke valve testing’ illustrates how partial stroke valve testing can extend the time between full-proof test while maintaining the required PFD AVG .

Partial-stroke valve testing

The three basic methods of partial-stroke valve testing are:

  • Mechanical limiting;

  • Pulsed solenoid valves; and

  • Position control.

Mechanical limiting is an inexpensive solution that involves installation of a mechanical device, such as a collar, valve jack, or jammer, to limit the amount of valve travel. When these devices are being used, the safety valve is unavailable. Ensuring the valve has been returned to normal service is procedure driven.

The method of pulsing the electric signal to the safety valve’s solenoid valve is simple to implement and is very effective for on/off safety block valves. It requires limit switches (or position transmitters); adjustable, timed, pulsed outputs provided by the logic solver; and logic that forces the solenoid valve to return to its safe position, to avoid spurious process shutdowns.

Position control is most effective when using control valves and microprocessor-based ‘smart’ positioners (controllers) as part of the SIS solution. Besides being able to move the valve to predetermined settings, smart positioners provide rich diagnostic coverage, such as valve travel and actuator breakaway force. Because safety valves haven’t typically been installed with positioners, critics of this method cite the need for additional hardware and related installation costs as major drawbacks.

However, refining giant BP reports that after installing Metso Automation’s Neles VG800 valve controllers and ValvGuard testing and monitoring software, plant safety significantly increased and operational costs were reduced. BP also reported a very short payback period.

Saudi Aramco reported similar successes on its safety valves following installation of Emerson’s FieldVue digital valve controllers.

One of the lesser-publicized benefits of increasing diagnostic coverage and/or the testing frequency of safety valves is possible elimination of some safety valves. In some high-risk applications, it’s been a long-time practice to install two safety valves in series. The reason is that both valves are unlikely to fail to close on demand. However, with prudent use of redundant devices, the addition of diagnostic coverage, and increased testing frequency, some companies have eliminated one of the two safety valves, reportedly without sacrificing safety coverage.

Demand mode of operation

Safety integrity levels Target risk reduction factor failure on demand Target average probability of & safety availability
NOTE: SIL 4 rated applications are not typically used in the process industries and the standard cautions that a single programmable safety system shouldn’t be used to meet SIL 4 requirements.
Source: Control Engineering with data from IEC 61511-1 Table 3
1 (90-99%) 10 to 100 0.1 to 0.01
2 (99-99.9%) 100 to 1,000 0.01 to 0.001
3 (99.9-99.99%) 1,000 to 10,000 0.001 to 0.0001
4 (>99.99%) >10,000 &0.0001

To read the complete 64 page pdf of “Formosa Plastics Corp. Illiopolis, Il” click here.

Incidents preceding improved safety standards

Pernis oil refinery, Holland – Jan. 20, 1968 (2 dead, 85 injured).

Flixborough, U.K. – Jun. 1, 1974 (28 dead, hundreds injured).

Seveso, Italy – Jul. 10, 1976 (700 injured).

Bhopal, India – Dec. 2, 1984 (2,500 dead, 100,000 injured).

Piper Alpha, U.K. (North Sea) – Jul. 6, 1998 (165 dead, 61 injured).

Source: Control Engineering