When can the process control system, safety system share field devices?

An SIS and BPCS can sometimes share components, but not without careful analysis.

By Ed Marszal, Gary Hawkins April 12, 2012

Can a safety instrumented system (SIS) and a basic process control system (BPCS) share field devices? It could certainly save money; consider that a large cryogenic valve for an LNG plant can easily cost $500,000. But how can the SIS and BPCS share valves or other components and still comply with standards? This article will examine the relevant standards and show how it can be done—and how it shouldn’t.

Applicable standards

SISs are generally designed to meet IEC 61511 in order to comply with the requirements of national regulations (ISA 84.00.01 is the U.S. version of IEC 61511). This standard states that it is permissible to share devices between safety and basic process control systems but also sets certain requirements for when sharing devices is and is not allowed. Those requirements are often misunderstood and frequently ignored. Ultimately the object is to avoid a single point of failure: a situation in which failure of a single device causes the process to go out of control, creating a demand on the safety system, while simultaneously defeating the shutdown system by preventing it from responding properly.

To share field devices successfully, it is vital to understand the process under control—not just the safety equipment or the electronics, but the chemical processes that are being controlled. One must understand the process and how the devices are used, and understand how they fail and what will happen if they fail.

Consider the note to paragraph 8.2.1 of IEC 61511 relative to sharing devices:

“In determining safety integrity requirements, account will need to be taken of the effects of common cause between systems that create demands and the protection systems that are designed to respond to those demands.”

This is not a normative requirement but states that careful thought is required before sharing components between the BPCS and the SIS to ensure that the overall risk is within allowable limits. In addition, paragraph 11.2.10 and its attached note offer more advice:

“A device used to perform part of a safety instrumented function shall not be used for basic process control purposes, where a failure of that device results in a failure of the basic process control function which causes a demand on the safety instrumented function, unless an analysis has been carried out to confirm that the overall risk is acceptable.”

“NOTE: When a part of the SIS is also used for control purposes and a dangerous failure of the common equipment would cause a demand for the function performed by the SIS, then a new risk is introduced. The additional risk is dependent on the dangerous failure rate of the shared component because if the shared component fails, a demand will be created immediately to which the SIS may not be capable of responding. For that reason, additional analysis will be necessary in these cases to ensure that the dangerous failure rate of the shared equipment is sufficiently low. Sensors and valves are examples where sharing of equipment with the BPCS is often considered.”

This means that one should not use a device in a safety instrumented function (SIF, essentially a control loop for safety purposes) if a failure of that device will cause a BPCS loop to place a demand on the SIS and simultaneously cause that SIF to fail to a dangerous state. This clause is the origin of the requirement for preventing a single point of failure.

The 11.2.10 Note says that having a single point of failure is permissible as long as the frequency of such a failure is acceptably low. This requires a detailed quantitative analysis—a laborious process that many people do not do well, and often ignore. However, in most situations the mathematical analysis will reveal that sharing is not possible.

The FMEA process

Sharing will require an FMEA (failure modes and effects analysis) of the equipment to be shared. This means that for any shared equipment—a transmitter, a valve, or even an entire control loop—one must determine all of the different ways that each of the shared components can fail, and whether any failure mode constitutes a single point of failure. And while the standard does not explicitly require it, we strongly recommend that the study be formally documented and verified.

The FMEA process begins with making a list of each item to be shared for a given loop or function. All the failure modes for each item should be listed, and for each failure mode the effect of the failure must be described. If a primary failure disables a safeguard, then that constitutes a single point of failure. Each single point of failure must then be eliminated by a redesign, or a quantitative analysis must be performed that demonstrates that the frequency of that failure is low enough to be allowed.

Too much sharing

Figure 1 shows an example with a considerable amount of sharing. The process is a water knockout drum; the interface between hydrocarbon and water is monitored by level transmitter LT-101, which provides the process measurement to controller function block LIC-101 in the control system that adjusts the level control valve, LV-101, to hold the water level in the drum to the setpoint. Function block LSLL-101, the low-level limit, is providing the safety function in this example. Possible failure modes and their consequences are tabulated below:

This example has been simplified and highlights only two shared components. In reality the DCS input card, the DCS CPU, the DCS output card, and the level valve are all shared and should be included in the failure analysis.

This arrangement clearly cannot be used, but what would happen if the safety function were separated out, at least in part? In Figure 2, a separate level transmitter, LT-102, has been added. This provides a level measurement signal to its own logic solver, which responds to low-level conditions by de-energizing a solenoid valve to vent the air from control valve, LV-101, causing it to close. In this scenario, the only shared component is the control valve. The failure mode analysis is tabulated below:

Once again, sharing of just the control valve provides insufficient protection.

Figure 3 shows the situation with an additional, separate shutoff valve. The analysis in this case is simple: there can be no single point of failure because there are no shared components.

Sharing that works

For an example of a situation in which it is permissible to share some components, consider a hydrocracker or a heavy oil hydrotreater. In these process units there will be a feed pump going from a low feed-system pressure, perhaps 100 psig, up to a very high reactor pressure of 1,000 to 2,000 psig. There is a shutdown system, illustrated in Figure 4, intended to detect that forward flow has been lost because of a pump failure.

The shutdown system will then close a shutoff valve to prevent the high-pressure reactor system from flowing backwards through the feed pump into the low-pressure feed system, potentially causing a pressure-relieving scenario. Upon pump failure, the flow controller on the discharge of the pump will respond to the low-flow condition by opening the control valve to try to increase the flow rate since the measured flow (zero) is below the feed flow setpoint. Therefore, a solenoid valve controlled by the shutdown system is provided on the flow-control valve. If forward flow is lost, the shutdown system will de-energize the solenoid valve to close the control valve.

In this case, sharing the control valve is permissible because it does not constitute a single point of failure that both creates a demand and causes the protective function to fail dangerously. Failure of the flow controller cannot cause a reverse flow. The only thing that causes a reverse flow is pump failure. If the valve gets stuck in any position—in place, open, or closed—it will not cause a reverse flow if the pump continues to operate. The shutdown action is independent of the cause of the hazardous situation, so sharing the valve for both the control purpose and the shutdown purpose is permissible. A separate shutdown valve is often provided to give redundancy should the flow-control valve fail to close when the solenoid valve is de-energized, either because the solenoid valve has failed or because the control valve is stuck.
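As an added illustration of the FMEA screen described above (example code, not from the article), the following Python records each failure mode of the designs in Figures 1, 2 and 4 as "creates a demand" and/or "defeats the SIF", and flags a shared component whose failure does both as a single point of failure. The failure-mode entries are constructed from the article's narrative, and the Figure 4 tag names (P-feed, FV-feed, SOV-feed) and SOV-101 are assumed placeholders, since the article does not name them.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureMode:
    component: str
    mode: str
    creates_demand: bool  # failure makes the BPCS loop place a demand on the SIF
    defeats_sif: bool     # the same failure prevents the SIF from responding


def single_points_of_failure(modes, shared):
    """Failure modes of shared components that both create a demand and defeat
    the SIF: the case IEC 61511 11.2.10 forbids without further analysis."""
    return [(m.component, m.mode) for m in modes
            if m.component in shared and m.creates_demand and m.defeats_sif]


def sharing_is_acceptable(modes, shared):
    """True when the FMEA finds no single point of failure among shared parts."""
    return not single_points_of_failure(modes, shared)


# Figure 1 (constructed entries): LT-101, the DCS and LV-101 serve both the
# level controller LIC-101 and the low-level trip LSLL-101.
FIG1_SHARED = {"LT-101", "DCS", "LV-101"}
FIG1_MODES = [
    FailureMode("LT-101", "signal frozen", True, True),  # loop winds up, trip is blind
    FailureMode("LT-101", "reads high", True, True),     # valve opens, level falls, no trip
    FailureMode("DCS", "CPU halt", True, True),
    FailureMode("LV-101", "stuck in place", True, True),
]

# Figure 2 (constructed entries): separate LT-102 and logic solver; only the
# control valve LV-101 is shared. SOV-101 is an assumed tag for the solenoid.
FIG2_SHARED = {"LV-101"}
FIG2_MODES = [
    FailureMode("LT-102", "signal frozen", False, True),
    FailureMode("LV-101", "stuck in place", True, True),  # level drifts, valve cannot close
    FailureMode("SOV-101", "fails to vent", False, True),
]

# Figure 4 (constructed entries, assumed tags): only loss of the feed pump
# causes reverse flow, so a stuck control valve defeats the trip but never
# creates the demand.
FIG4_SHARED = {"FV-feed"}
FIG4_MODES = [
    FailureMode("P-feed", "pump trips", True, False),
    FailureMode("FV-feed", "stuck in place", False, True),
    FailureMode("FV-feed", "fails open", False, True),
    FailureMode("SOV-feed", "fails to vent", False, True),
]
```

Figure 3, with no shared components, is the same check with an empty shared set and trivially passes.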

We have not covered cases where a single point of failure is permitted. This requires a detailed mathematical analysis of the frequency of possible failures, an analysis that may be more costly than purchasing separate equipment.

In summary, IEC 61511 allows sharing of field equipment between the SIS and BPCS, but it has requirements that, if properly implemented, will prevent sharing in an unsafe manner. One of those requirements is a fairly complex analysis of the shared components, which is often misunderstood or done improperly. And finally, a documented and verified FMEA of all shared components should be performed.

Marszal is president of Kenexis Consulting Corporation. Hawkins is global refining business consultant for Emerson Process Management.

Case studies

Fired heater low-pass flow

A process heater at a refinery in the northeast U.S. had the safety shutdown system shown in Figure 5. There were two shutoff valves, XV-21 and XV-22, in the fuel gas line controlled by independent logic in a safety PLC. If the flow of process fluid to the heater decreased too much, the safety system would shut off the fuel gas to the burner. The heater had been in stable operation for a long time with no problems. But the safety loop and process control both relied on the same flow transmitter, FT-101. In addition, the flow transmitter had been mounted below the process fluid line, rather than above it, and moisture had condensed in the impulse lines. During the winter there was a lengthy cold spell. No one noticed that the insulation bag had fallen off the transmitter, causing the condensed moisture in the impulse lines to freeze solid, locking the transmitter’s signal in place.

During that time there was an operational change, and the plant control system called for reduced flow of process fluid to the heater. Flow loop controller FIC-101 began to close process fluid flow control valve FV-101. The flow decreased but the flow transmitter, being locked in place, did not respond to it. This caused the flow control loop output to wind up, driving the flow control valve to close completely. As the flow dropped below the lower limit, the safety loop should have responded, but its flow input came from the same locked-up flow transmitter as the flow control loop. The safety system never responded and the tubes in the heater overheated and ruptured, spilling naphtha and hydrogen into the heater firebox. The heater was a total loss, other equipment was damaged, and production was shut down. The total cost was more than $10 million. Fortunately there were no injuries or fatalities.

The fault here was that the flow transmitter, shared by the control loop and the shutdown loop, constituted a single point of failure, simultaneously causing the unsafe situation and preventing the safety system from responding to it. This was a clear violation of 11.2.10 in IEC 61511. Proper design would have required a separate transmitter for the controller and a separate transmitter for the shutdown system to avoid that single point of failure.

Water knockout drum

This incident occurred on an offshore production platform in the Middle East in the 1990s. A water knockout drum separates liquid hydrocarbons and water, sending the water to a storage tank via an oily water sewer. As shown in Figure 2, level transmitter LT-101 monitored the water/hydrocarbon interface and controlled water flow to the sewer using controller LIC-101 and flow control valve LV-101. The safety system used an independent level transmitter, LT-102, its own safety PLC, and a solenoid valve that, when de-energized, would dump the actuating air from the control valve and cause it to close.

The system had been operating for some time with no change in process conditions. This was a known fouling, depositing service, but the valve had never been partial-stroke tested, and, unbeknownst to the plant operators, had stuck in place.

Then process conditions changed, reducing water-make. The level in the knockout drum began to fall and the level control loop signaled the flow control valve for lower flow. Since the valve was stuck, the flow did not decrease and the level in the drum continued to fall. When it reached the lower limit, the safety system reacted and de-energized the solenoid valve, but the stuck control valve did not respond.

The drum level continued to fall until liquid hydrocarbon entered the sewer. The hydrocarbons eventually found a source of ignition and the sewer exploded, shutting down production and requiring expensive repairs. The total loss exceeded $1 million, although luckily there were no injuries or fatalities.

As in the other example, there was a single point of failure—in this case the control valve, a clear violation of 11.2.10. The proper design here is a dedicated shutoff valve for the SIS, separate from the BPCS. It is worth noting that even with separate valves for process control and safety functions, partial stroke testing should be considered in this known fouling service.