Comment

1 June 2005

Protect the plant

Leading edge trends in process control safety.

By Ged Farnaby

Manufacturers need to maintain the integrity and safety of their processes; and if they can do so while optimizing production, that's even better. The number of safety system options available to process manufacturers today, and the varying degrees of certification, can make choosing the right configuration and level of protection more complex than ever. High-profile technology introductions for safety instrumented systems (SIS) have added to the array of options available for process automation. How can today's manufacturers incorporate the latest integrated SIS technology into their process and discuss the options available and the related benefits?

High integrity automation helps to mitigate the factors, such as mandated cost reductions from consolidation, restructuring, and downsizing, which can undermine the process of maintaining operations integrity. The resulting pressure to do more with less pushes production and equipment to their limits. Other factors include inadequate training to react to critical conditions, human error, lack of focus on safety, dynamic state plant conditions (such as during startup, shutdown, and product changeovers), and of course the presence of hazardous materials.

High integrity

The term high integrity means different things in different industries. It means safety and safety integrity level (SIL) compliance with the appropriate certification and reaching production goals within strict tolerance in regulated industries. It also means consistently producing quality goods or operating safely at optimum efficiency. In most cases, it is some combination of all of these. The objective for everyone is to have the process react in a controlled manner, in normal and critical conditions, to reduce the risk of plant incidents that could impact the environment, business, health of employees, and innocent bystanders.

The most valuable asset of the all process industries is people. Remember Bhopal 1984 (3,000 deaths), Seveso June 1976 (35,000 exposed to poisonous Dioxin), and Piper Alpha 1988 (167 deaths)? In the wake of these horrific industry incidents, the process manufacturing industry developed necessary international standards and solutions for protecting personnel, equipment, and the environment.

Different safety approaches

Stand-alone safety systems have been the traditional method of choice for years, which means different design and operation requirements of process control systems and SIS. A process control system is for control strategies and continuous dynamic response to process measured variables. Safety instrumented systems are static, waiting to take action on out-of-control processes. As a result, we've developed separate systems for process control and safety yield duality in operator interface, engineering and configuration tools, data and event historians, asset management, and network communication areas. Also affected are infrastructures, plant systems integration, control and instrumentation hardware, wiring, project execution, installation, and commissioning costs.

Lifecycle costs, such as spare parts, support, training, maintenance, and service also increase with this approach. Because these interfaces are sometimes engineering intensive and expensive to maintain and synchronize, we've incurred added costs with engineering and maintenance interfacing between DCS and SIS systems. It's a costly solution for end users, considering a SIS has no perceived return on investment unless something goes wrong. Of course, if an incident does occur and puts demand on the SIS, it becomes invaluable.

Integrated safety and automation systems

A more modern approach has the DCS and SIS in the same, but separate, system. This eliminates the need for duplicate operator stations, engineering tools, asset optimization, historians, and network equipment, which reduces duality and the associated lifecycle costs. Also, the ease of data sharing and synchronization, through safe reads and confirmed online writes, allows you to optimize SIL and non-SIL applications. This improves operations without extra engineering.

As industrial research firm ARC Advisory Group notes in an April 2005 Industry Insight, "In process safety, several major suppliers have embraced the concept of 'same but separate.' This concept is becoming well entrenched in process control applications where the safety system shares a common hardware platform with the process automation system, as well as common networks and software tools. This greatly reduces engineering and lifecycle costs of the safety system and improves early event detection and avoidance of unplanned downtime."

You can use the same-but-separate philosophy to improve the overall DCS and SIS functionality and improve efficiency by:

• Online read of safety parameters in the safety application by the control application.
• Critical time interaction between control and safety, such as burner startup.
• Automatic safety bypass management during different states of control, such as start up, changes in production, batch, and automatic set and reset.
• Shared instruments for DCS and SIS.
• Comparison of instrument signals in DCS and SIS.

In an integrated safety and automation system, the safety controller is a recognized, functionally integrated control device in a common safety and automation control network. A firewall protects the integrity of the safety controller and prevents the safe environment in the controller from unintended outside influence. Such firewall (access control) implementation is subject to a certification agency's review, inspection, and approval. The industry considers TÜV Product Service the foremost independent certification agency in the business.

The new generation of evolutionary systems has the required level of separation according to IEC 61508/61511 and certified TÜV compliance. This approach has advantages such as system design through implementation and operability, maintenance, asset optimization, and change management.

Control and safety delivered in a single environment eliminates interfacing, cost, and complexity and widens the functional scope. This approach combines safety critical loops with control applications for the best use of process equipment within defined safety boundaries during changing production modes.

Newly developed embedded safety and control within the same architecture addresses firm safety requirements as well as opportunities for efficiency gains, made possible with new technology like a single window (a homogenous operator control room environment). Programmable electronics act as a technology for automation and safety. An integrated solution should support separation of safety and process control functions with the necessary degree of safety integrity. Another technology could be a common set of rules and solutions for the automation and safety system's configuration and design. It's good to have one common tool environment for engineering, configuration, design, and programming. Also, pay attention to support modifications, not only initial design.

As few different modules and components (spare parts) for the automation and safety system as possible is ideal. You'll want them as interchangeable as possible, keeping safety integrity in mind.

The benefits of this approach include minimized scope of specialized knowledge; reduced engineering and maintenance training costs; and reduced purchasing, installation, operator training, and spare part costs. It gives engineers, operators, and managers a common working environment.

The industry is calling for flexible and cost-effective SIS solutions through integration with control systems, less frequent proof testing, and scalable architectures. Embedded control and safety seamlessly integrates traditionally isolated plant devices and systems. This unified architecture reduces duality and associated lifecycle costs of maintaining separate basic process control system (BPCS) and SIS . You can optimize project engineering, training, operations, maintenance, and spare parts by using the common architecture.

The newest system architectures also can offer the flexibility of hosting safety and process critical control applications in the same controller, providing logical separation of control and safety functions. Supporting this controller are common engineering tools, human system interface, historian, audit trail, asset and device management applications, and instruments, which improve the integrity and reliability of BPCS and SIS operations. Such an environment offers safe and instant interaction between applications, leading to a host of benefits from easier handling to better technical solutions and lower costs.

With integrated control and safety, users can choose the configuration that works best for their application. Each option protects the integrity of the process while providing engineering and operational efficiencies. These flexible architectures' integrated functionality provides physical separation or logical separation of control and safety for better safety system performance and process optimization.

You'll need to examine and assess all safety loops to ensure safe operation of a plant and to comply with IEC 61508 or 61511. When determining a SIL, consider all devices in each specific safety instrumented function (SIF) or field instrumentation, not just the logic solver. The most forward thinking suppliers have all elements of the loop covered with SIL certified instrumentation and logic solvers, from SIL1 through SIL3, protecting up to SIL4 with technology diversity.

Risk assessment

You can apply the basic principles behind SILs to any system. IEC 61508 intended the term for manufacturers of E/E/PE systems. They intended the second standard, IEC 61511, for users. In principle a SIL defines a tolerable range of frequencies, deeming acceptable the risk of some pre-defined hazard.

Before designing and calculating the safety loop, you need to perform the SIL assessment or safety standard, such as SIL2. Use the risk graph in IEC 61508.

By adopting IEC standards in the process industries, manufacturers have developed improvements to safeguard personnel, environment, and equipment. Now, it's either a mandatory requirement or, in some countries, a recognized best practice approach to system design. It's also a great way for suppliers and owner operators to ensure the highest level of protection. From an insurability perspective, system owners can significantly reduce costs by complying with these standards.

Historically, vendors designed our systems for SIL3 compliance. Through HAZOP analysis, we can identify this level of protection as required for the specific process loop or SIF. Take a look at IEC 61511 for definition and SIL determination methods. Rather than simply stating "it's a SIL3 loop," apply risk reduction methods, such as layers of protection analysis (LOPA) and device redundancy techniques. Such methods would reduce the SIL3 determination to SIL2, reduce the level of risk to personnel and equipment, and have a favorable impact on insurability for owners and operators.

Control & safety: Physical & logical separation

Effective protection

Effective protection allows technologies offering protection at SIL2 to meet customers' protective needs, where you may have originally made a SIL3 assessment. Typically, this will reduce costs significantly, as higher cost triple modular redundant (TMR) configurations have dominated SIL3 applications. It's becoming more popular to design your plant for SIL2 by lowering the risk level and adopting techniques, such as LOPA, to eliminate SIL3 wherever possible. To meet this SIL3 determination, we used to use TMR configurations by providing high availability, fault-tolerant systems for a diverse range of applications. We did it by incorporating a triplicated system architecture from input module to output module. The new generation of SIS gives greater financial and operational pay back and efficiency with the latest technologies and reliable electronics and software. Safety and control systems integration have also contributed with value-added features such as asset optimization, alarm management, and predictive maintenance, which traditional stand-alone doesn't offer.

Fieldbus technologies for safety

Right now, the safety industry hasn't widely adopted fieldbus technologies. Profisafe is a TÜV certified fieldbus technology seeing use in an open architecture for safety process industry applications mainly in Europe. Foundation Fieldbus is working with such bodies as ISA and IEC to develop and certify their fieldbus technology to meet future trends. It's likely they'll release and certify these bus technologies for SIL applications within a few years. The next big functional leap for safety will be in this area.

But there is still work to do. Even though we have certified SIS systems, accidents still occur. On 23 March, 2005, an explosion at the BP Amoco facility in Texas City, Tex., killed 15 people and injured more than 170. At that facility, there is a BPCS and SIS. But during a plant shutdown, something went wrong. The explosion occurred because BP ISOM unit managers and operators greatly overfilled and then overheated the Raffinate Splitter, a tower that is part of the ISOM unit, according to a BP Products North America's interim fatal accident investigation report. The fluid level in the tower at the time of the explosion was nearly 20 times higher than it should have been.

We cannot be complacent or ignore the fact that hazards are present in every process facility operating today. And even if we don't fully understand, we still need to protect ourselves. It could happen again.

Behind the Byline

Ged Farnaby is business development manager, North America, at ABB Inc. in Houston.