1 August 2002
Emergency batch landing
By Iwan van Beurden and Rachel Amkreutz
Batch processes pose their own particular challenges to safety system implementation.
Processes have different kinds of risks. There are community risks, environmental risks, and economical risks. Each of these different kinds of risks, or a combination, can require the installation of a safety instrumented system (SIS) in the process to reduce that risk.
Batch standards and literature do not address safety. However, general process industry safety standards also apply to batch processes. Even though a SIS installed in a batch process may look identical to a SIS installed in a continuous process; there are a number of extra problems to consider when installing a SIS in a batch process.
In general, companies make no real distinction between safety in batch processes and safety in continuous processes. They maintain guidelines and procedures regarding safety that apply to both continuous and batch processes. These guidelines and procedures can, however, hold sections that are relevant only to batch processes and that address batch specific needs or problems.
The following are some observations from our study of batch safety and specific batch safety problems and the solutions that industry is applying. We found the following to be the primary issues:
- Segregation of the batch process control system (BPCS) and SIS
- Synchronization of the process steps between the BPCS and the SIS
- Operator interaction
- Implementation of variable (recipe-dependent) trip levels
- Frequent operational state changes
- Frequent recipe changes
Segregating the systems
Basic process control systems do not achieve significant risk reduction. International standards such as IEC 61508/IEC 61511 indicate that SISs must provide significant risk reduction. This means that besides the BPCS, a SIS may need to install in the process if the process requires additional risk reduction.
Separating the control from the safety in safety-critical processes creates an independent layer of protection. Separation of the SISs and the control system into independent layers of protection is a fundamental, widely accepted practice for these safety-critical processes.
With batch systems, this need for separation causes complexities not typically found in a continuous process due to a variety of issues. For example, the SIS functions are batch recipe dependent or even batch step dependent. Consequently, the SIS system needs to know the recipe and the state that the batch process is in.
This constitutes two other major issues in batch processes. The first issue, related to the recipe, is the setting of the recipe parameters in the safety system. The second issue, related to the batch step, is the synchronization of batch states between the BPCS and the SIS. Both issues are separate batch safety issues.
Industry practices regarding the separation of control and safety are no different for batch processes than for continuous processes. Solutions in the industry show a separate safety system and control system where both systems are connected to the same field instruments.
This industry practice is justifiable only when the safety system has the final vote over the output instruments.
Synchronize process and safety
This separation of safety and control to provide an independent layer of protection brings another major issue in batch processes to light: the synchronization of the step sequence between the distributed control system (DCS) and the SIS logic solver.
This synchronization is mandatory, as the SIS logic solver needs to know the active recipe and the current batch step. Process trip points are recipe and step dependent. The adjusting of the trip points is closely related to DCS and SIS synchronization.
Two industry practices concerning synchronization between the control system and the safety system are important. The first industry practice shows that the recipe and batch step transmit from the control system to the safety system. The safety system performs plausibility checks on the correctness of the step change conditions. An example of such a plausibility check is verification if the sequence of phase changes is plausible.
The second industry practice shows that the safety system calculates the process step independent from the BPCS. This means that the SIS has to determine the batch step or recipe by its own measurement of valve positions, levels, pressures, or other parameters.
Notice that this sensing of the status of the batch process is safety related, as it either enables or disables safety instrumented functions. Consequently, the batch status sensing should also be part of a safety integrity level, or SIL, assessment.
Furthermore its implementation should be performed according to appropriate safety standards such as IEC 61508/IEC 61511.
The implementation of variable trip points in the SIS is probably the most important issue regarding safety in batch processes. An inherent characteristic of batch production is the sequence of various batch steps, each with its own properties and process safety limits.
Because of these recipe-dependent safety limits, the trip levels in the SIS need to adjust with changes to recipe and the process step. It can also be necessary to change the logic of SIS interlocks, depending on the selected recipe.
There are a number of industry practices that cope with this problem. One establishes a "most critical" trip point that was set in the SIS. This most critical trip point related to the equipment. Further, the recipe-dependent trip levels in this case implemented in the BPCS. The equipment loss was the major concern in this case, whereas product loss was no concern. This industry practice can operate only when there are no risk reduction requirements related to the recipe trip levels.
An alternative practice concerning the variation of recipe-dependent trip point level is the implementation of a string-based compare. This industry practice implies that a table of recipe "strings" and their corresponding trip point levels are stored in the safety system.
Based on the recipe string, the safety system will look up the appropriate trip levels from the predefined table. In the case of a recipe change, the control system will send a string with the recipe name to the safety system. The safety system will compare the string received from the control system with the strings stored in the predefined table and adjust the trip levels accordingly.
Note that receiving the correct string is a safety critical function and must undergo analysis to ensure a low probability of dangerous failure.
An expansion of this industry practice is that the safety system will display the selected recipe, and the operator has to acknowledge the selected recipe. Only after operator acknowledgement do the trip levels change.
A safety assessment of the industry practice with just string-based compare might show it is not sufficiently fault tolerant against different postulated faults of the BPCS. Any practice with additional fault tolerance is preferable.
A different industry practice implies the use of a multiposition physical switch. The positions the switch can hold correspond to the various trip levels—for example, low, high, and clean. The trip levels would have to be stored in a predefined table in the safety system. A specific switch position then corresponds to a specific table cell. When the switch position changes, the trip levels in the SIS are set accordingly.
This industry practice type is very much like the string-based compare industry practice type, except that the recipe mode is communicated to the safety system via the physical switch instead of a recipe string.
Like for the string-based compare, an expansion of this industry practice is possible. After changing the physical switch's position, the safety system displays the selected recipe, and the operator has to acknowledge the selected recipe mode. Only after the operator acknowledgment do the trip levels adjust.
Measure process pulse
A third industry practice involved the position of the physical switch compared with a recipe mode variable that transmits to the safety system via the BPCS. The safety system will adjust the trip levels only when both the switch position and the recipe mode variable match.
This compare constitutes redundant means by diverse technology and is therefore a very appropriate and safe method to change the trip point levels in the SIS.
Any of the techniques that increase safety, including redundancy, diverse redundancy, diagnostics, and lower failure rates, can apply to batch safety problems. This third industry practice is a good example of diverse redundancy.
A further industry practice addressing variable trip points is product ID pulsing. In this scheme, the batch management system declares the product in production and sends the appropriate recipe information to the BPCS. This recipe includes a two-digit (or more) product ID number.
The same number also transmits to the safety system. In the safety system the trip levels set according to the product ID number. The trip levels originate in a predefined table in the safety system. Again, this part of the industry practice is very much like the string-based compare industry practice. Then, confirmation that the same product ID number is in both the safety system, and the control system takes place.
After receiving the product ID number, the BPCS starts pulsing two (or more) digital outputs to the safety system in a cycle that lasts until the next product recipe downloads. The safety system interprets these pulsed signals as the product ID number and compares them with the value sent directly from the batch management system.
If the two values sent over the separate paths match, the various block valves controlled by the safety system can energize as the interlocks permit. Otherwise the safety system activates the interlocks, resulting in a safe shutdown. As in the previous two industry practices, the trip levels selected by the safety system can display for operator confirmation.
Finally, it should be pointed out, for all industry practices identified, that whenever there is a discrepancy between the control system and the safety system, the safety system should switch to the most strict, and therefore most safe, trip point levels. In addition, the safety system should always overrule the control system.
While the implementation of SISs in a batch process has a number of special problems not normally encountered with continuous processes, the most dominant issue is the implementation of variable trip points.
The online version of this story includes three more issues not discussed here: operator interaction, frequent operation state changes, and frequent recipe changes. See the original paper at www.isa.org/journals/intech/BatchOrig.doc.
Know that batch processes by nature also have advantages over continuous processes regarding safety, including short turnaround time, which allows frequent testing of the SIS.
It's not now clear whether these advantages are fully utilized. IT
Iwan van Beurden has an M.S. in mechanical engineering. He is a senior safety engineer for exida.com. He gives training classes for exida and is also an ISA instructor and member. Rachel Amkreutz has an M.S. in mechanical engineering. She is also a member of ISA and the American Society for Quality. She works at exida.com as a safety engineer.