Learning the Hard Way
or "To Engineer Is Human"

Lessons Learned on Safety Instrumented System Design

By Paul Gruhn, P.E., Moore Process Automation Solutions

Safety Instrumented System (SIS)

A system composed of sensors, logic solvers, and final control elements for the purpose of taking the process to a safe state when pre-determined conditions are violated.

The Danger of Overconfidence & Complacency

After Three Mile Island, but before Chernobyl, the head of the Soviet Academy of Sciences said,

"Soviet reactors will soon be so safe that they could be installed in Red Square."

When the Bhopal plant works manager was informed of the accident, he actually said in disbelief,

"The gas leak just can’t be from my plant. The plant is shut down. Our technology just can’t go wrong. We just can’t have leaks."

Major Industrial Accidents

  • Flixborough (England)
    1974: 28 deaths, > 100 injuries
  • Bhopal (India)
    1984: 3,000 deaths, 200,000 injuries
  • Mexico City (Mexico)
    1984: 500 deaths, 4,000 injuries
  • Chernobyl (Soviet Union)
    1986: 100,000 deaths estimated
  • Piper Alpha (England)
    1988: 165 deaths, destruction of platform
  • Pasadena (US)
    1989: 23 deaths, > 130 injuries

Historic Accidents on Film

Tacoma Narrows Bridge

Challenger

Findings of the Lord Cullen Report (Piper Alpha)

  • "The operator should be required ... submit a Safety Case … of each installation."
  • ‘Regulations should be performance oriented (set goals), rather than
    prescriptive.’

Control System Incident Occurrence By Phase

  • Specification 44%
  • Changes After Commissioning 20%
  • Design & Implementation 15%
  • Operations & Maintenance 15%
  • Installation & Commissioning 6%

From "Out Of Control", a compilation of 34 incidents involving control systems, by the UK HSE.

(Similar findings have been reported by others)

Current or Developing Standards

  • HSE, PES, 1987
  • AIChE CCPS; Guidelines for Safe Automation of Chemical Processes, 1993
  • ISA S84; Application of Safety Instrumented Systems for the Process Industries, 1996
  • IEC TC65 dS61508 (and dS61511);
    Functional Safety - Safety Related Systems, 1998
  • OSHA CFR 1910.119; Process Safety Management of Highly Hazardous Chemicals, 1992

Safety Life Cycle

  • Conceptual Process Design
  • Hazard Analysis / Risk Assessment
  • Apply non-SIS Protection Layers
  • SIS Required?
  • Define Target SIL
  • Select Technology
  • Select Architecture
  • Determine Test Philosophy
  • Reliability Evaluation
  • Performance Target Met?
  • Proceed to Manufacture

Multiple layers of protection

  • Community Emergency Response
  • Plant Emergency Response
  • Physical Protection (Containment Dikes)
  • Physical Protection (Relief Devices)
  • Safety Instrumented System
  • Critical Alarms, Operator Intervention
  • Basic Process Control
  • Process

Failure Modes

With a safety system, the concern shouldn’t so much be with how the system operates, but rather how the system fails. Safety systems can fail in two ways:

  • Safe Failures
  • Dangerous Failures

3 Dimensional Risk Ranking

Factoring for Frequency, Severity, and other Multiple Independent Layers

IEC, ISA & AIChE Integrity Levels

Integrity   Safety            PFD             Equivalent
Level       Availability                      RRF

4           > 99.99%          < .0001         > 10,000
3           99.9 - 99.99%     .001 - .0001    1,000 - 10,000
2           99 - 99.9%        .01 - .001      100 - 1,000
1           90 - 99%          .1 - .01        10 - 100

(Control - N/A)

Sample Architectures for SILs

SIL 1: Non-redundant: Best single path design.

SIL 2: Partially redundant: Redundant independent paths for elements with lower availability.

SIL 3: Totally redundant: Redundant independent paths for total interlock system. A single fault of a SIS system component should not result in a loss of process protection.

Note: Examples ONLY (NOT Recommendations!)

Engineering Tools

Engineering design tools to evaluate different design options such as:

  • technology
  • redundancy
  • manual test intervals
  • field devices

Analyze the problem, before you specify the solution!
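An added worked example (not from the presentation) that ties the integrity-level table above to the kind of engineering tool this slide describes: it converts a dangerous failure rate, a manual proof-test interval and a redundancy choice into an average PFD, then into the table's SIL band and RRF. The simplified low-demand PFD formulas, the absence of a common-cause term, and the sample failure rate are assumptions, not figures from the page.

```python
def sil_from_pfd(pfd):
    """Map an average PFD to a SIL band using the table's boundaries
    (.1-.01 -> SIL 1, .01-.001 -> SIL 2, .001-.0001 -> SIL 3, < .0001 -> SIL 4).
    Returns 0 when PFD is worse than .1: that is control, not a SIS."""
    if pfd < 1e-4:
        return 4
    if pfd < 1e-3:
        return 3
    if pfd < 1e-2:
        return 2
    if pfd < 1e-1:
        return 1
    return 0


def risk_reduction_factor(pfd):
    """Equivalent RRF column of the table: RRF = 1 / PFD."""
    return 1.0 / pfd


def pfd_avg(lambda_d, test_interval_hours, architecture="1oo1"):
    """Approximate average PFD of a low-demand SIS element.
    lambda_d: dangerous failure rate per hour (assumed from failure data)
    test_interval_hours: manual proof-test interval TI
    Assumed textbook approximations, no common-cause term:
      1oo1 (non-redundant): PFD ~ lambda_d * TI / 2
      1oo2 (redundant):     PFD ~ (lambda_d * TI) ** 2 / 3"""
    x = lambda_d * test_interval_hours
    if architecture == "1oo1":
        return x / 2
    if architecture == "1oo2":
        return x ** 2 / 3
    raise ValueError("unsupported architecture: " + architecture)


def evaluate(lambda_d, test_interval_hours, architecture="1oo1"):
    """One design option evaluated: PFD, equivalent RRF and resulting SIL."""
    pfd = pfd_avg(lambda_d, test_interval_hours, architecture)
    return {"pfd": pfd, "rrf": risk_reduction_factor(pfd), "sil": sil_from_pfd(pfd)}


if __name__ == "__main__":
    # Constructed sample: lambda_d = 5e-6 /h, tested yearly (8760 h) or
    # twice a year (4380 h), single path versus redundant paths.
    for arch in ("1oo1", "1oo2"):
        for ti in (8760, 4380):
            r = evaluate(5e-6, ti, arch)
            print("%s TI=%5dh  PFD=%.2e  RRF=%7.0f  SIL %d"
                  % (arch, ti, r["pfd"], r["rrf"], r["sil"]))
```

Running the sample shows the trade-off the slide points at: halving the test interval alone leaves the single-path design at SIL 1, while adding a redundant path moves it to SIL 3.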

Final Thoughts

  • Engineering responsibility should not require the stimulation that comes in the wake of catastrophe.
    S.C. Florman
  • The result of the increased application of hazard analysis has been a 50% reduction in injuries, increased ease of operations, and decreased production stoppages.
    N. Leveson
  • Accidents are not due to lack of knowledge, but failure to use the knowledge we have.
    T. Kletz
  • When a man’s education is finished, he is finished.
    E.A. Filene
  • Those who cannot remember the past, are condemned to repeat it.
    G. Santayana
  • Ignoring the problem won’t make it go away.
    Anonymous

But how can you make your plant really safe?

Actually, that’s easy!

Do what the French did 200 years ago.

They passed a law requiring an explosives manufacturer to

live on the premises...

with his family!
