February 2008

Cover Story

Petrochem sees triple

Converting relay-based logic solver to triple modular redundancy means safer plants at less cost

Fast Forward

  • PLC-based triple modular redundancy helps petrochem plant lock in safety.
  • Designing PLCs for safety reduces risk, minimizes nuisance trips.
  • Standards play important role in helping design safety inside.

By Keyur Vora and Ranjan Bhattacharya

When a leading Indian petrochemical plant noticed interlock operations and actuation happening six times a year due to shutdowns, they knew it was time for a change. Problems with trips in the oxidation reactor led to huge costs in production and quality losses. Finally, plant officials looked at upgrading the relay-based interlock system with triple modular redundancy (TMR) to enhance reliability and availability and reduce nuisance trips.

A typical system schematic used in one of the plant's exothermic oxidation reactors shows the functioning of the high-level process safety interlock trip logic. The process licensor's original design, from 1986-87, when safety integrity level (SIL) was not yet common vernacular, included 11 alarm/trip parameters. The interlock system comprised 90 relays, 20 analog timers, 40 lamps, 18 bypass switches, 18 solenoid-operated valves on line sizes from 1 in. to 8 in., inter-panel cabling, and hard-wired remote connectivity to the reactor startup panel, the sequence of events recorder, and the DCS. The system underwent three modifications to incorporate plant changes and expansion. Interlock operation and actuation takes place six times per year on average because of periodic plant shutdowns. Since the day of commissioning, the plant had experienced problems and trips with the oxidation reactor: three relay failures, one timer failure, and two cable faults.

Most of these incidents incurred huge costs for the plant in terms of production and quality losses. The supplier of the relays and timers also tried to arrive at the root cause, but the original equipment manufacturer never explained the relay coil failure phenomenon. Troubleshooting was difficult during each failure since there was no visual indication available on the relays and timers. The circuit design used 1-out-of-1 (1oo1) logic, so any failure within the interlock system resulted in a trip of the exothermic oxidation reactor, thereby causing plant upset and production loss.

The plant licensor suggested the system comply with SIL 2, as per the current philosophy for similar plant designs. The proposal was to upgrade the relay-based interlock system to a TMR-based interlock system complying with the minimum SIL 2 requirement.

TMR-based logic solver architecture

By designing the system for safety and availability, users can reduce risk while simultaneously minimizing nuisance trips. The PLC-based triple modular redundant (TMR) logic solver enhances safety, reliability, and availability of a plant, thereby reducing nuisance trips. The architecture of a safety instrumented system (SIS) TMR-based logic solver used in the petrochemical plant integrates three isolated, parallel control systems and extensive diagnostics in one control system. The system uses two-out-of-three voting to provide high-integrity, error-free, uninterrupted process operation with no single point of failure. TMR architecture provides three identical system channels that independently execute the control program.

TMR provides intelligent processors, enabling users to troubleshoot online with a specialized hardware and software mechanism. Replacing I/O modules does not disturb field wiring. The TMR system provides intelligence in input and output modules. Each I/O module has three microprocessors. Input module microprocessors filter and check the inputs and diagnose hardware faults on the module. Output module microprocessors supply information for the voting of output data, check loop-back data from the output terminal for final validation of the output state, and diagnose field-wiring problems.

Fault tolerance in a control system identifies and compensates for failed system elements and allows repair while continuing to control an industrial process without interruption. The most important capability of the TMR system is the ability to detect transient and steady-state error conditions (such as stuck 'on') and to take appropriate corrective action online. Fault tolerance increases safety as well as the availability of the controller and the process being controlled.

The system isolates the three channels so that any single-point failure will not affect the system: the failed channel is overridden by the other channels in operation. Repair consists of removing and replacing the faulty module online without any interruption on the process side.

TMR provides extensive diagnostics on each channel, module, and functional circuit and immediately detects and reports operational faults by means of indicators or alarms. All diagnostic information is accessible by the control program and the operator. If the operator detects faults, he can use the diagnostic information to modify control actions or direct maintenance procedures. The triplicate system operates as a single control system for the user, easing application setup. TMR also supports integration of remote and distributed I/Os, which can be monitored at one central control station.
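The two-out-of-three vote and the per-channel discrepancy diagnostics described above, as an added software model (not the plant's logic solver or any vendor's firmware); the channel names, fault threshold and scan data are constructed. It shows a channel stuck 'on' being outvoted, declared faulted and masked, while a genuine demand still trips:

```python
from dataclasses import dataclass, field

TRIP, HEALTHY = True, False   # state of one channel's trip input on a scan


@dataclass
class Voter2oo3:
    """Two-out-of-three majority voter with per-channel discrepancy diagnostics.

    Constructed model: a channel that disagrees with the voted result on
    `fault_limit` consecutive scans is declared faulted (for example stuck
    'on'), reported as an alarm, and masked from subsequent votes.
    """
    fault_limit: int = 3
    discrepancies: list = field(default_factory=lambda: [0, 0, 0])
    faulted: list = field(default_factory=lambda: [False, False, False])
    alarms: list = field(default_factory=list)

    def vote(self, scan, values):
        healthy = [i for i in range(3) if not self.faulted[i]]
        trips = sum(values[i] for i in healthy)
        if len(healthy) >= 2:
            # Majority of healthy channels (2oo3); with only two left, a 1-1
            # split resolves to the safe state (degraded 1oo2).
            result = trips * 2 >= len(healthy)
        elif len(healthy) == 1:
            result = values[healthy[0]]          # degraded 1oo1
        else:
            result = TRIP                        # no trustworthy channel: fail safe
        for i in healthy:
            if values[i] != result:
                self.discrepancies[i] += 1
                if self.discrepancies[i] >= self.fault_limit:
                    self.faulted[i] = True
                    self.alarms.append(f"scan {scan}: channel {'ABC'[i]} declared "
                                       f"faulted after {self.fault_limit} discrepancies")
            else:
                self.discrepancies[i] = 0
        return result


def run_scans(scans, fault_limit=3):
    """Run the voter over a sequence of (A, B, C) input tuples; return outputs and voter."""
    voter = Voter2oo3(fault_limit=fault_limit)
    outputs = [voter.vote(n, values) for n, values in enumerate(scans, 1)]
    return outputs, voter


# Constructed scan data: channel B sticks 'on' from scan 2 (a 1oo1 relay
# would have tripped the reactor there); a real demand arrives on scan 6.
SAMPLE_SCANS = [
    (HEALTHY, HEALTHY, HEALTHY),
    (HEALTHY, TRIP, HEALTHY),
    (HEALTHY, TRIP, HEALTHY),
    (HEALTHY, TRIP, HEALTHY),
    (HEALTHY, TRIP, HEALTHY),
    (TRIP, TRIP, TRIP),
]

if __name__ == "__main__":
    outputs, voter = run_scans(SAMPLE_SCANS)
    for n, (values, out) in enumerate(zip(SAMPLE_SCANS, outputs), 1):
        print(f"scan {n}: inputs={values} -> {'TRIP' if out else 'run'}")
    print("\n".join(voter.alarms))
```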


PLC in industry

A safety PLC represents industry's attempt to develop a failsafe microprocessor-based system by invoking the requirements of IEC 61508 in its hardware and software design. In fact today, a safety PLC has become the automatic choice as a logic solver in most industrial applications. By designing the system for safety and availability, you can reduce risk while simultaneously minimizing nuisance trips. Exercise caution, however, when making architectural decisions about a logic solver. It is dangerous to under-design. And unnecessarily high lifecycle costs are a consequence of over-design.

As a fired device grows in complexity or size, the risk typically increases. A system with multiple burners and dual fuels has far more safety issues than a skid-mounted oil heater. The choice of when to use a relay-based system, an industrial PLC, or a safety certified PLC is blurred in the eyes of most users. Few are aware of the requirement that PLC-based process safety interlocks must follow IEC 61508.

Logic solver selection

We all have our industry opinions about what we consider to be a suitable choice for a logic solver. The choices can range from hard-wired relays to safety-certified PLCs. It all depends on what agency, committee, or insurance company approves of applicability for service. And the codes or standards we follow are similarly diverse. While some companies follow NFPA, others follow corporate standards, national or international safety standards, or no standard at all.

By actively embracing the concept that a critical process interlock system may in fact be a SIS, companies can ensure these systems see design, maintenance, inspection and testing per the applicable prescriptive instrumentation international standards as well as the latest SIS performance-based standards.

NFPA allows the use of relay-based systems or approved, listed PLC-based systems. ANSI/ISA 84.00.01-2004 (IEC 61511) allows the use of general-purpose PLCs in SIL 1 and SIL 2 applications. However, general-purpose PLCs have limitations that the SIS community recognizes and reflects within the requirements of the standards.

SIS standards, codes

Performance-based standards for a SIS have gained widespread acceptance in the process industry. Users are increasingly applying these standards to the design of critical interlock systems, whose design can meet all requirements of the prescriptive standards and yet not satisfy SIS requirements. It is imperative that end users learn to properly implement projects involving critical process safety interlock and logic solver systems.

Quite a few companies are under the naïve impression that existing critical process interlock systems are grandfathered in accordance with whatever standards or practices were in place at the system's original installation. IEC 61508 and IEC 61511 are clear on the facts about grandfathering.

Prescriptive standards, such as NFPA 85 or NFPA 86, have identified what interlocks to implement based on lessons learned from previous incidents and near misses. However, in today's microprocessor-based world, it is more important to know how to properly implement the prescriptive-based interlocks.

When the logic solver was comprised of relays with simple and well-defined failure modes, it was easy to understand what level of risk reduction the critical process interlock systems provided. However, someone with the best intentions could replace a relay-based critical process interlock system with a new microprocessor-based logic solver, thereby producing a system that is less safe. This issue contributed to the development of the performance-based SIS standards in use today throughout the process industry.

These performance-based standards address how to properly implement prescriptive-based interlocks:

  • ANSI/ISA 84.00.01-2004 - Application of Safety Instrumented Systems for the Process Industries
  • IEC 61508 - Functional safety of electrical/electronic/programmable electronic safety-related systems
  • IEC 61511 - Functional safety: Safety Instrumented Systems for the process industry sector

SIS requirements

Safety lifecycle: One way to provide a framework of consideration for each stage of a SIS, from conception to decommissioning, is through a safety lifecycle. The intent is to force a logical and sequential process for the project scope. Some of the basic components of the safety lifecycle include: risk analysis, consequence analysis, layer-of-protection analysis, SIL determination, documentation of safety function requirements, SIS conceptual design, SIL verification, detail design, and system implementation.

Risk identification, quantification: ANSI/ISA 84.00.01-2004 (IEC 61511) is a performance-based SIS standard released by ISA in October 2004. It is identical to the IEC 61511 standard endorsed by over 144 member countries around the globe, except for the addition of a grandfather clause. The standard requires that a risk analysis be one component of the mandated safety lifecycle. Risk ranking is the act of evaluating the consequence (what could happen if any component of the critical process interlock system fails to function) and likelihood (an estimate of how often the failure could occur) of an event. In some facilities, this is called a HAZOP analysis or a process hazards analysis. The concept is the same: A team of knowledgeable people considers all possible scenarios of operation and conducts a what-if analysis to identify and document all risks. By quantifying the risks associated with each hazard, you can then make a ranking.

SIL determination: Next comes selecting a SIL, which is a measure of required risk reduction. ANSI/ISA 84 recognizes SIL 1, 2, and 3 in the process industry. It is an end user's responsibility to define the risk associated with the operation. [See accompanying article, "Busting SIL myths," by Paul Gruhn.] You can then compare this inherent process risk to the corporate tolerable risk criteria. If the inherent risk is less than that target for tolerable risk, you should document this risk, but there is no required SIS. If the inherent risk is greater than what the company can tolerate, use a SIS as a means to bring the risk back within tolerable limits.

The quantification of the identified risks to establish the required SIL for each safety function determines how good the logic solver needs to be. The standards tie SIL to risk reduction. A required reduction of 10 to 100 times is a SIL 1 requirement, while a required reduction of 100 to 1,000 times is SIL 2. Although very rare, SIL 3 requires reducing risk by 1,000 to 10,000 times.

Based on how much risk is inherent in the operation of the fired equipment in a plant, the performance-based SIS standards provide methods to determine how good the hardware components need to be, how much redundancy is required, how often testing of the system is required, and what level of reliability is required of the individual components.

Grandfather clause: The grandfather clause of the ANSI/ISA standard provides for the continued use of existing safety systems. You must show, through a rigorous risk analysis, that the system meets the required level of risk reduction commensurate with the corporate risk tolerance level. If it does, then implement the mandated process of documentation, ongoing testing, management of change, and the like. If the original design does not meet these requirements, or if you make modifications, the standard requires you to follow the safety lifecycle it describes.

SIL verification: You must perform SIL verification calculations on the burner management system (BMS), which includes sensors, logic solver, and final elements, to ensure each safety function of the BMS has achieved the required SIL. Most industrial process related BMSs typically include SIL 1 functions and at least one SIL 2 safety instrumented function. Thus, you will usually require a logic solver capable of meeting at least SIL 2 for these BMS applications.

Functional testing: SIL capability of a SIS is heavily dependent on the functional test interval assumed. Functional testing is mandatory. OSHA has fined a facility for failure to test its SIS. (An example of functional testing is the procedure of removing pressure from the low fuel pressure switch and verifying the desired actions occur.)

System integration qualifications: IEC 61508 mandates those involved with design/implementation of SIS demonstrate competence in applying the SIS standards. Certified functional safety expert designation represents a professional engineering type certification and examination to evaluate the competence of SIS personnel. Certification requires completion of an examination and demonstration of at least eight years of experience in safety-related endeavors.


Keyur Vora is general manager of instrumentation at Reliance Industries Limited, Patalganga Unit, Maharashtra, India. Ranjan Bhattacharya is vice president of instrumentation at Reliance Industries Limited.

Methodologies, problems with TMR execution

By Keyur Vora and Ranjan Bhattacharya

The original relay-based interlock system was designed to operate on 48 VDC hardware, in line with other interlock systems. The DCS and annunciator interfaces were on 24 VDC systems. The relay panel, reactor start-up panel, and DCS I/O panel were scattered across the field, with distances between the hardware ranging from 50 to 600 meters.

The TMR system evaluated for our application required a 24 VDC system. Replacing the hardware in the existing relay panel was not possible due to space constraints, so engineering of the entire project became complex. The field hardware was single-line equipment without any redundancy. To meet the requirements of the upgrade, we decided to house the new TMR hardware in a dedicated new panel. We proposed to provide redundant field equipment and instruments during plant shutdown. We used TÜV certified relays in the outputs to avoid field changes, and we carried out PFD analysis and assigned I/O in such a way that problems in a less critical circuit of the interlock would not affect a critical one.

Other requirements included pre-wiring and testing the TMR panel so that hook-up took minimum time during the four-day shutdown, no change in the present logic, creating graphics for operation overview and monitoring, shifting the present SOE tags into the new TMR system and configuring all logic and other utility instrument tags for alarm and event recording, documenting interlock test procedures, and creating evidence and records of the functionality check.

Some advantages of the TMR include advanced diagnostic features, redundancy at all levels (i.e. power supply, CPU, I/O, LAN), higher MTBF of components, increased reliability in meeting SIL 3 requirements, increase in uptime of plant availability, and reduced nuisance trips. Quick troubleshooting and scalable I/Os also allowed easy modification and expansion of the system.


Busting SIL myths

By Paul Gruhn

The original ISA84 standard (released in 1996) only recognized up to SIL 3. The latest standard recognizes up to SIL 4 but states the user must follow IEC 61508 if they have a SIL 4 requirement. 

If it is decided the risk must be reduced, a safety system is only one of many possible options. Other options that could also reduce the risk include process changes (e.g., inherently safer design) or the addition/strengthening of other safety layers (e.g., relief valves, scrubbers, flares, etc.).

SIL is a measure of safety system performance. The logic solver is only one piece of the puzzle. You must also analyze the impact of sensors and final elements. 

A system comprised of a triplicated SIL 3 rated logic system used with non-redundant sensors and final elements will only meet SIL 1.

Burner management systems must usually follow NFPA 85. That standard does not address SIL or require verification calculations.

Certified functional safety expert is an expert category. While it covers many engineering issues, it is not considered an engineering certification (which is why the 'e' does not stand for engineer), nor does it wish to conflict with state licensing laws over the use of the term engineer.

The most important capability of a triplicated system is not the ability to detect errors (such as stuck on faults), or to provide extensive diagnostics and report faults. Even non-redundant safety PLCs have such capabilities. In addition to high safety, triplicated systems offer the benefit of fault tolerance (the ability to tolerate faults and continue to operate properly), which means triplicated systems help prevent nuisance trips. 

PLC-based systems do not have to follow IEC 61508. IEC 61508 is a standard primarily focused on manufacturers (vendors). It covers what they need to do in the design and development of their hardware and software in order to meet the different SILs. Independent third parties are brought in by the vendors to assure their users that their systems were designed according to the standard.

Users are expected to follow 61511 (not 61508). That standard does not require the use of certified equipment, nor does it require that PLC systems follow 61508. Many users still continue to use general-purpose PLCs in safety applications (e.g., SIL 1). General-purpose PLCs can indeed meet the requirements for SIL 1, yet such systems were not designed according to the requirements called out in IEC 61508.


Paul Gruhn, P.E., is a training manager at ICS Triplex in Houston.