Myth 1: Application programming for modern safety PLCs is so easy that anyone can do it.
With drag-and-drop interfaces, function blocks and some training, you would think that almost anyone could program a PLC. But translating critical safety logic into a PLC application program requires close cooperation among programmers, process control engineers, and operations and maintenance personnel to ensure that the application program supports plant operation, as well as safe operation.
A program specification should be developed and approved prior to PLC programming. Some PLCs have tools that translate the program as written into an engineering document. This is great for debugging the program, but it is not the same as programming and validating the system operation per an approved specification. Through a debugging exercise, you can obtain a program that under certain test conditions will do what you intend, but this program can have significant hidden problems that will not be seen until conditions change. A program with latent bugs can negatively impact system reliability and risk reduction. Disorganized and complex programming can yield an application program that’s difficult to understand, properly test and safely modify.
SIS-TECH has experience with all major brands of PLCs. Whether Emerson, Honeywell, Siemens, Allen-Bradley, Yokogawa, HIMA, Triconex, or any other PLC, SIS-TECH can execute turn-key projects in critical control, alarm, interlock and SIS applications. For more information on SIS-TECH’s independent engineering services, contact Eric Randecker, email@example.com or 832-434-7307.
Step 1. Confirm Hazard and Risk Analysis (H&RA) assumptions
The Hazard and Risk Analysis establishes the preliminary risk management strategy. The supporting documentation contains assumptions related to automation reliability and the capability of on-site staff to sustain the system. Examples of common assumptions include:
- Well trained operations who reliably use written procedures
- Facility only operates under the conditions evaluated in the H&RA
- Facility does not intentionally violate the safe operating limits (throughput, process conditions, etc.)
- Adequate staffing levels of operations and maintenance technicians to address faults and discrepancies in a timely manner
- An effective alarm management program is in place
- Instruments are fit-for-use for the process applications
- Low demand rate on the instrumented safeguards
- Independence between causes and safeguards exists
Functional safety practices dictate that the site verify the H&RA assumptions. IEC-61511:2016 requires the determination that the design, operation, maintenance, and testing are sustaining the safety integrity as required by the site risk management strategy. ANSI/ISA-18.2 requires that alarm events be monitored to ensure effectiveness of the alarm system. Gaps between the assumptions and reliability can have both direct and indirect impact on actual site risk.
Case Study Example:
Natural gas processing; Longford, Australia; September 25, 1998.
Impact: Explosion and fire; 2 fatalities; 8 injuries; Plant 1 destroyed, Plants 2 and 3 shutdown, 5% loss of supply, 250,000 workers sent home.
Control instrumentation for absorber bottoms condensate
The LPG Plant 1 separated methane from LPG in a pair of absorber towers using lean oil. During the night before the accident, the level increased in the knockout section of Absorber B. Since the disposal route to Plant 2 was not available, an alternate route to a Condensate Flash Tank was used. The normal procedure of increasing absorber bottom temperature was not done. As a result, the flash tank protected itself from excessively cold temperatures by decreasing incoming flow, which in turn caused absorber condensate level to continue to increase. Eventually, condensate mixed with rich stripping oil. This mixture flashed across the level control valve and lowered the temperature in the Rich Oil Flash Tank. Temperatures throughout the plant were lowered as rich oil flowed through the process. A low temperature trip of the lean oil pumps resulted, and the trip was not communicated to the plant supervisor for over an hour. A hand switch was actuated to decrease flow through exchanger GP905 in an attempt to restart the pumps. The heat exchanger ruptured due to cold temperature embrittlement, releasing a vapor cloud of gas and oil. The cloud traveled 170 meters to fired heaters before ignition occurred.
Instrumentation and Controls Gaps
- 100s-1000s of alarms happened per day, many regarded as nuisance
- Critical alarms were not prioritized
- Operators desensitized, alarm system ineffective
- Operators and supervisors did not understand the consequences of their manual actions and experienced engineers had been moved off-site
Key automation learning points
Alarm management reduces the number of alarms to only those requiring operator action. The risk reduction that normally results from a robustly managed safety alarm program is fully dependent on timely and correct operator response to the alarms. Having chronically high process alarm rates in a facility or a significant number of alarms which do not require action will promote the development of ineffective alarm response habits. [ANSI/ISA 18.2]
As in most large events, there were many contributing factors. Among them were two significant deviations from common H&RA automation assumptions:
- The facility was operating in an alternate mode in which operations and the front-line supervisors, in the absence of experienced engineers, did not correctly understand how the process conditions would respond to the manual actions they took.
- The alarm management system was ineffective, with chronically high levels of unprioritized alarms, fostering desensitization to and basic distrust of alarms by the operators.
With these deviations from standard H&RA assumptions, any Operator Response to Alarm protection layer would be very unlikely to succeed.
Audit to confirm that the assumptions made during hazard and risk analysis are actually reflected in plant operation and that these assumptions remain valid over time.
Earlier versions of this case study were originally presented at:
- Texas Chemistry Council 28 Annual Environmental, Health & Safety Seminar. Moody Gardens, Galveston Texas, June 2015.
- 61st International Instrumentation Symposium- (IIS), Huntsville, Alabama, May 2015.
- As poster at 11th Global Congress on Process Safety, Austin, Texas, April 2015.
Automation equipment in control applications is selected primarily based on operational needs, such as functionality, reliability, repeatability, accuracy, communication options and ease of maintenance. Demonstrated in-service performance earns the equipment and its manufacturer a coveted place on the approved equipment list. Equipment in safety applications must also support risk reduction requirements. For safety instrumented systems (SIS), approving the initial selection and continued use of equipment based on in-service performance is referred to as “proven in use” in International Electrotechnical Commission (IEC) 61508 and “prior use” in IEC 61511. Ultimately, the intent of both standards is to collect data that proves the installed equipment is capable of providing satisfactory performance.
Manufacturers often make safety integrity level (SIL) claims on their products. However, SIL is a loop concept and not a device property. An SIL 1 sensor connected to an SIL 1 logic solver with an output to an SIL 1 final element may not achieve an SIL 1 loop. The strength of a chain depends on the total strength of its links. Like a weak link in a chain, the weakest subsystem will limit the integrity of the loop. In many cases, it is necessary to design some, if not all, of the subsystems (the links) to achieve a higher SIL claim so the loop (the chain) design meets the required SIL. Of course, the actual loop performance will also depend upon operations and maintenance management systems.
The most troublesome result of the IEC 61508 certification process is how unconservative the manufacturer claims appear to be. The failure rate data published by various industry data collection programs have revealed in-service dangerous failure rates are significantly higher than what is claimed in the majority of third-party approval reports. For field devices, the reported values are generally 3-10 times lower than what is seen in actual installations. For programmable logic controllers, the manufacturer’s claims can be unconservatively lower than in-service performance by a factor of 10 or more. This means a lot of certified equipment is being sold based on an SIL claim at least one level higher than achievable in the installation.
IEC 61511 only requires the use of safety-certified controllers in SIL 3 applications. For all other technologies and applications, IEC 61511 clause 220.127.116.11 states, “Devices selected for use as part of an SIS with a specified SIL shall be in accordance with IEC 61508-2:2010 and IEC 61508-3:2010, and/or 11.5.3 to 11.5.6, as appropriate.” This clause lists two forms of evidence that can be used to select devices for SIS applications:
• Evaluation for compliance with IEC 61508 Part 2 (hardware) and Part 3 (software). This typically involves a third party approval of a specific configuration of a product.
• Prior use or historical data. These data are typically derived from the device’s performance in similar operating environments.
When weighing these two forms of evidence, the more relevant the information is to the in-service environment, the higher the certainty will be that the actual performance will be consistent with the assumed reliability parameters.
Ultimately, the intent of both standards reinforces that there should be sufficient evidence for site personnel to have confidence that the equipment as installed is suitable for the operating environment, meets the risk reduction requirements and is fit for purpose. Practically, every site has different organizational strengths and capabilities. One site may be perfectly capable of supporting a particular technology, while another site may not be. The effect of the process fluid or external environment on a device can be more severe at one site than at another. These factors are typically excluded from an IEC 61508 analysis. Prior use evidence ensures the selected equipment can be dependably specified and implemented in a way that minimizes the potential for random failures and human errors within that site.
Houston, TX – SIS-TECH Solutions introduces its tank monitoring and overfill protection system using the latest version of the Diamond-SIS. The fully integrated system is easy to apply, making it an economical solution from both a capital and installation cost perspective. The Diamond-SIS has a 15 year history of reliable and trustworthy protection of critical assets. Its durability allows it to be locally installed, while its fast delivery time make it the perfect choice for tank retrofits and new construction.
Houston, TX – Pete Fuller, applications advisor at SIS-TECH, has commissioned the largest Diamond-SIS® (safety instrumented system) to date. The burner management system ensures safe start-up of a six burner heater with purge permissives and light-off. Onboard LEDs display real-time burner status, giving outside personnel a clear indication of which burners are lit and which valves are open.
The ease of use and lack of programming make the Diamond-SIS a cost-effective choice for heater protection. The site has chosen the Diamond-SIS as its preferred small-input/ output safety instrumented system. Additional projects have been initiated for an eight-burner and a 12-burner heater.
For more information, call (713) 909-2100.
Houston, TX – SIS-TECH Solutions has hired Bob Brown as director of strategic accounts. Bob has over 35 years in the Petrochemical industry focused on the challenges of process safety. He also holds membership in committees that include ASME, ISA, Texas A&M’s Mary Kay O’Connor Process Safety Center, and RPSEA. In his new role, Bob will continue his focus on process safety offering clients options to create an inherently safer work place.
Chemical processing is an industrial activity that involves using, storing, manufacturing, handling, or moving chemicals. The process can be designed using inherently safer strategies to ensure safe operation under foreseen process upsets. An example of an inherently safer practice is to design a vessel to withstand the maximum and minimum operating conditions that exist under emergency operation. When the process is not designed to withstand emergency operation, process safety is achieved through implementation of safeguards, which act when the process conditions become dangerous. Internationally, safeguards are maintained under a program referred to as functional safety management.
The owner/operator of the process has the responsibility to determine and document that the process is designed, maintained, inspected, tested, and operating in a safe manner, regardless of the means used to achieve safety. Safe operation of chemical processes is demonstrated through the data records and information gathered to comply with process safety management program. The risk of unsafe operation can be lowered by leveraging the inherently safer strategies throughout the entire design, including the safeguard design.
Many types of equipment are implemented as safeguards within the process industry. Sustainability of safeguards can be significantly different, even when they are designed and managed to provide similar risk reduction. Automated systems, whether in manual or automatic mode, are complex systems where many different devices must work successfully to achieve the desired functionality.
The process control system, safety alarm system, and safety instrumented system (SIS) can achieve similar risk reduction, but the resilience of the SIS to human error is higher due to its more rigorous design, verification, and validation processes. A pressure relief valve and a check valve are both mechanical devices, yet the pressure relief valve has a more sustainable level of risk reduction in service than a check valve. Choosing protection layers that are more resilient to human error is an inherently safer practice. When manual operator actions are required, training with real-time simulators can yield faster troubleshooting, higher response effectiveness, and safer operation.
Safeguards are designed and managed using a safety lifecycle, which includes a myriad of activities, intended to identify and eliminate human errors. Many different skill sets and planned activities are needed to ensure that the safeguards work as desired when required. These activities include competency assessment, verifications, functional safety assessments, configuration management, management of change, audits, and metrics. Keeping up with all these activities and maintaining the necessary documentation requires a strong safety culture that cares about safeguard reliability. Sustaining attention on the numerous details associated with instrumented safeguard performance is a significant challenge.
Automation is undergoing a massive step-change that will take many years to become widely adopted. The latest architectures are IT networks that rely on countermeasures to secure increasingly open communication between plant automation and the outside world. Interconnectivity is highly desirable, but introduces sources of human error and cybersecurity risks that did not exist 20 years ago. “The way things are done” may not be good enough when practices haven’t kept up with technology change. Documentation, procedures, and training must evolve to keep up.
A new book by the Center for Chemical Process Safety, Guidelines for Safe Automation of Chemical Processes, was edited by SIS-TECH Solutions’ staff and is now available from retailers. The equipment installed for process control and safeguard applications often looks the same, and in many cases is the same technology. However, there are significant differences in their functional objectives and in the level of detail needed in the front-line procedures to achieve the required reliability. The book contains practical considerations on the design and management of both process control and instrumented safeguards.
HOUSTON — SIS-TECH has introduced the latest edition of the ICE-Tablet™. This innovative product reduces the time required to execute turnaround testing of instrumentation and controls in critical applications. The ICE-Tablet integrates “documentation, procedures and forms in a single platform for efficient field deployment,” according to Brant Smith, director of SIS-TECH’s instrumentation, controls and electrical (ICE) team.
The ICE-Tablet is constructed of rugged hardware suitable for hazardous environments, and its user interface is ergonomically configured for use in the field. Its innovative design, slim profile and HART (Highway Addressable Remote Transducer) compatibility supports in-service testing of any critical system, especially safety controls, alarms, interlocks and safety instrumented systems.
HOUSTON — SIS-TECH Solutions LP has been awarded its largest greenfield project to date by Koch Industries. The project is part of a $1.3 billion expansion at the Koch fertilizer plant located east of Enid, Oklahoma. SIS-TECH’s instrumentation, controls and electrical (ICE) team will provide field services associated with the construction of a 900,000-ton-per-year urea plant and improvements to existing ammonia plants.
The ICE team project includes execution of tests to validate the operation of critical instrumentation and control systems installed in the Koch fertilizer plant. The quality assurance of test records will be managed using SIS-TECH’s ICE-Tablet.
HOUSTON — SIS-TECH Solutions LP has promoted Khaldon Batnij to associate design consultant on SIS-TECH’s instrumentation, controls and electrical (ICE) team. Batnij graduated from the University of Houston in computer and electrical engineering. He implemented the application software requirements for streamlining the distribution of maintenance procedures and the collection of mechanical integrity data in SIS-TECH’s ICE-Tablet.
In his new position, he works directly with turnaround teams for custom integration of the ICE-Tablet with site maintenance management systems.