Automation equipment in control applications is selected primarily based on operational needs, such as functionality, reliability, repeatability, accuracy, communication options and ease of maintenance. Demonstrated in-service performance earns the equipment and its manufacturer a coveted place on the approved equipment list. Equipment in safety applications must also support risk reduction requirements. For safety instrumented systems (SIS), approving the initial selection and continued use of equipment based on in-service performance is referred to as “proven in use” in International Electrotechnical Commission (IEC) 61508 and “prior use” in IEC 61511. Ultimately, the intent of both standards is to collect data that proves the installed equipment is capable of providing satisfactory performance.
Manufacturers often make safety integrity level (SIL) claims on their products. However, SIL is a loop concept and not a device property. An SIL 1 sensor connected to an SIL 1 logic solver with an output to an SIL 1 final element may not achieve an SIL 1 loop. The strength of a chain depends on the total strength of its links. Like a weak link in a chain, the weakest subsystem will limit the integrity of the loop. In many cases, it is necessary to design some, if not all, of the subsystems (the links) to achieve a higher SIL claim so the loop (the chain) design meets the required SIL. Of course, the actual loop performance will also depend upon operations and maintenance management systems.
The most troublesome result of the IEC 61508 certification process is how unconservative the manufacturer claims appear to be. The failure rate data published by various industry data collection programs have revealed in-service dangerous failure rates are significantly higher than what is claimed in the majority of third-party approval reports. For field devices, the reported values are generally 3-10 times lower than what is seen in actual installations. For programmable logic controllers, the manufacturer’s claims can be unconservatively lower than in-service performance by a factor of 10 or more. This means a lot of certified equipment is being sold based on an SIL claim at least one level higher than achievable in the installation.
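The chain argument and the effect of optimistic failure rate claims can be worked through numerically. The sketch below is an added example, not part of the original article or any SIS-TECH tool; it assumes the simplified single-channel approximation PFDavg = λDU × TI / 2, the low-demand SIL bands of IEC 61508, an annual proof test, and constructed failure rates.

```python
# Added example: subsystem vs. loop SIL. All failure rates below are constructed.
HOURS_PER_YEAR = 8760

def pfd_avg_1oo1(lambda_du_per_hr, test_interval_yr):
    """Simplified single-channel approximation: PFDavg = lambda_DU * TI / 2."""
    return lambda_du_per_hr * test_interval_yr * HOURS_PER_YEAR / 2

def sil_band(pfd_avg):
    """Low-demand bands: SIL n covers 10^-(n+1) <= PFDavg < 10^-n; 0 = below SIL 1."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd_avg < upper:
            return sil
    return 0

def assess_loop(claimed_rates, test_interval_yr=1.0, in_service_factor=1.0):
    """claimed_rates maps subsystem -> dangerous undetected failures per hour.
    in_service_factor scales the claims up to what the installation actually sees."""
    pfd = {name: pfd_avg_1oo1(rate * in_service_factor, test_interval_yr)
           for name, rate in claimed_rates.items()}
    loop_pfd = sum(pfd.values())  # series loop: any subsystem failing defeats the function
    return {"subsystem_sil": {n: sil_band(p) for n, p in pfd.items()},
            "loop_pfd": loop_pfd, "loop_sil": sil_band(loop_pfd)}

# Constructed case 1: three subsystems that each sit inside the SIL 1 band.
SIL1_PARTS = {"sensor": 8.0e-6, "logic_solver": 6.0e-6, "final_element": 1.0e-5}
# Constructed case 2: claimed rates that add up to a SIL 2 loop on paper.
CERTIFIED = {"sensor": 5.0e-7, "logic_solver": 1.0e-7, "final_element": 1.0e-6}

if __name__ == "__main__":
    print(assess_loop(SIL1_PARTS))
    for factor in (1, 3, 10):
        result = assess_loop(CERTIFIED, in_service_factor=factor)
        print(factor, round(result["loop_pfd"], 5), "SIL", result["loop_sil"])
```

In the first case every subsystem is individually in the SIL 1 band, yet the summed loop PFDavg falls outside it. In the second, scaling the claimed rates by 3 or by 10 drops the loop from SIL 2 to SIL 1.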
IEC 61511 only requires the use of safety-certified controllers in SIL 3 applications. For all other technologies and applications, IEC 61511 clause 11.5.2.1 states, “Devices selected for use as part of an SIS with a specified SIL shall be in accordance with IEC 61508-2:2010 and IEC 61508-3:2010, and/or 11.5.3 to 11.5.6, as appropriate.” This clause lists two forms of evidence that can be used to select devices for SIS applications:
• Evaluation for compliance with IEC 61508 Part 2 (hardware) and Part 3 (software). This typically involves a third-party approval of a specific configuration of a product.
• Prior use or historical data. These data are typically derived from the device’s performance in similar operating environments.
When weighing these two forms of evidence, the more relevant the information is to the in-service environment, the higher the certainty will be that the actual performance will be consistent with the assumed reliability parameters.
Ultimately, the intent of both standards reinforces that there should be sufficient evidence for site personnel to have confidence that the equipment as installed is suitable for the operating environment, meets the risk reduction requirements and is fit for purpose. Practically, every site has different organizational strengths and capabilities. One site may be perfectly capable of supporting a particular technology, while another site may not be. The effect of the process fluid or external environment on a device can be more severe at one site than at another. These factors are typically excluded from an IEC 61508 analysis. Prior use evidence ensures the selected equipment can be dependably specified and implemented in a way that minimizes the potential for random failures and human errors within that site.
Houston, TX – SIS-TECH Solutions introduces its tank monitoring and overfill protection system using the latest version of the Diamond-SIS. The fully integrated system is easy to apply, making it an economical solution from both a capital and installation cost perspective. The Diamond-SIS has a 15-year history of reliable and trustworthy protection of critical assets. Its durability allows it to be locally installed, while its fast delivery time makes it the perfect choice for tank retrofits and new construction.
Houston, TX – Pete Fuller, applications advisor at SIS-TECH, has commissioned the largest Diamond-SIS® (safety instrumented system) to date. The burner management system ensures safe start-up of a six burner heater with purge permissives and light-off. Onboard LEDs display real-time burner status, giving outside personnel a clear indication of which burners are lit and which valves are open.
The ease of use and lack of programming make the Diamond-SIS a cost-effective choice for heater protection. The site has chosen the Diamond-SIS as its preferred small-input/output safety instrumented system. Additional projects have been initiated for an eight-burner and a 12-burner heater.
Houston, TX – SIS-TECH Solutions has hired Bob Brown as director of strategic accounts. Bob has over 35 years in the petrochemical industry focused on the challenges of process safety. He also holds membership in committees that include ASME, ISA, Texas A&M’s Mary Kay O’Connor Process Safety Center, and RPSEA. In his new role, Bob will continue his focus on process safety, offering clients options to create an inherently safer workplace.
Chemical processing is an industrial activity that involves using, storing, manufacturing, handling, or moving chemicals. The process can be designed using inherently safer strategies to ensure safe operation under foreseen process upsets. An example of an inherently safer practice is to design a vessel to withstand the maximum and minimum operating conditions that exist under emergency operation. When the process is not designed to withstand emergency operation, process safety is achieved through implementation of safeguards, which act when the process conditions become dangerous. Internationally, safeguards are maintained under a program referred to as functional safety management.
The owner/operator of the process has the responsibility to determine and document that the process is designed, maintained, inspected, tested, and operating in a safe manner, regardless of the means used to achieve safety. Safe operation of chemical processes is demonstrated through the data records and information gathered to comply with the process safety management program. The risk of unsafe operation can be lowered by leveraging the inherently safer strategies throughout the entire design, including the safeguard design.
Many types of equipment are implemented as safeguards within the process industry. Sustainability of safeguards can be significantly different, even when they are designed and managed to provide similar risk reduction. Automated systems, whether in manual or automatic mode, are complex systems where many different devices must work successfully to achieve the desired functionality.
The process control system, safety alarm system, and safety instrumented system (SIS) can achieve similar risk reduction, but the resilience of the SIS to human error is higher due to its more rigorous design, verification, and validation processes. A pressure relief valve and a check valve are both mechanical devices, yet the pressure relief valve has a more sustainable level of risk reduction in service than a check valve. Choosing protection layers that are more resilient to human error is an inherently safer practice. When manual operator actions are required, training with real-time simulators can yield faster troubleshooting, higher response effectiveness, and safer operation.
Safeguards are designed and managed using a safety lifecycle, which includes a myriad of activities intended to identify and eliminate human errors. Many different skill sets and planned activities are needed to ensure that the safeguards work as desired when required. These activities include competency assessment, verifications, functional safety assessments, configuration management, management of change, audits, and metrics. Keeping up with all these activities and maintaining the necessary documentation requires a strong safety culture that cares about safeguard reliability. Sustaining attention on the numerous details associated with instrumented safeguard performance is a significant challenge.
Automation is undergoing a massive step-change that will take many years to become widely adopted. The latest architectures are IT networks that rely on countermeasures to secure increasingly open communication between plant automation and the outside world. Interconnectivity is highly desirable, but introduces sources of human error and cybersecurity risks that did not exist 20 years ago. “The way things are done” may not be good enough when practices haven’t kept up with technology change. Documentation, procedures, and training must evolve to keep up.
A new book by the Center for Chemical Process Safety, Guidelines for Safe Automation of Chemical Processes, was edited by SIS-TECH Solutions’ staff and is now available from retailers. The equipment installed for process control and safeguard applications often looks the same, and in many cases is the same technology. However, there are significant differences in their functional objectives and in the level of detail needed in the front-line procedures to achieve the required reliability. The book contains practical considerations on the design and management of both process control and instrumented safeguards.
HOUSTON — SIS-TECH has introduced the latest edition of the ICE-Tablet™. This innovative product reduces the time required to execute turnaround testing of instrumentation and controls in critical applications. The ICE-Tablet integrates “documentation, procedures and forms in a single platform for efficient field deployment,” according to Brant Smith, director of SIS-TECH’s instrumentation, controls and electrical (ICE) team.
The ICE-Tablet is constructed of rugged hardware suitable for hazardous environments, and its user interface is ergonomically configured for use in the field. Its innovative design, slim profile and HART (Highway Addressable Remote Transducer) compatibility support in-service testing of any critical system, especially safety controls, alarms, interlocks and safety instrumented systems.
HOUSTON — SIS-TECH Solutions LP has been awarded its largest greenfield project to date by Koch Industries. The project is part of a $1.3 billion expansion at the Koch fertilizer plant located east of Enid, Oklahoma. SIS-TECH’s instrumentation, controls and electrical (ICE) team will provide field services associated with the construction of a 900,000-ton-per-year urea plant and improvements to existing ammonia plants.
The ICE team project includes execution of tests to validate the operation of critical instrumentation and control systems installed in the Koch fertilizer plant. The quality assurance of test records will be managed using SIS-TECH’s ICE-Tablet.
HOUSTON — SIS-TECH Solutions LP has promoted Khaldon Batnij to associate design consultant on SIS-TECH’s instrumentation, controls and electrical (ICE) team. Batnij graduated from the University of Houston in computer and electrical engineering. He implemented the application software requirements for streamlining the distribution of maintenance procedures and the collection of mechanical integrity data in SIS-TECH’s ICE-Tablet.
In his new position, he works directly with turnaround teams for custom integration of the ICE-Tablet with site maintenance management systems.
Process safety safeguards must be capable of performing their required function in stopping the progression of a loss event. Since a process upset proceeds at a certain rate as determined by the process design, speed is a critical part of the functional specification. If a safeguard performs too slowly compared to the loss event, it provides no protection at all. Determining just how fast a safeguard needs to complete its action is an important project deliverable that impacts safeguard selection and setpoint specification.
The first task in specifying the safeguard response time is to look to the process design to determine how much time it will allow. The process safety time (PST) is the time between the process failure and the loss event that would occur if there were no safeguards. The PST may be only seconds, which limits the types of safeguards that can be effective. On the other hand, the process may take days to transition from the initial failure to the loss event, allowing for a sequence of safeguards.
A variety of engineering practices may be used to justify the selected PST. Expert judgment, based on individual or industry experience, can be a very useful starting point and may be the only method available for the initial PST estimation. Expert judgment alone may leave the operating facility with a weak rationale to support future management of change. Extrapolation or mass-and-energy balances can be used to determine the PST based on a specific process design. These simpler techniques may be insufficient for evaluating a complex process upset and are unlikely to reveal short-term transients during abnormal operation. Process simulation uses first principle models to determine the response of multiple process parameters to one or more process upsets. In dynamic simulation, the actual process equipment, including piping configurations, and process chemistry are incorporated into the model. With the capability to model complex reactive or multi-phase reactions, a dynamic simulation is more likely to reveal short duration transients and more likely to track the actual process conditions during a simulated upset. Tuning the model with startup and normal operational data helps increase confidence in the simulation accuracy. Operator testing using a simulator can increase alarm response effectiveness.
The second task is to specify the response time for each safeguard that must complete its action in order to stop the loss event. The response time is basically the time available for the safeguard to act given its setpoint and the process dynamics. The least conservative setpoint is determined based on time lags inherent to the safeguard hardware, application program delays, and measurement error. Early in the project, simple tables of generic hardware delays and measurement error might be used. Later project stages replace the early estimates with specific information as it becomes available.
It is not a good practice to design a safeguard based on the least conservative value. The generally accepted margin is to ensure that the safeguard completes its action in half the time allowed by the process dynamics. This design margin increases the likelihood that the safeguard is effective even when the real world slows things down a bit. On the other hand, having a setpoint too close to the operating limit can put a facility at risk for more frequent nuisance alarms and trips. Nuisance trips cause lost productivity and often cascade into other events. Ensuring enough time to act without causing nuisance events is a balancing act that is often negotiated among operations, process safety, and engineering. Dynamic simulation can provide detailed data to make this negotiation easier and the outcome more consistent.
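The trade-off between the half-time margin and nuisance trips can be put into numbers. The following is an added example, not taken from the original article; it assumes a high trip on a variable that ramps linearly during the upset, and all values (pressures in bar, delays in seconds) are constructed.

```python
# Added example: setpoint window for a high trip on a linearly rising variable.
# Assumption (not from the article): the upset ramps at a constant rate.

def setpoint_window(limit, rate, delays_s, meas_error, normal_max, margin=0.5):
    """Return the least conservative and design setpoints plus a nuisance check.

    limit       value at which the loss event occurs
    rate        rise of the process variable during the upset, units per second
    delays_s    safeguard time lags in seconds (sensor, logic solver, final element)
    meas_error  worst-case measurement error, in process units
    normal_max  highest value seen in normal operation
    margin      fraction of the available time the safeguard may use (0.5 = half)
    """
    total_lag = sum(delays_s.values())
    # Least conservative: the safeguard finishes exactly as the limit is reached.
    least_conservative = limit - meas_error - rate * total_lag
    # Design: the safeguard finishes in `margin` of the time the process allows.
    design = limit - meas_error - rate * total_lag / margin
    # Headroom between normal operation and the lowest value that could trip.
    headroom = design - meas_error - normal_max
    return {
        "total_lag_s": total_lag,
        "least_conservative": least_conservative,
        "design": design,
        "headroom": headroom,
        "nuisance_risk": headroom <= 0,
    }

# Constructed hardware lags for one safeguard.
DELAYS = {"sensor": 1.0, "logic_solver": 0.5, "final_element": 4.0}

if __name__ == "__main__":
    for rate in (0.2, 0.4):  # slow and fast upset, bar/s (constructed)
        print(rate, setpoint_window(limit=20.0, rate=rate, delays_s=DELAYS,
                                    meas_error=0.5, normal_max=16.0))
```

With the slower upset the design setpoint leaves headroom above normal operation; with the faster one it falls below the normal operating maximum, which signals that a faster safeguard or a different protection layer is needed rather than a less conservative setpoint.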
Contact SIS-TECH to learn more about how a dynamic simulator can be used to improve process control, determine the process safety time, increase operator effectiveness, reduce operator response time, validate your alarms, and certify your operators.
SIS-TECH’s SIL Solver V7 recently completed an extensive review of its calculation algorithms, architecture, and failure rate database. It has been re-certified as complying with national and international standards for determining the likelihood that a safety-critical system will fail to operate as required or cause an unnecessary process disruption. The failure rate database derives from a 20-year history of gathering data giving the user confidence that it reflects real-world conditions in the general process industry. SIL Solver V7 is a platform for retaining the safety requirements specification for safety instrumented systems and supports the lifecycle management of this critical information.