HOUSTON — SIS-TECH Solutions LP has promoted Khaldon Batnij to associate design consultant on SIS-TECH’s instrumentation, controls and electrical (ICE) team. Batnij graduated from the University of Houston in computer and electrical engineering. He implemented the application software requirements for streamlining the distribution of maintenance procedures and the collection of mechanical integrity data in SIS-TECH’s ICE-Tablet.
In his new position, he works directly with turnaround teams for custom integration of the ICE-Tablet with site maintenance management systems.
Process safety safeguards must be capable of performing their required function in stopping the progression of a loss event. Since a process upset proceeds at a certain rate as determined by the process design, speed is a critical part of the functional specification. If a safeguard performs too slowly compared to the loss event, it provides no protection at all. Determining just how fast a safeguard needs to complete its action is an important project deliverable that impacts safeguard selection and setpoint specification.
The first task in specifying the safeguard response time is to look to the process design to determine how much time it will allow. The process safety time (PST) is the time between the process failure and the loss event that would occur if there were no safeguards. The PST may be only seconds, which limits the types of safeguards that can be effective. On the other hand, the process may take days to transition from the initial failure to the loss event, allowing for a sequence of safeguards.
A variety of engineering practices may be used to justify the selected PST. Expert judgment, based on individual or industry experience, can be a very useful starting point and may be the only method available for the initial PST estimation. Expert judgment alone may leave the operating facility with a weak rationale to support future management of change. Extrapolation or mass-and-energy balances can be used to determine the PST based on a specific process design. These simpler techniques may be insufficient for evaluating a complex process upset and are unlikely to reveal short-term transients during abnormal operation. Process simulation uses first-principles models to determine the response of multiple process parameters to one or more process upsets. In dynamic simulation, the actual process equipment, including piping configurations, and the process chemistry are incorporated into the model. With the capability to model complex reactive or multi-phase systems, a dynamic simulation is more likely to reveal short-duration transients and more likely to track the actual process conditions during a simulated upset. Tuning the model with startup and normal operational data helps increase confidence in the simulation accuracy. Operator testing using a simulator can increase alarm response effectiveness.
The second task is to specify the response time for each safeguard that must complete its action in order to stop the loss event. The response time is basically the time available for the safeguard to act given its setpoint and the process dynamics. The least conservative setpoint is determined based on time lags inherent to the safeguard hardware, application program delays, and measurement error. Early in the project, simple tables of generic hardware delays and measurement error might be used. Later project stages replace the early estimates with specific information as it becomes available.
It is not a good practice to design a safeguard based on the least conservative value. The generally accepted margin is to ensure that the safeguard completes its action in half the time allowed by the process dynamics. This design margin increases the likelihood that the safeguard is effective even when the real world slows things down a bit. On the other hand, having a setpoint too close to the operating limit can put a facility at risk for more frequent nuisance alarms and trips. Nuisance trips cause lost productivity and often cascade into other events. Ensuring enough time to act without causing nuisance events is a balancing act that is often negotiated among operations, process safety, and engineering. Dynamic simulation can provide detailed data to make this negotiation easier and the outcome more consistent.
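The two tasks above (determine the PST, then back the setpoint off from the hazard limit by the safeguard's own response time and measurement error) and the half-time design margin, carried through as an added worked example that is not from the newsletter or from SIS-TECH's tools. It assumes a linear excursion of the process variable and uses constructed numbers (a pressure case with hypothetical transmitter, logic solver and valve delays); the `nuisance_risk` check is a simple noise-band heuristic for the balancing act the text describes, not a standard rule.

```python
"""Setpoint specification for one safeguard (constructed example). Assumes the
process variable rises linearly from the operating limit to the hazard limit."""
from dataclasses import dataclass

@dataclass
class Safeguard:
    sensor_lag_s: float      # transmitter response time
    logic_delay_s: float     # logic solver scan plus application program delay
    final_element_s: float   # valve stroke (or breaker opening) time
    meas_error: float        # measurement error, in process units

    def response_time(self) -> float:
        """Time from the setpoint being reached until the action is complete."""
        return self.sensor_lag_s + self.logic_delay_s + self.final_element_s

def process_safety_time(op_limit: float, hazard_limit: float, rate: float) -> float:
    """PST: time from the process failure (variable leaves its operating limit)
    to the loss event (variable reaches the hazard limit) with no safeguards."""
    return (hazard_limit - op_limit) / rate

def setpoint(hazard_limit: float, rate: float, sg: Safeguard, margin: float) -> float:
    """Highest setpoint at which the safeguard still completes within 1/margin of
    the time the process allows between setpoint and hazard limit. The reading may
    lag the true value by meas_error, so that much is reserved first.
    margin=1.0 gives the least conservative setpoint; margin=2.0 is the half-time rule."""
    return hazard_limit - sg.meas_error - margin * rate * sg.response_time()

def specify(op_limit: float, hazard_limit: float, rate: float, sg: Safeguard,
            margin: float = 2.0) -> dict:
    least = setpoint(hazard_limit, rate, sg, 1.0)
    design = setpoint(hazard_limit, rate, sg, margin)
    if least <= op_limit:
        verdict = "ineffective"     # too slow for this PST at any setpoint
    elif design <= op_limit:
        verdict = "margin_not_met"  # effective only without the design margin
    elif design - op_limit < 2 * sg.meas_error:
        verdict = "nuisance_risk"   # setpoint sits inside the measurement noise band
    else:
        verdict = "ok"
    return {"pst_s": process_safety_time(op_limit, hazard_limit, rate),
            "response_s": sg.response_time(), "least_conservative_sp": least,
            "design_sp": design, "verdict": verdict}

# Constructed high-pressure case: operating limit 10.0 bar, hazard limit 16.0 bar.
TRIP = Safeguard(sensor_lag_s=2.0, logic_delay_s=1.0, final_element_s=12.0, meas_error=0.2)

if __name__ == "__main__":
    for rate in (0.05, 0.2, 0.5):  # bar/s after the initiating failure
        print(rate, specify(10.0, 16.0, rate, TRIP))
```

At 0.05 bar/s the PST is 120 s and the half-time setpoint lands at 14.3 bar; at 0.2 bar/s the margin can no longer be met, and at 0.5 bar/s a 15 s safeguard cannot protect at any setpoint, which is the "PST may be only seconds" case from the text.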
Contact SIS-TECH to learn more about how a dynamic simulator can be used to improve process control, determine the process safety time, increase operator effectiveness, reduce operator response time, validate your alarms, and certify your operators.
SIS-TECH’s SIL Solver V7 recently completed an extensive review of its calculation algorithms, architecture, and failure rate database. It has been re-certified as complying with national and international standards for determining the likelihood that a safety-critical system will fail to operate as required or cause an unnecessary process disruption. The failure rate database derives from a 20-year history of gathering data, giving the user confidence that it reflects real-world conditions in the general process industry. SIL Solver V7 is a platform for retaining the safety requirements specification for safety instrumented systems and supports the lifecycle management of this critical information.
SIS-TECH Solutions, LP is celebrating the 15th anniversary of SIL Solver with its V7 product. SIL Solver started as a computational tool and evolved into a lifecycle tool with V7. Thousands of users have analyzed their safety-critical systems and identified ways to improve their performance since SIL Solver V1. The built-in database expanded from simple process technologies to cover complex technologies with high diagnostic capabilities. Throughout it all, SIS-TECH’s technical staff mentored and trained SIL Solver users, enabling them to quickly analyze system functions and to try different architectures to improve performance or reduce test requirements.
SIS-TECH Solutions LP, Houston, TX has selected Denisse Corbett to lead a new initiative on process control system and interface optimization. Along with more than 15 years of experience in the control systems field, Denisse is a certified functional safety professional and holds a FS Eng (TÜV Rheinland) certificate. Denisse’s new position builds on her expertise in the lifecycle management of safety instrumented systems, including design, engineering, application software programming, and systems integration. She is fluent in English and Spanish and can execute technical work in either language.
Automation equipment in control applications is selected primarily based on operational needs, such as functionality, reliability, repeatability, accuracy, communication options, and ease of maintenance. Demonstrated in-service performance earns the equipment and its manufacturer a coveted place on the approved equipment list. Equipment in safety applications must also support the risk reduction requirements in addition to meeting the operational needs. For safety instrumented systems (SIS), the concept of approving the initial selection and continued use of equipment based on in-service performance is referred to as proven in use in IEC 61508 and prior use in IEC 61511. Ultimately, the intent of both standards is to collect data that proves that the installed equipment is capable of providing satisfactory in-service performance.
Manufacturers often make safety integrity level (SIL) claims on their products, but SIL is a loop concept and not a device property. A SIL 1 sensor connected to a SIL 1 logic solver with an output to a SIL 1 final element may not achieve a SIL 1 loop. Like links in a chain, the loop integrity is limited by the weakest link, yet the chain as a whole is weaker than any single link, because each link contributes its own probability of failure. In many cases, it is necessary to design some, if not all, of the subsystems (the links) to achieve a higher SIL claim so that the loop (the chain) meets the required SIL.
The most troublesome result of the IEC 61508 certification process is how non-conservative the manufacturer claims appear to be. The failure rate data published by various industry data collection programs has revealed that in-service dangerous failure rates are significantly higher than what is claimed in the majority of 3rd party approval reports. For field devices, the reported values are generally 3 to 10 times lower than what is seen in actual installations. For PLCs, the manufacturer’s claims can be non-conservatively lower than in-service performance by a factor of 10 or more. This means that a lot of certified equipment is being sold based on a SIL claim at least one level higher than achievable in the installation.
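The chain argument and the in-service correction factor from the two paragraphs above, as an added worked example (not from the newsletter and not SIL Solver's algorithm). It assumes the simplified low-demand 1oo1 approximation PFDavg = lambda_DU * TI / 2, a series loop whose PFDavg is the sum of its subsystems, the standard low-demand SIL bands, and constructed failure rates for a hypothetical sensor, logic solver and valve.

```python
"""Loop SIL from subsystem claims (constructed example). Uses the simplified
low-demand 1oo1 approximation PFDavg = lambda_DU * TI / 2 for each subsystem."""
HOURS_PER_YEAR = 8760.0

def pfd_avg_1oo1(lambda_du_per_h: float, proof_test_interval_yr: float) -> float:
    """Average probability of failure on demand for a single-channel subsystem
    with dangerous undetected failure rate lambda_DU and proof-test interval TI."""
    return lambda_du_per_h * proof_test_interval_yr * HOURS_PER_YEAR / 2.0

def sil_from_pfd(pfd: float) -> int:
    """Low-demand SIL band for a PFDavg; 0 means the value does not reach SIL 1."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0

def loop_sil(subsystems: dict) -> dict:
    """subsystems maps name -> (lambda_DU per hour, proof-test interval in years).
    The loop PFDavg is the sum of the subsystem PFDavgs (links in series), so the
    loop can land in a band below every individual link."""
    parts = {n: pfd_avg_1oo1(lam, ti) for n, (lam, ti) in subsystems.items()}
    total = sum(parts.values())
    return {"subsystems": {n: (p, sil_from_pfd(p)) for n, p in parts.items()},
            "loop_pfd": total, "loop_sil": sil_from_pfd(total)}

def with_field_factor(subsystems: dict, factor: float) -> dict:
    """Scale the claimed dangerous failure rates by an in-service correction factor."""
    return {n: (lam * factor, ti) for n, (lam, ti) in subsystems.items()}

# Constructed loops with an annual proof test. Every subsystem of LOOP_SIL1 is in the SIL 1 band.
LOOP_SIL1 = {"sensor": (8.0e-6, 1.0), "logic_solver": (5.0e-6, 1.0), "valve": (1.0e-5, 1.0)}
# Every subsystem of LOOP_SIL2 is claimed at SIL 2 or better.
LOOP_SIL2 = {"sensor": (4.0e-7, 1.0), "logic_solver": (1.0e-7, 1.0), "valve": (5.0e-7, 1.0)}

if __name__ == "__main__":
    print(loop_sil(LOOP_SIL1))                            # three SIL 1 links, loop below SIL 1
    print(loop_sil(LOOP_SIL2))                            # SIL 2 loop at the claimed rates
    print(loop_sil(with_field_factor(LOOP_SIL2, 3.0)))    # drops to SIL 1 with 3x field rates
```

Three SIL 1 links sum to a PFDavg of about 0.10, just outside the SIL 1 band, and the SIL 2 loop falls to SIL 1 once the claimed rates are multiplied by the low end of the 3 to 10 factor the text reports for field devices.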
IEC 61511 only requires the use of IEC 61508 compliant equipment when applying PLCs in SIL 3 applications. For all other technologies, IEC 61511 states, “Devices selected for use as part of a SIS with a specified SIL shall be in accordance with IEC 61508-2:2010 and IEC 61508-3:2010, and/or 11.5.3 to 11.5.6, as appropriate.” This clause lists two forms of evidence that can be used to select devices for SIS applications:
- Evaluation for compliance with IEC 61508 Part 2 (hardware) and Part 3 (software). This typically involves a 3rd party approval of a specific configuration of a product.
- Prior use or historical data. This data is typically derived from the device’s performance in similar operating environments.
When weighing these two forms of evidence, recognize that the more relevant the information is to the in-service environment, the higher the certainty that the actual failure rate will be in alignment with the assumed reliability parameters. In-service data is essential to understanding the real potential for human (or systematic) errors. In contrast to IEC 61508 compliance information, prior use identifies not only hardware failures and their root causes, but also systematic failures, which is essential for achieving industry benchmarked performance.
IEC 61511 acknowledges the importance of in-service records for justifying the continued use of existing equipment. For example, it states that “for existing SIS designed and constructed in accordance with codes, standards, or practices prior to the issue of this standard the user shall determine that the equipment is designed, maintained, inspected, tested, and operating in a safe manner.” The newly required stage 4 functional safety assessment involves a periodic examination of site operating and maintenance records to determine whether the installed SIS is being managed as planned and complies with the safety requirements specification.
IEC 61511’s quality metrics are also appropriate for proving the fitness for purpose of equipment in any safety control, alarm, and interlock application. Fundamentally, this approval process involves making an engineering judgment of the equipment’s design quality, functional capabilities, use factors, in-service history, failure rate in the operating environment, and ability to fulfill the safety requirements specification for the particular application.
With 12 years designing Safety Instrumented Systems (SIS) at SIS-TECH Solutions, LP, Pete Fuller knows what it takes to keep on track when it involves compliance with today’s standards. With over 35 years of experience in the instrument world (originating at NASA), Pete continues to meet the ever challenging task of coming up with a design that meets target SILs. Earning the FS Eng (TÜV Rheinland) certificate in 2013 demonstrates that Pete can talk the talk when it comes to process safety. Besides his specialty of designing single SIS systems for SIS-TECH, reach out to Pete for any SIS requirement, including calculations, training, and commissioning of SIS systems.
SIS-TECH announces its new Tank Protection System (TPS) – an independent, cyber-proof system that uses the Diamond-SIS® to monitor and report asset-threatening conditions in terminals, tank farms and process vessels. The Diamond-SIS® is a state-based controller rated for hazardous locations, which allows local installation and minimizes installation and wiring costs. The Diamond-SIS® is specifically designed for low I/O applications, and its installed cost is 10% of that of conventional safety controllers. The Diamond-SIS® has over a decade of continuous industrial service with zero reported failures and is certified for use in SIL 3 applications.
The TPS is flexible and customizable for any application. A popular configuration provides dual alarms for each condition of concern, a local operator interface for safe operation and shutdown, and an automatic overfill prevention system (AOPS). The low power consumption of the Diamond-SIS® is ideally suited for solar power where utilities don’t exist. Options are available for communicating tank fill status to remote monitoring stations.
Hui Jin was recently promoted to Senior Risk Analyst with SIS-TECH Solutions in Houston, TX. Hui Jin has a PhD in reliability engineering from NTNU in Norway, where he developed a keen interest in the numerical assessment of safety instrumented systems in process industrial applications. At SIS-TECH, he leads the software design team for SIL Solver NG, a tool for calculating the probability of failure and nuisance trip potential of safety critical systems. Hui Jin is bilingual with fluency in Chinese and English.
SIS-TECH Solutions strongly supports The Center by sending gift boxes of their delicious gingersnaps to our best clients every holiday season since the early 2000s. The Center is a private not-for-profit United Way agency, which has for more than 60 years served children and adults through educational, residential and work training programs. The holiday gingersnaps are shipped in gold tins that are decorated with gilded handmade paper ornaments. All proceeds from cookie sales (see www.gingersnapsetc.org) are used to enrich the lives of the 600 adults at The Center located in Houston, TX. For more information on The Center please visit www.thecenterhouston.org.