How to Implement Effective Safety Instrumented Systems for Process Automation Applications

Hariharan Ramachandran’s First Question

How is the safety integrity level (SIL) of a critical safety system maintained throughout the lifecycle?

Len Laskowski’s Answer

The answer might sound a bit trite, but the simple answer is by diligently following the lifecycle steps from beginning to end. Perform the design correctly and verify that it has been executed correctly. The SIS team should not blindly accept HAZOP and LOPA results at face value. The design that the LOPAs drive is no better than the team that determined the LOPA and the information they were provided. Often the LOPA results are based on incomplete or possibly misleading information. I believe a good SIS design team should question the LOPA and seek to validate its assumptions. I have seen LOPAs declare that there is no hazard because XYZ equipment protects against it. But a walk in the field later discovered that the equipment had been taken out of service a year ago and had not yet been replaced. Obviously getting the LOPA/HAZOP right is the first step.

The second step is to make sure one does a robust design and specifies good quality instruments that are a good fit for the application. For example, a vortex meter may be a great meter for some applications but a poor choice for others. Similarly, certain valve designs may have limited value as a safety shutdown valve. Inexperienced engineers may specify Class VI shutoff for on-off valves thinking they are making the system safer, but Class V metal seat valves would stand up to the service much better in the long run, since the soft elastomer seats can easily be destroyed in less than a month of operation. The third leg of this triangle is using the equipment by exercising it and routinely testing the loop. Partial stroke testing the valves is a very good idea to keep valves from sticking. Also, for new units that do not have extensive experience with a process, the SIF components (valves and sensors) should be inspected at the first shutdown to assess their condition. This needs to be done until a history with the installation can be established. Diagnostics also fall into this category; deviation alarms, stroke time and any other diagnostics that can help determine the SIS health are important.

Hariharan Ramachandran’s Feedback

The safety instrumented function has to be monitored and managed throughout its lifecycle. Each layer in a safety protection system must have the ability to be audited. The SIS verification and validation process provides a high level of assurance that the SIS will operate in accordance with its safety requirements specification (SRS). The proof testing must be carried out periodically at the intervals specified in the safety requirements specification. There should be a mechanism for recording SIF life event data (proof test results, failures, and demands) for comparison of actual to expected performance. Continuous evaluation and improvement is the key concept here in maintaining the SIS efficiently.

Hariharan Ramachandran’s Second Question

What is the best approach to eliminate the common cause failures in a safety critical system?

Hunter Vegas’ Answer

There are many ways that common cause failures can creep into a safety system design. Some of the more common ways include:

  • Using a single orifice plate to feed redundant 2oo3 transmitters. Some make it even worse by using a single orifice tap to feed all three. (Ideally it is best to get as much separation as possible – as a minimum have 3 different taps and individual impulse lines. Better yet have completely different flow meters and if possible utilize different technologies to measure flow so that a single failure or abnormal process condition won’t affect them all.)
  • If the impulse lines of redundant transmitters require heat trace, it is best to use different sources of heat. (If they are fed with a single steam line its failure might impact all three readings. This might apply to a boiler drum level or an orifice plate.)
  • Having the same technician calibrate all three meters simultaneously. (Sometimes he’ll get the calibration wrong and set up all three meters incorrectly.) Some plants have the technician only calibrate one meter of the three each time. That way an incorrect calibration will stand out.
  • Putting redundant transmitters (or valves) on the same I/O card. If it freezes or fails all of the readings are lost.
  • Implementing SIS trips in the same DCS that controls the plant.
  • Just adding a SIS contact to the solenoid circuit of an existing on/off valve. If the solenoid or actuator fails such that the valve fails open, neither the DCS nor the SIS can trip it. At least add a second solenoid, but it is far better to add a separate shutdown valve. (Some put a trip solenoid on a control valve. However, if the control valve fails open the trip solenoid might not be able to close it either.)
  • Having a single device generate a 4-20mA signal for control and also generate a contact for a trip circuit. A single fault within the instrument might fail and take out both the 4-20mA and the trip signal. (Using a SIS transmitter for control is really the same thing.)
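
As an added illustration of the 2oo3 voting, deviation-alarm and shared-tap points above (example code, not from the article or its contributors), this Python block votes three redundant transmitters and flags the one that disagrees with the other two; the tags, setpoints and readings are constructed.

```python
from dataclasses import dataclass
from statistics import median
from typing import Dict, Tuple


@dataclass(frozen=True)
class VoteResult:
    trip: bool                   # 2oo3 trip demand raised
    voted_value: float           # median of the three readings
    deviating: Tuple[str, ...]   # tags that disagree with the median


def vote_2oo3(readings: Dict[str, float], trip_limit: float,
              deviation_limit: float, high_trip: bool = True) -> VoteResult:
    """Return the 2oo3 vote and a deviation alarm for three redundant transmitters.

    readings        -- {tag: process value}; exactly three entries expected
    trip_limit      -- trip setpoint in engineering units
    deviation_limit -- allowed disagreement between a transmitter and the median
    high_trip       -- True for a high trip (value >= limit), False for a low trip
    """
    if len(readings) != 3:
        raise ValueError("2oo3 voting needs exactly three readings")
    values = list(readings.values())
    mid = median(values)
    # Deviation alarm: a single mis-calibrated or drifting transmitter shows up
    # as the one reading that disagrees with the other two.
    deviating = tuple(tag for tag, v in readings.items()
                      if abs(v - mid) > deviation_limit)
    # Trip only when at least two of the three are in the trip region, so a
    # single failed transmitter can neither cause nor block the trip.
    in_trip = [(v >= trip_limit) if high_trip else (v <= trip_limit) for v in values]
    return VoteResult(trip=sum(in_trip) >= 2, voted_value=mid, deviating=deviating)


if __name__ == "__main__":
    # Constructed drum-level readings in percent (hypothetical tags), low trip at 20 %.
    cases = {
        "one transmitter mis-calibrated": {"LT-201A": 48.0, "LT-201B": 50.0, "LT-201C": 31.0},
        "genuine low level":              {"LT-201A": 18.0, "LT-201B": 19.5, "LT-201C": 17.0},
        # Shared impulse line blocked: all three freeze at the same stale value,
        # so neither the vote nor the deviation alarm can see the common-cause fault.
        "common cause, shared tap":       {"LT-201A": 50.0, "LT-201B": 50.0, "LT-201C": 50.0},
    }
    for name, r in cases.items():
        print(name, vote_2oo3(r, trip_limit=20.0, deviation_limit=5.0, high_trip=False))
```

The third case is the point of the first two bullets: once all three transmitters share one tap or one heat-trace source, voting and deviation checks cannot distinguish a frozen shared input from a steady process.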

Hariharan Ramachandran’s Feedback

Both random and systematic events can induce common cause failure (CCF) in the form of single points of failure or the failure of redundant devices.

Random hardware failures are addressed by design architecture, diagnostics, estimation (analysis) of probabilistic failures, and design techniques and measures (to IEC 61508‐7).

Systematic failures are best addressed through the implementation of a protective management system, which overlays a quality management system with a project development process. A rigorous system is required to decrease systematic errors and enhance safe and reliable operation. Each verification, functional assessment, audit, and validation is aimed at reducing the probability of systematic error to a sufficiently low level.

The management system should define work processes, which seek to identify and correct human error. Internal guidelines and procedures should be developed to support the day-to-day work processes for project engineering and on-going plant operation and maintenance. Procedures also serve as a training tool and ensure consistent execution of required activities. As errors or failures are detected, their occurrence should be investigated, so that lessons can be learned and communicated to potentially affected personnel.

Hariharan Ramachandran’s Third Question

An incident happened at a process plant. What are all the engineering aspects that need to be verified during the investigation?

Len Laskowski’s Answer

I would start at the beginning of the lifecycle and look at the HAZOP and LOPAs to see that they were done properly. Look to see that documentation is correct: P&IDs, SRS, C&Es, MOC and test logs and procedures. Look to see where the breakdown occurred. Were things specified correctly? Were the designs verified? Was the system correctly validated? Was proper training given? Look for test records once the system was commissioned.

Hunter Vegas’ Answer

Usually the first step is to determine exactly what happened, separating conjecture from facts. Gather alarm logs, historian data, etc. while they are available. Individually interview any personnel involved as soon as possible to lock in the details. With that information in hand, begin to work backwards, determining exactly what initiated the event and what subsequent failures occurred to allow it to happen. In most cases there will be a cascade of failures that actually enabled the event to happen. Then examine each failure to understand what happened and how it can be avoided in the future. Often there will be a number of changes implemented. If the SIS system failed, then Len’s answer provides a good list of items to check.

Hariharan Ramachandran’s Feedback

Also verify if the device/equipment is appropriately used within the design intent.

Hariharan Ramachandran’s Fourth Question

What are all the critical factors involved in decommissioning a control system?

Len Laskowski’s Answer

The most critical factor is good documentation. You need to know what is going to happen to your unit and other units in the plant once an instrument, valve, loop or interlock is decommissioned. A proper risk and impact assessment has to be carried out prior to the decommissioning. One must ask very early on in a project’s development if all units controlled by the system are planning to shut down at the same time. This is needed for maintenance and upgrades. Power distribution and other utilities are critical. One may not be able to demo a system because it would affect other units. In many cases, a system cannot be totally decommissioned until the next shutdown of the operating unit and it may require simultaneous shutdowns of neighboring units as well. Waste management strategy, regulatory framework and environmental safety control are the other factors to be considered.

Hariharan Ramachandran’s Feedback

A proper risk and impact assessment has to be carried out prior to the decommissioning. Waste management strategy, regulatory framework and environmental safety control are the other factors to be considered.
