Is your chemical process "covered" by 29 Code of Federal Regulations (CFR) 1910.119, which covers the process safety management of highly hazardous chemicals? If so, you might be aware that instrumentation and controls can be several of the many independent layers used to maintain process safety.
A number of new domestic and international standards and guidelines are available in this area [1-3]. The Occupational Safety and Health Administration (OSHA) has publicly recognized American National Standards Institute/Instrumentation, Systems, and Automation Society (ANSI/ISA) 84 as a "good engineering practice" and acceptable when following the 1910.119 regulation. Unfortunately, many engineers are either unaware of or reluctant to follow these documents. Ignorance is not bliss, nor an adequate defense in court should something go wrong.
These standards and guidelines either frown on or actually forbid performing control and safety in one "box", e.g., a distributed control system (DCS). However, many plant engineers combine control and safety for purely economic reasons (fewer systems, single source of supply, etc.) without realizing the negative impact on safety.
Safety cannot be shortchanged; no easy solutions exist. Current standards address this with a design life-cycle approach that consists of a set of procedures starting with the process conceptual design and ending with decommissioning.
The design of instrumentation and control systems for safety has been a source of controversy for the past 15 years. What technology is most appropriate (e.g., relay, solid state, software)? What level of redundancy is most appropriate (e.g., single, dual, triple)? What manual test interval is most appropriate (e.g., monthly, quarterly, yearly)? Should safety control be performed in the main control system?
These questions cannot be answered subjectively because everyone has a different opinion and personal background. Developers of industry guidelines, standards and recommended practices realize this problem and have created performance-based documents. In other words, the standards do not mandate the technology, level of redundancy or test intervals. The common theme in all the documents is: The greater the level of process risk, the better the systems needed to control it.
Multiple safety layers
One common theme in all of the industry's process safety documents is multiple independent protection layers. Instrumentation and controls form many of these layers. See Fig. 1.
Figure 1. Independent Protection Layers
Historically, all of the layers were independent, typically using diverse technologies from diverse vendors. However, with the acceptance of software programmable systems, many plant engineers have considered combining multiple functions into one system. For example, it is possible to combine control, alarms, shutdown and fire and gas systems in a modern DCS.
The benefits seem obvious (single source of supply, simplified training and spare parts, lower installed costs, etc.), yet all industry standards either outright forbid or strongly frown on such practices. The reasons are simple. How do you allow access to some functions, but deny access to others? How do you enforce management-of-change policies when operators are constantly making changes to the control system? How can you be certain changes made in one program area will not impact the functionality somewhere else?
What might go wrong?
One end-user reported a case in which all the safety functions in one facility were performed in the DCS. Plant personnel were not aware of the recent industry standards. The corporate specialist mandated that all safety loops be verified. After checking, plant personnel found one-third of the loops had been deleted, one-third were bypassed, and the remaining one-third did not function when tested.
The benefits of multiple independent layers also can be shown graphically. Consider an example of a process with an inherent level of risk, in this case the probability of an explosion, of once per year (as was common in the manufacture of gunpowder more than a century ago). Such a level of risk would not be tolerated today.
Suppose the current goal was a 1/100,000 chance of explosion. Assume the basic process cannot be changed. The only alternative would be to add multiple independent protection layers. See Fig. 2.
Figure 2. Risk Reduction
The "mechanical" layer might represent pressure-relief valves, and the "other" layer might represent a fire and gas system. Some layers are "prevention layers," installed to prevent a particular hazard, while others are mitigation layers, installed to lessen the consequences of a particular incident. Assume each layer reduces the risk by a factor of 10. The original accident probability of once per year now can be reduced to 1/100,000 per year (10 x 10 x 10 x 10 x 10 = 100,000).
But what if most of the layers were performed in a single box such as a basic process control system (BPCS)? In this case, the overall risk would be reduced only by a factor of 100 (the control system and the mechanical protection [10 x 10 = 100]). The overall level of safety protection in this scenario is less by a factor of 1,000, even though a modern control system was used. Industry standards actually limit the performance operators can claim from a control system to no more than a factor of 10.
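The arithmetic behind Fig. 2 can be written down as a small model so that the "single box" penalty is visible rather than implicit. The following is an added example, not code from the article or from any standard. It treats layers hosted in physically separate systems as independent (their factors multiply) and, as a labelled modeling assumption, collapses layers that share one host into a single layer whose credit is capped at the factor of 10 the text says standards allow a control system to claim. The layer names, host labels and the `risk_reduction_factor` / `mitigated_frequency` function names are all constructed for the example.

```python
"""Independent-protection-layer risk arithmetic (added example, not from the article)."""
from collections import defaultdict

# Maximum credit a basic process control system may claim as a protection
# layer; the article states standards cap this at a factor of 10.
BPCS_MAX_RRF = 10

# Each layer: (name, risk reduction factor, host system it is implemented in).
# Host labels are constructed for this example.
INDEPENDENT_LAYERS = [
    ("control",        10, "bpcs"),
    ("alarms",         10, "alarm_panel"),
    ("shutdown",       10, "sis"),
    ("mechanical",     10, "relief_valves"),
    ("fire_and_gas",   10, "fgs"),
]

# Same five layers, but everything except the relief valves lives in the BPCS.
SINGLE_BOX_LAYERS = [
    ("control",        10, "bpcs"),
    ("alarms",         10, "bpcs"),
    ("shutdown",       10, "bpcs"),
    ("mechanical",     10, "relief_valves"),
    ("fire_and_gas",   10, "bpcs"),
]


def risk_reduction_factor(layers):
    """Total risk reduction credited to a set of layers.

    Layers on distinct hosts are independent, so their factors multiply.
    Layers sharing a host are not independent: as a modeling assumption they
    collapse to one layer (the largest single factor), and if that host is
    the BPCS the credit is further capped at BPCS_MAX_RRF.
    """
    by_host = defaultdict(list)
    for _name, rrf, host in layers:
        by_host[host].append(rrf)

    total = 1
    for host, factors in by_host.items():
        credit = max(factors)  # only one layer's worth of credit per box
        if host == "bpcs":
            credit = min(credit, BPCS_MAX_RRF)
        total *= credit
    return total


def mitigated_frequency(initiating_frequency_per_year, layers):
    """Residual event frequency (per year) after the layers are applied."""
    return initiating_frequency_per_year / risk_reduction_factor(layers)


def lost_protection_factor(independent, single_box):
    """How much weaker the single-box design is than the independent one."""
    return risk_reduction_factor(independent) // risk_reduction_factor(single_box)


if __name__ == "__main__":
    base = 1.0  # one explosion per year, the article's starting point
    print("independent:", mitigated_frequency(base, INDEPENDENT_LAYERS))   # 1e-05
    print("single box: ", mitigated_frequency(base, SINGLE_BOX_LAYERS))    # 0.01
    print("protection lost by a factor of",
          lost_protection_factor(INDEPENDENT_LAYERS, SINGLE_BOX_LAYERS))   # 1000
```

Reproducing the article's figures this way makes the point that the loss does not come from any layer being badly built; it comes from the credit that disappears when independence is gone. The cap of 10 is the only number here that the standards fix; the per-layer factors and the collapse rule are the example's own assumptions and would be replaced by a real layer-of-protection analysis.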
Design life cycle
A detailed, systematic, methodical, well-documented design process is necessary for the design of safety instrumented systems. This starts with a safety review of the process, implementation of other safety layers and a systematic analysis, as well as detailed documentation and procedures. The steps are described in the standards and referred to as a safety design life cycle. The intent is to leave a documented, auditable trail, and to make sure nothing falls between the inevitable cracks within every organization.