Fig. 3 shows the life-cycle steps described in the ANSI/ISA 84 standard. This should be considered one example only, because variations of the life cycle are presented in other industry documents. A company can choose to develop its own variation of the life cycle, based on its unique requirements.
Figure 3. Safety Life Cycle
Some will complain that performing all the life-cycle steps, like all other tasks designed to lower risk, will increase overall costs and result in lower profitability and decreased productivity. One in-depth study, conducted by a group that included major engineering societies, 20 industries and 60 product groups, concluded that production increased as safety increased [4]. OSHA has reported similar findings.
Conceptual process design. The first step in the life cycle is to develop an understanding of the process, the equipment under control and the environment in sufficient depth to enable the other life-cycle activities to be performed. The goal is to design an inherently safe plant. The activities in this step are generally considered a job for a process engineer.
Hazard analysis & risk assessment. The next step is to develop an understanding of the risks associated with the process. These can impact personnel, production, capital equipment, the environment, company image and more.
A hazard analysis consists of identifying the hazards. Numerous techniques can be used (HAZard and OPerability study [HAZOP], what-if, fault tree, checklist, etc.) and numerous texts describe each method [5-7].
A risk assessment classifies the risk of the hazards identified in the hazard analysis. Risk is a function of the frequency or probability of an event, as well as the severity or consequences of the event.
A risk assessment can be either qualitative or quantitative. Qualitative assessments subjectively rank the risks from low to high, while quantitative assessments attempt to assign numerical factors such as death or accident rates to the risk. This is not intended to be the sole responsibility of the control system engineer. A number of other specialists are required to perform these assessments, including risk analysts, process designers, process engineers and possibly control engineers.
The goal of process plant design is to have a plant that is inherently safe, or one in which residual risks can be controlled by the application of noninstrumented safety layers.
If the risks can be controlled to an acceptable level without the application of an instrumented system, then the design process stops, as far as a safety instrumented system is concerned. If the risks cannot be controlled to an acceptable level by the application of noninstrumented layers, then an instrumented system will be required.
The most difficult step in the overall process for most organizations seems to be determining the required safety integrity level (SIL). This is not a direct measure of process risk, but instead a measure of the safety system performance required to control the risks identified earlier to an acceptable level. The standards outline a variety of methods that describe how this can be accomplished.
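A worked example of the required-SIL determination described above, added here and not part of the article: it uses a simplified layer-of-protection calculation (one of the quantitative approaches in the standards family; the arithmetic and the SIL bands below are assumptions) with constructed initiating frequencies and layer PFDs, and stops, as the text prescribes, when the noninstrumented layers alone bring the residual frequency to the tolerable level.

```python
from math import prod

# IEC 61508 low-demand PFDavg bands: (SIL, lower bound inclusive, upper bound exclusive).
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def residual_frequency(initiating_freq, layer_pfds):
    """Hazardous event frequency (per year) after the independent
    noninstrumented layers; each layer fails on demand with its PFD."""
    return initiating_freq * prod(layer_pfds)


def required_pfd(residual_freq, tolerable_freq):
    """Largest PFDavg the SIS may have so that the tolerable frequency is met.
    Returns None when the noninstrumented layers already control the risk."""
    if residual_freq <= tolerable_freq:
        return None
    return tolerable_freq / residual_freq


def sil_for_pfd(pfd):
    """Map a required PFDavg to the SIL band containing it. 0 means the
    needed risk reduction is below the SIL 1 band (no SIL claim needed)."""
    if pfd >= 1e-1:
        return 0
    for sil, lower, upper in SIL_BANDS:
        if lower <= pfd < upper:
            return sil
    raise ValueError("required risk reduction exceeds SIL 4; revisit the process design")


def required_sil(initiating_freq, layer_pfds, tolerable_freq):
    """Return (required PFDavg, SIL), or (None, None) when no SIS is required."""
    pfd = required_pfd(residual_frequency(initiating_freq, layer_pfds), tolerable_freq)
    if pfd is None:
        return None, None
    return pfd, sil_for_pfd(pfd)


if __name__ == "__main__":
    # Constructed scenario: loss of cooling 0.5/yr, relief valve PFD 0.01,
    # operator response to an alarm PFD 0.1, tolerable frequency 1e-6/yr.
    print(required_sil(0.5, [0.01, 0.1], 1e-6))   # SIL 2 required of the SIS
    # Same layers, rarer initiator, looser target: design stops, no SIS needed.
    print(required_sil(0.01, [0.01, 0.1], 1e-4))  # (None, None)
```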
Safety requirement specification development. The next step consists of developing the safety requirements specification, essentially the functional logic of the system. Naturally, this will vary for each system. No general across-the-board recommendation can be made.
Each safety function should have an associated SIL requirement, as well as reliability requirements if unplanned shutdowns are a concern. The engineer should include all operating conditions, from startup through shutdown, as well as maintenance.
The system will be programmed and tested according to the logic determined during this step. If an error is made here, it will carry through for the rest of the design. It will not matter how redundant the system is or how often the system is manually tested; it will not work properly when required. These are referred to as systematic or functional failures.
Conceptual SIS design. The purpose of this step is to develop an initial design to determine if it meets the safety requirements and SIL performance requirements. The engineer needs initially to select a technology, configuration (architecture), test interval, software design, power source and user interfaces, among others, pertaining to the field devices and the logic box.
Factors to consider are overall size, budget, complexity, speed of response, communication requirements, interface requirements, methods of implementing bypasses and testing. Plant personnel then can perform a relatively simple quantitative analysis to see if the proposed system meets the performance requirements [8-11]. The intent is to evaluate the system before specifying the solution. Just as it is better to perform a HAZOP before building the plant, it is better to analyze the proposed safety system before specifying it; how else will you know if it meets the performance goal?
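The "relatively simple quantitative analysis" of a conceptual design, as an added example that is not from the article: it uses the widely used simplified PFDavg equations for 1oo1, 1oo2, 2oo2 and 2oo3 voting (assumed here; they neglect common-cause failure, diagnostic coverage and repair time) with constructed dangerous undetected failure rates, and shows how the proof-test interval and the final element architecture decide whether a loop reaches its target SIL and which element is the weak link.

```python
# Simplified average probability of failure on demand for one element group
# with the given voting, from its dangerous undetected failure rate (per hour)
# and proof-test interval (hours). Assumed equations: common cause,
# diagnostic coverage and repair time are ignored.
def pfd_avg(lambda_du, test_interval_h, voting="1oo1"):
    x = lambda_du * test_interval_h   # expected dangerous failures per test interval
    formulas = {"1oo1": x / 2, "1oo2": x ** 2 / 3, "2oo2": x, "2oo3": x ** 2}
    if voting not in formulas:
        raise ValueError(f"unsupported voting: {voting}")
    return formulas[voting]


# PFDavg a loop must stay below (exclusive) to claim a given SIL.
SIL_UPPER_LIMIT = {1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4}


def loop_pfd(elements, test_interval_h):
    """PFDavg of a whole safety function: sensor, logic solver and final
    element contributions add in series. `elements` maps a name to
    (lambda_du per hour, voting). Returns (total, per-element dict)."""
    parts = {name: pfd_avg(lam, test_interval_h, voting)
             for name, (lam, voting) in elements.items()}
    return sum(parts.values()), parts


def meets_sil(total_pfd, target_sil):
    return total_pfd < SIL_UPPER_LIMIT[target_sil]


def weakest_link(parts):
    """Element contributing most of the loop PFDavg."""
    return max(parts, key=parts.get)


if __name__ == "__main__":
    # Constructed rates: transmitter 2e-6/h, logic solver 1e-7/h, shutdown valve 5e-6/h.
    proposed = {"transmitter": (2e-6, "1oo1"), "logic_solver": (1e-7, "1oo1"),
                "valve": (5e-6, "1oo1")}
    total, parts = loop_pfd(proposed, 8760)   # annual proof test
    print(f"proposed: PFDavg={total:.4f} SIL2={meets_sil(total, 2)} "
          f"weakest={weakest_link(parts)}")
    # Redundant valves (1oo2) shrink the dominant term; the loop now meets SIL 2.
    revised = dict(proposed, valve=(5e-6, "1oo2"))
    total, parts = loop_pfd(revised, 8760)
    print(f"revised:  PFDavg={total:.4f} SIL2={meets_sil(total, 2)}")
```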
Detailed SIS design. Once a design has been chosen, the system must be engineered and built following strict and conservative procedures. The process requires thorough documentation: an auditable trail someone else can follow for verification purposes.
Installation and commissioning. This step ensures the system is installed per the design and performs per the safety requirements specification. Before a system is shipped from the factory, it must be thoroughly tested for proper operation. If any changes are required, they should be made at the factory, not at the installation site.
At installation, the entire system, including field devices, must be checked as well. A detailed installation document should outline each procedure to be carried out. Finished operations should be signed off in writing to verify each function and operational step has been checked.
Operations and maintenance. Every system requires periodic maintenance to function properly. Not all faults are self-revealing, so every safety system must be periodically tested to make sure it will respond properly to an actual demand. The frequency of inspection and testing should have been determined earlier in the life cycle. All testing must be documented.
Modifications. As process conditions change, it will be necessary to make changes to the safety system. All proposed changes require returning to the appropriate phase of the life cycle. A change considered minor by one individual could have a major impact on the overall process. The change must be thoroughly reviewed by a qualified team. Many accidents have been caused by a lack of review [12].
Decommissioning. System decommissioning should entail a review to make sure system removal will not impact the process or surrounding units, and that means are available during the decommissioning process to protect the personnel, equipment and environment.
When it comes to the design and evaluation of instrumentation and control systems installed for safety purposes, no easy answers exist. Triplicated logic boxes do not magically solve all problems. A methodical, team-oriented life-cycle approach is required.
Gruhn is owner of L&M Engineering, Houston. He can be reached at paul.gruhn@ix.netcom.com.
1. International Society for Measurement and Control. Application of Safety Instrumented Systems for the Process Industries, ANSI/ISA 84.
2. International Electrotechnical Commission (IEC). 61508 and draft 61511 standards.
3. American Institute of Chemical Engineers, Center for Chemical Process Safety (AIChE CCPS). Guidelines for Safe Automation of Chemical Processes, 1993.
4. Leveson, Nancy G. Safeware: System Safety and Computers, Addison-Wesley, 1995.
5. AIChE CCPS. Guidelines for Hazard Evaluation Procedures, 1992.
6. AIChE CCPS. Guidelines for Chemical Process Quantitative Risk Analysis, 1989.
7. Taylor, J.R. Risk Analysis for Process Plants, Pipelines and Transport, E&FN Spon, 1994.
8. Safety Instrumented System (SIS): Safety Integrity Level (SIL) Evaluation Techniques, ISA Draft Technical Report dTR84.02, 1997.
9. Gruhn, P. "The Evaluation of Safety Instrumented Systems: Tools to Peer Past the Hype," ISA Transactions 35 (1996) 25-32.
10. Gruhn, P. "Safety Systems: Where is Your Weak Link?" InTech, December 1993.
11. Smith, D. J. Reliability, Maintainability and Risk, Butterworth Heinemann, 1993.
12. "Out of Control: Why Control Systems Go Wrong and How to Prevent Failure." Health & Safety Executive (U.K.), 1995.