Select the Right Process Safety System

Keeping several do's and don'ts in mind can help.

By Paul Gruhn, Rockwell Automation


Changes in technology have led to a variety of recent developments in process safety, with many suppliers releasing new systems that significantly depart from those traditionally available. So, choosing a safety instrumented system (SIS) may seem even more complicated now. However, paying attention to a few do's and don'ts can make picking the right system for your process easier.

Do take advantage of scalable systems. The first popular safety programmable logic controllers (PLCs) introduced in the mid-1980s were triplicated. These systems, of course, cost more than non-redundant general-purpose PLCs. Because multiple distributed systems scattered around a facility often were considered too expensive, many plants opted for a single large centralized system — one 1,000-input/output (I/O) system cost less than ten 100-I/O systems.

However, not all applications need 1,000+ I/O. That's why some vendors have developed safety PLCs particularly suited for small amounts of I/O. Still, using one system for small applications and a different system for large ones in the same facility is hardly ideal.

A number of suppliers recently have launched systems that can scale from small and stand-alone to large and distributed — all using the same hardware platform.

Don't settle for a single level of redundancy. Like the early Model T Fords that came in any color you wanted — as long as it was black — early safety controller systems came in any configuration you wanted — as long as it was triplicated.

This level of redundancy ensures the system is fault tolerant and can survive one or more possible failures. However, not all parts of a process safety system require triple redundancy. Depending upon the level of safety risk, some applications only need dual redundancy.

Three vendors have released safety PLCs that can be configured single, dual or triple (one even offers quad). In one system, some modules can be single, others dual and still others triple. Such flexible redundancy allows a system to more closely match your safety and reliability requirements for each loop in a cost-effective manner.

Don't assume two vendors are better than one. The traditional approach for control and safety systems has been to buy two separate platforms, each from a different vendor. The trend now is to have one supplier for both systems. That's because the control and safety systems often look very similar (although they're not interchangeable), and usually are programmed with the same software. This means users only have to attend one training course, and communication between systems is effortless.

Do consider using fieldbus technology for safety. Fieldbuses — digital networks for process instrumentation — enable connecting multiple field devices on a single pair of wires. Features and benefits include reduced wiring, higher levels of internal diagnostics and lower total costs.

Fieldbuses for general process-control applications have been available for a number of years. However, many people have questioned their use in safety systems because of concerns that a digital message could be corrupted or an unauthorized party could change the configuration and functionality. Safety standards state that buses are acceptable only if they satisfy the safety integrity level (SIL) requirements. No buses could meet such requirements in the past, but this is changing.

The Fieldbus Foundation has been working for several years on a fieldbus for safety (Foundation Fieldbus SIF) with a consortium of users, as well as safety PLC and field device manufacturers. Early field-device products were demonstrated in the summer of 2008; final products (both field devices and logic solvers) are nearing release.

The primary benefit touted by safety fieldbus manufacturers is diagnostics: being able to better and more quickly predict problems before they impact the process and perhaps even lead to a shutdown.

HART sensors can communicate extensive diagnostic information on a standard 4–20-mA signal and have been available for decades. However, only recently have some safety PLCs been able to incorporate HART information directly.

Do use safety-certified field devices. Using a controller certified for SIL-3 applications doesn't necessarily mean the system will perform at a SIL-3 level. Like a chain, the system is only as strong as its weakest link. In most integrated safety systems, the weak links have been field devices.

So, to achieve acceptable performance, systems usually include redundant field devices. SIL 2 generally requires one-out-of-two or two-out-of-three sensor configurations and one-out-of-two final element configurations. Reports place the total installed cost of a sensor as high as $10,000. Redundant final elements are even more expensive. This means implementing SIL-2 loops can be very pricey.

However, redundancy isn't the only option for safety. Today, dozens of safety-certified field devices provide much higher levels of internal diagnostics than past products. These devices usually offer safety performance similar to redundant standard devices — at much lower costs.
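To show the weakest-link arithmetic behind this section (and the voting options described earlier), here is an added example that is not code from the article or from any vendor: it sums sensor, logic-solver and final-element PFDavg for a loop and maps the result to a SIL band. The voting formulas are simplified textbook approximations, and the failure rates, proof-test interval and logic-solver PFD are constructed figures, not vendor data.

```python
"""Loop-level SIL budget: a worked example added here, not code from the article or any vendor."""

def pfd_voting(lam_du: float, ti_hours: float, arch: str) -> float:
    """Average PFD of a subsystem with dangerous-undetected failure rate lam_du (per hour),
    proof-tested every ti_hours. Assumption: simplified formulas ignoring common cause and repair."""
    x = lam_du * ti_hours
    if arch == "1oo1":
        return x / 2
    if arch == "1oo2":
        return x ** 2 / 3
    if arch == "2oo3":
        return x ** 2
    raise ValueError(f"unsupported voting architecture {arch!r}")

def sil_from_pfd(pfd: float) -> int:
    """IEC 61511 low-demand PFDavg bands; 0 means the loop does not reach SIL 1."""
    if not 0.0 < pfd < 1.0:
        raise ValueError("PFDavg must lie strictly between 0 and 1")
    for sil, ceiling in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < ceiling:
            return sil
    return 0

def loop_pfd(sensor: float, logic: float, final_element: float) -> float:
    """The loop is a series chain, so its PFDavg is the sum of its three subsystems."""
    return sensor + logic + final_element

# Constructed figures, not vendor data: a SIL-3 logic solver and yearly proof testing.
LOGIC_PFD = 1e-4
TI_HOURS = 8760.0
STD_SENSOR, STD_VALVE = 5e-6, 1e-5      # standard devices: lam_du per hour
CERT_SENSOR, CERT_VALVE = 5e-7, 1e-6    # certified devices with internal diagnostics

def loop_sil(sensor_arch: str, sensor_lam: float, valve_arch: str, valve_lam: float) -> tuple:
    """Return (SIL, PFDavg) for a loop built from the given field-device choices."""
    pfd = loop_pfd(pfd_voting(sensor_lam, TI_HOURS, sensor_arch), LOGIC_PFD,
                   pfd_voting(valve_lam, TI_HOURS, valve_arch))
    return sil_from_pfd(pfd), pfd

if __name__ == "__main__":
    cases = {
        "SIL-3 logic, single standard sensor and valve": ("1oo1", STD_SENSOR, "1oo1", STD_VALVE),
        "SIL-3 logic, 1oo2 standard sensors and valves":  ("1oo2", STD_SENSOR, "1oo2", STD_VALVE),
        "SIL-3 logic, 2oo3 sensors, 1oo2 valves":         ("2oo3", STD_SENSOR, "1oo2", STD_VALVE),
        "SIL-3 logic, single certified sensor and valve": ("1oo1", CERT_SENSOR, "1oo1", CERT_VALVE),
    }
    for label, args in cases.items():
        sil, pfd = loop_sil(*args)
        print(f"{label}: PFDavg={pfd:.2e} -> SIL {sil}")
```

With these figures the SIL-3 logic solver paired with single standard field devices yields only a SIL-1 loop, while either redundant standard devices or single certified devices lift it to SIL 2.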

Don't overlook the need for employee certification. While it helps, a certified safety system doesn't automatically make a facility safe. Unfortunately, many systems don't work effectively because they were incorrectly specified, designed, installed, operated or maintained.

A competent workforce is an essential defense against risk. But achieving a high level of competency is easier said than done. After all, how do you know that all employees involved have the knowledge and skills they need? Thankfully, certification and certificate programs can help ensure employees understand what's necessary to keep a plant operating as safely as possible. Organizations such as CFSE.org (Certified Functional Safety Expert), ISA (International Society of Automation), and TÜV (both Rheinland and SÜD) offer a variety of programs.

Even if you think all your employees are completely competent, the best way to be certain is through certification. Even a single uncertified employee represents a potential safety hazard.

Do stay up to date on standards for fire and gas systems. Current safety standards covering fire and gas systems are prescriptive and focus on commercial applications such as buildings. Many people in the process industry believe similar standards are needed for industrial applications.

However, in contrast to SIS hardware, claiming any integrity level for fire and gas hardware alone doesn't allow users to determine if the overall system will meet the desired level of fire and gas risk reduction.

Two factors predominantly impact the safety performance of fire and gas systems — and may prevent most systems from ever meeting SIL-1 performance levels:

• Detector coverage. Are there enough sensors strategically placed to actually see the problem? Does voting of sensors mean that it takes more than one sensor to detect a problem? (Because sensors usually are spaced far apart, this makes it even less likely for multiple sensors to detect a problem.)

• Mitigation effectiveness (i.e., the probability the system will mitigate the consequence of all defined hazards as intended). For example, do you believe that the fire and gas system will put out all fires? (Because mitigation effectiveness generally is less than 90%, using it as a safety-performance indicator can prevent SIL-1 performance. SIL 1 requires an effectiveness level of 90% or greater.)

Despite these factors, performance-based concepts can be applied to fire and gas systems. It is possible to assign risk-reduction targets for such systems and apply quantitative techniques in system verification. The ISA 84 committee published a technical report in 2010 — ISA-TR84.00.07-2010, "Guidance on the Evaluation of Fire and Gas System Effectiveness" — on ways to account for detector coverage, mitigation effectiveness and other factors, thus allowing a quantitative performance-based approach to fire and gas system design. Once the detector coverage and mitigation effectiveness limitations are better understood and addressed, focusing on the SIL rating of the hardware will be more meaningful.
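As an added example, not part of the article or of ISA-TR84.00.07 itself, the following computes detector coverage from a constructed zone map under 1ooN and 2ooN voting, then combines coverage, hardware availability and mitigation effectiveness into a risk reduction factor and SIL band. Treating the three factors as a simple product, and the zone map and percentages, are this example's assumptions.

```python
"""Fire and gas effectiveness: a worked example added here, not code from the article or the ISA report."""

# Constructed plant layout (not a real site): the detectors able to see each hazard zone.
ZONES = {
    "Z1": {"D1", "D2"},
    "Z2": {"D2"},
    "Z3": {"D3"},
    "Z4": set(),            # blind spot: no detector covers this zone
    "Z5": {"D1", "D3"},
}

def detector_coverage(zones: dict, votes_required: int = 1) -> float:
    """Fraction of hazard zones seen by at least `votes_required` detectors.
    Raising the vote count (e.g. 2ooN to suppress spurious trips) lowers coverage."""
    covered = sum(1 for dets in zones.values() if len(dets) >= votes_required)
    return covered / len(zones)

def overall_effectiveness(coverage: float, availability: float, mitigation: float) -> float:
    """Assumption: the three factors combine as a product. `availability` is 1 - PFDavg of
    the detection/logic/actuation hardware, i.e. the part a SIL rating speaks to."""
    for v in (coverage, availability, mitigation):
        if not 0.0 <= v <= 1.0:
            raise ValueError("factors must be probabilities in [0, 1]")
    return coverage * availability * mitigation

def risk_reduction_factor(effectiveness: float) -> float:
    """RRF = 1 / (1 - effectiveness); 90% effectiveness gives RRF 10, the SIL 1 floor."""
    return float("inf") if effectiveness >= 1.0 else 1.0 / (1.0 - effectiveness)

def sil_from_rrf(rrf: float) -> int:
    """IEC 61511 low-demand bands; 0 means below SIL 1."""
    for sil, floor in ((4, 1e4), (3, 1e3), (2, 1e2), (1, 10)):
        if rrf >= floor:
            return sil
    return 0

def assess(zones: dict, votes_required: int, availability: float, mitigation: float) -> dict:
    """Full chain: coverage -> overall effectiveness -> RRF -> achievable SIL."""
    cov = detector_coverage(zones, votes_required)
    eff = overall_effectiveness(cov, availability, mitigation)
    rrf = risk_reduction_factor(eff)
    return {"coverage": cov, "effectiveness": eff, "rrf": rrf, "sil": sil_from_rrf(rrf)}

if __name__ == "__main__":
    for votes in (1, 2):
        print(f"{votes}ooN voting:", assess(ZONES, votes, availability=0.99, mitigation=0.85))
    # Even perfect coverage with SIL-3 class hardware cannot reach SIL 1 when mitigation is 85%.
    ideal = overall_effectiveness(1.0, 0.999, 0.85)
    print("ideal coverage, 85% mitigation -> SIL", sil_from_rrf(risk_reduction_factor(ideal)))
```

The run shows why the two factors above dominate: the blind spot and the 85% mitigation figure keep the system below SIL 1 regardless of the hardware's own rating, and moving to 2ooN voting halves coverage on this map.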

PAUL GRUHN is Houston-based global process safety consultant for Rockwell Automation. E-mail him at pgruhn@ra.rockwell.com.


Comments

  • This is a very good piece that reflects the application of modern monitoring of system processes. It can be made more complicated by being a plant very sensitive to pressures, temps, levels, oxygen and hydrocarbons mixing, moisture, pump pressures, line pressures and flows. Some processes are batch, some are continuous. If you are making Kool-Aid, it's one thing, but operate a cracking plant and things can be serious. One tweak the wrong way can be disastrous. There has to be redundancy, if not, triple. A heat exchanger for instance will show a shell level in the control room, but it may be false, and someone will tweak it and the plant can trip. So an outside operator can go outside and count the freeze plugs on the level loop. The C/V can be statically set and the level loop can be blown down if it is plugged.

    Also plants need to be programmed to a fail safe mode automatically, if the plant has to evacuate, the plant should be able to shut down to a fail-safe step. This keeps from shaking up plant utilities like steam, condensate, water, and air.

    Also there may be a tendency to eliminate bypass valves in a control loop because of plant cost when building. Bypass valves can save your plant.

