While large chemical companies have engaged in rigorous safety analysis for years, the benefits of the technology are becoming better known to smaller manufacturers, says Bill Barkovitz, vice president of product marketing for Triconex, Irvine, Calif., a division of Invensys PLC. Certainly, longtime practitioners in the field, who have been patiently explaining the need for and benefits of SIS for years, are enjoying the new attention. The increasing interest is prompting other companies to enter the field. "People have noticed that the safety instrument market has been growing at several percentage points more than general process control, that good standards are now in place, and they’ve decided to jump into the market," Barkovitz says.
Joe Pittman, safety systems specialist for Lyondell Chemical, Houston, agrees that a properly designed SIS can enhance plant performance. The system reduces spurious trips — process shutdowns for safety not due to a hazard but, for instance, to malfunctioning communication. An unnecessary shutdown obviously affects productivity. It also can lead to an action like flaring a process stream, which then becomes an environmental issue. "Safety is an absolute requirement for our company," he says, "but the enhanced reliability … pays for itself in hazard avoidance and productivity."
An SIS also can lead to lower equipment costs. "Our client did the analysis and was able to show regulatory authorities that the lowered probability of flaring justified a smaller flaring system, thus saving on equipment costs," says Robin McCrea-Steele, director of business development at Premier Consulting Services, Houston, a division of Triconex.
At Lyondell, the safety analysis begins with a hazards and operability study at the design stage. Pittman’s team uses layers of protection analysis to determine the required safety integrity level (SIL) as defined by IEC 61511. The SIL for a process plant ranges from one to three, and is based on the probability of failure of a system component, coupled with the risks inherent in that failure.
Pittman says the company continually reviews previous safety analyses to see if it makes sense to implement an SIS during scheduled plant turnarounds. "We’re usually working two years ahead of the turnaround," he says. "Right now, I’m working on turnarounds that will be taking place in the fall of 2005 and the spring of 2006."
How the SIS deals with faults differs among product offerings. For instance, logic solvers may rely on programmable logic controllers or microprocessor-based controllers similar to those in distributed control systems. Vendors provide some degree of redundancy. The validity of an input, for example, usually is determined via a voting scheme, in which a number of inputs are compared. In this fashion, the number of spurious trips can be reduced without undermining the system’s ability to react to a real problem.
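The voting scheme described above can be worked through numerically. The following is an added example, not code from the article or from any vendor named in it; the function names, the trip limit, the sample readings and the 1% per-channel fault probabilities are all constructed, and the channels are assumed to fail independently.

```python
from math import comb

def vote(m, readings, trip_limit):
    """M-out-of-N voting: trip only if at least m inputs exceed the limit."""
    return sum(r > trip_limit for r in readings) >= m

def at_least(m, n, p):
    """P(at least m of n independent channels are in a state of probability p)."""
    return sum(comb(n, k) * p**k * (1 - p)**(n - k) for k in range(m, n + 1))

def moon(m, n, p_false_trip, p_dangerous):
    """Return (P(spurious trip), P(failure on demand)) for MooN voting.

    Spurious trip: at least m channels falsely signal a trip.
    Failure on demand: fewer than m channels still work, i.e. at least
    n - m + 1 channels have failed in the dangerous (non-tripping) direction.
    """
    spurious = at_least(m, n, p_false_trip)
    missed = at_least(n - m + 1, n, p_dangerous)
    return spurious, missed

# Constructed sample data: three pressure transmitters on one vessel.
LIMIT = 150.0
ONE_BAD_HIGH = [101.2, 250.0, 100.8]   # one transmitter faulted high, no hazard
REAL_EVENT = [160.4, 158.9, 20.0]      # real overpressure, one transmitter stuck low

if __name__ == "__main__":
    print("2oo3, one faulted input :", vote(2, ONE_BAD_HIGH, LIMIT))
    print("1oo3, one faulted input :", vote(1, ONE_BAD_HIGH, LIMIT))
    print("2oo3, real event        :", vote(2, REAL_EVENT, LIMIT))
    # Assumed per-channel probabilities (constructed, not from the article).
    for m, n in [(1, 1), (1, 2), (2, 2), (2, 3)]:
        s, f = moon(m, n, 0.01, 0.01)
        print(f"{m}oo{n}: spurious={s:.6f} failure-on-demand={f:.6f}")
```

With these assumed numbers, 2oo3 is better than a single channel on both measures, while 1oo2 and 2oo2 each improve one measure at the expense of the other. The independence assumption is what common mode failure breaks, so real figures are worse than this model suggests.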
Comparable redundancy or failure prevention also characterizes the transmitters, valve positioners, sensors and related field devices used in an SIS. These must comply with IEC 61508 standards and provide a specific SIL, says Mike Cushing, a manager for ABB Inc., Rochester, N.Y.
An engineer cannot buy an "SIL 3" (the highest level of safety integrity specific to process applications) device and simply install it on a process to achieve that safety integrity level. Rather, those involved must analyze the application, assess the safety risks and specify the appropriate equipment. Strictly speaking, an equipment vendor sells "SIL-compliant" products. In an all-ABB SIS, Cushing says, safety transmitters like the 2600T would be combined with the Triguard system from ABB Safety Systems to achieve the required SIL.
According to Siemens Energy and Automation, Alpharetta, Ga., about 15% of the failure risk of an SIS can be attributed to the logic solver, with the rest due to the field devices. So, several vendors now offer "critical" or "safety-rated" transmitters, sensors, valve positioners, etc. Some units feature onboard diagnostics that promise reduced capital costs by making redundancy unnecessary.
An integrated approach
"As the new standards came out, we wanted to step back, take a clean sheet and figure out a new way to address safety systems," says John Gardner, senior vice president for process systems and solutions. Rather than make the SIS physically separate from the control system, the two are integrated. Sufficient redundancy, and isolated communication and power lines and the like are provided to meet IEC standards. So, instead of validating each instrument or logic solver to IEC 61511 or S84 standards, the entire loop would be validated to those requirements.
A key part of this plan is to take advantage of the "intelligence," including self-diagnostics, that is built into instruments and is available when they are connected via Foundation Fieldbus.
"We’ve been using standards like the HART protocol for years to allow the SIS to communicate with field devices," notes Triconex’s Barkovitz. Still, he says, "There are arguments to be made both ways on this. You can gain easier configuration and maintenance procedures when your control system and your SIS are running on the same platform — those are benefits. On the other hand, many end users want to have a diversity of systems to avoid ‘common mode failure.’" Common mode failure is a situation in which a defect in one system is replicated in the other, causing both to fail the same way under unforeseen circumstances.
Emerson’s prospects for success will depend upon the company’s ability to convince inherently conservative safety specialists about the benefits of integration. "The graybeards in this field like the separation of basic control and safety," says Lyondell’s Pittman.
Nick Basta is editor at large for Chemical Processing magazine.