How Can We Reach SIL 2 With Manual Intervention?

Oct. 2, 2003

Readers help a reader solve this control problem. Next month's problem: How Can We Control Fly Ash Resistivity?

A Reader Writes:

The safety system on our natural gas compression station has UV/IR temperature and gas sensors that notify the operator of a hazardous condition (fire or gas leak). The operator then activates the safety system, which is run by a PLC certified by TUV for SIL 2. Can this system be made to qualify for SIL 2, and if so, how?

--From July 2003 CONTROL

Solutions

I Don't Think So

In my opinion, this system is not a safety instrumented function (SIF) or safety instrumented system (SIS) because it is not automatic and requires a human function to provide the overall protective function. Per IEC 61511, Sec. 1, Scope: "...In particular, this standard...does not place any direct requirements on the individual operator or maintenance person..." ANSI/ISA 84.01, Section 1.2.14 says, "Systems where the operator action is the sole means required to return the process to a safe state are not covered by this standard (e.g., alarm systems, fire and gas monitoring systems, etc.)."

So the safety standards IEC 61511 and ANSI/ISA 84.01 do not apply. This is not to say that the principles of these standards could not be applied but simply that they are not required to be. Any safety system should have special care in its design and use recognized and generally accepted good engineering practices.

Even if you were to apply the principles of safety integrity level (SIL) to this system, it would be at best a SIL 1 system (and a number of things must be satisfied to accomplish this, such as specificity, dependability, availability, procedures, training, administrative controls, etc.). In my opinion, it certainly would not achieve a SIL 2 rating--the reliability of human action is not sufficient to support a SIL 2 rating.

There is a paper on this subject at www.srs.gov/general/pubs/fulltext/ms2002091/ms2002091.html that claims operator action can be a safety instrumented function. I believe it misinterprets IEC 61511; however, it does give some insight into the subject.

William (Bill) L. Mostia Jr., PE, Partner

exida.com, www.exida.com

Eliminate the Operator

Can the system be shown to meet SIL 2? Yes and no. The combination of UV/IR (flame) temperature and gas detectors can be shown to meet SIL 2. This requires knowing device failure rates, levels of diagnostics, architecture (redundancy), and test intervals. Voting of sensors may or may not be required.

The "certified for use in SIL 2" logic box is the easiest piece of the pie. Presuming that one implements it correctly, it will meet the requirements. One unknown in this overall solution is what you are using for final elements. If it's simply turning off motor contactors, reaching SIL 2 numbers should be relatively easy. Shutting off engine fuel flow with valves will most likely require dual block valves.

However, it's doubtful that the overall system will meet SIL 2 because it relies on a human operator. Claiming that an operator will respond correctly to a hazardous situation greater than 99% of the time is a stretch I would not be willing to make.

If you have so much confidence in the hardware, why not make it a totally automated system? If the concern is over nuisance trips and the resulting lost production and downtime, proper voting of sensors, along with a redundant logic box, will go a long way in minimizing this problem.

It should be stressed that simply using a logic box certified to a certain level in no way means you have a system that meets that level.

Paul Gruhn, PE, CFSE, President

L&M Engineering, www.landmengineering.com

Possible, but Perhaps Not Cost-Effective

At a first pass, most people would say this cannot be done. However, if we look to IEC 61511 for guidance, a couple of clauses are pertinent to this problem: "If the operator is required to select options or bypass the system for certain operations, then an operator function will become part of the overall SIS function. This should be avoided where possible because of the potential for operator error. Experience has shown that the potential for operator error is high when such actions need to be carried out on a frequent basis or at times of high operator workload such as at startup or when the plant is disturbed."

In Sec. 2 (Guidelines) it states: "Where an operator, as a result of an alarm, takes action and the risk reduction claimed is greater than a factor of 10, then the overall system will need to be designed according to IEC 61511-1. The system that undertakes the safety function would then comprise the sensor detecting the hazardous condition, the alarm presentation, the human response, and the equipment used by the operator to terminate any hazard. It should be noted that a risk reduction of up to a factor of 10 might be claimed without the need to comply with IEC 61511. Where such claims are made, the human-factor issues will need to be carefully considered."

So we see that IEC 61511 does not preclude using operators for this type of problem. Since the question requires a design for a SIL 2 application, consideration must be taken as to the probability of failure on demand (PFD) that can be claimed for all the components of this SIF. In other sections, the PFD assigned to an operator action is 0.1, so to achieve a SIL 2, we would need three operators, assuming independence of the operators. This would also mean the means the operators have of initiating the SIL 2 PLC would need to be independent. So although it may be possible to achieve a SIL 2 for the stated problem, it may not be economically viable.

A better approach would be to use the detectors directly in the SIS and automatically initiate the shutdown.

Gary Law, Product Manager

Emerson Process Management, www.easydeltav.com
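As an added illustration (not from the article or any of the respondents), the following Python script carries the PFD arithmetic of the two answers above through to a SIL figure: subsystem PFDs are summed in series, redundant operators are credited with a simple beta-factor model, and the total is mapped onto the IEC 61508/61511 demand-mode SIL bands. The hardware PFD values are constructed; the operator PFD of 0.1 is the figure quoted above, and the beta value is an assumed common-cause fraction.

```python
"""SIL band check for a safety instrumented function (SIF) whose demand-mode
PFDavg is the sum of its subsystems' PFDavg: sensors, logic solver, final
elements and, in the station described above, the operator as a link in
the chain. Band limits are the IEC 61508/61511 demand-mode PFDavg ranges;
hardware figures below are constructed for illustration only."""
from typing import Sequence

# Lower PFDavg bound (inclusive) of each SIL in demand mode.
# A PFDavg of 0.1 or worse supports no SIL claim at all.
SIL_LOWER_BOUND = {4: 1e-5, 3: 1e-4, 2: 1e-3, 1: 1e-2}


def sil_from_pfd(pfd: float) -> int:
    """Return the SIL a PFDavg supports (0 = below SIL 1). SIL 2 is 1e-3 <= PFD < 1e-2."""
    if pfd >= 0.1:
        return 0
    for sil in (1, 2, 3, 4):
        if pfd >= SIL_LOWER_BOUND[sil]:
            return sil
    return 4  # below the SIL 4 lower bound; IEC 61508 defines no higher level


def redundant_pfd(pfd_each: float, n: int, beta: float = 0.0) -> float:
    """PFD of n identical 1ooN elements under the beta-factor model: independent
    failures multiply, while a fraction beta of failures takes out all n together."""
    return (1 - beta) * pfd_each ** n + beta * pfd_each


def sif_pfd(subsystems: Sequence[float]) -> float:
    """Series combination: the SIF fails if any subsystem in the chain fails."""
    return sum(subsystems)


# Constructed hardware PFDavg figures (not from the article).
SENSORS, LOGIC_SOLVER, FINAL_ELEMENTS = 2e-3, 5e-4, 3e-3
OPERATOR = 0.1  # PFD credited to a single operator action, as quoted above


def sil_with_operators(n_operators: int, beta: float = 0.0) -> int:
    """SIL achievable when n redundantly alerted operators must initiate the trip."""
    total = sif_pfd([SENSORS, LOGIC_SOLVER, FINAL_ELEMENTS,
                     redundant_pfd(OPERATOR, n_operators, beta)])
    return sil_from_pfd(total)


if __name__ == "__main__":
    print(f"hardware only, fully automatic: SIL {sil_from_pfd(sif_pfd([SENSORS, LOGIC_SOLVER, FINAL_ELEMENTS]))}")
    for n in (1, 2, 3):
        print(f"{n} independent operator(s) in the loop: SIL {sil_with_operators(n)}")
    # Shared alarm, shift or training is a common-cause path that erodes the redundancy credit.
    print(f"3 operators, beta=0.1 common cause: SIL {sil_with_operators(3, beta=0.1)}")
```

The same hardware reaches SIL 2 when the trip is automatic, drops to no SIL with one operator in series, needs three independent operators to get back to SIL 2, and loses that again as soon as a modest common-cause fraction between the operators is assumed.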

Factor in the Basic Process Control System

The first step would be to identify the SIL requirement for the natural gas compression station. There are several means to do this including cause and effect matrices, standards such as EN 1050 (Safety of Machinery-Principles for Risk Assessment), and ANSI B11.TR3 (Risk Assessment and Reduction). This involves analyzing the hazard using risk parameters that include extent of damage or consequences, which ranges from minor injury to fatalities. Then the probability of the hazard occurring is evaluated. This could involve elements such as exposure time, occurrence probability, and hazard avoidance/mitigation. Once the appropriate SIL level is determined, the appropriate SIL reduction measures can be applied.

Many companies perform a Levels of Protection Analysis (LOPA) to determine what abatement measures are possible. IEC 61511-1, paragraph 9.4, provides examples of typical risk reduction measures and methods. These protection levels include the basic process control system (BPCS), prevention measures such as alarms with operator interaction, and SISs. An approach could be to claim a risk reduction for the BPCS, another for the SIS and operator corrective action.

Each of these measures needs to be independent. The SIS, for example, would have its own logic solver, sensors, and valves and would be programmed to automatically perform an emergency shutdown when required. Rockwell Automation's ControlLogix has been certified for use up to SIL 2 as an SIS for emergency shutdown.

Art Pietryk, Program Manager, Safety & Automotive

Rockwell Automation, www.ra.rockwell.com

November's Problem:

How Can We Control Fly Ash Resistivity?

The electrostatic precipitators in our coal-fired power plant flues cannot operate at peak efficiency unless fly ash resistivity is controlled to an optimum level. Unfortunately, there are considerable lags between fly ash resistivity changes and changes in precipitator efficiency. To compound problems, the relationship between fly ash resistivity and precipitator efficiency is nonlinear. Traditional PID control does not seem to work, and we would like to consider using artificial intelligence. What other control schemes might be effective?