If you employ a SIL3-rated logic solver (safety controller) and use field devices with simplex configurations and no diagnostics, the overall system’s rating decreases to that of only SIL1. Today’s safety systems need an integrated safety approach where transmitters are part of the safety system and perform autocalibration, diagnostics, validation and remote monitoring, connecting with an intelligent fieldbus such as HART or Foundation fieldbus.
The Weakest Link
The weakest link in field equipment, according to Robin McCrea Steele, director of business development at Premier Consulting, is the shutdown valve, which in the past was operated by solenoids or pneumatics and was either open or closed. Due to their infrequent use, shutdown valves often became stuck in position and could not be operated. Testing valves was a tedious—and sometimes deadly—manual process. Today, these valves have seen some improvements in packing materials and a reduction in valve seizure.
When valve positioners came on the market, partial-stroke testing (e.g., moving the valve 10%) became a practical way to check valve operation. But, according to Charlie Fialkowski, Siemens process safety manager, the cost of positioners 10 years ago was prohibitive ($2,500). Now positioners are in the $200 range, making it more practical to test valve operation.
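The arithmetic behind the two points above (a loop is only as good as its simplex, undiagnosed field devices, and partial-stroke testing improves the valve's contribution) can be worked through with first-order IEC 61508 low-demand formulas. This is an added example, not material from the article or from any vendor named in it; every failure rate, coverage fraction and test interval in it is a constructed illustrative number.

```python
# Added example, not the article's own material: first-order PFDavg arithmetic
# for one safety instrumented function. It shows why a SIL3 logic solver wired
# to simplex field devices without diagnostics lands at SIL1, and what the
# valve's partial-stroke test and transmitter diagnostics buy back. All rates,
# coverages and intervals are constructed illustrative numbers, not page data.

HOURS_PER_YEAR = 8760.0

def pfd_1oo1(lambda_du, test_interval_h):
    """PFDavg of a simplex (1oo1) element in low-demand mode: dangerous
    undetected failures at rate lambda_du (per hour) sit unrevealed for half
    a test interval on average."""
    return lambda_du * test_interval_h / 2.0

def pfd_1oo1_partially_revealed(lambda_du, proof_interval_h, quick_interval_h, coverage):
    """Split lambda_du into the fraction revealed by a frequent check (partial
    stroke test or online diagnostic, with repair inside quick_interval_h) and
    the rest, which waits for the full proof test. Both parts simply add."""
    revealed = pfd_1oo1(lambda_du * coverage, quick_interval_h)
    hidden = pfd_1oo1(lambda_du * (1.0 - coverage), proof_interval_h)
    return revealed + hidden

def sil_from_pfd(pfd):
    """IEC 61508 low-demand SIL band for a PFDavg; None if worse than SIL1."""
    for low, high, sil in [(1e-5, 1e-4, 4), (1e-4, 1e-3, 3), (1e-3, 1e-2, 2), (1e-2, 1e-1, 1)]:
        if low <= pfd < high:
            return sil
    return None

def loop_sil(sensor_pfd, solver_pfd, valve_pfd):
    """Sensor, logic solver and final element are in series (any one failing
    defeats the trip), so to first order their PFDavg values add."""
    total = sensor_pfd + solver_pfd + valve_pfd
    return total, sil_from_pfd(total)

def demo():
    ti = HOURS_PER_YEAR                     # annual proof test of the loop
    solver = pfd_1oo1(5.0e-8, ti)           # certified SIL3 logic solver
    tx_plain = pfd_1oo1(2.0e-6, ti)         # transmitter, no diagnostics
    valve_plain = pfd_1oo1(3.0e-6, ti)      # shutdown valve, no positioner
    valve_pst = pfd_1oo1_partially_revealed(3.0e-6, ti, 730.0, 0.6)  # monthly PST, 60% coverage
    tx_diag = pfd_1oo1_partially_revealed(2.0e-6, ti, 8.0, 0.9)      # HART diagnostics, 8 h repair
    return {"solver_only": sil_from_pfd(solver),
            "simplex_no_diag": loop_sil(tx_plain, solver, valve_plain),
            "valve_pst_only": loop_sil(tx_plain, solver, valve_pst),
            "pst_and_tx_diag": loop_sil(tx_diag, solver, valve_pst)}
```

With these constructed numbers the loop stays SIL1 even after the valve gets partial-stroke testing, because the undiagnosed transmitter becomes the new weakest link; only when both field devices are addressed does the loop reach SIL2.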
The Big Story: Integration
There is a growing opinion that plant safety can be easier and less expensive to implement by making SISs a more tightly integrated part of the basic process control system (BPCS) or DCS. Whether this integration is good for safety, and what degree of integration or separation is considered appropriate, depends on whom you ask. For example, Paul Steinitz, director of marketing at Foxboro Automation, recommends avoiding an integrated system. Instead, he suggests trying to get the best of both worlds by using two separate technologies. The best SIL rating you could hope for from a DCS would be SIL1—not the SIL3 that traditional safety systems get.
According to Heinz Janiec, Shell Deutschland Oil Rhineland Refinery, there is a majority of applications in which a safety system can be integrated with—or placed in—a control system, especially if the required SIL is not greater than 2. Of course, there are applications and industries that will not allow the use of this approach due to common mode hardware failures. Janiec remembers 20–25 years ago when safety systems were hardwired and DCSs were just emerging. DCS vendors then suggested putting the safety system into a safety-rated PLC, and there was skepticism among users. Today, we have proof that the use of safety PLCs is safer than hard-wired systems because of the built-in diagnostics and early warnings of faults.
Some control engineers are favoring a degree of merging (or integrating) the safety and control systems. The latest specs (IEC 61511 and ISA 84.01) seem to allow for some free interpretation of safety and control architectures, and again, you’re likely to get widely differing viewpoints from both camps—the safety engineers and the control engineers.
Manufacturers have several viable safety options. Whether for a greenfield plant or a retrofit, careful consideration must be given to fitting the right safety system to the application.
According to Roy Tanner, ABB systems marketing manager for 800 XA, some plants today have nothing in place when a safety system should have been installed with the control system. In fact, any SIL-level system would be better than none at all. For these manufacturers, Dr. M. Sam Mannan, director of the Mary Kay O’Connor Process Safety Center, Texas A&M, has some advice. “First, if you’re going to manufacture or use certain chemicals, then irrespective of what the law says, you have an obligation to know everything about the chemical. Second, if there is published data and literature available that can be used to make the process safer, and you’ve ignored it, this should be criminal negligence. Third, when you put a process in, it’s very important that you do a hazards analysis, and then implement the results from the analysis.”
Interpreting the Specs
Applicable specs for safety-instrumented systems (aka shut-down systems) include IEC 61508 (primarily for the supplier community), IEC 61511 (for end users in the process industry), and the ANSI/ISA 84.01 standard, which follows the IEC 61511 standard. When end users purchase an IEC 61508-compatible system, they should select products that are certified by an independent third party, such as TÜV or FM.
According to Ghosh, IEC 61511 is divided into three parts. Part 1 spells out framework, definitions, system, hardware and software requirements. Part 2 provides application guidelines, and Part 3 shows how to determine the required safety levels and explains the development of (???)
With prescriptive standards, there is no question as to what has to be done, but while the new IEC/ISA standards provide a lot of design flexibility, they don’t spell out the specifics. Manufacturers have to determine their own safety system specs based on the risks/hazards they identify in their process. Thus, manufacturers can fall into the trap of relaxing their standards and increasing their tolerable risk.
Performance-based design can have advantages for manufacturers. Says Bill Goble, principal partner at Exida, a worldwide safety consulting firm, “I’d rather have a standard that allows me to do the analysis and allows me to do what makes sense. It forces me—if I want to claim compliance—to do a detailed analysis in the jobs that I’ve done.”
The specs do call for separation between the SIS and BPCS, and this is where Goble has definite opinions. “The new ISA 84.01, which is based on IEC 61511, does not prohibit common control and safety even in one logic solver. While it’s not prohibited, it forces an engineer to meet a series of requirements (or hurdles) before attempting such a design. These requirements dictate a thorough analysis of the situation, and the analysis typically shows the flaw in the thinking [of combining the systems-ed.].”