By Feng Tao, PhD; Dan Bourlet, R.E.T.; Jon Blois, PE
The petrochemical industry has more experience than most with safety instrumented systems (SIS) and conventional emergency shutdown systems. In this industry, safety systems were in use even before the first ISA 84 standard was published in 1996.
The petrochemical industry is familiar with SIS standards, with the requirements of the Occupational Safety and Health Administration Process Safety Management program (29 CFR 1910.119) and with the Environmental Protection Agency chemical accident prevention provisions (40 CFR Part 68). Some leading companies have even more detailed corporate design criteria to supplement the performance-based SIS standards.
But now many industries besides petrochemical are being pressed to assume corporate social responsibility and improve safety for employees and the environment. Many of these industries have not been typical users of safety systems, but now want to adopt SIS to enhance process safety.
When new industries are ready to embrace safety systems, they often find themselves lost in a swamp of safety standards and terminology. Unlike users in the petrochemical industry, they are not familiar with SIS or with the rigorous requirements of federal regulators. This does not mean that they have neglected process safety or that they have a bad safety record; it means they recognize that improvements can be made.
Many companies find themselves playing catch-up in safety system implementation. In the design and construction of new facilities, safety systems are often left out of the project scope. For existing facilities, some companies are finding it best to hire safety consultants to examine compliance with safety system standards.
New users, new problems
Companies for whom SIS is a new concept find they are unfamiliar with the concept of the safety life cycle. Managers and engineers often struggle over these questions:
- What is the procedure for development of a safety instrumented system?
- What are the exact requirements for a safety system?
- How will safety systems affect daily operation and maintenance?
Safety system integrators (SSI) and safety consultants can guide users through the safety life cycle and provide answers to these and other questions.
The safety life cycle can be divided into three stages: analysis, design/realization, and operation and maintenance. Normally, the SSI's main role is in design/realization. The SSI completes detailed design and implementation based on the safety requirements specification (SRS) provided by the user. After site acceptance testing, the system is handed over to the user for operation and maintenance.
There must be management buy-in of the safety standards and of the associated life-cycle concept. Because the safety standards are relatively new, some safety-related design decisions and activities may conflict with the company's existing practices or design criteria. As a result, the safety design may not be accepted by the management or operations departments.
If this conflict is not resolved at the beginning of the project, two problems may arise. First, the user's engineers may not agree with the design provided by the safety system integrator. Second, even if that disagreement is resolved and implementation is successful, there is no guarantee that the safety system will be effectively operated and maintained.
Another issue is insufficient risk analysis and inappropriate safety system performance requirements. This can be addressed by properly executing the first stage of the safety life cycle, the generation of the safety requirements specification. Unfortunately, some users fail to exercise due diligence at this stage, and the quality of risk analysis is sacrificed. This can cause problems in areas like safety integrity level (SIL) assessment.
When an instrumented function is rated with a high SIL, users may not understand the implications of this designation. Because they are in a hurry to continue to the next stage of the project, they may not try options to lower the SIL rating. This is often the situation in a big project when everyone wants to make up time on the schedule. Early feedback to the design team can design out process risks, reduce the SIL and cut cost of ownership.
For new users of SIS, issues like these are common and can be resolved by getting safety system integrators involved early. This can ensure that the safety requirements specification is correct and that the safety design is cost-effective.
Safety life-cycle planning helps
Safety life-cycle planning in the early stages of a project can control project execution risk and achieve a cost-effective design. The ISA 84.01/IEC 61511 standard divides the safety life cycle into 10 phases and specifies inputs/outputs for each phase. But in addition to the separate phases, it is useful to prepare a governing document on safety life-cycle planning.
This overview document defines the project execution path, the individual steps and the methods used, the corporate resources needed and the definitions of important safety terms directly related to the project. It gives all parties involved a clear road map for project execution. Users should ratify this document before the project moves into detailed execution, because it brings the following benefits:
- Helps reach mutual agreement: Because the execution path and a brief description of each step and the method used in that step are described, all parties involved in the project will know the development process of the safety system. From a project execution standpoint, this document acts like a road map, and it should decrease the resistance faced from the project execution team.
- Gains management support: All the resources needed from the user are listed in the document. During the project, information from the user's engineers and from the operation and maintenance departments will be needed, including existing engineering documents and drawings, near-miss and incident records, and repair/maintenance records. Obtaining this information may require management support.
- Identifies missing information: The company may not have the information necessary for the project, or the information may not be ready for use. This situation should be identified before the project moves forward. For example, some companies do not have a risk matrix, necessary when using layer-of-protection analysis or a risk graph in determination of the SIL.
- Brings up potential difficult issues: Some issues may not look important at the early stages in the project, but are vital for the safety system design. For example, device reliability data must be used in probability-of-failure-on-demand calculations. It can be difficult to obtain these data because many vendors don’t like to release this information. Therefore, this risk should be put on the table prior to detailed design, and users should focus on getting the information in the selection and procurement phase.
- Provokes the thinking process: User engineers are prompted to answer questions that help them think about system design criteria and performance requirements. Sufficient feedback from users eventually helps to develop a safety system suitable for their needs.
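The risk-matrix item and the reliability-data item above meet at the point where a SIL is first determined and then verified. The following worked example in Python is added here to show that calculation end to end; it is not code from the article or from Rutter Hinz. Every number in it is constructed for illustration (the initiating-event frequency, the IPL credits, the tolerable-frequency target that a risk matrix would supply, and the dangerous-undetected failure rates standing in for vendor data), and the PFDavg formulas are the simplified IEC 61508-6 forms with repair time ignored:

```python
"""LOPA SIL determination followed by PFDavg verification of a candidate SIF.

Added example, not from the article. All figures are constructed and are
not vendor reliability data or any company's risk targets.
"""

# IEC 61511-1 low-demand SIL bands: (sil, pfd_lower_inclusive, pfd_upper_exclusive)
SIL_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))


def sil_from_pfd(pfd: float) -> int:
    """Map a PFDavg (or a required PFD) to its SIL band. 0 means no SIL credit (PFD >= 0.1)."""
    if pfd < 1e-5:
        raise ValueError("PFD below the SIL 4 band is outside the scope of IEC 61511")
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 0


def lopa_required_sif(initiating_freq: float, ipl_pfds, target_freq: float):
    """Layer-of-protection analysis for one scenario.

    initiating_freq: initiating event frequency, per year
    ipl_pfds:        PFDs of the independent protection layers already credited
    target_freq:     tolerable mitigated frequency, per year (this is the number the
                     risk matrix has to provide; without one LOPA cannot be closed)
    Returns (mitigated frequency without a SIF, required SIF PFD, required SIL).
    """
    mitigated = initiating_freq
    for pfd in ipl_pfds:
        mitigated *= pfd
    if mitigated <= target_freq:
        return mitigated, 1.0, 0          # existing layers already meet the target
    required_pfd = target_freq / mitigated
    return mitigated, required_pfd, sil_from_pfd(required_pfd)


def pfd_1oo1(lambda_du: float, ti_hours: float) -> float:
    """Simplified PFDavg of a single channel: lambda_DU * TI / 2 (periodic proof test, no repair term)."""
    return lambda_du * ti_hours / 2


def pfd_1oo2(lambda_du: float, ti_hours: float, beta: float) -> float:
    """Simplified PFDavg of a 1oo2 pair with common-cause fraction beta (IEC 61508-6 style)."""
    independent = ((1 - beta) * lambda_du * ti_hours) ** 2 / 3
    common_cause = beta * lambda_du * ti_hours / 2
    return independent + common_cause


def sif_pfd(subsystem_pfds) -> float:
    """PFDavg of the whole SIF: sensor, logic solver and final element are in series, so PFDs add."""
    return sum(subsystem_pfds)


def worked_example() -> dict:
    """Constructed scenario: high pressure in a vessel after a BPCS control-loop failure."""
    ti = 8760.0  # one-year proof-test interval, in hours
    mitigated, req_pfd, req_sil = lopa_required_sif(
        initiating_freq=0.1,      # BPCS loop failure, per year (constructed)
        ipl_pfds=[0.1, 0.01],     # operator response to alarm, relief valve (constructed credits)
        target_freq=4e-7,         # tolerable frequency for this consequence (constructed)
    )
    # Design A: single transmitter, certified logic solver (vendor PFD, constructed), single valve
    design_a = sif_pfd([pfd_1oo1(0.5e-6, ti), 5e-5, pfd_1oo1(2e-6, ti)])
    # Design B: same sensor and logic solver, but 1oo2 shutdown valves with beta = 10 %
    design_b = sif_pfd([pfd_1oo1(0.5e-6, ti), 5e-5, pfd_1oo2(2e-6, ti, 0.1)])
    return {
        "mitigated_freq": mitigated,
        "required_pfd": req_pfd,
        "required_sil": req_sil,
        "design_a_pfd": design_a, "design_a_sil": sil_from_pfd(design_a),
        "design_a_ok": design_a <= req_pfd,
        "design_b_pfd": design_b, "design_b_sil": sil_from_pfd(design_b),
        "design_b_ok": design_b <= req_pfd,
    }


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key:16s} {value}")
```

Two things the numbers show. First, the SIL is only a band: the scenario needs a PFD of 0.004 (SIL 2), and design A fails that target even though it would be "a SIL 1 system" on its own, while the valve-dominated PFD in design A points straight at where redundancy or a shorter proof-test interval buys the most. Second, none of this can be run without the two inputs named in the list above, a tolerable-frequency target from a risk matrix and dangerous-undetected failure rates from the vendors. Meeting the PFD target is also only part of SIL verification under IEC 61511; hardware fault tolerance and systematic capability requirements must be checked separately.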
Besides the safety life-cycle plan, documents for each phase of the safety life cycle should be prepared as required by the standards. These efforts can significantly improve the quality of the project.
Feng Tao, EE, Ph.D. is a safety system analyst at Rutter Hinz automation in Edmonton. He has researched industrial applications of safety systems and risk analysis. He is currently applying safety life-cycle planning to pipeline systems. Feng is also a process control engineer. Recent publications include "Design of stochastic fault tolerant control for H2 performance," International Journal of Robust and Nonlinear Control, 2007; "Synthesis of stochastic fault tolerant control in the presence of random FDI delay," International Journal of Control, 2007; "Synthesis of active fault tolerant control based on Markovian jump system models," IET-Control Theory and Applications, 2007.
Dan Bourlet, R.E.T., is the regional manager of Rutter Hinz Calgary and a principal of the firm. He has more than fifteen years' experience in risk reduction audits and in the analysis, design, architecture, programming and implementation of safety instrumented systems (SIS) in field, plant process, refinery and transmission applications in the oil-and-gas sector. He has experience with most major safety system manufacturers and has assisted some manufacturers in obtaining their TÜV accreditation. He promotes industry process safety and has hosted a safety symposium event in Calgary.
Jon Blois, PE, is a senior engineer and principal at the Rutter Hinz Edmonton office. He has been a control systems application specialist and project manager for over twenty years. He is a registered professional electrical engineer in California and has taught industrial automation in the Electrical and Computer Engineering department at the University of Alberta. (Senior member ISA, IEEE; Member NSPE, PMI)
Rutter Hinz is an industrial electrical engineering firm with locations in the United States and Canada that specializes in automation and power systems. See the Rutter Hinz website at www.RutterHinz.com. Comments or questions about this article may be directed to Jon Blois at 780-489-8880 or Jon.Blois@RutterHinz.com.