Can integration keep your processing plant safe?

Contributing Editor Wayne Labs reports that the best way to reduce the risks of dealing with dangerous chemicals and equipment that can fail in manufacturing is to integrate safety and process systems from the start.
April 20, 2005
17 min read
By Contributing Editor Wayne LabsIN MARCH of 2005, an explosion tore through the isomerization unit at the BP Amoco Texas City Refinery, killing 15 and injuring more than 100. At the time of the incident, contract workers were conducting maintenance during a turnaround of the unit.Unfortunately, this was not the only accident at this refinery. As recently as last September, two employees were burned to death and a third severely injured by steam when they opened a 12-in. check valve on a high-pressure line without first relieving the pressure. In March, 2004, a pipe ruptured on a furnace, releasing flammable vapors that ignited a fire in the Ultraformer No. 4 desulfurizer section. Fortunately, no one was hurt.According to an Aug. 25, 2004 OSHA press release, citations for 14 alleged serious violations of safety standards were filed against BP Amoaco, resulting in a proposed $63,000 in penalties for the March incident. According to OSHA, “The alleged serious violations include failures to identify, evaluate and control hazards associated with the emergency shutdown system; to activate the emergency shutdown system; to train employees to use the emergency shutdown system;, and to inspect and maintain process equipment. A serious violation is one in which there is a substantial probability that death or serious physical harm could result from a hazard about which the employer knew or should have known.”Emergency shutdown systems—also known as safety-instrumented systems (SISs) or process safety systems—can prevent catastrophic events like those experienced by BP Amoaco. But for SISs to be effective, it is necessary to clearly define both the process risks/hazards and the safety integrity levels (SILs) needed to shut down a process before it gets out of control. While today’s newest safety systems require careful thought in their design and application, configuration and implementation is easier than in the older standalone systems, thanks to better engineering tools and integration with basic process control systems (BPCSs).

Doing the Numbers: Reduce the Risk
The best way to reduce risk in a manufacturing plant is to design safe processes—a tall order when dealing with dangerous chemicals and equipment that can fail. For example, look at the way safety systems are rated. SILs demonstrate the availability of equipment or the probability that a failure will occur either on demand or in continuous operation. In terms of availability, SIL1 means that safety equipment will be available 90.00-99.00% of the time; SIL2, 99.00-99.90%; SIL3, 99.90-99.99%; and SIL4, better than 99.99% (See Table, “SIL Availability and Risks”). For example, a high-level trip on a tank with a safety-instrumented system (SIS) rated SIL1 means that one out of every 10 times the tank reaches overflow, the SIS will be unable to react, causing an overflow. Can you live with this risk?


Table: SIL availability and risks

Safety Integrity Level (SIL) IEC 61508/61511

Safety Availability Required

Probability to Fail on Demand (PFD)

RRF = 1/PFD

Generalized Impact

4

>99.99%

E-005 to

100,000 to 10,000

Catastrophic to community

3

99.90% to 99.99%

E-004 to

10,000 to 1,000

Employee and community

2

99.00% to 99.90%

E-003 to

1,000 to 100

Major property and production protection; possible employee injury

1

90.00% to 99.00%

E-002 to

100 to 10

Minor property and production protection


The Weakest Link
According to Asish Ghosh, vice president, ARC Advisory Group, nearly 70% of today’s manufacturers are performing hazard and risk analyses for existing and new processes. Slightly more than half of the manufacturers interviewed by ARC said they test to ensure SIL compliance once a year. Not surprisingly, Ghosh attributes more than 90% of failures in safety systems to field devices—sensors and actuators. If you employ a SIL3-rated logic solver (safety controller) and use field devices with simplex configurations and no diagnostics, the overall system’s rating decreases to that of only SIL1. Today’s safety systems need an integrated safety approach where transmitters are part of the safety system and perform autocalibration, diagnostics, validation and remote monitoring, connecting with an intelligent fieldbus such as HART or Foundation fieldbus.

The Weakest Link
The weakest link in field equipment, according to Robin McCrea Steele, director of business development at Premier Consulting, is the shutdown valve, which in the past, was operated by solenoids or pneumatics and was either open or closed. Due to their infrequent use, shutdown valves often became stuck in position, and cannot be operated. Testing valves was a tedious—and sometimes deadly—manual process. Today, these valves have seen some improvements in packing materials and the reduction of valve seizure.

When valve positioners came on the market, partial-stroke testing (e.g., moving the valve 10%) became a practical way to check valve operation. But, according to Charlie Fialkowski, Siemens process safety manager, the cost of positioners 10 years ago was prohibitive ($2,500). Now positioners are in the $200 range making it more practical to test valve operation.

The Big Story: Integration
There is a growing opinion that plant safety can be easier and less expensive to implement by making SISs a more tightly integrated part of the basic process control system (BPCS) or DCS. Whether this integration is good for safety and what degree of integration or separation is considered appropriate depends on whom you ask. For example, Paul Steinitz, director of marketing at Foxboro Automation recommends avoiding an integrated system. Instead he suggests trying to get the best of both worlds by using two separate technologies. The best SIL rating you could hope for from a DCS would be a SIL1—not the SIL3 that traditional safety systems get.

According to Heinz Janiec, Shell Deutchland Oil Rhineland Refinery, there are a majority of applications where a safety system can be integrated with—or placed in—a control system, especially if the required SIL is not greater than 2. Of course, there are applications and industries that will not allow the use of this approach due to common mode hardware failures. Janiec remembers 20–25 years ago when safety systems were hardwired and DCSs were just emerging. DCS vendors then suggested putting the safety system into a safety-rated PLC, and there was skepticism among users. Today, we have proof that the use of safety PLCs is safer than hard-wired systems because of the built-in diagnostics and early warnings of faults.

Some control engineers are favoring a degree of merging (or integrating) the safety and control systems. The latest specs (IEC 61511 and ISA 84.01) seem to allow for some free interpretation of safety and control architectures;, and again, you’re likely to get widely differing viewpoints from both camps—the safety engineers and the control engineers.
Manufacturers have several viable safety options. Whether a greenfield plant or retrofit, careful considerations must be given to fitting the right safety system to the application.

According to Roy Tanner, ABB systems marketing manager for 800 XA, some plants today have nothing in place when a safety system should have been installed with the control system. In fact, any SIL-level system would be better than none at all. For these manufacturers, Dr. M. Sam Mannan, director of the Mary Kay O’Connor Process Safety Center, Texas A&M, has some advice. “First, if you’re going to manufacture or use certain chemicals, then irrespective of what the law says, you have an obligation to know everything about the chemical. Second, if there is published data and literature available that can be used to make the process safer, and you’ve ignored it, this should be criminal negligence. Third, when you put a process in, it’s very important that you do a hazards analysis, and then implement the results from the analysis.”

Interpreting the Specs
Applicable specs for safety-instrumented systems (aka, shut-down systems) include IEC 61508 (primarily for the supplier community), IEC 61511 (for end users in the process industry), and the ANSI/ISA 84.01 standard, which follows the IEC 61511 standard. When end users purchase an IEC 61508-compatible system, they should select products that are certified by an independent third-party, such as TÜV or FM.

According to Ghosh, IEC 61511 is divided into three parts. Part 1 spells out framework, definitions, system, hardware and software requirements. Part 2 provides application guidelines, and Part 3 shows how to determine the required safety levels and explains the development of (???)

With prescriptive standards, there is no question as to what has to be done, but while the new IEC/ISA standards provide a lot of design flexibility, they don’t spell out the specifics. Manufacturers have to determine their own safety system specs based on the risks/hazards they identify in their process. Thus, manufacturers can fall into the trap of relaxing their standards and increasing their tolerable risk.

Performance-based design can have advantages for manufacturers. Says Bill Goble, principle partner at Exida, a worldwide safety consulting firm, “I’d rather have a standard that allows me to do the analysis and allows me to do what makes sense. It forces me—if I want to claim compliance—to do a detailed analysis in the jobs that I’ve done.”

The specs do call for separation between the SIS and BPCS, and this is where Goble has definite opinions. “The new ISA 84.01, which is based on IEC 61511, does not prohibit common control and safety even in one logic solver. While it’s not prohibited, it forces an engineer to meet a series of requirements,  (or hurdles,) before attempting such a design. These requirements dictate a thorough analysis of the situation, and the analysis typically shows the flaw in the thinking [of combining the systems-ed.].”

Edward R. Sederlund, process automation product manager at Dow Chemical Company thinks the new specs promote better safety systems. “We believe the ISA and IEC specs ensure greater consistency in how safety systems are designed, installed, and maintained to ensure adequate fault tolerance and that common cause failures will not deactivate the protective features.” Furthermore, he says combining the technical specifications provided by ISA and IEC with the more consistent risk assessment methodology known as Layers of Protection Analysis (LOPA) provides a greater level of consistency in ensuring that more layers of protection are in place.

Janiec says the new IEC specs will, in general, help to make systems better, more reliable, easier to handle, and safer. But, he says, that safety starts with using certified equipment, and designing the loop so that it meets the required SIL. All the components in the loop must be considered in the SIL calculation. This includes sensors, actuators, pipes, and vessels. When the new IEC spec is used by everyone involved in the safety area, the result should be a better-designed safety loop.

Just how and where you combine or separate is open to discussion. Says Andrew Dennant, Delta V SIS development manager at Emerson Process Control, “61511 requires complete separation between the control system and the safety system. It talks about the functional separation of control and safety.” While you can have control and safety in the same chassis, they can’t be sharing sensors or shutdown valves, or writing into the safety system from the control system. According to Dennant, one of the things that 61508 did was to stop focusing on just the safety PLC or the logic solver, and start looking at the whole loop.

New Specs Breed New Products
The interpretation of the new specs has created a corresponding wave of new safety products from control vendors. In most cases, users can take advantage of the integration that these products offer or use them separately as SIS and BPCS. Integration levels vary from supplier to supplier but include, at the minimum, read-only communications from SIS to BPCS; housing for two separate processors, each with its own power supply in the same rack or chassis with a communications path; and the same processor actually running SIS and BPCS.

In any of the three architectures, it’s extremely important that communications doesn’t interfere with the SIS. With the new Yokogawa system, the safety system is independent hardware, but there is a common communications bus. This design has been very thoroughly scrutinized and tested to make sure that communications faults can not affect the safety function.

Emerson took the approach of using a different OS in the SIS than in the standard Delta V products so there would be no common cause of failure. Another advantage to this approach is that engineers can upgrade the control system without having to touch the SIS.

Engineers may want to put both physical processors in the same box, but Siemens’ Fialkowski says that if they do this, they, should be willing to settle for a slightly lower protection rating than could be achieved with two separate boxes. Siemens currently offers dedicated safety and control processors, but some of its customers, according to Fialkowski, are telling him that because the SIS has some control functionality, customers are opting to buy the safety box to do control and another safety box to do safety. This helps them cut back on spare parts.

Different Design Philosophies
SISs and BPCSs have opposite design philosophies. Foxboro’s Steinitz notes that, by nature the safety system is designed to shut the plant down, so if you’re looking for control to maximize uptime, putting that control in the safety system is not the right thing to do. The safety system will not maximize uptime; it will maximize safety. According to Steinitz, safety vendors get around uptime by using 2-out-of-3 redundancy, providing availability and diagnostics. But to fine-tune a DCS for safety would require tradeoffs and probably a redesign.

Indeed, according to Connie Chick, GE Fanuc Automation’s controller and I/O business manager, “We see many more specs for TÜV, SIL3 related to applications that do not involve loss of life or environmental hazards—they’re spec’d to maximize the uptime. If you go to a SIL3 system, the plant is going to have higher uptime.” In general, when specialized systems are applied for the purpose of safety, the goal is not always protecting the bottom line. Instead, the goal is achieving the delicate balance between safety and productivity. Chick warns, “How user representatives evaluate and rank hazards and risk can result in either an over-protected process that shuts down too ‘easily,’ or an under-protected process that shuts down too late, or perhaps never.”

Generation Gap?
According to Fialkowski, some younger engineers are deciding to combine control and safety into one box, but none of the old school will have it. These younger engineers are not entrenched in the architecture wars of years ago where everyone was told that SISs must be totally separate and disconnected from the BPCS. For many years, several controls vendors including Siemens, Yokogawa, Invensys, and Honeywell have seen the benefits of operationally-integrated systems and have been engineering systems that satisfy the integration needs of their customers, providing common engineering tools and HMIs.

ABB already has a safety-certified product that also allows the safety processor to do control tasks. Tanner says that while the regular applications do not interfere with the safety application, the system does use separate I/O. Users do have the ability to separate the tasks when necessary.

Dow Chemical Company, an ABB customer, found that its philosophy matched ABB’s, and ABB had the product. Says Edward R. Sederlund, “Dow has extensive experience implementing combined process automation and safety (logical separation) on the same physical hardware platform with our legacy MOD 5 proprietary system that is certified SIL 3. Dow worked with ABB to provide a similar capability that we practiced in our MOD 5 in ABB’s recent SIL 2 system. The ABB offering can be implemented as a separate safety system (physical separation) or a combined process automation and safety system (logical separation).”

Why Integrate?
There will always be users whose corporate policy is to keep systems separate. Notes Bill Barkovitz, vice president of marketing at Triconex,, “Our customers pretty much all have internal standards that require separation between the control and safety systems. There is no way we’ll see the need for separation going away.” However he does see the need for good communications and data flow from both SIS and BCPS. But there is a caveat. If data presented from both systems is shown on a single screen, there needs to be clear differentiation between them, and operators should not be able to access the SIS without a procedure.

Integration can be done safely. According to Bruce Jensen, Yokogawa manager of marketing and sales support, manufacturers can have two separate networks and use a gateway, or put the SIS data on the DCS network using a single unified HMI. The operator from his console can monitor the safety system and operate the DCS. Engineers, for example, can have a unified screen with a common engineering environment to configure the logic solver on the safety system and the DCS using the DCS builder. The safety tags use the same tag names that can be displayed on the DCS without any gateway conversion or mapping of loops. The alarms come into a unified alarm system.

While savings are possible with an integrated system, Scott Hillman, manager, Safety Management Systems, Honeywell Process Solutions, thinks that it’s not so much the architecture (integrated or separate) that makes the difference in saving money. Rather, the biggest savings actually comes from the up-front analysis and design phase, where manufacturers run the risk of either under-engineering the SIS (exposing too much risk) or over-engineering the SIS, resulting in spending too much money. Over-engineering is the more common path taken, adding too much cost to the system without really adding any risk further protection.

While integration brings with it all the advantages of improved data communications, simplified engineering tools, and common HMIs for the operators, it means more up-front work for manufacturers, especially the smaller ones who lack qualified personnel on staff who are current with the new specs. One vendor recommends that these manufacturers call in TÜV certified consultants (see www.cfse.org) who can design, build, and verify that a safety system meets all the IEC and ISA specs.

“Why shouldn’t a DCS system with an integrated safety system go through the same scrutiny as DCSs and safety PLCs did in the 80s?” questions Shell’s Janiec. Janiec says the new safety approach is easier to use, may be more economical than the separate systems of today, and promises more reliability with higher availability.

Apply Common Sense
While it may be quite all right in some applications to put process control and SIS in the same controller, it’s a good idea to make sure that existing controllers aren’t maxed out. An already over-tasked safety controller that’s running 200 safety loops is just too much to ask of the logic solver. The accumulated risk that comes with this build-up of loops should not be overlooked. In this situation, it makes more sense to add another controller.

Finally, it’s all well and good to have the technology in place, but accidents can often be traced to human error. Says Dr. Mannan, “In general the majority of accidents happen for two reasons. First, 90% of accidents happen because the manufacturer didn’t use the resources that were available. For example, the procedures were there, but ignored; a check valve should have been installed, but wasn’t; or the control system was in place, but operators relied on human judgment. The remaining 10% occur because of a lack of adequate technology or knowledge.” Mannan contends that if humans are 90% reliable, then controls companies need to design fail-safe systems that take into consideration the 10% human unreliability factor.

Mannan sees three areas of growth in the future of safety. First, we need better performance measurement systems to tell us how we’re doing with plant safety design. Second, we need better ways of dealing with run-away chemical reactions—and computer modeling software is making it possible to design safer process control systems. Third, we need inherently safer design where lifecycle risk assessments are used with all the chemicals involved in a process.

Sign up for our eNewsletters
Get the latest news and updates