mcmillan_weiner
mcmillan_weiner
mcmillan_weiner
mcmillan_weiner
mcmillan_weiner

The ins and outs of safety instrumented systems—part 1

March 1, 2016
Familiarity with SIS starts with an understanding of reliability, redundancy, integrity levels and testing.
Authors
Greg McMillan and Stan Weiner bring their wits and more than 80 years of process control experience to bear on your questions, comments and problems. Write to them at [email protected]. Follow McMillan's Control Talk Blog.

See more Control Talk articles.

Greg: Stan and I developed Monsanto’s Interlock Guidelines. My main contribution was outlining the logic to determine the principle root cause effect so detection and prevention of abnormal conditions could be more effectively focused. Eliminating the distraction of secondary effects and my emphasis on the middle selection of three measurements were, for me, the key to improving diagnostics and reducing the cost, complexity and possible number of false trips.

The Monsanto guidelines had the most and least degree of concern as a category 1 and 4, respectively. The safety instrumented system (SIS) has the order of severity of Safety Integrity Level (SIL) numbered in the opposite direction, where SIL 1 has the least and SIL 4 has the greatest requirements. This makes sense in allowing for higher levels of concern. After issuing the Monsanto guidelines, I returned to my emphasis modeling and control. I concentrated on process control improvement, eventually developing and applying the Opportunity Sizing and Assessment methodology with Glenn Mertz as discussed in "The Human Factor," Control Talk, June 2012. To help get us properly oriented, here are some rephrased reliability engineering key points from 1992's "Introduction to the Reliability of Interlock Systems" by Randy Freeman, a Monsanto Fellow like me and Stan. Note that the term "interlock" has been replaced in the ISA SIS standard by the more definitive term Safety Integrated Function (SIF):

    • All things die or fail, it's just a matter of time
    • No system will work forever without maintenance
    • The unavailability of a demand mode safety function (e.g., interlock) depends on the failure rate of the device or system, and the frequency of testing or maintenance on the system
    • Reducing the failure rate or increasing testing frequency improves system safety
    • An announced failure of a device results in immediate notification to operator
    • An unannounced failure can't be detected until the system is used or tested
    • Interlocks must be designed to fail in an announced manner
    • Adding redundant interlocks generally improves the system safety

Stan: I continued as a member of the Process Control Subcommittee of the Center for Chemical Process Safety (CCPs) of the American Institute of Chemical Engineers (AIChE) to become a contributor to "Guidelines for the Safe Automation of Chemical Processes" published in 1993. This is an excellent book that's in many ways the source of the SIS standard, offering key application knowledge. We're fortunate to have Len Laskowski, a Monsanto retiree like us, who took over where I left off, here to help understand and use the SIS standard. Len is working on the 2nd edition of the book. He is a principal technical SIS consultant at the Emerson Engineering Center in St. Louis.

Greg: Before we get started, please realize this is a discussion, and that design and implementation of an SIS requires considerable expertise and involvement of key plant personnel and SIS specialists. The amount of discipline and details required to assign the proper SIL and to define and meet SIL requirements are extraordinary. Len, can you give us, right off the bat, an idea of the magnitude of the effort?

Len: It is a whole different type of ballgame than what we conventionally think of for automation. You need to understand how the process hazard and risk assessment, process and equipment layers, BPCS and SIS standards all come together. In order to work on a SIS application in our company, a person must take at least one month of training and thoroughly know everything in the course documentation (e.g., 200 pages). When working on an application, a person needs to completely know the Safety Requirement Specification (SRS) (e.g., 1,000 pages) that includes all the SIL calculations.

There is some extremely powerful SIL calculation software, such as Exida’s SILver, that's essential here. With one click, if all of the data is right and there are no wrong assumptions, you can get the SIL. The requirements for SIL 4 get way more complex and stringent. Fortunately, in the process industry, SIL 3 is the highest found. Something like Chernobyl would be SIL 4. When testing an application, a person needs to know how to thoroughly use the extensive and intensive test procedures (e.g., 4,000 pages on a fluidic-catalyst cracking unit, or cat cracker). Software such as the asset management system (AMS) for automated proof testing can reduce human error and the test time by orders of magnitude. Just think of manually trying to force all the combinations of 50 instruments for just one SIF, which could be readily be the case for a cat cracker.

Stan: Since Greg and I are instrumentation engineers at heart, what are some of the implications of SIS requirements on measurements and valves?

Len: You want diversity, but you need something that works best. It's difficult to choose the best technology. The quality of the instruments in terms of reliability and accuracy for the application conditions is critical. Materials of construction and method of installation must not increase the frequency of dangerous failures of the SIF capability that's inherent in the sensor, transmitter and valve design. A 1oo2 (where a vote of 1 out of 2 devices provides required redundancy) leaves the system vulnerable to spurious trips. Since shutdown and startup of a process system is the most dangerous mode of operation, and puts stress on process equipment decreasing its reliability, a 2oo3 system (where a vote of 2 out of 3 provides the redundancy) is preferred by most large continuous plants.

Greg: A middle-signal selection, where the middle signal of three transmitters is used, provides the benefits of a 2oo3 redundancy. Using the middle signal for process control also helps a loop in terms of reducing the effect of process and electromagnetic noise, offsets and slow sensor response, plus inherently protects against a single failure of any type.

The ability to compare the performance of individual measurements to the middle value is a valuable tool for diagnostics. If you have just two measurements and they disagree, which one is right? With middle-signal selection, the one furthest from the middle is the prime suspect. For a large chemical intermediates plant I worked with, middle-signal selection greatly improved onstream time and process control. For all Monsanto and Solutia plants, middle-signal selection was a best practice for all pH loops.

Len: Diagnostics, including deviation alarms for early warning and partial stroke testing of valves, have a big effect on SIL calculations. The proof test frequency that includes a complete test from sensor to valve is a key aspect.

Stan: Where are we coming up short?

Len: People don’t pay enough attention to the final elements, even though they're 85% of the total effort. How do you know a valve meets the leakage specifications? Can you test it inline, or do you need to pull the valve and test it in the shop? Process material that can coat or erode seal and seat surfaces can cause much greater leakage. Two valves in series may be needed to achieve reliability. Streams may need to be SIL 2 for the associated process equipment to meet SIL 1. People don’t fully realize the consequences of multiple streams with a higher SIL. If you consider there could be four streams with temperature- and pressure-compensated differential pressure (DP) transmitters, there could be 36 transmitters for a 2oo3 redundancy. A smart DP with integrated temperature and pressure sensors may reduce this to 12 transmitters.

Greg: Adherence to the leakage specification may be deficient in SIS applications, but is excessive in process control systems. The specification of the leakage rate needed for an SIS by definition increases the stiction near shutoff, leading in many cases to the wrong type of valve for throttling in control loops as detailed in the this month’s feature article, "Don't let control valves ruin process control." Control valves designed for throttling should not be used as SIS isolation valves and vice versa.

Stan: What about the response time?

Len: You need to calculate the process safety time (PST), and make sure the SIS can respond within 50% of the PST. A response may need to be faster due to a nonlinear response. The valve response time may be the biggest concern. The installed valve flow characteristic needs to be included in calculation of the stroking time because the initial change in flow might be quite small for some types of trim (e.g. equal percentage). The valve signals may need to be ramped and feedforward signals used to avoid upsetting the control loops on other process units. For measurements, the worst-case sensor response time (e.g., coated sensor) must be considered in the selection of the trip setpoint.

Greg: For pH electrodes, the effect of glass electrode age and the hydrated surface as well as fluid velocity and coatings on response time is enormous. Velocity and coatings also slow down temperature measurements, but are generally superseded by effect of the thermal conductivity of the thermowell or protection tube and to a greater extent by the fit of the thermocouple (TC) or resistance temperature detector (RTD) sensing element within the thermowell or tube. The immersion length is critical for reducing thermal conduction errors and making sure the tip is at the right point in the temperature profile. The sensor location is also important for getting a truly representative measurement. For more guidance, see my ISA books, "Advanced pH Measurement and Control—3rd edition" and "Advanced Temperature Measurement and Control—2nd edition."

Stan: Look for us next month to conclude this series with the best practices for SIL calculations and the top reasons why SIS fail.

"The Beach Boys" (Greg and Stan) Top 10 Hits

Stan is enjoying the beach in retirement in Naples, Fla. I thought about going back to the beach I grew up next to (Jones Beach, Long Island), but it was knee deep in snow this past January. I did just visit my cousin who lived next door to me, but left for the West Coast to be a surfer dude. As a retired, very successful, former technical leader at Rockwell Automation with a home within sight of the beach (San Clemente, Calif.), he now gets to surf almost every day. This inspired us to think of our Top 10 Hits as "Beach Boys," and what if our surfboards had a GPS and a SIS. We might even be able to go to "Surf City" with Jan and Dean.

10. I get around (the plant)
9. Fun, fun, fun (on startup)
8. In my room (the control room)
7. Help me Rhonda (fix this valve)
6. Wouldn’t it be nice (if the valve spec actually required the valve to stroke)?
5. Do You want to dance (or take a stance on valve response)?
4. Be true to your school (even if you didn’t learn how to tune a loop)
3. Surfing USA (the next big wave in technology)
2. Good vibrations (won’t trip our compressor)
1. Little deuce coupe (with surfboard GPS and SIS)

About the Author

Greg McMillan | Columnist

Greg K. McMillan captures the wisdom of talented leaders in process control and adds his perspective based on more than 50 years of experience, cartoons by Ted Williams and Top 10 lists.