Safety Solutions Shine at Triconex Conference

More than 160 visitors took in and participated in dozens of sessions at Invensys Triconex's 17th annual Technical Conference 2007 last week at the Moody Gardens Hotel in Galveston, Texas. The company covered its upcoming I/O and Trident development plans and showed recent work with Foundation fieldbus safety-instrumented systems, HART developments and dynamic simulation. In the conference's first presentation, "Partial Stroke Testing (PST): The Good, The Bad and The Ugly," Robin McCrea-Steele, of Invensys' Premier Consulting Services, reported that PST's perceived advantages are that it provides an improvement to the safety integrity level (SIL) of the SIF; delivers predictive maintenance data; may allow extension of the full stroke test (FST); might overcome IEC 61511 architectural constraints; may reduce the need for valve bypasses; and allows a valve to be always available to respond to a process demand during a test period. PST's perceived disadvantages are that it tests only 30%-70% of valve DU failures; isn't applicable to tight shut-off valves; may increase spurious trip rates; incorporates additional equipment with its own testing requirements; potentially converts the valve/PST smart equipment assembly to a Type B complex subcomponent, per IEC 61508-2; build up forms at 10% of stroke if PST always strokes 10%; and that it makes plant managers nervous. McCrea-Steele also advised users to determine which failure modes are detectable by PST; use "field-based" failure rate data; consider implications of PST smart PE equipment with its own potential λDU testing requirements; be aware that frequent PST may increase MTTF spurious; used PST to improve the RRF of the SIF; use PST to extend the full-stroke testing period; and do not use PST to justify decreasing redundancy requirements. The second paper, "Plant SIS Auditing," was presented by Clark Cogswell of Shell Global Solutions, who reported that the three key elements of excellent asset integrity are people, management systems and equipment integrity. People must be staff-trained, motivated and fully competent for their jobs. Management systems need to have all necessary procedures in place, be effectively used and continuously updated. And equipment integrity means having solid SIS hardware in place, no SIS failures on demand, minimum nuisance trips, long term repair and established replacement plans. Cogswell stresses that to manage their SIS assets effectively, users must ask themselves if they've assessed their SIS and determined a SIL for each one? Written an SRS for each SIS? Added or upgraded SIS to close gaps? Tested SIS at the proper frequency? Made sure their test procedures and records in good order? Determined if their operators put the SIS in bypass to prevent trips? And have data that proves their SIS is performing as designed? Cogswell adds that Shell uses a review-work process based on measuring the effectiveness in SIS management and not just having all the right hardware, procedures and good intentions. "Plants are judged against internal Shell standards which are based on best practices and industry standards," he says. "These standards are developed and conducted by a team of international subject matter experts (SMEs). The review creates a report of specific, actionable, risk-prioritized recommendations for improvement. It includes a consistent, objective scoring process based on 1,000 points of excellence." Management systems reviewed at Shell include stationary pressure equipment, rotating machinery, electrical and power distribution, protective instrument systems and controls, civil infrastructure and storage tanks, safeguarding systems, and onshore and offshore E&P equipment. These are evaluated for leadership and administration, skills, training and competency, procedures and practices, quality assurance and control, engineering and maintenance, prevention and controls, and records, tools, and references. In the third presentation, Kevin Arnold and John Thomassee, both of Chevron Phillips Chemical LP, demonstrated how their facility uses SISs to help produce 3 billion pounds of plastics per year. Their plant uses 12 Triconex systems and many hardwired systems that are separate from its basic process control system (BPCS). These manage 250 safety functions rated at SIL1, 2 and 3 in 1,900 SIS instruments and conduct 1,000 SIS proof tests. Because having an installed SIS is only the beginning of ensuring system integrity, the two explain that Chevron Phillips uses SIS equipment identification, including SIS instrument tag names ending in "X," a diamond symbol on DCS graphics for SIS interlocks, give all SIS instruments an engraved red metal tag, as well as safety instrument loop diagrams (SILD), SAP functional locations and SIS controller symbols on P&IDs. They also employ proof-testing objectives to expose covert failures, and verify SIS field sensor calibration and operation, operation of SIS final control element, SIS logic solver I/O, and alarm and trip logic settings. "This is done to maintain and verify that the SIS is good as new to perform per design if/when needed," says Arnold. These proof-test procedures (PTP) include a formal validation process, detailed work instructions and support information. The testing process consists of performing job safety analyses with all involved parties, ensuring the process is in proper condition, checking that required bypasses are properly installed, conducting testing, following all test steps in order, determining if devices pass the test, making sure bypasses installed for testing are removed, returning equipment back to service after testing and completing documentation. Subsequent auditing and continuous improvement involves tracking actual process demands on SIF, actual device performance, and failure type as safe, degraded or dangerous, as well as asking are procedures and schedules being followed? "If the culture of the facility isn't willing to support SIS, then the result is a net negative investment, not only in resources, but also safety, because people will assume they are protected by a safety system, when in fact they may not be," stated Arnold and Thomassee. "SIS can't be viewed as "˜keeping the plant from running,' but rather as "˜keeping the plant running safely and reliably.' So, management must consistently make it clear with actions, not just policy statements, that the only acceptable state of plant operation is safe operation. In addition, the SIS coordinator/champion serves as a dedicated resource. All maintenance activities are documented, and failures are investigated and reliability tracked. Past practices, previously acceptable work quality, and "˜close-enough' mindset may no longer be adequate."