SOME USERS are embracing safety standards, some are confused by the terminology, some just don’t understand it at all, and some are afraid to talk about it in public. Many just turn safety issues over to process control vendors, and some work hand-in-hand with outside experts (See Figure 1 below). In this article, we’ll look at how some users and vendors are dealing with safety issues.
Making Stuff Safely
Eric Marcelo, supervisor at the Nestle Philippines coffee factory in Cagayan de Oro City, Philippines, says his plant has a positive attitude toward safety. He even understands all the safety requirements that apply to his plant. “We were given training at the start of our employment, and whenever there are changes in standards or installations,” he says. “Basically speaking, safety is everyone's concern. We have a safety officer for the whole factory, safety champions for each department, and safety experts for certain processes. The safety expert ensures that safety procedures, interlocks and safety features of equipment and processes are followed or adhered to. Any changes will have to be cleared through him and will undergo complete analysis before permission to proceed is given. In certain situations, any suggestions or problems he receives, or is made aware of, will be sent to the R&D center for more thorough analysis and testing.”
The sunset of old IEC safety regulations and the dawning of new SIS and SIL rules make safety systems a real challenge for control engineers, especially at large installations, such as the Rompetrol Rafinare refinery and chemical complex in Romania.
Some users turn to automation vendors to solve their safety issues. For example, the Rompetrol Rafinare refinery and chemical complex, located on the Black Sea in Navodari, Constanta, Romania, recently installed two safety instrumented systems (SISs).
Cristian Pariza, Rompetrol’s automation/systems engineer, managed the installation of SIL 3-rated DeltaV SIS technology from Emerson Process Management to protect the refinery’s gas-fired burners for atmospheric distillation/vacuum distillation (AD/VD) heaters. In addition, SIL 3-rated SIS equipment was placed on polypropylene plastic and pyrolysis units in the facility's petrochemical plant. Configuration, startup, and post-startup activities were conducted by a team of refinery and Emerson engineers.
"Looking at the AD/VD project in particular, the safety system consists of three identical subsystems, one for each heater," says Pariza. "Each subsystem is housed in a dedicated cabinet (See Figure 2 below) containing 18 logic solvers, 270 I/O points, redundant power supplies, and redundant communications with the plant network."
The DeltaV safety systems at Rompetrol are housed in a dedicated cabinet containing logic solvers, I/O points, redundant power supplies, and redundant communications.
Meanwhile, the Rashtriya Chemicals and Fertilizers plant in Chembur, Mumbai, India, manufactures 900 metric tons per day of ammonia, plus quantities of urea, nitric acid, and other chemicals. When its engineers wanted to update Rashtriya’s mostly pneumatic and relay-based control systems, they decided to do the process controls and safety systems all at the same time, using an integrated system from Honeywell (See Figure 3 below).
This new system includes an Experion PKS control system and a SIL-3 rated Safety Manager, which focuses on safety-related process variables, and prevents unacceptable access or interference from operators or maintenance personnel. Safety Manager also is used for compressor-process interlocks, and initiates an emergency shutdown if unhealthy process values are detected. This prevents unsafe shutdown practices, which can cause injuries or damage plant equipment. It also limits nuisance trips.
FIGURE 3: FERTILIZER SAFETY
Similar to Rashtriya and Rompetrol’s safety equipment, Triconex’s Trident system integrates process controls and safety at oil and gas wells for the Al Noor and Al Shomu oil fields in the desert of South Oman. The oil wells are unmanned, and operate continuously. The main function of the Trident PLC at the wellheads is to act as an instrumented protective system for the pipeline to a production station, the wellhead, and the oil reservoir. Trident’s triplicated architecture helps maintain production of the well from a single fault or processing error. If a hardware fault occurs, the module can be replaced on-line, so the well can keep operating and flowing at all times.
Teams Refine Answers
As you might expect, some users in refineries are somewhat reluctant to talk about safety issues, or are prohibited from doing so. Two end users, Ed and Bob, described their company’s efforts, but have to remain anonymous.
Ed claims to understand all the safety requirements, as far as control systems, process equipment and Safety-Instrumented Systems (SIS) are concerned.
“Within this sphere, I’m very knowledgeable about the design, maintenance, and operation of safety-instrumented systems,” says Ed. “This doesn’t imply I know it all, but rather that I am competent enough to lead and oversee design efforts.”
Ed reached that point by leading his plant’s safety effort. “I participated in the early phases of developing our internal SIS standard and application practices, and most recently in the design and application of several systems. While I can’t claim to know it all, experience and knowing who else in and outside the company to call for answers to certain questions does help.”
Refineries are big places with lots of equipment, and no one can be expected to know all their safety regulations. “My knowledge is limited to the design of systems and the intent of our standards. It doesn’t extend to the specific process hazards of any given process. No control engineer could be reasonably expected to understand all the hazards of the processes in his facility, nor should he advertise or assume that he does.”
Like Marcelo’s coffee plant, Ed and Bob’s refinery takes a team approach to safety. “The team determines where safety systems need to be applied and what their design should be,” he explains. “The team is run by a project engineer, who is knowledgeable about safety system design. Other team members include Operations, Engineering, Instrumentation, and Maintenance departments. We use outside consultants to facilitate the design meetings, develop the detailed design, and implement the system in cooperation with the control group. For design, it’s best to involve external consultants, who are experts at SIS design and implementation. We also have corporate support on safety system design and process technologies.
“Once systems are operational, the responsibility for operating them safely falls to the operations organization, while maintenance and support falls to the instrument maintenance and controls group. The controls group provides a lot of support for troubleshooting and ‘design intent interpretation.’ ”
Because refineries are subject to many rules, Ed’s team has to meet ISA S-84, API-521, API-556 and NFPA-85 specs. They also use Triconex’s Trident to meet SIS requirements. However, the refinery goes beyond the rules. “While ISA S-84 is a performance-based standard, and this is a good thing, it’s not enough,” he says. “Our internal standards and design practices are more prescriptive.”
Our other refinery engineer, Bob, takes a similar approach. “We have a fire and safety manager, a PSM coordinator for OSHA 1910 Process Safety Management, and a corporate charter related to safety,” he says. “The fire and safety manager has all the responsibilities and authority of being a manager of a department that has corporate scrutiny. The PSM coordinator is primarily responsible for paper.”
Bob explains that safety requirements are necessarily widespread in a refinery. “There’s process safety related to relief valves, vessel pressure ratings, design and SIS,” he notes. “Also, there’s personnel safety, such as clothing, training, ergonomic designs, and injury reduction. Then there’s infrastructure safety, including electrical safety and physical property protection, such as fences, barriers, lighting, cameras, and guards.”
Because of its complexity and scope, safety is an ongoing task. “We use Triconex PLCs to meet our basic practice specification which is based on S84. We’re currently revising our Basic Practice to meet the revised S84, which follows the IEC specification,” adds Bob. “We follow the safety lifecycle in our design phase, do SIL reviews, develop SRSs, and do everything advised by our safety consulting firm. We require our primary engineering contractor to work with our designated safety consultant to complete designs. We presently have safety systems on all of our processes, with one-third meeting the S84 standard, but with plans to convert all the plants on a scheduled basis. We have active projects to convert six plants this year.”
What You Don’t Know
Understanding all the aspects of safety is a daunting task. Mike Reilly, an engineer at Flint Hills Resources, a refining and chemical company in Wichita, Kan., says he understands his safety rules…he thinks. “But you don't know what you don't know,” says Reilly.
In a recent survey of Control’s readers, we asked: “Do you understand all the safety requirements that apply to your plant, such as ISA S84, SIL, PSM, ESD, etc.?” More than half the respondents answered “no.”
Chris Conklin, senior engineering specialist at Dow Corning Corp. in Midland, Mich., says he too doesn’t understand all of his safety requirements. “We went through a major workforce reduction a few years ago, and we lost significant knowledge regarding instrumentation, process controls, and safety instrumented systems,” he explains. “So, to answer the question honestly, I would have to say we don’t understand all of the safety requirements that apply to our manufacturing site with respect to safety instrumented systems.”
So who does? “Basic safety responsibility and authority currently resides in the safety and loss control department,” adds Conklin. “However, as far as I know, no one in that group has the knowledge or understanding about the safety requirements with respect to S84, SIL, ESD, etc. In our group, we recently identified this as an issue, and we’re seeking someone who can become our subject-matter expert in safety-instrumented systems.”
Len Laskowski, Emerson’s technical consultant and engineering fellow, adds, “Today nearly all companies are experiencing the lack of staffing to deal with all the new regulations, standards, and other issues. Some companies with long-established guidelines dealing with SIS systems are updating their internal standards to stay current with international standards such as IEC61511. Others, who had no or minimal guidelines, find it easier to just adopt the new standard. Some companies are still trying to assess the new standards, and determine what they must do to be compliant, and there are a few that have yet to do anything.”
Louis Szabo, business development manager at Pepperl+Fuchs, says end users are confused about safety requirements. “For instance, in one case, a customer used a ‘rule of thumb’ they obtained from Exida that provided parameters for a generic IS barrier,” he says. “Their understanding of MTBF data was incorrect, as was their understanding of SIL1 through SIL4. To them, MTBF meant ‘Mean Time Before Failures,’ instead of the actual ‘Mean Time Between Failures’ definition. SIL1 meant one year, SIL 2 meant 10 years, SIL3 meant 100 years, and SIL4 meant 1,000 years. This misconception was cleared up, and they’re now safer for it. In another case, a customer’s safety system was never tested. They experienced a failure in the primary control system, and the back-up never triggered, resulting in a chemical spill and a $10,000 EPA fine.”
Charles Fialkowski, product manager at Siemens Energy & Automation, has similar horror stories. “I've heard some major oil and gas companies say, ‘Most here don't know how to spell SIL,’ which is rather scary. While I don't question their corporate knowledge, it's usually the local plants that are hurting the most for information and knowledge. From my personal perspective, over the past 10 years, I’ve seen considerable increase in knowledge and awareness across the board, which is very encouraging.”
Read the Manuals!
Unfortunately, improving safety is complicated by safety’s own standards nomenclature. Laskowski explains, “Just for the record, ANSI/ISA 84.00.01-2004 Part 1 is really IEC 61511-1, with the exception of clause 1y, the grandfather clause. This is frequently referred to as S84 in SIS circles. This standard doesn’t govern development of equipment to be used in SISs, nor does OSHA’s STD 29CFR1910.119, commonly referred to as PSM. Instead, Emerson and other vendors use IEC61508 as the benchmark to develop hardware and software for equipment that will be SIL rated and then TÜV certified as acceptable to use in SIL-rated applications.” No wonder so few users understand safety issues.
Scott Hillman, safety management systems manager at Honeywell, is TÜV-certified, so he appreciates how tough it is to get up to date. “Users are taking safety rules very seriously, and are earnestly attempting to meet these requirements,” he says. “They’re struggling with interpreting the standards, how to apply them, and what resources they have to implement them. A few end-users have the capability to respond internally. Most customers, however, will make use of the safety expertise available at Honeywell or other supplier organizations to implement their safety requirements into a safe, available, user-oriented safety solution. They realize that safety isn’t just a regulation they have to meet, and that it’s good business to operate their plant safely.”
The cost of safety is often misunderstood, too. Connie Chick, manager of the PACSystems group at GE Fanuc, says users are confused. “They are getting confused a lot of times by our own industry, which sometimes uses safety as a selling point. The customer doesn’t understand what a ‘total installation’ requires. For instance, a SIL-3 triplicate system can involve triplicated everything—I/O, devices, etc.—which then becomes really expensive. Jumping to that level is a real cost hit, and you need to understand whether it’s truly required for the application.”
If you want to do it yourself, Hillman has some advice. “End-users must read the applicable manuals to determine how to implement the system to meet the SIL3 certification. It’s a ‘buyer-beware’ scenario. They must realize that TÜV certificates are one thing, but the information in the safety, installation, and implementation manuals dictate how the system must be implemented to meet the SIL level. These describe the restrictions and requirements to implement to the SIL level. Those restrictions often represent additional configuration and cost to the end-user.
“For example, a safety manual may require that the end user add an external relay to the output of the safety system to meet SIL3. The relay provides an alternative means to de-energize the loop, and if it’s not implemented in that manner, then safety is jeopardized. But if it is implemented correctly, it adds to the total cost of that application.”
Laskowski adds, “While we see the entire spectrum of experience, when it comes to dealing with SIS, most customers are aware of the standards, but haven’t fully come to appreciate the requirements. Since IEC61511 is a performance standard, measures of performance are required. The good news/bad news is that some engineering is needed to develop the performance measures. In reality, there’s more work for engineers to do to implement this IEC standard than was the case in the old days of ‘cookbook’ or prescriptive standards. In every proposal that we send out involving smart SIS with DeltaV SIS, we break out the steps of work in the IEC61511 Safety Life Cycle. There are more than 40 steps we recognize in the portion of the lifecycle normally associated with projects.”
Honeywell installed an integrated control and safety system for British Petroleum’s Clair offshore platform.
“Honeywell engineers participated in SIL Safety Integrity studies to categorize the safety, environmental and commercial integrity level for every aspect of the platform,” explains Coleman. “Honeywell’s fire and gas engineers were involved with the EPC contractor and the Topsides 3D model to locate gas detectors, smoke and heat detectors, and fire and gas closed-circuit TV cameras. Abnormal Situation Management (ASM) standards were used in generating the HMI to minimize information displayed to the operator to safely operate the platform. This included an alarm minimization review, in which every alarm in the Clair system was reviewed, and uniquely identified with priority, cause, and remedial action.”
Coleman says working with one vendor is a huge benefit. “We don’t have two vendors supplying two different interfaces. This helps us avoid unnecessary communications, and makes graphics and displays consistent.”
Likewise, a systems integrator can help with installation. “We have folks that are trained in the workings and specifications of SIS systems, but we don’t engage in defining these systems, only in executing the plans of the owners,” says Cliff Speedy, project engineer at C&I Engineering in Louisville, Ky. “We’ll participate in the planning of the systems, but most of the real definition comes either from experts from the corporation or from hired SIS consultants. We’ve become real experts at estimating and installing these systems, rather than experts at defining them.”
Hillman adds that Honeywell also provides services that cover the entire safety lifecycle, or they will help you do it yourself. “Our project engineers and our integration centers are certified to the TÜV international standards,” he says. “We’re approved by TÜV to train and certify to the safety standards, so end-users can design and install themselves. We host regular training classes, and are listed on the TÜV site as certified trainers. In addition, our development center, factory, and our project engineers are certified.”
Siemens does the same. “We offer advanced tools to assist the end user through all critical phases of the safety lifecycle,” says Fialkowski. “We can provide front-end engineering services for HAZOP and SIL validations, we have ‘Centers of Excellence’ for the oil and gas and chemical industries, and we offer pre-certified safety designs in applications like burner management systems and fire and gas.”
Ged Farnaby, North American business development manager for the Safety Solutions Group of ABB, says his company can help, too. “ABB has made it a priority to help customers with safety system implementations, and to ensure our internal compliance for these solutions,” he says. “We have numerous certified safety engineers worldwide, as well as dedicated Centers of Excellence for safety. We’ve worked with our quality and engineering groups to produce a set of guidelines and procedures to ensure that all safety systems are designed and delivered for full compliance to ANSI/ISA 84.00.01 2004 Part 1-3 (IEC 61511-3 Mod).”
In addition, Triconex and Invensys work together to help users. “Triconex and Invensys provide TÜV-certified engineering resources worldwide, which assist in the design, programming, implementation and installation of safety instrumented systems,” says Luis Duran of Triconex. “Beyond a stringent quality assurance scheme and best engineering practices, providing qualified personnel in safety matters is particularly important as experienced plant personnel are getting scarce.”
Laskowski adds, “In addition to classroom, on-site training, and e-learning courses, Emerson offers courses on SIS at its PlantWeb University online learning center. The courses provide fundamentals and practical tips for SIS planning, selection and implementation, plus information on basic SIS concepts, design and installation, operation and maintenance, safety standard compliance, and new SIS technologies.”
It probably would be beneficial to learn as much as you can about SIL, SIS and all the other safety regulations. But if you don’t have time, you can turn it all over to your process control vendor.