SOME USERS are embracing safety standards, some are confused by the terminology, some just don't understand it at all, and some are afraid to talk about it in public. Many just turn safety issues over to process control vendors, and some work hand-in-hand with outside experts (See Figure 1 below). In this article, we'll look at how some users and vendors are dealing with safety issues.
Making Stuff Safely
Eric Marcelo, supervisor at the Nestle Philippines coffee factory in Cagayan de Oro City, Philippines, says his plant has a positive attitude toward safety. He even understands all the safety requirements that apply to his plant. "We were given training at the start of our employment, and whenever there are changes in standards or installations," he says. "Basically speaking, safety is everyone's concern. We have a safety officer for the whole factory, safety champions for each department, and safety experts for certain processes. The safety expert ensures that safety procedures, interlocks and safety features of equipment and processes are followed or adhered to. Any changes will have to be cleared through him and will undergo complete analysis before permission to proceed is given. In certain situations, any suggestions or problems he receives, or is made aware of, will be sent to the R&D center for more thorough analysis and testing."
The sunset of old IEC safety regulations and the dawning of new SIS and SIL rules make safety systems a real challenge for control engineers, especially at large installations, such as the Rompetrol Rafinare refinery and chemical complex in Romania.
Some users turn to automation vendors to solve their safety issues. For example, the Rompetrol Rafinare refinery and chemical complex, located on the Black Sea in Navodari, Constanta, Romania, recently installed two safety instrumented systems (SISs).
Cristian Pariza, Rompetrol's automation/systems engineer, managed the installation of SIL 3-rated DeltaV SIS technology from Emerson Process Management to protect the refinery's gas-fired burners for atmospheric distillation/vacuum distillation (AD/VD) heaters. In addition, SIL 3-rated SIS equipment was placed on polypropylene plastic and pyrolysis units in the facility's petrochemical plant. Configuration, startup, and post-startup activities were conducted by a team of refinery and Emerson engineers.
"Looking at the AD/VD project in particular, the safety system consists of three identical subsystems, one for each heater," says Pariza. "Each subsystem is housed in a dedicated cabinet (See Figure 2 below) containing 18 logic solvers, 270 I/O points, redundant power supplies, and redundant communications with the plant network."
The DeltaV safety systems at Rompetrol are housed in a dedicated cabinet containing logic solvers, I/O points, redundant power supplies, and redundant communications.
Meanwhile, the Rashtriya Chemicals and Fertilizers plant in Chembur, Mumbai, India, manufactures 900 metric tons per day of ammonia, plus quantities of urea, nitric acid, and other chemicals. When its engineers wanted to update Rashtriya's mostly pneumatic and relay-based control systems, they decided to do the process controls and safety systems all at the same time, using an integrated system from Honeywell (See Figure 3 below).
This new system includes an Experion PKS control system and a SIL-3 rated Safety Manager, which focuses on safety-related process variables, and prevents unacceptable access or interference from operators or maintenance personnel. Safety Manager also is used for compressor-process interlocks, and initiates an emergency shutdown if unhealthy process values are detected. This prevents unsafe shutdown practices, which can cause injuries or damage plant equipment. It also limits nuisance trips.
FIGURE 3: FERTILIZER SAFETY
Similar to Rashtriya and Rompetrol's safety equipment, Triconex's Trident system integrates process controls and safety at oil and gas wells for the Al Noor and Al Shomu oil fields in the desert of South Oman. The oil wells are unmanned, and operate continuously. The main function of the Trident PLC at the wellheads is to act as an instrumented protective system for the pipeline to a production station, the wellhead, and the oil reservoir. Trident's triplicated architecture helps maintain production of the well from a single fault or processing error. If a hardware fault occurs, the module can be replaced on-line, so the well can keep operating and flowing at all times.
Teams Refine Answers
As you might expect, some users in refineries are somewhat reluctant (or prohibited) from talking about safety issues. Two end users, Ed and Bob, described their company's efforts, but have to remain anonymous.
Ed claims to understand all the safety requirements, as far as control systems, process equipment and Safety-Instrumented Systems (SIS) are concerned.
"Within this sphere, I'm very knowledgeable about the design, maintenance, and operation of safety-instrumented systems," says Ed. "This doesn't imply I know it all, but rather that I am competent enough to lead and oversee design efforts."
Ed reached that point by leading his plant's safety effort. "I participated in the early phases of developing our internal SIS standard and application practices, and most recently in the design and application of several systems. While I can't claim to know it all, experience and knowing who else in and outside the company to call for answers to certain questions does help."
Refineries are big places with lots of equipment, and no one can be expected to know all their safety regulations. "My knowledge is limited to the design of systems and the intent of our standards. It doesn't extend to the specific process hazards of any given process. No control engineer could be reasonably expected to understand all the hazards of the processes in his facility, nor should he advertise or assume that he does."
Like Marcelo's coffee plant, Ed and Bob's refinery takes a team approach to safety. "The team determines where safety systems need to be applied and what their design should be," he explains. "The team is run by a project engineer, who is knowledgeable about safety system design. Other team members include Operations, Engineering, Instrumentation, and Maintenance departments. We use outside consultants to facilitate the design meetings, develop the detailed design, and implement the system in cooperation with the control group. For design, it's best to involve external consultants, who are experts at SIS design and implementation. We also have corporate support on safety system design and process technologies.
"Once systems are operational, the responsibility for operating them safely falls to the operations organization, while maintenance and support falls to the instrument maintenance and controls group. The controls group provides a lot of support for troubleshooting and 'design intent interpretation.'"
Because refineries are subject to many rules, Ed's team has to meet ISA S-84, API-521, API-556 and NFPA-85 specs. They also use Triconex's Trident to meet SIS requirements. However, the refinery goes beyond the rules. "While ISA S-84 is a performance-based standard, and this is a good thing, it's not enough," he says. "Our internal standards and design practices are more prescriptive."
Our other refinery engineer, Bob, takes a similar approach. "We have a fire and safety manager, a PSM coordinator for OSHA 1910 Process Safety Management, and a corporate charter related to safety," he says. "The fire and safety manager has all the responsibilities and authority of being a manager of a department that has corporate scrutiny. The PSM coordinator is primarily responsible for paper."
Bob explains that safety requirements are necessarily widespread in a refinery. "There's process safety related to relief valves, vessel pressure ratings, design and SIS," he notes. "Also, there's personnel safety, such as clothing, training, ergonomic designs, and injury reduction. Then there's infrastructure safety, including electrical safety and physical property protection, such as fences, barriers, lighting, cameras, and guards."
Because of its complexity and scope, safety is an ongoing task. "We use Triconex PLCs to meet our basic practice specification which is based on S84. We're currently revising our Basic Practice to meet the revised S84, which follows the IEC specification," adds Bob. "We follow the safety lifecycle in our design phase, do SIL reviews, develop SRSs, and do everything advised by our safety consulting firm. We require our primary engineering contractor to work with our designated safety consultant to complete designs. We presently have safety systems on all of our processes, with one-third meeting the S84 standard, but with plans to convert all the plants on a scheduled basis. We have active projects to convert six plants this year."
What You Don't Know
Understanding all the aspects of safety is a daunting task. Mike Reilly, an engineer at Flint Hills Resources, a refining and chemical company in Wichita, Kan., says he understands his safety rules... he thinks. "But you don't know what you don't know," says Reilly.
In a recent survey of Control's readers, we asked: "Do you understand all the safety requirements that apply to your plant, such as ISA S84, SIL, PSM, ESD, etc.?" More than half the respondents answered "no."
Chris Conklin, senior engineering specialist at Dow Corning Corp. in Midland, Mich., says he too doesn't understand all of his safety requirements. "We went through a major workforce reduction a few years ago, and we lost significant knowledge regarding instrumentation, process controls, and safety instrumented systems," he explains. "So, to answer the question honestly, I would have to say we don't understand all of the safety requirements that apply to our manufacturing site with respect to safety instrumented systems."
So who does? "Basic safety responsibility and authority currently resides in the safety and loss control department," adds Conklin. "However, as far as I know, no one in that group has the knowledge or understanding about the safety requirements with respect to S84, SIL, ESD, etc. In our group, we recently identified this as an issue, and we're seeking someone who can become our subject-matter expert in safety-instrumented systems."
Len Laskowski, Emerson's technical consultant and engineering fellow, adds, "Today nearly all companies are experiencing the lack of staffing to deal with all the new regulations, standards, and other issues. Some companies with long-established guidelines dealing with SIS systems are updating their internal standards to stay current with international standards such as IEC61511. Others, who had no or minimal guidelines, find it easier to just adopt the new standard. Some companies are still trying to assess the new standards, and determine what they must do to be compliant, and there are a few that have yet to do anything."
Louis Szabo, business development manager at Pepperl+Fuchs, says end users are confused about safety requirements. "For instance, in one case, a customer used a 'rule of thumb' they obtained from Exida that provided parameters for a generic IS barrier," he says. "Their understanding of MTBF data was incorrect, as was their understanding of SIL1 through SIL4. To them, MTBF meant 'Mean Time Before Failures,' instead of the actual 'Mean Time Between Failures' definition. SIL1 meant one year, SIL 2 meant 10 years, SIL3 meant 100 years, and SIL4 meant 1,000 years. This misconception was cleared up, and they're now safer for it. In another case, a customer's safety system was never tested. They experienced a failure in the primary control system, and the back-up never triggered, resulting in a chemical spill and a $10,000 EPA fine."
Charles Fialkowski, product manager at Siemens Energy & Automation, has similar horror stories. "I've heard some major oil and gas companies say, 'Most here don't know how to spell SIL,' which is rather scary. While I don't question their corporate knowledge, it's usually the local plants that are hurting the most for information and knowledge. From my personal perspective, over the past 10 years, I've seen considerable increase in knowledge and awareness across the board, which is very encouraging."
Read the Manuals!
Unfortunately, improving safety is complicated by safety's own standards nomenclature. Laskowski explains, "Just for the record, ANSI/ISA 84.00.01-2004 Part 1 is really IEC 61511-1, with the exception of clause 1y, the grandfather clause. This is frequently referred to as S84 in SIS circles. This standard doesn't govern development of equipment to be used in SISs, nor does OSHA's STD 29CFR1910.119, commonly referred to as PSM. Instead, Emerson and other vendors use IEC61508 as the benchmark to develop hardware and software for equipment that will be SIL rated and then TÜV certified as acceptable to use in SIL-rated applications." No wonder so few users understand safety issues.
Scott Hillman, safety management systems manager at Honeywell, is TÜV-certified, so he appreciates how tough it is to get up to date. "Users are taking safety rules very seriously, and are earnestly attempting to meet these requirements," he says. "They're struggling with interpreting the standards, how to apply them, and what resources they have to implement them. A few end-users have the capability to respond internally. Most customers, however, will make use of the safety expertise available at Honeywell or other supplier organizations to implement their safety requirements into a safe, available, user-oriented safety solution. They realize that safety isn't just a regulation they have to meet, and that it's good business to operate their plant safely."
The cost of safety is often misunderstood, too. Connie Chick, manager of the PACSystems group at GE Fanuc, says users are confused. "They are getting confused a lot of times by our own industry, which sometimes uses safety as a selling point. The customer doesn't understand what a 'total installation' requires. For instance, a SIL-3 triplicate system can involve triplicated everything (I/O, devices, etc.), which then becomes really expensive. Jumping to that level is a real cost hit, and you need to understand whether it's truly required for the application."
If you want to do it yourself, Hillman has some advice. "End-users must read the applicable manuals to determine how to implement the system to meet the SIL3 certification. It's a 'buyer-beware' scenario. They must realize that TÜV certificates are one thing, but the information in the safety, installation, and implementation manuals dictate how the system must be implemented to meet the SIL level. These describe the restrictions and requirements to implement to the SIL level. Those restrictions often represent additional configuration and cost to the end-user.
"For example, a safety manual may require that the end user add an external relay to the output of the safety system to meet SIL3. The relay provides an alternative means to de-energize the loop, and if it's not implemented in that manner, then safety is jeopardized. But if it is implemented correctly, it adds to the total cost of that application."
Laskowski adds, "While we see the entire spectrum of experience, when it comes to dealing with SIS, most customers are aware of the standards, but haven't fully come to appreciate the requirements. Since IEC61511 is a performance standard, measures of performance are required. The good news/bad news is that some engineering is needed to develop the performance measures. In reality, there's more work for engineers to do to implement this IEC standard than was the case in the old days of 'cookbook' or prescriptive standards. In every proposal that we send out involving smart SIS with DeltaV SIS, we break out the steps of work in the IEC61511 Safety Life Cycle. There are more than 40 steps we recognize in the portion of the lifecycle normally associated with projects."
Honeywell installed an integrated control and safety system for British Petroleum's Clair offshore platform.
"Honeywell engineers participated in SIL Safety Integrity studies to categorize the safety, environmental and commercial integrity level for every aspect of the platform," explains Coleman. "Honeywell's fire and gas engineers were involved with the EPC contractor and the Topsides 3D model to locate gas detectors, smoke and heat detectors, and fire and gas closed-circuit TV cameras. Abnormal Situation Management (ASM) standards were used in generating the HMI to minimize information displayed to the operator to safely operate the platform. This included an alarm minimization review, in which every alarm in the Clair system was reviewed, and uniquely identified with priority, cause, and remedial action."
Coleman says working with one vendor is a huge benefit. "We don't have two vendors supplying two different interfaces. This helps us avoid unnecessary communications, and makes graphics and displays consistent."
Likewise, a systems integrator can help with installation. "We have folks that are trained in the workings and specifications of SIS systems, but we don't engage in defining these systems, only in executing the plans of the owners," says Cliff Speedy, project engineer at C&I Engineering in Louisville, Ky. "We'll participate in the planning of the systems, but most of the real definition comes either from experts from the corporation or from hired SIS consultants. We've become real experts at estimating and installing these systems, rather than experts at defining them."
Hillman adds that Honeywell also provides services that cover the entire safety lifecycle, or they will help you do it yourself. "Our project engineers and our integration centers are certified to the TÜV international standards," he says. "We're approved by TÜV to train and certify to the safety standards, so end-users can design and install themselves. We host regular training classes, and are listed on the TÜV site as certified trainers. In addition, our development center, factory, and our project engineers are certified."
Siemens does the same. "We offer advanced tools to assist the end user thru all critical phases of the safety lifecycle," says Fialkowski. "We can provide front-end engineering services for HAZOP and SIL validations, we have 'Centers of Excellence' for the oil and gas and chemical industries, and we offer pre-certified safety designs in applications like burner management systems and fire and gas."
Ged Farnaby, North American business development manager for the Safety Solutions Group of ABB, says his company can help, too. "ABB has made it a priority to help customers with safety system implementations, and to ensure our internal compliance for these solutions," he says. "We have numerous certified safety engineers worldwide, as well as dedicated Centers of Excellence for safety. We've worked with our quality and engineering groups to produce a set of guidelines and procedures to ensure that all safety systems are designed and delivered for full compliance to ANSI/ISA 84.00.01 2004 Part 1-3 (IEC 61511-3 Mod)."
In addition, Triconex and Invensys work together to help users. "Triconex and Invensys provide TÜV-certified engineering resources worldwide, which assist in the design, programming, implementation and installation of safety instrumented systems," says Luis Duran of Triconex. "Beyond a stringent quality assurance scheme and best engineering practices, providing qualified personnel in safety matters is particularly important as experienced plant personnel are getting scarce."
Laskowski adds, "In addition to classroom, on-site training, and e-learning courses, Emerson offers courses on SIS at its PlantWeb University online learning center. The courses provide fundamentals and practical tips for SIS planning, selection and implementation, plus information on basic SIS concepts, design and installation, operation and maintenance, safety standard compliance, and new SIS technologies."
It probably would be beneficial to learn as much as you can about SIL, SIS and all the other safety regulations. But if you don't have time, you can turn it all over to your process control vendor.
