7.0. Safety Instrumentation

Safety instrumentation systems form an important part of this book. The following discussion gives a glimpse of these systems so that the reader has some idea of them before going through the details in subsequent chapters. After IEC 61508/61511 came into effect, two schools of thought have emerged. One group advocates separation between the BPCS and the SIS. The other group sees nothing wrong in combining the BPCS with safety functions as long as the combination follows IEC 61508/61511 with the appropriate SIL. In reality, it is not a question of right or wrong but of judging the situation, which depends purely on how the stipulations in the standards have been interpreted and implemented. Integrated systems, in which the two are combined, are quite common, and the latest editions of the standards do not forbid them. Before going into complex interpretations, it is better to understand the system. The reader's attention is therefore drawn to Figs. I/7.0-1 and I/7.0-2. These figures focus on the fact that, apart from normal operation of the plant through the BPCS, there are separate SISs so that a single component failure does not endanger plant safety. In Fig. I/7.0-1, normal level control is carried out by the BPCS and there is a separate safety system; even if the BPCS controller fails, the SIS can take the safety measure of blocking the feed, with the help of block valves, to save the system.
Figure I/7.0-1 Safety instrumentation with separate BPCS and SIS.
Figure I/7.0-2 BPCS with various protection layers.
Apart from these safety systems, there are in general other safety measures to be considered to combat emergency situations. Fig. I/7.0-2 shows these probable protection layers:
• Alarm and safety instrumentation: In this figure the alarm and the SIS have been treated as a single layer, but in reality they are treated separately (details are given in subsequent chapters). An independent alarm draws the attention of a human being to take safety action; if the human response fails, the SIS takes automatic action, which may even trip the system/subsystem.
• Mechanical safety such as safety/relief valves, that is, releasing the material safely.
• Physical separation such as dikes or safety walls (containment).
• Last stage, and most important, the emergency plan: escape routes, etc.
From the preceding, it is clear that there can be several stages of protection layers in a plant to meet emergencies. Before going into further detail, it is necessary to understand a few terms and their meanings so that the later discussions can be followed.

7.1. Commonly Used Terms

7.1.1. BPCS

BPCS stands for basic process (plant) control system. This system handles the process controls and monitoring for the process. It takes inputs from the process sensors, processes them according to the control and monitoring strategy fixed at the design stage, and produces outputs for the output devices/final control elements, so that the process behaves according to design. Sometimes it also undertakes safety functions. According to IEC 61511, “BPCS is a key layer of protection which responds to input signals from the process, its associated equipment, other programmable systems and/or operator and generates output signals causing the process and its associated equipment to operate in the desired manner but which does not perform any safety instrumented functions with a claimed SIL ≥ 1.”

7.1.2. SIS

SIS stands for safety instrumented system. An SIS is designed to prevent a hazardous event from happening, or to mitigate it, by taking the process to a safe state whenever predefined or predetermined conditions occur. It is a combination of sensors, logic solvers, and final control elements. In PEs, it consists of both hardware and software. In fact, the emergency shutdown system (though shown separately in Fig. I/7.0-2) is part of the same. An SIS may contain a number of SIFs (defined next).

7.1.3. SIF

SIF stands for safety instrumented function. A SIF consists of a combination of sensors, logic solver, and final control element. The SIF takes the system or process into a safe zone in the event of a hazardous situation/event, which is determined by predefined conditions for the process (see also Clause 8.1 for definitions as per various standards).

7.1.4. Functional Safety

According to ISA, functional safety is “the ability of SIS or other means of risk reduction to carry out the actions necessary to achieve or to maintain a safe state for the process and its associated equipment.” Functional safety in an SIS depends heavily on the proper functioning of the sensors, logic solver, and FCE, so that the reduced risk level can be achieved. In that sense, it also means proper functioning of these components (see also Clause 8.1 for definitions as per various standards).

7.1.5. SIL

SIL stands for safety integrity level. It is a measure of the performance of an SIS and is determined by the PFD of the SIF (SIS). There are four SIL levels, represented by numbers: SIL 1, 2, 3, and 4. The higher the SIL number, the better the performance and the lower the PFD value. With an increase in SIL number, the cost and complexity of the system increase, but the risk level reduces. It is worth noting that an individual component may have a PFD but not a SIL; a SIL is only assigned to a system (SIS). SIL certification can be issued by the company itself (self-certification is allowed) or by another competent authority to indicate that the appropriate procedure, analysis, and calculation have been followed and that the system is compatible for use at the appropriate SIL level. Proof testing and full IEC certification need further discussion, presented later in the book (see also Clause 8.1 for definitions as per various standards).

7.1.6. PFD

PFD is the probability that the SIF/SIS fails to perform its intended safety function when a potentially dangerous condition occurs. PFDavg is normally used in calculations when the system is regularly inspected and tested.
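The relationship between PFDavg, the architecture of each subsystem, and the SIL band of the whole SIF (Sections 7.1.5 and 7.1.6) is easiest to see with numbers. The following Python is an added worked example, not code from the book: it uses the simplified low-demand formulas of IEC 61508-6 (1oo1: λDU·TI/2; 1oo2: (λDU·TI)²/3; 2oo3: (λDU·TI)²), ignores common-cause failures, repair time and diagnostics, and assumes the SIF PFDavg is approximately the sum of the subsystem PFDs. The failure rates, the annual proof-test interval and the subsystem names are constructed for illustration.

```python
"""PFDavg and SIL worked example for one SIF (added illustration, not from the book).

Assumptions: only dangerous undetected failures (lambda_du, per hour) count; they
are revealed only by the periodic proof test (interval ti, hours); common-cause
failures, repair time and diagnostics are ignored; subsystem PFDs are small
enough that the SIF PFDavg is approximately their sum.
"""

# IEC 61508 low-demand SIL bands: SIL -> (PFDavg lower bound, upper bound).
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


def pfd_avg(lambda_du, ti, architecture="1oo1"):
    """Average PFD of one subsystem (sensor, logic solver or FCE) for the given voting."""
    x = lambda_du * ti  # expected dangerous undetected failures per test interval
    if x >= 1.0:
        raise ValueError("lambda_du * ti must be much smaller than 1 for these formulas")
    formulas = {
        "1oo1": x / 2,      # single channel
        "1oo2": x * x / 3,  # either of two channels can act
        "2oo3": x * x,      # two of three must agree
    }
    try:
        return formulas[architecture]
    except KeyError:
        raise ValueError(f"unsupported architecture {architecture!r}") from None


def sil_from_pfd(pfd):
    """Return the SIL band a SIF PFDavg falls in; 0 means no SIL claim is possible."""
    if pfd < SIL_BANDS[4][0]:
        return 4  # below the SIL 4 band; no higher level exists
    for sil, (low, high) in SIL_BANDS.items():
        if low <= pfd < high:
            return sil
    return 0


def sif_pfd(subsystems):
    """subsystems: list of (lambda_du, ti, architecture). Returns (total, per-subsystem list)."""
    parts = [pfd_avg(*s) for s in subsystems]
    return sum(parts), parts


def worked_example():
    """Constructed figures: annual proof test (8760 h) and illustrative lambda_du values.

    Walks through three design steps and reports, for each, the SIF PFDavg, its SIL
    band and which subsystem contributes most (the weakest link that sets the SIL).
    """
    ti = 8760.0
    sensor, logic, valve = 2e-7, 5e-8, 1e-6  # constructed lambda_du per hour
    steps = {
        "all 1oo1": [(sensor, ti, "1oo1"), (logic, ti, "1oo1"), (valve, ti, "1oo1")],
        "valve 1oo2": [(sensor, ti, "1oo1"), (logic, ti, "1oo1"), (valve, ti, "1oo2")],
        "valve 1oo2, sensor 2oo3": [(sensor, ti, "2oo3"), (logic, ti, "1oo1"), (valve, ti, "1oo2")],
    }
    results = {}
    for name, subsystems in steps.items():
        total, parts = sif_pfd(subsystems)
        dominant = ("sensor", "logic solver", "FCE")[parts.index(max(parts))]
        results[name] = {"pfd": total, "sil": sil_from_pfd(total), "dominant": dominant}
    return results


if __name__ == "__main__":
    for name, r in worked_example().items():
        print(f"{name:26s} PFDavg={r['pfd']:.2e}  SIL {r['sil']}  weakest: {r['dominant']}")
```

Running it shows the point made in Section 7.1.5: each subsystem has a PFD, but the SIL belongs to the whole SIF, and it is set by the weakest subsystem. With everything 1oo1 the valve dominates and the SIF sits in SIL 2; making the valve 1oo2 shifts the weakest link to the sensor but leaves the SIF in SIL 2; only after the sensor goes 2oo3 does the SIF reach the SIL 3 band.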

7.1.7. MTBF

MTBF stands for mean time between failures. It is defined as the inverse of the failure rate; more precisely, it is the inverse of the failure rate minus the mean time to repair (MTTR). If MTTR is small, then MTBF = 1/(failure rate).

7.1.8. SIS Implementation

As per ANSI/ISA 84 and IEC 61511, there shall be a multidisciplinary approach that follows the life cycle analysis and PHA before implementing an SIS. So, SIS implementation requires all of the above activities to be performed. Fire and gas systems, which automatically initiate process actions for mitigation and take the system to a safe state, are natural SISs.

7.2. Control Objective and Layers of Protections

All processes, whatever the application, and all plants face major challenges at all times. Therefore, there shall be a suitable control system that is able to keep the system running with minimum unwanted downtime. Control systems are thus designed to meet a number of well-defined objectives.

7.2.1. Control Objectives

Control objectives shall include, but are not limited to, the following:
• Overall safety, comprising safety of personnel, equipment, environment, etc.
• Smooth and well-controlled operation of the plant, maintaining product quality at the desired productivity level with profitability.
• Monitoring, performance calculation, system diagnostics, etc.
• Response limited mainly to continuing operation without harm.
• Ability to manage multiple risks and face emergency situations gracefully.
To meet all these requirements as per the relevant standards, there shall be several layers of protection in the system so that no single failure can affect the process.

7.2.2. Layers of Protections

As shown in Fig. I/7.0-2, there are five layers of protection. In that drawing one layer of protection, the “alarm”, is missing. This has been done purposely to indicate that an alarm may be a layer of protection but is dependent on human intervention. These protection layers are:
• BPCS: Process control (PIDs), interlocks for safety-related variables, monitoring of miscellaneous variables (especially corrosion, material build-up, etc.), and a safe response to instrumentation failure. It consists of sensors, logic solver, and final control elements.
• Alarm system: An alarm is like a wake-up call! Manual intervention is desired; no automatic action is taken except alarm generation. Alarm storage and management could be part of the overall control system. Alarm systems may or may not use common instruments but should be independent. Alarm systems also generate alarms for instrument and/or system failure, for example, transmitter failure or a system diagnostic alarm. The alarm system keeps the operator alert to hazards to people, equipment, and the environment, and calls for human action. It is the first layer of protection beyond the BPCS (only manual intervention is necessary, hence it is not free from the possibility of human error; too many alarms may make the situation graver), acting just before the SIS becomes active, for example, a pre-trip alarm.
• SIS: This is the first automatic protection layer beyond the BPCS and the second overall layer of protection. It is desirable that it be independent of the BPCS. Even if the two are combined, it is necessary to ensure that a single failure does not take its toll on safety. The SIS may stop part of the plant operation and/or divert some flow safely, etc. It may have a separate set of instrumentation to detect instrument/system failure and take safety action. It has to be more aggressive than the BPCS for safety functions. Under the SIS there will be several interlocks and protections to save the system, and in many places, such as offshore designs, ESD is considered the last resort or emergency plan achievable through PEs.
• Diversion of flow safely: All the systems discussed above are electronic systems requiring power. As the next layer of protection there are mechanical devices (requiring no power, to cover power-failure situations) to divert the flow safely. Safety and relief valves are used to depressurize when the SIS fails to take care of the situation (e.g., due to control power failure). A pressure relief valve diverts the fluid to a safe passage. These relief valves are spring-loaded to close, so that when the pressure is below the setting they remain closed. In many cases rupture discs are used, but then the system needs to be shut down to attend to the disc. To a certain extent the quartz bulb in a sprinkler system performs the same function.
• Containment: In many cases the hazard is not allowed to propagate, hence containment functions are used. In these cases the materials or hazardous events are not allowed to reach workers, etc. Dikes, safety walls, etc., are examples.
• Emergency plan: This is to meet hazardous events so that people are not harmed. Fire fighting, evacuation, and escape routes are examples. So far as instrumentation is concerned, ESD could be considered an emergency plan achieved through PEs; hence in this book ESD is often referred to as the last resort. The reader should keep in mind, however, that ESD belongs to the SIS.

7.3. SIS Boundary and Layout

An SIS, like a BPCS, consists of sensors, final control elements, and a logic solver. The sensors and final control elements interface with the logic solver through its input and output processing sections; the logic solver could be a programmable electronic device (say, a PLC), as shown in Fig. I/7.3-1. In this diagram, the user interface and the interface with the BPCS are shown through a communication bus. It is interesting to note that there could be a separate BPCS and SIS, but the two could also be integrated as long as they meet the requirements of standards such as IEC 61508/61511 or ANSI/ISA 84. In view of this, the BPCS has been shown dotted in the drawing, meaning that integration is possible.
Figure I/7.3-1 SIS boundary and layout.
The double box around the SIS signifies the SIS protection layer boundary. It also signifies that even when the SIS and BPCS are separate, there could be communication and a user interface between them to a certain extent.

7.4. SIS Related Issues

In this part, a short discussion is presented on a few major issues that affect the SIS selection process. Before starting, it is better to understand that each plant will have its own unique problems/hazards, and the solution shall be specific to the plant. This is all the more so when operational criticality, financing power, etc., vary from plant to plant; a solution for one plant may not be fully acceptable for another. Also, in some cases there are too many options with large variations among them, and it is very difficult to judge which one will be better for one's application. This is not like purchasing a mobile phone from a myriad of possibilities, which can be replaced the next day. In selecting an SIS for a plant, not only cost but also lives are involved. So it is definitely better to follow some guidelines so that a few common important issues are well covered and the selection is a standard one meeting the requirements of the standards. The discussion below pertains to the E/E/PEs involved in an SIS.

7.4.1. Hardware Issues

There are a number of issues involved in selecting hardware for the PEs in an SIS. Some of these are listed below:
• Redundancy: Only where uptime is not critical, or where the system can wait, may redundancy be left out. In all other cases, unless there is an extreme cost constraint, redundancy is considered. For sensors, 1oo2 or 2oo3 redundancy is considered depending on criticality. The situation is similar for FCEs in critical applications. Whenever a redundant FCE/FE is provided, the redundant FCE/FE follows the active one so that in case of changeover it takes over immediately. This is explained with the help of an example: the hydraulic coupling scoop tube of a boiler feed pump (BFP) is used to control the BFP speed, i.e., the feed flow. The standby BFP's scoop tube follows that of the running BFP, so that in case of changeover it takes over immediately and the boiler does not starve. Here another question arises: if auto selection fails, how are the healthy ones selected? For processors and I/Os the selection of redundancy is more critical. The issues involved (mainly for logic solvers) shall include, but are not limited to, the following:
How will the outputs from the processors be handled: by hi/lo selection, or by voting? The situation is similar for I/Os, e.g., by diode auctioneering.
In the case of processors, how will the output be inhibited, and when should this be used?
Will these be in dual-redundant mode, one active and the other passive but always updated, so that changeover can take place without a bump in the system? If so, all modules associated with the redundant one will be in service; then what happens if any module fails? Also, in case of a difference between the two, how is it decided which one is correct and healthy?
Similarly, in hot-standby mode, how is the health of the two processors diagnosed? It is better to use a third system to monitor the health of the other processors.
Going this way, how much redundancy is to be involved, even with self or other diagnostics; is it possible to have 100% diagnostic coverage in all cases? In such cases the system design shall be such that there is a graceful shutdown in most (it cannot be foolproof in all) cases.
The issue is not very different with 2oo3, because on one failure that channel is voted out, but when two fail the situation is similar. However, it is clear from the discussion that triplication is the better option. TMR could be a better solution for critical applications, as it offers better fault tolerance. See Fig. I/6.1.2-1.
• Special size considerations: This is very important for offshore applications, where the aim is always to reduce the size and weight of the vessel. With too much redundancy there will be an appreciable increase in volume and weight, so in these applications due consideration must be given to it. Similarly, due consideration is necessary for leaving behind spare modules and spare slots with wiring. Flexibility: most systems have parts at different SIL levels. However, it is better to use the same level of redundancy for all cases, so it is guided by the redundancy demand of the higher SIL.
• Environmental impact: Some C&I items can be placed in the field, whereas for others it is not possible. When items are placed in the field, wiring involvement and complexity will be less. For field-mounted devices, the capability to withstand a harsh atmosphere needs to be evaluated along with EMI effects, etc. Here the enclosure IP class plays an important role, so that the devices can be used for a long time in the field atmosphere. In hazardous areas of the plant, another thing to be considered is a suitable explosion-proof enclosure, as applicable. On the other hand, if a device is placed indoors such requirements may be less, and IS or other means (e.g., an isolator) can be used. So cost-effectiveness is to be compared (e.g., it is always cheaper to go for an FM-approved field transmitter than to use an IS circuit).
• Third-party system integration: This is basically a software requirement but is mentioned here because in many cases it is necessary to share data between systems from different vendors. If these were hardwired connections there would be a lot of cabling and complex wiring, which may not be acceptable in all cases (especially offshore applications). So it is important to select a system that has such a facility. System integration in an SIS is acceptable as long as it meets the requirements of the standards.
• Miscellaneous issues: A few issues such as scan time, I/O redundancy, I/O distribution, etc., also need attention. These will be discussed at length later in the book.
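The redundancy questions above (voting versus hi/lo selection, what happens when one channel is voted out, why 2oo3 tolerates more than 1oo2) can be made concrete with a small voter. The following Python is an added example, not code from the book or any vendor: it models each channel as a trip demand plus a diagnostic "healthy" flag, votes MooN over the healthy channels, and degrades the scheme in the fail-safe direction (2oo3 to 1oo2 to 1oo1, and trips outright when no healthy channel remains). That degradation rule, the channel tags (PT-1 to PT-3), the analog readings and the high-pressure-trip scenarios are all assumptions constructed for illustration.

```python
"""Voting and signal selection for redundant SIS channels (added illustration).

Assumptions (not from the book): a channel has a boolean trip demand and a
diagnostic "healthy" flag; a channel with a diagnosed fault is voted out and the
scheme degrades in the fail-safe direction (2oo3 -> 1oo2 -> 1oo1 -> trip).
"""
from dataclasses import dataclass
from statistics import median


@dataclass
class Channel:
    name: str
    demand: bool          # True = this channel sees the trip condition
    healthy: bool = True  # False = diagnostics flagged the channel (e.g. out-of-range transmitter)


def vote(channels, m, n):
    """MooN vote: trip if at least m of the n channels demand a trip.

    Channels with a diagnosed fault are voted out.  For every channel voted out the
    scheme degrades by one, (m-1)oo(n-1), never below 1oo1; if no healthy channel
    remains the logic solver trips (fail-safe).  Returns (trip, scheme_used).
    """
    if len(channels) != n:
        raise ValueError(f"expected {n} channels, got {len(channels)}")
    healthy = [c for c in channels if c.healthy]
    if not healthy:
        return True, "fail-safe trip (all channels faulted)"
    faulted = n - len(healthy)
    m_eff = max(1, m - faulted)
    demands = sum(1 for c in healthy if c.demand)
    return demands >= m_eff, f"{m_eff}oo{len(healthy)}"


def select_signal(values, mode):
    """Select one analog value from redundant transmitters.

    'high' / 'low' selection picks the most conservative reading for a high / low
    trip; 'median' (typical with 2oo3 transmitters) rejects a single wild reading.
    """
    if mode == "high":
        return max(values)
    if mode == "low":
        return min(values)
    if mode == "median":
        return median(values)
    raise ValueError(f"unsupported selection mode {mode!r}")


def scenarios():
    """Constructed cases for a 2oo3 high-pressure trip; returns {name: (trip, scheme)}."""
    cases = {
        "all three see demand": [Channel("PT-1", True), Channel("PT-2", True), Channel("PT-3", True)],
        "one stuck low, undetected": [Channel("PT-1", False), Channel("PT-2", True), Channel("PT-3", True)],
        "one spurious, others normal": [Channel("PT-1", True), Channel("PT-2", False), Channel("PT-3", False)],
        "one diagnosed fault, one demand": [Channel("PT-1", False, False), Channel("PT-2", True), Channel("PT-3", False)],
        "two diagnosed faults, survivor normal": [Channel("PT-1", False, False), Channel("PT-2", False, False), Channel("PT-3", False)],
        "all diagnosed faulted": [Channel("PT-1", False, False), Channel("PT-2", False, False), Channel("PT-3", False, False)],
    }
    return {name: vote(chs, 2, 3) for name, chs in cases.items()}


if __name__ == "__main__":
    for name, (trip, scheme) in scenarios().items():
        print(f"{name:40s} trip={trip!s:5s} via {scheme}")
    print("2oo3 median of [10.0, 10.2, 55.0] ->", select_signal([10.0, 10.2, 55.0], "median"))
```

The contrast worth noticing is the "one spurious" case: under 2oo3 it does not trip, whereas the same two channels under 1oo2 would, which is the availability argument for triplication made in the text. The single-undetected-stuck-low case still trips, which is the safety argument. How a real logic solver degrades on a diagnosed fault (to 1oo2 as here, or to 2oo2) is a configuration decision, and the assumption made here favours safety over availability.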

7.4.2. Software Issues

There are certain guidelines in IEC 61511/61508 that need to be followed:
• Programming language: As IEC 61511 allows ladder logic, function block diagram, instruction list, structured text, and sequential function chart, the vendor must support these (at least the one that is to be followed). Cause-and-effect matrices are very good for F&G, with certain advantages, but may not be usable for complex systems. So, based on the application, the appropriate language is to be chosen, and it should be verified that the vendor supports it.
• Ease of programming and configuration of the system is one of the keys for system selection. PLCs in an SIS also have some restrictions, so these should be spelled out, and while selecting the vendor a demonstration showing ease and flexibility of configuration will be advantageous.
• Safety and security: Since the system is meant for SIS, it must have enough diagnostic features to detect any probable failure at an early stage. The system shall also have the capability to recover from such errors as far as possible and/or change over to the redundant system to ensure safe operation. In this regard, the redundancy issue has already been discussed. Many systems offer some sense of redundancy in software also, meaning that it is possible to take the system to a safe state in case of a program crash, etc. (somewhat like starting a computer in safe mode). There shall be sufficient built-in security to protect the system from cyber attack. There shall also be several levels of access control so that software tampering/change is not easy and requires authentication.
• Online change registering: It shall be possible to change the program online and load it to the system online without degradation and without bypassing any safety shutdown. This is very useful in practice, so that many systems can be added or deleted.
• Force operation: In most vendors' systems it is possible to force I/Os during commissioning and maintenance. However, this can be done only by an authorized person, and the operation must be carried out in a safe condition.
• Integration of fieldbus and other systems: As stated in connection with hardware, there should be suitable provisions for integrating various fieldbus systems, OPC, etc., so that an integrated network is possible [for further reading see Chapter VII of Power Plant Instrumentation and Control Handbook, Elsevier].
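The three software requirements above that concern access (several access levels with authentication, online changes that never bypass a safety shutdown, and forcing I/O only by an authorized person while the plant is in a safe condition) fit together as one small authorization model. The following Python is an added example, not code from the book or any vendor's logic solver: it assumes three access levels, an explicit per-loop maintenance-bypass state that the plant sets before forcing is permitted, a refusal to return a loop to service while forces remain on it, and an append-only audit trail of every attempt, allowed or denied. Authentication itself is assumed to have happened already (the functions receive an authenticated session), and the tags, loop names and user names are constructed.

```python
"""Access levels, safe-state precondition and audit trail for force / online change
on an SIS logic solver (added illustration, not from the book or any vendor).

Assumptions: three access levels; forcing an I/O point is permitted only for a
loop the plant has placed in maintenance bypass; a loop cannot leave bypass while
forces remain on it; an online change is rejected if it would bypass a safety
shutdown; every attempt, allowed or denied, is logged.  Authentication is assumed
to have happened already (we receive an authenticated Session).
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    OPERATOR = 1     # view process values, acknowledge alarms
    MAINTENANCE = 2  # force I/O during commissioning and maintenance
    ENGINEER = 3     # change the application program online


REQUIRED_LEVEL = {
    "view": Level.OPERATOR,
    "force_io": Level.MAINTENANCE,
    "online_change": Level.ENGINEER,
}


@dataclass(frozen=True)
class Session:
    user: str
    level: Level


@dataclass
class LogicSolver:
    loops_in_bypass: set = field(default_factory=set)  # loops authorised for maintenance
    forces: dict = field(default_factory=dict)         # tag -> (loop, forced value)
    audit: list = field(default_factory=list)          # append-only record of attempts

    def _record(self, session, action, target, allowed, reason):
        """Every attempt is logged with who, what, and the outcome; returns (allowed, reason)."""
        self.audit.append((session.user, int(session.level), action, target, allowed, reason))
        return allowed, reason

    def _authorised(self, session, action):
        return session.level >= REQUIRED_LEVEL[action]

    def force_io(self, session, tag, loop, value):
        """Force a point: needs MAINTENANCE level and the loop in maintenance bypass."""
        if not self._authorised(session, "force_io"):
            return self._record(session, "force_io", tag, False, "insufficient access level")
        if loop not in self.loops_in_bypass:
            return self._record(session, "force_io", tag, False, f"loop {loop} not in maintenance bypass")
        self.forces[tag] = (loop, value)
        return self._record(session, "force_io", tag, True, "forced")

    def clear_force(self, session, tag):
        if not self._authorised(session, "force_io"):
            return self._record(session, "clear_force", tag, False, "insufficient access level")
        self.forces.pop(tag, None)
        return self._record(session, "clear_force", tag, True, "force removed")

    def end_bypass(self, session, loop):
        """Return a loop to service; refused while any force on that loop is still active."""
        if not self._authorised(session, "force_io"):
            return self._record(session, "end_bypass", loop, False, "insufficient access level")
        left = [tag for tag, (lp, _) in self.forces.items() if lp == loop]
        if left:
            return self._record(session, "end_bypass", loop, False, f"forces still active: {left}")
        self.loops_in_bypass.discard(loop)
        return self._record(session, "end_bypass", loop, True, "loop back in service")

    def online_change(self, session, change_id, disables_shutdown):
        """Load a program change online; refused if it would bypass a safety shutdown."""
        if not self._authorised(session, "online_change"):
            return self._record(session, "online_change", change_id, False, "insufficient access level")
        if disables_shutdown:
            return self._record(session, "online_change", change_id, False, "change would bypass a safety shutdown")
        return self._record(session, "online_change", change_id, True, "loaded online")

    def active_forces(self):
        return dict(self.forces)
```

The two checks that matter most are the ones that do not depend on who the user is: a force is refused unless the loop is already in maintenance bypass, and the loop cannot come out of bypass while a force is still applied, so a forgotten force cannot silently disable a trip once the plant is back in normal operation. The audit record of denied attempts is what lets a reviewer later see who tried to do what.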

7.4.3. Company Issues

This is not a purely technical issue; it is related to confidence and relationships. As stated earlier, there is a wide selection of vendors offering different technologies to achieve the same goal. How does one choose? Many times people forget that even an experienced person working in a plant may not find a better solution to a problem in his plant, but one vendor can! This happens because the vendor normally knows his system better. The reverse is also true at times. So it is necessary that both work as a team.
• Knowledge sharing: Frankly speaking, dealing with SIS requires good experience and exposure to good engineering practices. The vendor should be chosen such that it knows both its system and the application of its product in the plant in question. Reputed manufacturers have an advantage here, as they have a good data bank of applications, which could help the plant owner to get better solutions.
• New technology: It is always better to go for a new technology so that the chance of obsolescence is less. Here there is a key question: if a plant comprises several sections built in “X” technology/system, is it worth going for a new section with a new technology/system? It has one advantage, that people get a chance for early familiarization. However, there are a few problems: for a new system a spare inventory needs to be kept, and/or there could be compatibility problems. Also, if a totally new vendor is selected then, in addition to the first two issues discussed, confidence-building will be another issue. However, if the existing system discards some technology and adopts a new one, and the vendor is trusted, then it may be a wise decision to go for it to ensure future support (as support for old technology may be withdrawn). The withdrawal of Windows XP support for PCs is a classic example.
• Post-ordering support: Necessary post-ordering support (technical and administrative) is absolutely essential, so this must be taken into consideration in vendor selection. Many times large vendors give support through local representatives or local companies which may not be in a position to render enough technical support. Remote operation by a big vendor in such cases may finally prove costly.
After these short discussions on SIS, it will be useful to know what functional safety and safety integrity level are.