Basic Process Control Systems Used for Safety Instrumented Functions
Published by: Oky Febrihantoro on Sep 21, 2013
Copyright:Attribution Non-commercial
Edward M. Marszal
Christopher P. Weil
Kenexis Consulting Corporation
2929 Kenny Road, Suite 225
Columbus, OH 43221
(614) 451-7031
edward.marszal@kenexis.com
christopher.weil@kenexis.com
Since the release of standards defining the proper implementation of safety instrumented systems, there has been a great deal of misunderstanding related to the actual requirements for separation of the Basic Process Control System (BPCS) from the Safety Instrumented System (SIS). This uncertainty has been amplified by proponents on both sides of the issue. One group believes that if the BPCS is designed in accordance with IEC 61508 to the appropriate Safety Integrity Level (SIL), a combined BPCS and SIS is acceptable, and would advocate that this integrated system be considered a "good engineering practice". The other group feels that absolutely no safety functionality should be performed in the BPCS and that an absolute separation of functionality between the BPCS and SIS should be observed. As with any standard that requires interpretation, both camps are right and wrong. There are situations where employing safety functionality in the BPCS is an appropriate decision. This paper will examine some common examples of these situations, and provide nomenclature for future shorthand descriptions of this functionality, including:

- Courtesy Action
- Mimic Action
- BPCS-Only Protective Function
- Pre-Emptive Strike
- Additional (Non-Safety Critical) Inputs

The benefits of combined systems have been extensively promoted. Combined systems are typically composed of an IEC 61508 compliant SIS logic solver that also serves as the BPCS. If a proper risk analysis is performed on these systems, it is very difficult to justify their use. The integrity requirements for combined systems are extremely high because there are failure modes that will simultaneously generate a hazard and also disable multiple protection layers. This paper will demonstrate that for most process plants with typical likelihood, consequences, and risk acceptance criteria, if a combined system were to be used it would require a SIL 5 to SIL 6 rating, which is not currently available or defined by the standards.
This paper will also demonstrate the high level of detail and effort that is required to justify a combined system, which is significantly higher than if separate systems were used.
The Basic Process Control System (BPCS) is responsible for normal operation of the plant and in many instances is used in the first layer of protection against unsafe conditions. Normally, if the BPCS fails to maintain control, alarms will notify operations that human intervention is needed to reestablish control within the specified limits. If the operator is unsuccessful, then other layers of protection, e.g. pressure safety valves, inherently safe process design, or a Safety Instrumented System, need to be in place to bring the process to a safe state and mitigate any hazards.
For this hierarchy to be effective it is critical that each layer of protection be independent or separate. This means that multiple layers (e.g., BPCS and SIS) must not contain common components that in the event of a single failure would disable multiple protection layers. In the case of SIS and BPCS, the traditional design practice of separation would prevent the SIS layer from becoming disabled when the BPCS layer experiences a problem.

Consider the following accident case history where failure of a single component, which was shared by the BPCS and the SIS, resulted in a situation where shutdown was required and simultaneously prevented the safety action from being taken.
In the last five years a US refinery experienced the devastating effects caused by placing a demand on a safety function while simultaneously inhibiting that same safety function. The scenario occurred as follows:

1. The insulation bag around flow transmitter FT-101 becomes displaced and fails to provide proper insulation.
2. Flow transmitter FT-101 taps freeze, also freezing the process variable.
3. FIC-101 set point is lowered.
4. FIC-101 closes FV-101 in an attempt to lower the process variable.
5. FT-101 and FSLL-101 fail to sense the low flow condition because the process variable is frozen in place (literally), and in turn fail to close fuel gas valve XV-102.
6. Heater-101 pass tubes overheat and rupture, causing a large fire and total destruction of the heater.

The elimination of single failures that can disable multiple protection layers has led to many discussions about separation. This reasoning has been a leading factor in the separation of the SIS from the BPCS. Responsible designers and governing bodies have made standards that enforce this separation.
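The following toy model is an added example, not code from the paper or from Kenexis. It walks the FT-101 sequence above with the BPCS (FIC-101) and the SIS (FSLL-101) either sharing the frozen transmitter or the SIS reading its own independent transmitter; the trip point, the 10%-per-step control action, the "flow tracks valve position" process model and the independent transmitter tag are all constructed assumptions.

```python
# Added example (not from the Marszal/Weil paper): a toy model of the FT-101
# accident sequence. FIC-101 and FSLL-101 either share one frozen transmitter
# or the SIS has its own. Trip point, control step and process model are assumed.

LOW_FLOW_TRIP = 20.0  # FSLL-101 trip point (constructed value)


class FlowTransmitter:
    """A transmitter whose impulse taps may freeze, locking the reported value."""

    def __init__(self, tag):
        self.tag = tag
        self.frozen_at = None

    def freeze(self, flow_now):
        self.frozen_at = flow_now  # steps 1-2: insulation lost, taps freeze

    def read(self, true_flow):
        return true_flow if self.frozen_at is None else self.frozen_at


def fic101_step(pv, setpoint, valve_pos):
    """FIC-101: close FV-101 by 10% per step while the PV is above setpoint."""
    return max(0.0, valve_pos - 10.0) if pv > setpoint else valve_pos


def fsll101_demand(pv):
    """FSLL-101: demand to close fuel gas valve XV-102 on low flow."""
    return pv < LOW_FLOW_TRIP


def run_heater_scenario(shared_transmitter, steps=12):
    """Return whether the SIS tripped and the final true pass flow (percent)."""
    ft101 = FlowTransmitter("FT-101")
    # Independent SIS transmitter is an assumed alternative design, not from the paper
    sis_sensor = ft101 if shared_transmitter else FlowTransmitter("FT-101-SIS")
    true_flow, valve_pos = 100.0, 100.0
    ft101.freeze(true_flow)   # PV is now stuck at 100 regardless of real flow
    setpoint = 80.0           # step 3: operator lowers the setpoint
    for _ in range(steps):
        valve_pos = fic101_step(ft101.read(true_flow), setpoint, valve_pos)  # step 4
        true_flow = valve_pos  # constructed process model: flow tracks valve position
        if fsll101_demand(sis_sensor.read(true_flow)):  # step 5: does the SIS see it?
            return {"tripped": True, "true_flow": true_flow}
    return {"tripped": False, "true_flow": true_flow}  # step 6: tubes overheat


if __name__ == "__main__":
    print("shared FT-101:      ", run_heater_scenario(shared_transmitter=True))
    print("independent sensor: ", run_heater_scenario(shared_transmitter=False))
```

With the shared transmitter the controller drives the real flow to zero while the SIS still reads 100 and never trips; with an independent sensor the same BPCS fault still creates the demand, but FSLL-101 sees the real flow and trips.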