Edward M. Marszal and Christopher P. Weil
Kenexis Consulting Corporation
2929 Kenny Road, Suite 225
Columbus, OH 43221
(614) 451-7031
Since the release of standards defining the proper implementation of safety instrumented systems, there has been a great deal of misunderstanding related to the actual requirements for separation of the Basic Process Control System (BPCS) from the Safety Instrumented System (SIS). This uncertainty has been amplified by proponents on both sides of the issue. One group believes that if the BPCS is designed in accordance with IEC 61508 to the appropriate Safety Integrity Level (SIL), a combined BPCS and SIS is acceptable, and would advocate that this integrated system be considered a “good engineering practice”. The other group feels that absolutely no safety functionality should be performed in the BPCS and that an absolute separation of functionality between the BPCS and SIS should be observed. As with any standard that requires interpretation, both camps are right and wrong. There are situations where employing safety functionality in the BPCS is an appropriate decision. This paper will examine some common examples of these situations, and provide nomenclature for future shorthand descriptions of this functionality, including:
• Courtesy Action
• Mimic Action
• BPCS-Only Protective Function
• Pre-Emptive Strike
• Additional (Non-Safety Critical) Inputs
The benefits of combined systems have been extensively promoted. Combined systems are typically composed of an IEC 61508 compliant SIS logic solver that also serves as the BPCS. If a proper risk analysis is performed on these systems, it is very difficult to justify their use. The integrity requirements for combined systems are extremely high because there are failure modes that will simultaneously generate a hazard and also disable multiple protection layers. This paper will demonstrate that for most process plants with typical likelihood, consequences, and risk acceptance criteria, if a combined system were to be used it would require a SIL 5 to SIL 6 rating, which is not currently available or defined by the standards. This paper will also demonstrate the high level of detail and effort that is required to justify a combined system, which is significantly higher than if separate systems were used.
INTRODUCTION

The Basic Process Control System (BPCS) is responsible for normal operation of the plant and in many instances is used in the first layer of protection against unsafe conditions. Normally, if the BPCS fails to maintain control, alarms will notify operations that human intervention is needed to reestablish control within the specified limits. If the operator is unsuccessful, then other layers of protection, e.g. inherently safe process design, pressure safety valves, or a Safety Instrumented System, need to be in place to bring the process to a safe state and mitigate any hazards.

LAYERS OF PROTECTION

For this hierarchy to be effective it is critical that each layer of protection be independent or separate. This means that multiple layers (e.g. BPCS and SIS) must not contain common components that in the event of a single failure would disable multiple protection layers. In the case of SIS and BPCS, the traditional design practice of separation would prevent the SIS layer from becoming disabled when the BPCS layer experiences a problem. Consider the following accident case history where failure of a single component, which was shared by the BPCS and the SIS, resulted in a situation where shutdown was required and simultaneously prevented the safety action from being taken.
In the last five years a US refinery experienced the devastating effects caused by placing a demand on a safety function while simultaneously inhibiting that safety function. The scenario occurred as follows:
1. The insulation bag around flow transmitter FT-101 becomes displaced and fails to provide proper insulation
2. Flow transmitter FT-101 taps freeze, also freezing the process variable
3. FIC-101 set point is lowered
4. FIC-101 closes FV-101 in an attempt to lower the process variable
5. FT-101 and FSLL-101 fail to sense the low flow condition because the process variable is frozen in place (literally), and in turn fail to close fuel gas valve XV-102
6. Heater-101 pass tubes overheat and rupture, causing a large fire and total destruction of the heater

The elimination of single failures that can disable multiple protection layers has led to many discussions about separation. This reasoning has been a leading factor in the separation of the SIS from the BPCS. Responsible designers and governing bodies have made standards that enforce this separation.
OVERLAP OF BPCS AND SIS

A separate SIS minimizes the risk of common cause failures and is the traditional industry standard. Though separation allows for safer operations, it is not without its shortcomings. The SIS has ownership of the necessary and sufficient equipment to execute the required safety instrumented functions to bring the process to a safe state. In many cases the SIS will also have ownership of equipment that is “additional” to the necessary and sufficient equipment. An example is shown below: high temperature in Reactor-102 (indicating a potential runaway reaction) initiates reactant shutdown. The closing of the double block valves is the necessary and sufficient action that must function to bring the reactor to a safe state when a temperature limit is exceeded. The closing of LV-102 is an “additional” action which has no safety consequences but is an action that is good engineering which assists in easy startup.
SIS.e. When LT-102 senses a low level in V-101 the SIS commands XV-102 to close. on command from the SIS. The advancements in technology allowing easy data mapping and networking between the SIS and BPCS have enabled these “additional” functions or actions to be easily implemented. Courtesy Action Action taken by the BPCS on a final element controlled by the BPCS that is in the same service as an SIS final element.The BPCS has ownership of many functions that industry experts would agree should be executed in addition to the safety instrumented functions. the BPCS can not be considered an independent layer of protection because failure of FIC-101 loop could be the initiating event that causes the low level. The risk analysis for the following determined that LT-102. .. but are nonsafety critical. In this case. In this case. a “Courtesy Action” can be accomplished by the BPCS because the final element flow control valve (LV-101) is in the same service as shutoff valve XV-102. Consider the following example. and XV-102 were the necessary and sufficient equipment to mitigate the potential hazard of a low level in V-101 (i. These actions focus on equipment associated with the Safety Instrumented Function (SIF) controlled by the SIS. which then places LIC-101 in manual and 0% output closing LV101. The SIS communicates activation of the shutdown to BPCS. provided 100% of the required risk reduction).
Mimic Action

Action taken by the BPCS to mimic SIS action. In some cases, the BPCS may contain sensors and final elements that are in an identical service to equipment that is utilized by the SIS. Creating a protective function employing these BPCS inputs and outputs is a simple matter of programming. This technique maximizes the effectiveness of existing assets and in some cases can be used as an independent protection layer to “buy down” the integrity requirements of the associated safety instrumented function. In the following example it was determined that PT-102, SIS, and XV-102 were the necessary and sufficient equipment required to mitigate the potential hazard of a low pressure in this service. When PT-102 senses low pressure in this service the SIS commands XV-102 to close. A “Mimic” can also be accomplished by the BPCS because the sensor PT-101 is in the same service as PT-102, and the final element temperature control valve TV-103 is in the same service as shutoff valve XV-102. The BPCS is programmed to mimic the SIS in that when PT-101 senses low pressure in this service, PSLL-101 commands TV-103 to close. This action can also be done simply by having a high signal from PT-101 cause TIC-103 to be placed in manual with 0% output. In many cases, mimic actions may be considered independent protection layers. The BPCS has independent sensors and final elements in the same service as the SIS, performing the same action with no additional equipment required. In this scenario the BPCS mimic might be considered a layer of protection since failure of either PT-101 or the TIC-103 loop would not result in a demand being placed on the system.
BPCS-Only Protective Function

Action taken by the BPCS that has been determined to require a risk reduction of less than SIL 1. Consider a tank overfill protection function for aqueous ammonia. Risk analysis for the following example demonstrated that no SIS is required to reduce the risk of overfill to a tolerable level (i.e. SIL selection results in SIL 0). Since the SIL selection resulted in 0, the user has the flexibility to employ the function in whatever hardware platform is convenient (or even not employ the function at all). Most instances of BPCS-Only protective functions are employed more for convenience to operations than for safety reasons.
SIS. . A “Pre-Emptive Strike” can be accomplished by the BPCS when any 5 of the 50 temperatures in the reactor are greater than set point.Pre-Emptive Strike Action taken by the BPCS to place the process into a safe state prior to the SIS taking action. and closing XV-101 were the necessary and sufficient equipment to mitigate the potential hazard of a high temperature in Reactor101. no BPCS layer of protection can be counted in this example since the failure of TIC102 loop could be the initiating event that causes the high temperature and the final elements that are employed are not separate from the SIS. The BPCS signals the SIS to take the same safety actions as a high temperature in the reactor. In the following ethylene oxide reactor example TT-101A-F. This action may be considered in the SIL selection analysis if failure of the BPCS is not the initiating event that causes the hazard. In this example.
Additional (Non-Safety Critical) Inputs

Inputs to the BPCS initiate shut down actions that are non-safety critical. In some cases, input measurements or process status information contained in the BPCS may indicate that the process should be shut down, for example at the end of a batch. While the BPCS contains the measurements and status information, the valves that need to be moved are often “owned” by the SIS. Consider the following batch operation. A safety function which detects high temperature stops feed to the reactor. Upon completion of the batch, stopping of feed is required prior to removing the reaction products from the vessel. At this phase in the reaction, closure of the feed valves is not a safety critical action. Since the SIS already contains two valves that are capable of stopping the feed flow, a decision is made to utilize the SIS valves, by way of a DCS command, to close the valves at the end of a batch: not for safety reasons, but for convenience. This course of action was selected instead of supplying another separate and dedicated valve for the BPCS.

[Figure: batch reactor R-102 with feed valves XV-101A and XV-101B (FC), solenoids XY-101A/B, instrument air supply (IAS), UY-123, a BATCH COMPLETE signal, temperature transmitters TT-101A/B to the SIS, coolant in and coolant out]

COMBINED SYSTEMS

Industry guidance for separation is abundant, but not always clear. One can argue that the most recent standards allow the use of a combined SIS/BPCS system, if the logic solver used meets the higher requirements of the SIS. While this may seem appropriate, it should not be undertaken without completely understanding the requirements of the standard and the dramatically increased degree of analysis. A number of resources that have published guidance on safety instrumented system design recommend the separation of basic process control systems. Guidelines for Safe Automation of Chemical Processes defines separation as shown below.

Separation – The physical and functional isolation of all hardware and software elements. Physical separation is defined as the requirement that the basic process control function (regulatory control – BPCS) and the safety interlock function¹ (SIS) be performed in different logic solvers. Functional separation is achieved through the elimination of common-mode failures in execution of the BPCS and SIS functions. Some communications may be allowed between separate components as long as no common mode failures can occur. Separation issues should be considered at the early stage of control system conceptual design.

¹ The term safety interlock function was replaced with the term safety instrumented function after the release of ISA 84.01 – 2004 (IEC 61511 – 2002).

The Center for Chemical Process Safety of the American Institute of Chemical Engineers makes the following recommendation. In the process industries, SIS separation from the BPCS is required to ensure that safety and environmental aspects of the SIS are consistent with user, industry, manufacturer, local, national, and international standards and guidelines, because separation will:
• Minimize the effects of human error on the SIS from normal BPCS activities, allowing the PES (programmable electronic system)-based SIS to achieve a level of security and integrity equal to or better than a direct-wired SIS
• Minimize common mode faults (both hardware and software)
• Protect safety system software from unintentional changes, by isolating the PES-based SIS from process control induced programming changes (i.e. in the BPCS)
• Provide access security
• Ensure that SISs are maintained safely and correctly
• Facilitate stand-alone testing and maintenance of the SIS and BPCS
• Ensure security and integrity, programming and maintenance
This may require the separation of BPCS and SIS sensors, final elements, I/O components, and logic solvers. The SIS should have separate identification, documentation, software operating systems, and application programs.

In addition to the guidelines and best practices, the IEC 61508 and IEC 61511 standards have also developed requirements for separation of basic process control and safety. SIS design is typically performed in accordance with ISA 84.01. This standard presents the following requirements.

11.2.2 Where the SIS is to implement both safety and non-safety instrumented function(s) then all the hardware and software shall be treated as safety instrumented function(s) to the highest SIL required by the SIS. If it can be shown that there is adequate independence between the safety instrumented function(s) and non-safety instrumented function(s) (i.e. that the failure of any non-SIF does not cause a dangerous failure in the SIF) then this requirement does not have to be satisfied.
NOTE 1 Wherever practicable, the safety instrumented functions should be separated from the non safety instrumented functions.
NOTE 2 Adequate independence means that neither the failure of any non-safety functions nor the programming access to the non-safety software functions is capable of causing a dangerous failure of the safety instrumented function.

11.2.3 Where the SIS is to implement safety instrumented function(s) of different safety integrity levels then the shared or common hardware and software shall be treated as belonging to the highest safety integrity level unless it can be shown that the safety instrumented functions of lower safety integrity level can not negatively affect the safety instrumented functions of higher safety integrity levels.

11.2.4 If it is intended not to qualify the basic process control system to this standard, then the basic process control system shall be designed to be separate and independent to the extent that the functional integrity of the Safety Instrumented System is not compromised.
NOTE 1 Operating information may be exchanged but should not compromise the functional safety of the SIS.
NOTE 2 Devices of the SIS may also be used for functions of the basic process control system if it can be shown that a failure of the basic process control system does not compromise the safety instrumented functions of the safety instrumented system.

11.2.10 A device used to perform part of a safety instrumented function shall not be used for basic process control purposes, where a failure of that device results in a failure of the basic process control function which causes a demand for the safety instrumented function, unless an analysis has been carried out to confirm that the overall risk is acceptable.
NOTE When a part of the SIS is also used for control purposes and a dangerous failure of the common equipment would cause a demand for the function performed by the SIS then a new risk is introduced. The additional risk is dependent on the dangerous failure rate of the shared component because if the shared component fails a demand will be created immediately that the SIS may not be capable of responding to. For that reason additional analysis will be necessary in these cases to ensure that the dangerous failure rate of the shared equipment is sufficiently low. Sensors and valves are examples of where sharing of equipment with the BPCS is often considered.

The statements shown above, and specifically those drawn from the relevant standards, show a strong preference for separation between SIS and BPCS functions, but can be construed to allow combination of the two types of systems in certain narrow circumstances after a large amount of rigorous, detailed, and expensive analysis. The ISA 84.01 – 2004 (IEC 61511 – 2002) clauses listed above provide clear requirements that must be met when combining BPCS and SIS functionality into the same device. In order to justify the use of a combined BPCS/SIS system, demonstration of the following requirements must be made.
1. The basic process control system is qualified as a safety instrumented system to the highest SIL contained in the logic solver.
2. All shared code or equipment is then designed to the highest SIL that the respective code or equipment is required to meet.
3. Create adequate independence between the safety and non-safety application software code so that the non-safety BPCS application code does not need to be designed and continually tested as though it were a safety function of the highest SIL contained in the logic solver (which is expected to be SIL 3).

An analysis of the ramifications of combined BPCS and SIS is not a trivial task. It must be shown that the hardware and software of each individual SIF and the individual BPCS functions are separated to the greatest degree possible, that BPCS and SIS software code is functionally separated, and that the risk posed by failure of the CPU is tolerably low. In addition, in the experience of the authors, the cost of performing a study can be prohibitively expensive, in some cases greater than the hardware cost. As a result, use of a combined system can not typically be justified on a financial basis (due to the additional cost of study), let alone the problems with justification on a safety basis. The analysis must:
• Ensure that the CPU logic solver is designed to the highest SIL of any functionality that is to be implemented by the logic solver (expected to be SIL 3).
• Confirm that for all SIF there is no single device where failure of that device results in a failure of the basic process control function which causes a demand for the safety instrumented function. This will require that BPCS and SIS functions do not share field equipment (including I/O cards).
• Ensure that the overall risk of scenarios where the BPCS/SIS failure will directly lead to a consequence is sufficiently low.

It was determined that demonstration of the bullet points listed above, which would then demonstrate compliance with relevant sections of the applicable standards, could be performed by completing the following steps.
1. Prepare a list of safety instrumented functions (SIF List) that are to be implemented by the combined control system. The SIF List will contain a description of the action taken by the system along with all inputs and outputs of the function that are safety relevant.
2. Analyze each safety instrumented function. The SIF are reviewed to determine all of the initiating events that can place a demand on the SIF. When BPCS function failures can place a demand on the SIF, recommendations should be prepared and implemented to separate the functions.
3. Demonstrate that equipment which is shared by BPCS and SIS (i.e. the CPU logic solver) is designed to the highest SIL contained in the system (expected to be SIL 3).
4. For each SIF, the field equipment (sensors and final elements) are reviewed to ensure that the BPCS field equipment is completely separate from the SIF field equipment (including I/O cards). If any commonality of equipment is identified, other than the CPU of the logic solver, recommendations should be prepared and implemented to separate the functions.
5. Determine the extent of “shared equipment”, which is only expected to include the logic solver CPU, and quantitatively verify that the risk posed by failure of the “shared equipment” is tolerable. This analysis will require development of a list of all scenarios under which a combination of SIS and BPCS could result in a single failure that will simultaneously create a demand on the SIS and also prevent it from being able to take action. This will be performed by preparing a fault tree analysis that will quantitatively estimate the frequency at which a logic solver CPU will result in an unwanted accident through random hardware failures, simultaneously placing a demand on the SIF and preventing its ability to respond to that demand. This frequency will then be compared against the site’s tolerable risk guidelines.
6. Review the impact of systematic programming failures. Methods to prevent systematic failures by functionally separating logic solver application programming will be presented.

While completion of steps 1 through 6 is possible, there are a number of common situations where the result of the study will show that separation is absolutely essential.
Example of Analysis of Combined System Common Failure

Consider a situation where a combined system is being used to control the temperature in a reaction vessel where the reaction products are prone to a runaway decomposition. As the reaction progresses, the basic process control system slowly increases the amount of cooling water in order to maintain the reactor temperature at its set point. The reactor is also equipped with a SIF that will detect a high temperature in the reactor and stop feed. This situation is shown in the figure below.

[Figure: reactor R-102 with feed valves XV-101A and XV-101B (FC), solenoids XY-101A/B, instrument air supply (IAS), temperature transmitters TT-101A/B to the SIS, coolant in and coolant out, and the cooling water control loop TIC-102 / TT-102]

Traditional layer of protection analysis style SIL selection might yield a requirement of SIL 3 or SIL 2 depending on the effectiveness of pressure relief and other independent protection layers. But in order to justify use of a combined system, an additional analysis is required to ensure that failure of common components will not result in intolerable risk levels. Analysis of the failure modes of combined components, specifically the CPU for this system, will demonstrate that a failure of the CPU which causes the CPU outputs to be ‘frozen’ into position will not only place a demand on the SIS, because the BPCS will not be able to regulate the temperature rise, but will also prevent the SIS from taking action, which will cause an explosion with significant consequences.

If the tolerable risk criteria for the facility that the SIS design is based on was an individual risk of fatality of 1 x 10^-5 per year (which is conservative, but not out of line with industry), and the consequence of this event were 10 or more fatalities, then the tolerable frequency of this accident would be 1 x 10^-6 per year, or about 1 x 10^-10 per hour. If a combined system is to be justified, this failure mode will have to occur at a tolerably low frequency. As described earlier, this frequency is 1 x 10^-10 per hour. If we further assume that a SIL 3 certified logic solver was selected, we can assume that the failure rate achieved by that logic solver will fall into the SIL 3 range. Unfortunately, a failure rate performance of 1 x 10^-10 per hour is so stringent that it falls outside of the defined SIL ranges, and would be equivalent to a SIL 5 or SIL 6, if those levels of performance were defined. In this scenario, use of a combined system can not be justified because the risk posed by the process, considering common equipment failures, is too high.
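The arithmetic of the combined-system screening above, written out as an added example (not code from the paper or from Kenexis): it takes an individual-risk criterion, a consequence size and a logic solver dangerous failure rate, derives the tolerable per-hour frequency for the CPU-freeze scenario, and maps both rates onto IEC 61508 PFH bands. The SIL 1-4 band boundaries are the standard's; the extrapolation to "SIL 5" and beyond and the sample logic solver rate of 3e-8 per hour are assumptions made here to reproduce the paper's reasoning.

```python
"""Tolerable-frequency screening for a combined BPCS/SIS logic solver.

Assumes (as the paper does) that a CPU failure freezing the outputs both
creates the demand and disables the SIF, so every such dangerous failure is
credited as an accident and the CPU's own dangerous failure rate must meet
the tolerable accident frequency by itself.
"""

HOURS_PER_YEAR = 8760
DEFINED_SIL_MAX = 4  # IEC 61508 defines PFH bands for SIL 1-4 only


def pfh_band(sil):
    """[lower, upper) PFH band for a SIL: SIL 1 is [1e-6, 1e-5) per hour,
    one decade per level. Levels above 4 are an extrapolation (assumption)."""
    return 10.0 ** -(sil + 5), 10.0 ** -(sil + 4)


def sil_for_pfh(pfh):
    """Map a required or achieved PFH to a SIL. Returns (sil, defined).
    SIL 0 means the rate is too high to earn any SIL rating; defined is
    False when the level lies below the SIL 4 band the standard stops at."""
    if pfh >= 1e-5:
        return 0, True
    sil = 1
    while pfh < pfh_band(sil)[0]:
        sil += 1
    return sil, sil <= DEFINED_SIL_MAX


def tolerable_accident_frequency(individual_risk_per_year, fatalities):
    """Tolerable frequency of an accident killing `fatalities` people under an
    individual-risk criterion. Returns (per_year, per_hour)."""
    per_year = individual_risk_per_year / fatalities
    return per_year, per_year / HOURS_PER_YEAR


def screen_combined_system(individual_risk_per_year, fatalities, logic_solver_pfh):
    """Compare the tolerable rate for the single-failure scenario against the
    logic solver's dangerous failure rate (no other layer survives the failure)."""
    per_year, required_pfh = tolerable_accident_frequency(individual_risk_per_year, fatalities)
    required_sil, defined = sil_for_pfh(required_pfh)
    achieved_sil, _ = sil_for_pfh(logic_solver_pfh)
    return {
        "tolerable_per_year": per_year,
        "required_pfh": required_pfh,
        "required_sil": required_sil,
        "required_sil_is_defined": defined,
        "achieved_sil": achieved_sil,
        "shortfall_factor": logic_solver_pfh / required_pfh,  # > 1 means not justified
        "justified": logic_solver_pfh <= required_pfh,
    }


if __name__ == "__main__":
    # Paper's criteria: 1e-5/yr individual risk, 10 or more fatalities.
    # 3e-8/h is a constructed value in the middle of the SIL 3 PFH band.
    r = screen_combined_system(1e-5, 10, logic_solver_pfh=3e-8)
    print(f"tolerable: {r['tolerable_per_year']:.1e}/yr = {r['required_pfh']:.2e}/h")
    print(f"required SIL {r['required_sil']} "
          f"(defined by IEC 61508: {r['required_sil_is_defined']})")
    print(f"logic solver is SIL {r['achieved_sil']}; shortfall x{r['shortfall_factor']:.0f}; "
          f"combined system justified: {r['justified']}")
```

Running it with the paper's numbers reports a required level of SIL 5 (undefined) against an achieved SIL 3, a shortfall of a few hundred times, and `justified: False`.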