Is independence needed for process safety systems?

This review from June 2009 considers the independence needed for process safety systems after the first demonstration of the Foundation Fieldbus (FF) for safety integrated functions (SIFs) at Shell in Amsterdam.

The good thing about discussions on plant safety is that they tend to involve engineers.

In fact, such discussions usually end up with the engineers making the decisions, in contrast to other business management discussions.

The manager responsible for the safety system on a process plant should be the one person who sits outside any pressure from commercial and production management, in so far as that is possible when the business still has to be viable.

If the safety system chosen and used is not adequate and an accident causes damage and injury, there is no longer a plant and there is probably significant compensation to pay; the business is then certainly not viable.

The automation systems of major plants are, quite reasonably, being integrated to include the process-control system, the maintenance management system, the electrical systems, the communications and the security.

Efficient management requires that all the data for a modern business must be accessible on the same system and must efficiently use the same data in order to smooth decision making.

In a new installation, the capital costs can be reduced significantly by planning these systems as integrated systems and reducing wiring, hardware and interfaces.

The major automation contractors encourage this view and will offer the total system, but the question remains as to how far this integration should be extended to include the safety instrumented systems (SIS), such as emergency shutdown systems, fire and gas systems, burner management systems and turbomachinery control systems.

The view of the major automation contractors seems to be that the SIS should be a part of the process-control system and should share the same platform, because this reduces the costs to the end customer of the integration necessary when the SIS is from a separated system.

This recognises that SIS systems are expensive, both in the components used and the engineering involved, and they, therefore, make up a significant part of the total project work and revenue for the contractors.

However, the very integration that apparently saves costs for the customer could be a step too far in reducing the safety system independence and could introduce common modes of failure or commonality between control and SIS logic.

There has to be a separation of design and concept between safety systems and control systems, so that they use different basic approaches to achieve the same result – a safely controlled plant.

The current version of the IEC61508 standard (which could, of course, be modified in subsequent editions) embodies this principle – it states that the ‘safety system shall be independent of the control system’.

This requirement introduces a demand for a safety system source that is independent of, and prepared to work with, the main control system supplier.

Within major automation contractors, the safety systems group has always been separated from the control systems group, but the very integration of systems required by plant management means that the base platforms are moving closer together.

The only real independent supplier is now Hima.

An interesting parallel to this requirement for safety arises in reviewing the integration of systems that might be subject to hackers.

The firewall between the two aspects of such an integrated system has to be considered in the light of concern, particularly in the US, that hackers can penetrate the outer firewall to the control system via external communications interfaces.

The safety system, and its second protective firewall to the control system, have to be unaffected by the penetration and software abilities of that same hacker.

This is always an interesting point for discussion among safety professionals.

In May, four demonstrations were organised to show how FF communications could be used in safety applications.

This followed on from the granting of TÜV Protocol Type Approval for the FF SIS specifications up to SIL3 in 2006.

The main demonstration was hosted by Shell Global Solutions in Amsterdam and, although attended by 15-20 members of the press, they accounted for less than 10 per cent of the audience; the rest were engineers who had come together to discuss the technology.

The working demonstration was shown on a miniature plant system and used a Hima logic solver working with a Yokogawa Centum control system and asset management, as well as field equipment from various manufacturers on the FF segments.

The same general pattern was used for the other sites, with two Aramco demonstration units in Saudi Arabia using Yokogawa and Invensys Triconex logic solvers and BP Gelsenkirchen using a Honeywell safety manager.

Chevron in Houston demonstrated an Emerson DeltaV SIS working alongside a DeltaV asset management system (AMS).

Within the FF SIF demo units, the communications were treated as a black ‘unmonitored’ channel between intelligent devices and the logic solver; there were no peer-to-peer communications.

The apparent Capex advantage of using FF segments is to bring considerable wiring and installation time savings to safety systems, since, at present, all field systems use single-loop-powered 4-20mA communications.

In the Shell demonstration in Amsterdam, Audun Gjerde of Shell Global Solutions conducted the live SIF demo.

Functions demonstrated included high- and low-level trips, the partial stroke testing of valves and a partial stroke test that was interrupted by the ESD.

The last example showed that, even in the middle of a partial stroke test, the ESD could successfully take over and shut down the system during an abnormal situation.

Two-out-of-three voting was demonstrated using various Fieldbus SIF devices.

The system also reacted successfully to a loss of temperature probe, as well as a measurement validation alarm and a diagnostic alarm generated from a dry probe on a level device.
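The behaviours listed above (two-out-of-three voting on trip inputs, a diagnostic or lost probe being handled safely, and an ESD demand taking over from a partial stroke test in progress) can be modelled in a few lines. The following is an added illustration written for this page, not code from Shell, Hima, Yokogawa or the Fieldbus Foundation; the names `Channel`, `vote_2oo3` and `LogicSolver`, the trip limits, the sample readings and the choice to count a bad or lost channel as a trip vote are all assumptions made for the example.

```python
"""Toy model of the safety-logic-solver behaviours described above: 2oo3 voting
on level trips, fail-safe handling of a diagnostic-flagged channel, and an ESD
demand pre-empting an in-progress partial stroke test (PST).

Constructed example; not Shell's, Hima's or the Fieldbus Foundation's code.
The names, trip limits, sample readings and the fail-safe treatment of a bad
channel are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Status(Enum):
    GOOD = "good"   # measurement validated by device diagnostics
    BAD = "bad"     # diagnostic alarm, e.g. dry probe or measurement validation failure


@dataclass
class Channel:
    """One Fieldbus SIF transmitter reading as seen by the logic solver."""
    value: Optional[float]          # None models loss of the probe
    status: Status = Status.GOOD


def channel_demands_trip(ch: Channel, high_limit: float, low_limit: float) -> bool:
    """A channel votes to trip when it is outside limits OR cannot be trusted.
    Counting a bad/lost channel as a trip vote is the fail-safe choice assumed
    here: one failed sensor degrades 2oo3 towards 1oo2 instead of hiding a hazard."""
    if ch.status is Status.BAD or ch.value is None:
        return True
    return ch.value >= high_limit or ch.value <= low_limit


def vote_2oo3(votes: List[bool]) -> bool:
    """Two-out-of-three voting: trip when at least two of three channels demand it."""
    if len(votes) != 3:
        raise ValueError("2oo3 voting needs exactly three channels")
    return sum(votes) >= 2


@dataclass
class LogicSolver:
    high_limit: float
    low_limit: float
    pst_in_progress: bool = False
    valve_position: float = 100.0   # percent open; 0.0 means driven closed by the ESD
    events: List[str] = field(default_factory=list)

    def start_partial_stroke_test(self, travel_pct: float = 10.0) -> None:
        """Move the valve a small fraction to prove it is not stuck, without a process upset."""
        self.pst_in_progress = True
        self.valve_position = 100.0 - travel_pct
        self.events.append(f"PST started, valve at {self.valve_position:.0f}%")

    def finish_partial_stroke_test(self) -> None:
        """Normal end of a PST: return the valve to fully open."""
        if self.pst_in_progress:
            self.valve_position = 100.0
            self.pst_in_progress = False
            self.events.append("PST completed, valve returned to 100%")

    def scan(self, channels: List[Channel]) -> bool:
        """One logic-solver scan: vote the inputs and act on an ESD demand.
        Returns True when the ESD has driven the valve closed."""
        votes = [channel_demands_trip(c, self.high_limit, self.low_limit) for c in channels]
        if vote_2oo3(votes):
            # The ESD demand wins over any test in progress: abort the PST, then close.
            if self.pst_in_progress:
                self.pst_in_progress = False
                self.events.append("PST interrupted by ESD demand")
            self.valve_position = 0.0
            self.events.append(f"ESD trip, votes={votes}")
            return True
        return False


if __name__ == "__main__":
    solver = LogicSolver(high_limit=90.0, low_limit=10.0)
    solver.start_partial_stroke_test()
    # Constructed readings: two transmitters high, one normal -> 2oo3 trips even mid-PST.
    tripped = solver.scan([Channel(95.0), Channel(92.0), Channel(50.0)])
    print(tripped, solver.valve_position, solver.events)
```

The design point worth noticing is in `channel_demands_trip`: a lost or diagnostic-flagged channel is not silently ignored but counted as a demand, so the voting degrades in the safe direction. Whether a real SIS does that, degrades to 1oo2 explicitly, or raises a maintenance alarm and keeps voting on the remaining channels is a design decision for the safety requirements specification; the demo described above only shows that the system reacted to such faults, not how.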

Gjerde said: ‘By implementing Foundation SIF, Shell anticipates less testing of final elements thanks to smart testing and diagnostics, as well as online testing and partial stroke testing.

‘This will result in early detection of dangerous device failures – and fewer spurious plant trips.

‘With smart online testing and diagnostics, we will be able to run for longer periods of time without shutting down the plant for testing purposes.

‘We will also save on the cost of adding a second or third device in many cases.’

Shell Global Solutions has an overall initiative to better utilise FF systems and capabilities to reap Opex benefits, and strongly supports the SIF initiative as a part of this project.

Within Shell, FF is the de facto standard for new builds and the company has 100+ current FF projects involving 200,000 field devices.

To gain Opex benefits, FF must be better utilised: diagnostics and self-checking to improve reliability and availability, and remote monitoring to save operational time and allow reduced manning.

Peter Eigenraam of Shell said: ‘Foundation SIF helps you know you are safe, not think you are safe.’

In addition, Shell sees extension of FF into the SIS functions as a key initiative in gaining these Opex benefits across more of the total input/output (I/O) on a project, since safety systems account for a large portion of the I/O on major projects.

The Saudi Aramco demonstration and field evaluations scheduled for 2009 will use two separate FF-SIF systems from Yokogawa and Invensys Triconex.

The Aramco presentation in Amsterdam was made by John Rezabek, controls specialist at the ISP (ex-BP Chemicals) butanediol plant in Lima, Ohio.

He is an experienced industrial user of FF systems and is also chair of the FF End User Advisory Council.

Rezabek quoted the main reasons for SIF systems as the capability to identify and anticipate failures, the ability to undertake partial and full valve stroking and a reduced manual testing regime.

He said: ‘Foundation Fieldbus SIF makes sense – it delivers real-time diagnostics built in.’

This view is endorsed by Shell, which acknowledged the lead FF offers in delivering diagnostic information.

The company is keen for suppliers to develop further diagnostic capabilities across their installed instrumentation.

Discussions in Amsterdam were under no illusions: the development of FF SIF field transmitters and controllers with good diagnostics, approved for hazardous-area use and then certificated for use in FF-SIF systems, will take at least two to three years, so they cannot be expected until 2011 at the earliest.

However, the demand from end users exists and will mean that these will be developed and implemented.

There are challenges to overcome in incorporating these devices in safety systems, which might involve maintaining the distinct and separate teams of process design and safety system design, negating some of the possible benefits of common engineering standards.

The hardware and software barriers between the systems, such as firewalls, will be the subject of much future discussion; but with open discussions already under way between supplier and user engineers, as demonstrated at Shell in Amsterdam, the objective is set.

One Response

  1. Dear Nick,

    Please do update me on the result done by Saudi Aramco, BP and Chevron.

