How history, principles and standards led to the safety PLC Article 1
The process industries often deal with large quantities of flammable, explosive and hazardous chemicals, and they have a long history of incidents resulting in lost lives, lasting injuries and environmental as well as property damage. Experiences gained from these have led to the use of safety instrumented systems (SIS), whose sole purpose is to maintain plants in a safe condition. SISs have evolved over time, and numerous safety-related standards have been written to specify their design and implementation (Figure 1).
Safety instrumentation is not exclusively an instrument and control engineering subject. Successful implementation of an SIS project depends on knowledge of other disciplines, as well as a well-defined safety management system within the company. Without proper support structures and a good understanding by all involved in defining safety requirements, safety instrumentation on its own will be unlikely to deliver the levels of safety expected of it.
SISs are control systems that take the process to a safe state on detection of conditions that may be hazardous in themselves, or if no action were taken, could eventually give rise to a hazard. SISs perform safety instrumented functions (SIF) by acting to prevent the hazard or mitigate its consequences. Alternative names for an SIS include trip and alarm system, emergency shutdown system, safety shutdown system, safety interlock system and safety-related control system.
Note that the SIS is designed to be a separate control system that acts independently of any other controls or personnel, such as the basic process control systems (BPCS) or fire and gas (F&G) system (Figure 2).
SISs are normally regarded as being structured in three parts: sensors that measure process variables, detect hazardous atmospheres and determine the online condition of process equipment; a logic solver that evaluates the plant conditions, makes decisions and outputs signals; and actuators that execute the required actions. SISs also have interfaces to users and to other control systems for sending shutdown and safety commands.
The degree of confidence that can be placed in the reliability of the SIS to perform its intended safety function is known as its safety integrity. The concept of safety integrity includes all aspects of a safety system needed to ensure it does its job. One of these aspects will be hardware reliability and the way it responds under all conditions. Other aspects include the accuracy of the design and the level of understanding of the hazards that went into the design.
Safety system engineers recognize it's helpful to grade safety integrity into four distinct bands of risk reduction capability known as safety integrity levels (SIL). Figure 3 shows how four SILs are recognized and how these levels encompass four ranges of risk reduction factor (RRF) capability. The required RRF provides a scale of performance for the ability of a safety system to reduce risk. We can use RRF as a measure of safety integrity.
The safety requirements of the application determine the SIL that must be met by the entire system. It follows from the structure of the SIS that all three subsystems must individually be good enough to ensure that overall safety integrity meets the intended SIL. This is a useful concept because it means we can concentrate on each subsystem separately at the basic engineering stage.
The SIL 1 safety system is the most commonly used, and provides risk reduction in the range from 10:1 to 100:1. In the process industries, the highest SIL rating normally used is SIL 3. SIL 4 is only used under very special circumstances such as nuclear plants. SILs 1 to 3 represent a coarse scale of safety performance for the SIS. The challenge is to specify the right SIL for any particular problem.
The SIL is chosen based on the required level of risk reduction, but the SIS is only one layer in the plant’s total risk reduction strategy. This strategy can be fully described by a layer of protection analysis (LOPA) where each of a number of safety measures work together to prevent potential incidents (Figure 4). Protection layers can be divided into two main types: prevention layers that try to stop the hazardous event from occurring, and mitigation layers that reduce the consequences after the hazardous event occurs (Figure 5). Examples of prevention layers include:
Plant design: Plants should be designed as far as possible to be inherently safe. This is the first step in safety, and techniques such as using low-pressure designs and low inventories are obviously the most desirable route to follow wherever possible.
Process control and work procedures: The control system and the working procedures for operators play a role in providing a safety layer, since they try to keep the machinery or process within safe bounds. However, their contribution to plant safety is limited and is sometimes overrated.
Alarm systems: These have a very close relationship to the SIS but don't have the same function. Alarms are provided to draw the attention of operators to a condition that is outside the desired range of conditions for normal operation. Such conditions require some decision or intervention. Where this intervention affects safety, the limitations of human operators have to be allowed for.
Mechanical or non-SIS protection layers: A large amount of protection against hazards can often be performed by mechanical safety devices such as relief valves or overflow devices. These are independent layers of protection and play an important role in many protection schemes.
Shutdown systems: The SIS provides a safety layer by taking automatic and independent action to protect personnel and plant equipment against potentially serious harm. The SIS doesn't require a response from an operator.
Using more than one method of protection is generally the most successful way of reducing risk. The idea of protection layers and successive risk reduction is only valid if the layers are fully independent of each other. It assumes that if one layer fails, the other layers will still do the job. If there's a possibility that two or more layers could fail at the same time because they share equipment, a power supply or a single initiating cause, the assumptions become invalid and the protection systems are said to be subject to a common cause failure.
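The SIL bands, the RRF scale and the LOPA layer arithmetic described above can be made concrete with a small calculation. The following is a worked example added to this article; it is not code from the original, from the IEC standards or from any vendor. It assumes low-demand mode (each layer is credited by its average probability of failure on demand, PFDavg, with RRF = 1/PFDavg), the IEC 61508 low-demand SIL bands (SIL 1: RRF 10 to 100, SIL 2: 100 to 1,000, SIL 3: 1,000 to 10,000, SIL 4: 10,000 to 100,000), and the initiating-event frequency, tolerable frequency, layer PFDs and tag names (PT-101, PT-102, PSV-101) are constructed sample values, not data from any real plant. The common-cause check is the part practitioners most often get wrong: a layer that shares equipment with the initiating event or with a layer already credited is dropped rather than multiplied in.

```python
"""LOPA-style SIL selection for one hazard scenario (added worked example).

Illustrative code written for this article, not from the standards or any plant.
Assumptions: low-demand mode (RRF = 1 / PFDavg), IEC 61508 low-demand SIL bands,
and constructed sample frequencies, PFDs and tag names.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# (SIL, lower RRF inclusive, upper RRF exclusive) per the IEC 61508 low-demand table
SIL_BANDS = [
    (1, 1e1, 1e2),
    (2, 1e2, 1e3),
    (3, 1e3, 1e4),
    (4, 1e4, 1e5),
]


@dataclass(frozen=True)
class Layer:
    name: str
    pfd: float                  # PFDavg claimed for this protection layer
    depends_on: FrozenSet[str]  # equipment/tags whose failure would defeat the layer


def credit_independent(layers: List[Layer], initiating_uses: FrozenSet[str]) -> List[Layer]:
    """Return only the layers that may be credited as independent protection layers.

    A layer is dropped if it shares equipment with the initiating event or with a
    layer already credited: one common-cause failure would then remove two layers
    at once, which invalidates multiplying their PFDs together.
    """
    credited: List[Layer] = []
    in_use = set(initiating_uses)
    for layer in layers:
        if layer.depends_on & in_use:
            continue  # not independent: no LOPA credit
        credited.append(layer)
        in_use |= layer.depends_on
    return credited


def mitigated_frequency(initiating_freq: float, layers: List[Layer]) -> float:
    """Frequency (per year) of the hazardous event after the credited layers act."""
    f = initiating_freq
    for layer in layers:
        f *= layer.pfd
    return f


def required_rrf(initiating_freq: float, tolerable_freq: float, layers: List[Layer]) -> float:
    """RRF the SIS must deliver so the residual frequency meets the tolerable target."""
    residual = mitigated_frequency(initiating_freq, layers)
    return max(residual / tolerable_freq, 1.0)


def sil_for_rrf(rrf: float) -> Optional[int]:
    """Map a required RRF to a SIL; None if below SIL 1 (no SIF needed) or above SIL 4."""
    for sil, lo, hi in SIL_BANDS:
        if lo <= rrf < hi:
            return sil
    return None  # rrf < 10: no SIF required; rrf >= 1e5: beyond SIL 4, redesign the process


def worked_example() -> dict:
    # Constructed scenario: the BPCS pressure loop on transmitter PT-101 fails high,
    # leading to vessel overpressure. Sample numbers only.
    initiating_freq = 0.5     # failures per year of the BPCS loop (sample)
    tolerable_freq = 1e-6     # tolerable frequency of the consequence per year (sample)
    initiating_uses = frozenset({"PT-101", "BPCS"})
    claimed = [
        Layer("Relief valve PSV-101", 0.01, frozenset({"PSV-101"})),
        # alarm on its own transmitter PT-102, operator responds in time (human PFD 0.1)
        Layer("High-pressure alarm + operator", 0.1, frozenset({"PT-102", "alarm-annunciator"})),
        # interlock implemented in the same BPCS on the same PT-101: shares the initiating cause
        Layer("BPCS high-pressure interlock", 0.1, frozenset({"PT-101", "BPCS"})),
    ]
    credited = credit_independent(claimed, initiating_uses)
    rrf = required_rrf(initiating_freq, tolerable_freq, credited)
    naive_rrf = required_rrf(initiating_freq, tolerable_freq, claimed)  # wrongly credits all three
    return {
        "credited": [layer.name for layer in credited],
        "required_rrf": rrf,
        "sil": sil_for_rrf(rrf),
        "naive_rrf": naive_rrf,
        "naive_sil": sil_for_rrf(naive_rrf),
    }


if __name__ == "__main__":
    r = worked_example()
    print("credited layers:", r["credited"])
    print(f"required RRF {r['required_rrf']:.0f} -> SIL {r['sil']}")
    print(f"if the BPCS interlock were credited too: RRF {r['naive_rrf']:.0f} -> SIL {r['naive_sil']}")
```

With the sample numbers the two independent layers leave a residual frequency of 5e-4 per year against a 1e-6 target, so the SIS must provide an RRF of about 500, which falls in the SIL 2 band. Crediting the BPCS interlock as well would suggest an RRF of 50 and SIL 1, an under-specified SIS, because that interlock fails together with the initiating event.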
Until the 1980s, the codes of practice for design and use of trip and alarm systems were set down by major chemical and petrochemical companies. Their codes of practice established most of the ground rules used today. They provided a solid and well-proven technical basis for essentially hardwired, logic safety systems based on analog sensors or direct acting switches, and using relays or hardwired, solid-state modules for logic solving. The codes of practice served industry well, and became the starting point for standards to allow more industries and equipment suppliers to use and provide suitable safety systems and components. These include the IEC 61508 and IEC 61511 standards (Figure 6).
IEC 61511 explains in its introduction that it's to be used by those who are managing, designing, implementing or operating an SIS application in a process or similar plant. The safety equipment they may have to buy should be engineered in accordance with IEC 61508. We should use IEC 61511 for plant safety projects and IEC 61508 for the design and manufacture of safety system products. IEC standards are gaining worldwide acceptance. In particular, IEC 61511 was developed in cooperation with U.S.-based companies and the ISA. In the U.S., it's published as ANSI/ISA-84.00.01-2004 (IEC 61511 Mod).
IEC 61508, Part 1, was released in 1999, and later parts were released in 2000. The standard was the result of more than 10 years of committee activities and represents a comprehensive attempt to cover all aspects of the design and operation of SIS using programmable electronics. The principles laid down in this standard are widely applicable to functional safety systems in any form of industry.
This article was first published on ControlGlobal.