Chemical, petrochemical, mining, gas compression and many other types of plant and manufacturing facilities are very dangerous places to work because of the risks present: fire, explosion, tank overflow, gas release or chemical exposure. The only way to eliminate these risks entirely would be not to build or operate these plants, but that is not practical, because they produce material that is useful, necessary and important in everyday life.
In order to minimize the risk, process control is installed to maintain the safe operation of the plant assisted by a robust detection, alarm and reporting system and operated by trained, qualified personnel. But often these measures alone cannot reduce the risk of injury, fire, explosion or other risks to a tolerable level.
Regardless of the type of risk, the process design itself, the Basic Process Control System (BPCS), alarms and operator intervention provide the first layers of protection for the process. In process design, care is taken to specify line, equipment and valve sizes, the materials of construction and the proper accessories. The BPCS is installed with appropriate instruments, controls and monitoring logic to allow the plant to be operated within the safest ranges of pressure, temperature, level and flow rate. Alarms are configured to allow the operators to react to abnormal conditions and take corrective action before a risk becomes an accident. Even with all these layers of protection in place, the risk may still be too great to prevent an accident from happening. The BPCS is by design slow to respond, in order to maintain system stability, so its control loop would take a long time to fully close a valve and would fail to isolate the system immediately. Some BPCS designs integrate safety functions such as interlocks or trip actions into the control loop; however, these functions are easily bypassed or deactivated by the operator, who may then forget to reactivate them. The alarm system comprises an enormous number of alarm signals combined with lights or sounds, and these can be deliberately or inadvertently ignored without any corrective action being taken.
A few examples illustrate this: in 1974, a nylon plant in Flixborough, UK exploded, killing 28 and injuring 100 people; in 1984, a gas leak at a fertilizer plant in Bhopal, India killed over 3000 and injured more than 200,000 people; more recently, in 2005, an explosion at the Texas City Refinery killed 15 and injured 150 people. All three of these plants had control systems, alarms and trained operators, but these first layers of protection did not reduce the hazard risk to a tolerable level. The risks associated with production at Flixborough were not all well defined, and the proper controls were not in place to minimize them. At Bhopal, systems were in place to prevent the resulting gas leak but did not take into account the scenario that led to the accident. In Texas City, several technical and operational shortcomings led to the explosion.
In order to mitigate risks like the ones above, OSHA (the Occupational Safety and Health Administration) and several companies in the chemical industry, along with ISA and other professional groups, embraced the idea of defining risks not as isolated processing-line or tank risks, but as risks associated with process functions as a whole. The way functional safety would be addressed in a plant, in order to reduce these functional risks, was to install a separate, well-designed Safety Instrumented System (SIS).
The SIS represents an additional layer of protection beyond the three layers discussed previously. This layer should provide at least a 10-fold decrease in the risk of the operation; this decrease is expressed as a risk reduction factor (RRF) equal to or greater than 10. So, as we have seen, many layers of protection are required to reduce the risk of an operation to a tolerable level.
A SIS comprises sensors, logic solvers and final control elements, with the single purpose of taking the process to a safe state when predetermined conditions are violated. This means the SIS is a separate set of devices from the Basic Process Control System. In order to provide a risk reduction factor greater than 10, it cannot be interlinked with the BPCS, or it would inherit that system's shortcomings. The SIS is designed around individual functions in the plant, called Safety Instrumented Functions (SIFs). For each SIF, the logic solver takes the SIS inputs and determines what the state of the SIS outputs should be.
In designing a SIS, the design team must carry out a detailed risk analysis, identifying all of the potential risks and deciding which risk levels require a SIF to be defined. This can be done qualitatively by HAZID/HAZOP or quantitatively by QRA, identifying, determining and ranking each risk using a risk matrix or a detailed estimate.
Even a Safety Instrumented System has a probability of failing. What if one of the components in the SIS fails or malfunctions when it is required? The probability that a component, whether input, output or logic solver, will fail and so cause the SIF not to respond when called upon is called the Probability of Failure on Demand (PFD). When we design an overall SIS, we need to determine the overall PFD for each SIF that is required. If we determine that the PFD should be less than 0.01 (1.00E-02), then our SIF needs to be designed to a Safety Integrity Level of 2 (SIL 2), and so on, as determined in the following table.
Suffice it to say, the higher the SIL, the more reliable the SIF will be. A SIL of 4 is possible but is usually not practical or economically feasible.
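As an added worked example (not from the article), the following Python computes the average PFD of a SIF from its sensor, logic solver and final element, the resulting risk reduction factor, and the SIL band it falls in. It assumes the standard IEC 61508 low-demand SIL bands, the common 1oo1 approximation PFDavg ≈ λDU·TI/2, and constructed, illustrative failure rates.

```python
# Added example, not from the article. Assumptions: each subsystem is a single
# (1oo1) device with a dangerous undetected failure rate lambda_DU (per hour)
# and a proof-test interval TI (hours); PFDavg ~= lambda_DU * TI / 2; subsystem
# PFDs are summed for the SIF. SIL bands are the IEC 61508 low-demand values.
from dataclasses import dataclass

# (SIL, lower bound, upper bound) on PFDavg, low-demand mode, IEC 61508
SIL_BANDS = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]


@dataclass
class Subsystem:
    name: str
    lambda_du: float        # dangerous undetected failures per hour
    test_interval_h: float  # proof-test interval in hours

    def pfd_avg(self) -> float:
        # 1oo1 approximation: mean unavailability over the proof-test interval
        return self.lambda_du * self.test_interval_h / 2


def sif_pfd_avg(subsystems) -> float:
    # Sensor, logic solver and final element act in series: if any one fails
    # to act on demand the whole SIF fails, so (for small PFDs) the PFDs add.
    return sum(s.pfd_avg() for s in subsystems)


def sil_for_pfd(pfd: float):
    """SIL whose band contains pfd; None if PFD >= 0.1 (no SIL) or < 1e-5."""
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return None


def risk_reduction_factor(pfd: float) -> float:
    # RRF is the reciprocal of the PFD; the article asks for RRF >= 10
    return 1.0 / pfd


# Constructed sample SIF (a high-pressure trip); figures are illustrative only
SAMPLE_SIF = [
    Subsystem("pressure transmitter", 3e-7, 8760),   # yearly proof test
    Subsystem("logic solver", 1e-8, 8760),
    Subsystem("shutdown valve", 1.2e-6, 8760),       # dominates the SIF PFD
]

if __name__ == "__main__":
    pfd = sif_pfd_avg(SAMPLE_SIF)
    print(f"SIF PFDavg={pfd:.2e} RRF={risk_reduction_factor(pfd):.0f} SIL={sil_for_pfd(pfd)}")
```

Halving every proof-test interval halves the PFD under this approximation, which is the lever a designer reaches for when a SIF misses its target SIL.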
The IEC 61511 and IEC 61508 standards prescribe a methodology for developing and documenting the system. Certain design principles should be followed, such as:
- Not allowing on-line changes to a logic solver;
- Requirements for testing the SIF;
- A Management of Change process for making any changes to the system once the design has been approved.
In conclusion, the goal of the SIS is to reduce the risk of accident or injury, and it is only one of many layers of protection that a plant uses to safeguard the process, equipment, personnel and the community. But when implemented correctly, it can provide a very large reduction in the overall risk profile and confidently safeguard your facilities.