Separating process control and safety systems

Process safety: Keeping process control and safety systems separate is crucial, but knowing what to separate and integrate and why is critical. Learn about safety instrumented function (SIF) and layers of protection analysis (LOPA).

By Scott Hayes May 30, 2020


Learning Objectives

  • Process safety functions help prevent unplanned hazardous-substance releases that could result in a major safety incident.
  • Many factors affect the safety of an integrated control and safety system solution.
  • Process safety system and control integration should involve a trained safety professional.

Process safety functions help prevent unplanned releases of substances (such as hazardous materials) that could result in a major incident. For instance, an operator interacts with a control system – typically a distributed control system (DCS) or programmable logic controller (PLC) – to control a chemical process. If a hazard occurs and the control system can’t achieve the required risk reduction on its own, a safety instrumented function (SIF) is implemented to reduce the risk to an acceptable level.

This application of separate layers of protection to reduce the risk of a hazardous event is often called layers of protection analysis (LOPA). If one protection layer fails to mitigate the occurring hazard, an additional layer is added.

Degrees of separation for control and safety systems

An ongoing process safety discussion centers around the degrees of separation required between the layers of the control system and the safety functions. Keeping process control and safety systems separate is important, and various industry standards (ANSI/ISA-84.01/IEC 61511, Functional Safety – Safety Instrumented Systems for the Process Industry Sector, Parts 1-3) require it.

How separate is separate, though?

A strict interpretation would be to use a safety instrumented function (SIF) with disparate devices, such as different transmitters, logic solvers and final elements from different manufacturers and programmed by different individuals.

In a simple example, a control system fills a tank using a level transmitter and a control valve on the fill line. To prevent overflow, an SIF could be added that includes a separate level transmitter, a separate logic solver and a separate valve to stop the inlet flow.

These layers of protection are independent of each other, but common failures can still occur that could prevent both level transmitters from working. For example, what if the tank was designed for a certain capacity but was later changed to a smaller one? Both transmitters could then have an incorrect range. This common cause failure could occur even if the transmitters used different sensing technologies and were calibrated by different people.

2 failure types defined: Common cause, common mode

According to industry standards, an analysis is required to confirm protection layers are independent. This analysis determines whether the overall required risk reduction is achieved. It looks at two types of failures:

  • Common cause failures, which occur when multiple (often identical) components fail due to shared causes. Typical examples of shared causes include impact, vibration, temperature, contaminants, miscalibration and improper maintenance.
  • Common mode failures, which occur when several subsystems fail in the same way for the same reason.
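The independence analysis can be carried through as a small LOPA calculation. This is an added example, not the article's or the author's code: the initiating-event frequency, target frequency and layer PFDs are constructed values, and a failure the layers share (a common transmitter, or a range error applied to both transmitters) is modelled as one probability that defeats every layer at once.

```python
"""LOPA arithmetic for the tank example: two protection layers, with and
without a failure they have in common (added example; values are constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProtectionLayer:
    name: str
    pfd: float  # average probability of failure on demand


def combined_pfd(layers, shared_pfd=0.0):
    """Probability that the whole protection stack fails on a demand.

    shared_pfd is the probability that an element common to every layer
    (a transmitter shared by both logic solvers, or a range error applied to
    both transmitters) has failed. That failure defeats all layers at once,
    so it adds to the product of the independent layer PFDs instead of
    multiplying with them.
    """
    independent = 1.0
    for layer in layers:
        independent *= layer.pfd
    return shared_pfd + (1.0 - shared_pfd) * independent


def risk_reduction_factor(layers, shared_pfd=0.0):
    return 1.0 / combined_pfd(layers, shared_pfd)


def mitigated_frequency(initiating_per_year, layers, shared_pfd=0.0):
    """Frequency of the hazardous event after every layer has had its chance."""
    return initiating_per_year * combined_pfd(layers, shared_pfd)


def meets_target(initiating_per_year, layers, target_per_year, shared_pfd=0.0):
    return mitigated_frequency(initiating_per_year, layers, shared_pfd) <= target_per_year


# Constructed figures for the tank overflow scenario (not from the article).
INITIATING_PER_YEAR = 0.05  # level control loop fails high
TARGET_PER_YEAR = 1e-4      # tolerable overflow frequency
LAYERS = [
    ProtectionLayer("BPCS high-level interlock", 0.1),
    ProtectionLayer("SIF: separate transmitter, logic solver, valve", 0.01),
]

if __name__ == "__main__":
    for shared in (0.0, 0.005):
        print(f"shared-element PFD {shared}: RRF {risk_reduction_factor(LAYERS, shared):.0f}, "
              f"mitigated {mitigated_frequency(INITIATING_PER_YEAR, LAYERS, shared):.2e}/yr, "
              f"target met: {meets_target(INITIATING_PER_YEAR, LAYERS, TARGET_PER_YEAR, shared)}")
```

With no shared failure the two layers give an RRF of 1000 and the target is met; a shared-element PFD of only 0.005 cuts the RRF to roughly 167 and the target is missed, which is why the standards require the independence analysis before credit is taken for each layer.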

Know when to integrate process safety functions

Are there advantages to integrating the separate process safety functions? In the earlier simple example, if both level transmitters are shared between the two logic solvers, the following advantages are possible:

  • The two measurements can be compared and even a minor discrepancy can be brought to the operator’s attention. This could allow a faulty transmitter to be replaced or other action taken before the problem in the process even begins.
  • Either process transmitter crossing the safe setpoint could close both valves.

Certain safety precautions are prudent when sharing instrumentation. For instance, the process transmitters should be powered by and wired to the process safety logic solver. The measurement can be communicated to the process control system for control or interlock action. If the communication fails (even if it is hardwired), the control system should still take the safe action.
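The shared-transmitter arrangement described above (both transmitters wired to the safety logic solver, a 1oo2 trip, a discrepancy alarm, and the safe action when the link to the control system is lost), as an added example that is not code from the article or the author; the setpoint, discrepancy limit, scan values and the choice to send the higher reading to the control system are assumptions.

```python
"""Shared level transmitters wired to the safety logic solver, with the
control system reading the measurement over a link (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SifDecision:
    trip: bool               # close both inlet valves
    discrepancy_alarm: bool  # transmitters disagree: bring to operator's attention
    reason: str


def sif_evaluate(level_a, level_b, safe_setpoint, discrepancy_limit):
    """Safety logic solver scan. Both transmitters are powered by and wired to
    this solver. Either one crossing the safe setpoint trips (1oo2); a
    disagreement larger than discrepancy_limit raises an alarm even below it."""
    discrepancy = abs(level_a - level_b) > discrepancy_limit
    if level_a >= safe_setpoint or level_b >= safe_setpoint:
        return SifDecision(True, discrepancy, "level at or above safe setpoint on a transmitter")
    if discrepancy:
        return SifDecision(False, True, "transmitters disagree; check for a faulty transmitter")
    return SifDecision(False, False, "normal")


def bpcs_evaluate(level_from_sis, link_healthy, safe_setpoint):
    """Control system interlock using the value communicated from the safety
    solver. Without a healthy link (or a value) it takes the safe action and
    closes the control valve, rather than holding the last known level."""
    if not link_healthy or level_from_sis is None:
        return True
    return level_from_sis >= safe_setpoint


def run_scans(scans, safe_setpoint=90.0, discrepancy_limit=2.0):
    """scans: (level_a, level_b, link_healthy). The solver communicates the
    higher reading to the control system (an assumption of this example).
    Returns (sif_trip, discrepancy_alarm, bpcs_closes_control_valve) per scan."""
    results = []
    for level_a, level_b, link_healthy in scans:
        sif = sif_evaluate(level_a, level_b, safe_setpoint, discrepancy_limit)
        sent = max(level_a, level_b) if link_healthy else None
        bpcs_close = bpcs_evaluate(sent, link_healthy, safe_setpoint)
        results.append((sif.trip, sif.discrepancy_alarm, bpcs_close))
    return results


# Constructed scan sequence (percent level): normal, a drifting transmitter,
# a genuine high level, and a link failure while the level is normal.
SCANS = [(50.0, 50.5, True), (70.0, 74.0, True), (91.0, 88.0, True), (60.0, 60.0, False)]
```

Running `run_scans(SCANS)` shows the drifting transmitter raising an alarm before any trip, the high level closing both the SIF valves and the control valve, and the link failure closing the control valve even though the safety solver itself sees a normal level.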

Most companies and experts agree that integrating or sharing transmitters is acceptable, if correctly analyzed and implemented. The topic gets more heated when discussing integrating the logic solvers.

Some people believe in the stricter interpretation to keep the process control and safety systems separate with different manufacturers. Others believe one manufacturer can provide both, but in separate processors, on the same network and with the same operator visibility.

Some feel a separate programming environment is required, while others do not. Some even propose the separate functions be executed on the same redundant processors.

5 advantages of integrated control and safety systems

Many factors affect the safety of an integrated process control and safety system solution. If the risks and failure modes and causes are analyzed and found acceptable, there are advantages including:

  • Improved operator experience – Integrated alarms and actions provide a clear picture of the whole process. A common system can help the operator better understand how the system performs.
  • Integrated action – If a safety function is tripped, what else needs to happen? Integrating allows easier programming of other actions like stopping pumps or parking columns after the trip occurs.
  • Simulation ease – It is easier to simulate the entire system.
  • Ease of maintenance – More common spare parts and equipment simplify and improve maintenance activities.
  • Minimal training – If the design environments are integrated, fewer trained resources are required.

2 areas of caution with integrated control and safety systems

The biggest issues with integrating control and safety systems, however, include:

  • Common cause failures – The risk that a failure in the control system will also affect the safety system. These common cause failures can take many forms:
    • Hardware – Failure of a component
    • Software – A firmware or application bug could have the same effect on separate logic solvers.
  • Operating and engineering discipline – If the systems are integrated, a programming change is more likely to inadvertently alter a safety protection. The same is true for technicians working on a transmitter.

The bottom line is integrating control and safety systems is possible and has many advantages, but facilities should carefully weigh the pros and cons. Regardless of the safety system and solutions used, consider consulting a trained safety professional who understands the process standards requirements and can perform an upfront process safety analysis and make recommendations regarding the complicated required protection layers and devices.

Scott Hayes is a program manager at Maverick Technologies, a CFE Media content partner. Edited by Chris Vavra, associate editor, Control Engineering, CFE Media, cvavra@cfemedia.com.

MORE ANSWERS

Keywords: process safety, process manufacturing, system integration

Consider this

What challenges have you encountered with process control system integration and how have you overcome them?

Original content can be found at Control Engineering.

Author Bio: Scott Hayes is a program manager at MAVERICK Technologies. He has 20 years of experience in process control. He is a licensed Control System Engineer and a TUV certified functional safety engineer.