Integrating process safety systems
20 Jan 2009
London - The really good thing about discussions on plant safety is that they tend to involve engineers. In fact such discussions usually end up with the engineers making the decisions, in contrast to other business management discussions.
The manager responsible for the safety system on the process plant is surely the person who sits outside any pressure from commercial and production management, in so far as anyone can when the business has to remain viable. If the safety system chosen, and used, is not adequate, and an accident causes damage and injury, then there is no plant any more, and probably significant compensation to pay: the business is then certainly not viable.
Major safety system suppliers include: ABB Process Systems (Safeguard), with 400 installations since 1978; Emerson Process Management (DeltaV SIS), introduced in 2004; HIMA (HIMax and others), more than 20,000 systems since 1970; Honeywell (Safety Manager), 20 years of expertise; Invensys Process Systems (Triconex), more than 7,000 systems since 1983; and Yokogawa (ProSafe-RS), with over 300 projects since 2005.
The automation systems of major plants are, quite reasonably, being integrated, to include the process control system, the maintenance management system, the electrical systems, the communications and security. Efficient management requires that all the data for a modern business must be accessible on the same system, and efficiently use the same data, to smooth decision making. In a new installation the capital costs can be reduced significantly by planning these systems as integrated systems, and reducing wiring, hardware and interfaces.
The major automation contractors encourage this view, and will offer the total system: but how far should this integration be extended to include the SIS, the Safety Instrumented Systems (emergency shutdown systems, fire and gas systems, burner management systems, and turbomachinery control systems)?
The view of the major automation contractors seems to be that the SIS should be part of the process control system and share the same platform, because this reduces the end customer's cost of the integration work needed when the SIS is a separate system. This recognises that SIS systems are expensive, both in the components used and the engineering involved, and that they therefore make up a significant part of the total project work, and of the revenue for the contractors.
However, the very integration that apparently saves costs for the customer could be a step too far in reducing the safety system's independence, introducing common-mode failures or shared logic between the control system and the SIS. There has to be a separation of design and concept between safety systems and control systems, so that they use different basic approaches to achieve the same result: a safely controlled plant.
The current version of the IEC 61508 standard (this could, of course, be modified in subsequent editions) embodies this principle in that it states the “Safety system shall be independent of the Control System”.
This requirement introduces a demand for a safety system source that is independent of, and prepared to work with, the main control system supplier. Within major automation contractors, the safety systems group has always been separated from the control systems group, but the very integration of systems required by plant management means that the base platforms are moving closer together.
An interesting parallel to this requirement for safety arises in reviewing the integration of systems that might be subject to attack by hackers. The firewall between the two aspects of such an integrated system has to be considered, in the light of concern, particularly in the US, that hackers can penetrate the outer firewall to the control system via external communications interfaces.
The safety system, and the second protective firewall separating it from the control system, have to be unaffected by that same hacker's penetration and software abilities, even once the control system zone has been compromised. This is always an interesting point for discussion amongst safety professionals.
Fieldbus demos
Last May, four demonstrations were organised to show how Foundation Fieldbus (FF) communications could be used in safety applications: this followed on from the granting of TÜV protocol type approval for the FF Safety Instrumented Systems specifications up to SIL 3, in 2006. The main demonstration was hosted by Shell Global Solutions in Amsterdam, and although attended by 15-20 press, these were fewer than 10% of the audience: the rest were the engineers who had come together to discuss the technology.
The working demonstration was shown on a miniature plant system, and used a HIMA Logic Solver working with a Yokogawa Centum control system and asset management, plus field equipment from various manufacturers on the FF segments. The same general pattern was used for the other sites, with two Aramco demonstration units in Saudi Arabia using Yokogawa and Invensys Triconex logic solvers, and BP Gelsenkirchen using a Honeywell Safety Manager. Chevron in Houston demonstrated an Emerson DeltaV SIS working alongside a DeltaV AMS asset management system.
Within the FF SIF demo units the communications were treated as a black, ‘unmonitored’ channel between the intelligent devices and the logic solver: there were no peer-to-peer communications. The immediately apparent CAPEX advantage of using FF segments is that they bring considerable wiring and installation time savings to safety systems, since at present all field systems use single, loop-powered 4-20 mA signals.
Audun Gjerde of Shell Global Solutions conducted the live SIF demo at the Amsterdam event. Functions demonstrated included high and low level trips, partial stroke testing of valves, and a partial stroke test that was interrupted by the ESD. The last example showed that even in the middle of a partial stroke test the ESD could successfully take over and shut down the system during an abnormal situation.
Two-out-of-three (2oo3) voting was demonstrated using various fieldbus SIF devices. The system also reacted successfully to the loss of a temperature probe, as well as to a measurement validation alarm and a diagnostic alarm generated by a dry probe on a level device.
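The trip and diagnostic behaviour described in the demo can be illustrated with a small logic-solver model. This is an added example, not code from the article or from any vendor's product; the trip points, the channel status model, and the policy of degrading 2oo3 to 1oo2 on one faulted channel and tripping on two are assumptions chosen for illustration.

```python
"""Constructed model of 2oo3 level-trip voting with channel diagnostics,
plus a shutdown valve whose partial stroke test (PST) is overridden by ESD.
Assumed (not from the article): a device reports GOOD or BAD status
(loss of probe, failed validation, dry-probe diagnostic all count as BAD);
2oo3 degrades to 1oo2 with one BAD channel and trips with two or more."""
from dataclasses import dataclass

HIGH_TRIP = 90.0   # constructed high-level trip point (% of span)
LOW_TRIP = 10.0    # constructed low-level trip point (% of span)

@dataclass
class Reading:
    value: float
    good: bool       # False when the device raises a diagnostic fault
    name: str = ""

def level_demand(r: Reading) -> bool:
    """Per-channel trip demand: level outside the safe band."""
    return r.value >= HIGH_TRIP or r.value <= LOW_TRIP

def vote_2oo3(readings):
    """Return (trip, reason) for three level channels."""
    bad = [r.name for r in readings if not r.good]
    healthy = [r for r in readings if r.good]
    if len(bad) >= 2:
        return True, f"trip: {len(bad)} channels faulted ({', '.join(bad)})"
    demands = sum(level_demand(r) for r in healthy)
    if len(bad) == 1:
        # one channel lost: degrade to 1oo2 on the remaining healthy pair
        return demands >= 1, f"degraded 1oo2 (bad: {bad[0]}), demands={demands}"
    return demands >= 2, f"2oo3 demands={demands}"

class FinalElement:
    """Shutdown valve that may be mid partial-stroke-test when ESD acts."""
    def __init__(self):
        self.state = "open"          # open | pst | closed
    def start_pst(self):
        if self.state == "open":
            self.state = "pst"
        return self.state
    def esd(self, trip: bool):
        if trip:
            self.state = "closed"    # ESD overrides any test in progress
        elif self.state == "pst":
            self.state = "open"      # test completed, valve back to normal
        return self.state

def run_scan(readings, valve: FinalElement):
    """One logic-solver scan: vote, then drive the final element."""
    trip, reason = vote_2oo3(readings)
    return valve.esd(trip), reason
```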
Gjerde commented, "By implementing Foundation SIF, Shell anticipates less testing of final elements thanks to smart testing and diagnostics, as well as online testing and partial stroke testing. This will result in early detection of dangerous device failures - and fewer spurious plant trips. With smart online testing and diagnostics, we will be able to run for longer periods of time without shutting down the plant for testing purposes. We will also save on the cost of adding a second or third device in many cases."
Shell Global Solutions has an overall initiative to make better use of FF systems and capabilities to reap OPEX benefits, and strongly supports the SIF initiative as part of this project. Within Shell, FF is the de facto standard for new builds, and Shell's Peter Eigenraam commented that they had 100+ current FF projects involving 200,000 field devices.
To gain OPEX benefits, FF must be better utilised in terms of reliability and availability, by using diagnostics and self-checking, plus savings in operational time through remote monitoring that allows reduced manning. “Foundation SIF helps you know you are safe, not think you are safe,” commented Peter Eigenraam. In addition, Shell sees the extension of FF into the SIS functions as a key initiative in gaining these OPEX benefits across more of the total I/O on a project, since safety systems account for a large portion of the I/O on major projects.
The Saudi Aramco demonstration and field evaluations scheduled for 2009 will use two separate FF-SIF systems, from Yokogawa and Invensys Triconex. The Aramco presentation in Amsterdam was made by John Rezabek, Controls Specialist at the ISP (ex-BP Chemicals) butanediol plant in Lima Ohio, an experienced industrial user of FF systems - he is also chair of the FF End User Advisory Council.
John quoted the main reasons for SIF systems as the capability to identify and anticipate failures, the ability to undertake partial and full valve stroking, and a reduced manual testing regime. He then summarised his view as: “Foundation Fieldbus SIF makes sense – it delivers real time diagnostics built-in.”
Rezabek's view was endorsed by the Shell experts, who acknowledged the lead that FF offers in delivering diagnostic information, and who were keen for suppliers to develop further diagnostic capabilities across their installed instrumentation.
The future
Discussions in Amsterdam were under no illusions: the development of FF SIF field transmitters and controllers with good diagnostics, approved for hazardous area use and then certificated for use in FF-SIF systems will not be possible within a 2-3 year timescale, so cannot be expected till 2011 at the earliest.
But the demand from end-users exists and will mean that these will be developed, and implemented. There are challenges to overcome in incorporating these devices in safety systems, which might indeed involve maintaining the distinct and separate teams of process design and safety system design, negating some of the possible benefits of common engineering standards.
The hardware and software barriers, such as firewalls, between the systems will be the subject of a lot of future discussion: but with such open discussions as have already started between the supplier and user engineers, demonstrated at Shell in Amsterdam, the objective is set.