Safety Instrumented Systems monitor plant variables and parameters against their operational limits and, when a hazardous condition occurs, must trigger alarms and bring the plant to a safe state, up to and including shutdown.
Safety requirements must always be followed by plants, and the best installation and operating practices are a duty of employers and employees alike. It is worth remembering that the first principle of safety legislation is to ensure that all systems are installed and operated safely, and the second is that the instruments and alarms involved in safety operate reliably and effectively.
Safety Instrumented Systems (SIS) are the systems responsible for operational safety and for ensuring an emergency stop within the limits considered safe whenever the operation exceeds those limits. The main objective is to avoid accidents inside and outside the plant, such as fires, explosions and equipment damage, to protect production and property and, above all, to avoid risk to life, damage to personal health and catastrophic impacts on the community. It should be clear that no system is completely immune to failure, and that even in the event of a failure it must still lead to a safe condition.
For several years, safety systems were designed according to the German standards DIN V VDE 0801 and DIN V 19250, which were well accepted by the global safety community and motivated the effort to create a global standard, IEC 61508, which now serves as the basis for all operational safety of electrical, electronic and programmable electronic systems in any kind of industry. The standard covers all safety systems of an electronic nature.
Products certified according to IEC 61508 should basically cover three types of failures:
IEC 61508 is divided into seven parts, of which the first four are mandatory (normative) and the remaining three act as guidelines:
The standard systematically covers all activities of the SIS (Safety Instrumented System) life cycle and focuses on the performance required from the system: once the required SIL (safety integrity level) is reached, the redundancy level and the test interval are left to the discretion of whoever specifies the system.
IEC 61508 aims to leverage the improvements of PES (Programmable Electronic Systems, which include PLCs, microprocessor-based systems, distributed control systems, sensors, intelligent actuators, etc.) and to standardize the concepts involved.
Recently, several standards on SIS development, design and maintenance have been prepared. Besides IEC 61508 (all industries), already mentioned, it is also important to mention IEC 61511, which is focused on the process industries (continuous, liquid and gas processes).
In practice, in several applications we have seen SIL-certified equipment specified for use in control systems with no safety function. It is also believed that there is a disinformation market that leads to the purchase of more expensive equipment developed for safety functions which, in practice, will be used for process-control functions, where the SIL certification does not bring the expected benefits and even makes the equipment harder to use and operate.
Moreover, such disinformation leads users to believe they have a certified safe control system, when what they actually have is a controller with certified safety functions.
With the growth in the use of digital equipment and instruments, it is extremely important that the professionals involved in projects or in day-to-day instrumentation are qualified, know how to determine the performance required from safety systems, and master the calculation tools and risk rates within acceptable limits.
In addition, it is necessary to:
The mere use of modern, sophisticated or even certified equipment does not in itself guarantee any improvement in reliability or operational safety over traditional technologies, unless the system is deployed with criteria and with knowledge of the advantages and limitations inherent to each available technology. The entire SIS life cycle must also be kept in mind.
We commonly see accidents related to safety devices bypassed by operations or during maintenance. It is certainly very difficult, at the design stage, to prevent one of these devices from being bypassed in the future, but a solid design that better satisfies the operational needs of the safety system's users can considerably eliminate or reduce the number of unauthorized bypasses.
By using and applying techniques with fixed or programmable logic circuits, fault-tolerant and/or fail-safe designs, microcomputers and software concepts, it is possible today to design efficient and safe systems at a cost suitable for the function.
The complexity of a SIS depends greatly on the process considered. Heaters, reactors, cracking columns, boilers and furnaces are typical examples of equipment that require a carefully designed and implemented safety interlock system.
The proper operation of a SIS requires better performance and diagnostic conditions than conventional systems. Safe operation in a SIS relies on sensors, logic solvers, processors and final elements designed to cause a shutdown whenever safe limits are exceeded (for example, process variables such as pressure and temperature above the high-high alarm limits) or even to prevent operation under conditions unfavourable to safe operation.
Typical examples of safety systems:
In the previous article, the third part, we saw some details on fault tree analysis models, the Markov model and some calculations.
In this fourth part, we will look at some points about the SIF verification process.
A Safety Instrumented System (SIS) is a critical layer for accident prevention. A SIS performs several SIFs (Safety Instrumented Functions) and is typically composed of sensors, logic solvers and final control elements. The acceptable probability of failure on demand (expressed as the SIL, Safety Integrity Level) for each SIF needs to be determined for the project and for subsequent verification.
The safety analysis is carried out over the risk levels of the SIFs.
A pressure transmitter and a positioner, for example, are part of a SIF.
There are several methods to identify the SIL required for each SIF. One of them is Layer of Protection Analysis (LOPA), a risk analysis technique applied after the use of a qualitative hazard identification technique such as HAZOP (Hazard and Operability Study). Derived from a quantitative risk analysis tool, event tree frequency analysis, LOPA may be described as a semi-quantitative technique, as it provides a risk estimate.
Control systems are designed to keep the process within the specific process parameters considered acceptable for normal and safe operation of the plant. When the process exceeds its normal operating limits, it may pose a potential risk to human life, the environment and assets. In the evaluation stage, the risks are identified together with their consequences, and the ways to prevent their occurrence are defined.
The probability of each identified risk is reduced according to the capacity of the system to provide preventive layers. The risk reduction establishes three criteria:
The user should have command of the information on the equipment so that a good analysis of SIF performance can be carried out. Constructive techniques designed with tolerance to component failures prevent a single failure from causing a device failure. Finally, the performance calculation determines whether the SIS meets the project expectations regarding the desired integrity level. SIS reliability is defined by several parameters:
For each SIF, at least the following information should be analyzed:
Care is needed in the choice of equipment for safety systems. Certified equipment should be specified according to IEC 61508, or should comply with the "prior use" criteria according to IEC 61511.
Proven in Use (PIU) is a characteristic defined by IEC 61511 (clause 11.4.4) whereby, if a piece of equipment has already been used successfully in safety applications and meets certain requirements (see below), the required HFT (hardware fault tolerance) can be reduced and the equipment can thus be used in safety applications at lower cost:
The major advantage is that it becomes possible to standardize on the same equipment for control and for safety at a much lower cost.
Through hardware analysis, called FMEDA (Failure Modes, Effects and Diagnostic Analysis), it is also possible to determine the failure rates and failure modes of the instrument. This type of analysis is an extension of the well-known FMEA method (Failure Mode and Effect Analysis). FMEDA identifies and calculates the failure rates in the following categories: safe detected, safe undetected, dangerous detected and dangerous undetected. These failure rates are used to calculate the safety coverage factor and the risk factor.
Once the safety integrity level and its requirements are calculated, the equipment, redundancy levels and tests are chosen according to the SIF demand. Then, with the information on each piece of equipment and device, it is calculated by equations, fault tree analysis, Markov models and other techniques whether the chosen equipment meets the safety requirements.
Figure 1 shows the most common examples of architectures for safety systems, where different techniques are used according to the voting scheme and the desired SIL:
Figure 1 - Typical examples of architecture for safety systems
For SIFs, the failure probability may be interpreted as the transition of a device from the operating state to a state in which it no longer performs the role for which it was specified.
When the device is tested, PFD(t) is reset to its initial value. This involves two implicit assumptions:
As a result, the test interval is an imperative factor in determining the SIL classification achieved.
Figure 2 - Transition and PFD states
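The following is an added example, not code from the original article, tying together the FMEDA categories, the voting architectures of Figure 1 and the dependence of PFD on the proof-test interval. It rolls up a constructed (not vendor) FMEDA worksheet for a hypothetical pressure transmitter into the SD/SU/DD/DU rates, derives the safe failure fraction and diagnostic coverage, and uses the simplified IEC 61508-6 PFDavg expressions (common cause and repair time ignored) to show how the same device lands in different SIL bands as the test interval and architecture change.

```python
HOURS_PER_YEAR = 8760
# Low-demand PFDavg upper bounds per SIL (IEC 61508-1 Table 2). Meeting the band
# is necessary, not sufficient: the HFT/SFF architectural constraints also apply.
SIL_UPPER = ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1))

# Constructed FMEDA worksheet for a hypothetical pressure transmitter (not vendor
# data): (component, failure mode, rate in FIT = failures per 1e9 h, category),
# where SD/SU = safe detected/undetected and DD/DU = dangerous detected/undetected.
TRANSMITTER = [
    ("sensing element", "drift beyond tolerance", 60, "DU"),
    ("ADC", "stuck-at output code", 80, "DD"),
    ("output stage", "loop current shorted low", 120, "SD"),
    ("power supply", "open circuit", 40, "SU"),
]

def fmeda_rollup(rows):
    """Sum the worksheet rows into the four IEC 61508 failure-rate categories (FIT)."""
    rates = {"SD": 0.0, "SU": 0.0, "DD": 0.0, "DU": 0.0}
    for _component, _mode, fit, category in rows:
        rates[category] += fit
    return rates

def safe_failure_fraction(r):
    """SFF = (lambda_SD + lambda_SU + lambda_DD) / lambda_total."""
    return (r["SD"] + r["SU"] + r["DD"]) / sum(r.values())

def diagnostic_coverage(r):
    """DC = lambda_DD / (lambda_DD + lambda_DU): share of dangerous failures detected."""
    return r["DD"] / (r["DD"] + r["DU"])

def pfd_avg(lambda_du_per_h, test_interval_h, architecture):
    """Simplified IEC 61508-6 PFDavg per voting architecture. Common-cause (beta)
    and repair time are ignored, so only lambda_DU and the proof-test interval matter."""
    x = lambda_du_per_h * test_interval_h
    return {"1oo1": x / 2, "1oo2": x ** 2 / 3, "2oo3": x ** 2}[architecture]

def sil_band(pfd):
    """Highest low-demand SIL whose PFDavg band contains pfd (0 = worse than SIL 1)."""
    for sil, upper in SIL_UPPER:
        if pfd < upper:
            return sil
    return 0

def assess(rows, test_interval_years, architecture="1oo1"):
    """FMEDA roll-up to SFF, DC, and the PFDavg / SIL band for one proof-test interval."""
    r = fmeda_rollup(rows)
    pfd = pfd_avg(r["DU"] * 1e-9, test_interval_years * HOURS_PER_YEAR, architecture)
    return {"SFF": safe_failure_fraction(r), "DC": diagnostic_coverage(r),
            "PFDavg": pfd, "SIL_band": sil_band(pfd)}
```

With these constructed rates, a 1oo1 transmitter proof-tested yearly sits in the SIL 3 PFDavg band, but stretching the interval to five years drops it to the SIL 2 band, while a 1oo2 arrangement at five years is back within the SIL 4 band; the SIL actually claimable is further limited by SFF and hardware fault tolerance.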
In practical terms, the aim is to reduce failures and, consequently, shutdowns and operational risks. The purpose is to increase operational availability and also, in process terms, to minimize variability, with a direct consequence of increased profitability.