Functional Safety Controls - Protecting Your Employees and Processes

Industrial Process Safety - A Layered Approach   

In the daily life of a process automation engineer, a large number of the decisions and actions taken ultimately involve the safety of operators, infrastructure, and equipment - many more than we tend to recognize.  It's not always so obvious how many (or how few) degrees of protection stand between a normal operation and a significant emergency, especially for more mundane systems that don't fail in spectacular ways. 

With this thought in mind, we're too often shocked to hear about incidents where virtually no safety measures were in place.  That is what motivated us to write this article, which shares ideas about how engineers can conceptualize safety decisions using a layered approach.  After that, we'll discuss how engineers can apply this concept in their own normal process control projects.

When discussing process safety, it's appropriate to orient the conversation around published standards that can set the stage, as safety tends to be a highly regulated arena that differs between industries and countries.  For this discussion, we'll share the graphic below, which describes LOPA (Layers of Protection Analysis), a standardized form of process hazard analysis that chemical engineers tend to apply to hazards with the potential to become major public-facing emergencies, as referenced from this American Institute of Chemical Engineers presentation.

Fig. 1 Layers of Protection Analysis Diagram

From this graphic, we see normal process controls tracking a valve's condition down at the bottom, with a process alarm layer directly above that.  In practice, this shows us that alarms are the first layer of defense against any process upset once normal control has not contained it.  Above that, dedicated safety systems are introduced, followed by physical mitigation devices such as relief valves and physical containment barriers.  Should the issue surpass these measures, we're now dealing with plant-wide or community-wide emergencies.  While this article does not deal with catastrophic safety concerns of this magnitude, what we want to take away from this graphic is the role of the layers that envelop any given process system, and how we might take inspiration from this layering concept in common control and instrumentation applications.  Keeping these layers in mind, let's dig further into the specific alarm and safety system layers next.

Differences between Automated Process Controls and Safety Instrumented Systems 

In the domain of process safety, there are two distinct categories of safety provisions that serve specific purposes.  The first is what we might call 'normal' process controls, which are your routine PLC or PAC features that take programmatic action any time a process variable exceeds a predetermined limit.  Examples include:

1. High-level alarm on a water tank that automatically closes the incoming water supply valve.

2. Low-pressure alarm on a steam line that sounds an audible beacon to alert operators.

3. Timeout alarm on a logic controller when a field instrument does not respond within an allotted amount of time.

The second category of safety controls is referred to as Safety Instrumented Systems (or SISs), which are dedicated, ultra-high integrity control systems that explicitly monitor for and react to safety-related conditions.  Safety Instrumented Systems consist of hardware, software, operational practices, and performance certifications rooted in reliability, resilience, and redundancy even under emergency conditions.  SIS components are installed in parallel to normal process control systems, and only execute logic known as Safety Instrumented Functions (SIFs).  These systems are heavily deployed in hazardous material, oil & gas, petrochemical, and similar high-hazard processes.

While Safety Instrumented Systems closely resemble normal process control systems, being made up of instrumentation, controllers, actuators, and the like, they are physically constructed and certified to higher standards and must be kept entirely separate from normal controls.  Examples include:

  • On a hazardous chemical fluid storage tank, a dedicated SIS high-level switch protects against overflowing the tank, which could harm nearby operators.  As the level approaches overflow, this normally-closed switch opens, which signals a dedicated safety logic controller to close a downstream redundant emergency fill valve.  This system activates when the normal process control system fails to stop the issue itself.

  • Across a multi-system processing plant producing thermoplastics, a central hazardous vapor recovery system unexpectedly shuts down, allowing these vapors to flow into employee spaces where they could cause asphyxiation.  Dedicated SIS pressure sensors detect this loss of function, and immediately engage emergency ventilation fans and dampers throughout the workspace.  Audible beacons are sounded to alert operators, who evacuate the building until maintenance can resolve the recovery system's problem.

To learn more about Safety Instrumented Systems, refer to these governing technical codes:  IEC 61508, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems; IEC 61511, Functional Safety: Safety Instrumented Systems for the Process Industry Sector; and ISA84, Instrumented Systems to Achieve Functional Safety in the Process Industries.

As we can see, Safety Instrumented Systems take safety to an entirely new level beyond normal process controls.  While these systems are neither required nor installed in the vast majority of manufacturing facilities, process control engineers can take away many lessons from them for use in everyday projects, which we'll outline below.

Non-SIS Safety Considerations

Safety Instrumented Systems are world-class safety solutions, but there are plenty of reasons why they are not mandated in most industries - notably cost, complexity, and legal liability implications.  Even so, process engineers can still take plenty of inspiration from the tenets of SISs in everyday projects, using everyday instruments and devices, coded with everyday logic.  How, readers may ask?  Here are six ways:

1. Hazard Risk Assessment - even for projects not governed by specific safety standards, engineers and project leaders should always perform a hazard risk assessment.  This assessment helps engineers think through and understand how their control functions influence operators, infrastructure, and the wider public, no matter how small the system.  With this information in hand, engineers can then make design and functional decisions to heighten safety where they may not have thought to before.

2. Redundancy - a very easy safety-oriented practice is to build redundancy into process systems, addressing the risks of having single points of failure.  Devices can fail, wiring circuits can get damaged, controller logic can get jumbled over years of edits - there are any number of reasons why single hardware and software instances can misbehave, which is where redundant backups in hardware and software form can provide added reliability and protection.

3. Think Across Systems, Not Within Systems - process safety is a protective umbrella that applies over entire systems and facilities.  For this reason, engineers are encouraged to think about safety provisions across systems, not only within individual systems.  Too often, packaged systems stand apart from wider control platforms and automatic responses, which leaves other systems and personnel vulnerable to hazards.  Simple solutions at the whole-plant level, such as implementing master alarm and notification systems, as well as interlocking external dependent processes, can more holistically ensure safety.

4. React, Notify, Control - when evaluating alarm conditions purely from a safety standpoint, it's usually most desirable that controls first react to mitigate the hazard, then notify operators to take immediate action, and then collectively control external conditions to bring the system back to a safe state.  The important part is implementing the sequence of events that most immediately protects personnel, and reflecting this priority when designing logic circuits, writing code sequences, and assigning alarm priorities.

5. Document, Document, Document! - even in today's age of natively digitized design, system documentation and knowledge transfer still often fall short.  Simply put, engineers must definitively document all process control functions, specifications, and nuances, especially those involving safety.  Documentation helps other supporting engineers maintain the system's original safety functions, and stands as the foundation that all future system changes should be built upon so that no critical safety protections are lost.

6. Test and Train, Often - continuing our above point, documentation is indeed the foundation that systems should be built upon, but only thorough, ongoing testing and training keep the control system standing tall.  Safety Instrumented Systems require frequent physical confirmation that automatic reactions work to protect against hazards, and we can apply this same expectation to non-SIS processes for the same reason.  Further, conducting training during these fail-state tests gets operators familiar with how the system responds to safety events, amplifying each person's resilience in managing through a hazardous situation.
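As an added illustration, not code from this article or from Whitman Controls, the following Python sketch ties the storage tank SIS example above to items 2 and 4: a normally-closed level switch wired de-energize-to-trip (so a broken wire trips just like a high level), 2oo3 voting across three redundant level transmitters, and the React, Notify, Control ordering of the response.  The setpoint, the input shapes and the action strings are assumed for the example.

```python
HIGH_LEVEL_SETPOINT = 90.0  # percent of tank capacity (assumed value)

def vote_2oo3(readings):
    """Item 2 (redundancy): three level transmitters, trip when two or more vote
    high.  A transmitter reporting None (a fault) votes to trip, so a failed
    device degrades toward the safe state instead of masking a real high level."""
    if len(readings) != 3:
        raise ValueError("2oo3 voting needs exactly three readings")
    votes = sum(1 for r in readings if r is None or r >= HIGH_LEVEL_SETPOINT)
    return votes >= 2

def run_safety_scan(readings, switch_energized):
    """One scan of the dedicated safety layer; returns (tripped, reason, actions).
    switch_energized models the normally-closed level switch circuit from the
    tank example: energized while the level is safe.  A high level opens the
    switch and a broken wire opens the circuit; both read False and trip
    (de-energize-to-trip), so a wiring fault cannot hide a hazard."""
    if not switch_energized:
        reason = "level switch circuit open (high level or wire fault)"
    elif vote_2oo3(readings):
        reason = "2oo3 transmitters vote high level"
    else:
        return (False, "safe", [])
    # Item 4: react first, notify second, then control dependent processes.
    actions = [
        "REACT: de-energize the fill valve solenoid so the valve closes",
        "NOTIFY: sound the beacon and raise a high-priority alarm to operators",
        "CONTROL: interlock the upstream supply pump until a manual reset",
    ]
    return (True, reason, actions)

if __name__ == "__main__":
    # Constructed inputs: healthy scan, one spurious transmitter, a real high
    # level confirmed by two transmitters, and a broken switch wire.
    cases = [
        ("normal", [40.0, 41.0, 40.5], True),
        ("one transmitter spurious", [95.0, 41.0, 40.5], True),
        ("real high level", [95.0, 94.0, 40.5], True),
        ("switch wire broken", [40.0, 41.0, 40.5], False),
    ]
    for name, readings, sw in cases:
        tripped, reason, actions = run_safety_scan(readings, sw)
        print(f"{name}: tripped={tripped} ({reason})")
        for step in actions:
            print("   ", step)
```

Note that a single transmitter reading high does not trip (it is outvoted), while a single failed transmitter plus one genuine high reading does, and that the wire-break case trips without any transmitter reading high at all.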



As a veteran-owned small business, Whitman Controls is dedicated to supplying premium quality, reliable, technologically advanced instrumentation for use in nearly any application. 

Our Bristol, CT manufacturing facility embodies over 40 years of engineering, fabrication, and customer service expertise, serving both end-user and manufacturing customers nationwide through direct and distribution channels. 

Our values drive us to provide the highest level of servant partnership that you can find.  To discuss your applications or to learn more about our capabilities, please contact us at (800) 233-4401, via email at [email protected], or online at www.whitmancontrols.com