State of the Art IEC 61511 Gives Manufacturers the Ability to Identify Process Hazards and then Create Safeguards to Protect the Facility
“The fact you have had 20 years without a catastrophic event is no guarantee that there won’t be one tomorrow.” — Professor Andrew Hopkins, Australian National University.
By Gregory Hale
There is a phrase people use, called “Monday Morning Quarterbacking,” which essentially means with more knowledge, things could have been different. Whether you are talking about the big game on Sunday or some issue at home or at work, there is no doubt increased knowledge and understanding can truly put everything in perspective.
That same phrase can also apply to some of the major catastrophes that hit the industry.
Take the December 2005 Buncefield disaster in the United Kingdom, where a fuel storage tank overfilled and caused a massive explosion. When you look back, a high-level switch should have detected the tank was full and shut off the supply, but it failed to operate. That switch failure should have triggered an alarm, but that also failed. Forty-one minutes later, 300 metric tons of unleaded fuel spilled through the roof vents, down the side of the tank, onto the ground inside the semi-enclosed compound surrounding several tanks. By 6:01 a.m., the first explosion occurred.
At BP’s Texas City Refinery, a disastrous explosion occurred in March 2005 in an isomerization unit at the site, resulting in 15 deaths and at least 170 injuries. The end result was workers overfilled the raffinate splitter with liquid, which led to an overheating of the liquid and the subsequent overpressurization and pressure relief according to a report issued after the accident. Hydrocarbon flow to the blowdown drum and stack overwhelmed it, resulting in liquids carrying over out of the top of the stack, flowing down the stack, accumulating on the ground, and causing a vapor cloud, which ended up igniting because a contractor left his pickup truck engine running.
Those are just two cases of massive billion-dollar disasters that were, upon further review, all preventable.
That is also why over the years, the recommendations from the Texas City oil refinery and Buncefield oil storage and transfer depot incident reports have accelerated the adoption of the IEC 61511 safety standard to a point where it is widely accepted as the state of the art.
A Process Standard
In short, IEC 61511 focuses on the process control environment, and it covers the design and management requirements for safety instrumented systems (SISs) from cradle to grave. The standard’s scope includes initial concept, design, implementation, operation, and maintenance through to decommissioning. It starts in the earliest phase of a project and continues through startup. It contains sections that cover modifications that come later, along with maintenance activities and the eventual decommissioning activities.
“The 61511 standard gives you a systematic way to assess the risk at a plant. All the other benefits flow after that,” said Chris O’Brien, CSFE, and partner at exida, a safety and security services provider and author of the book, Final Elements and the IEC 61508 and IEC 61511 Functional Safety Standards.
“Process safety is about identifying process hazards in the environment and creating safeguards to prevent them from happening,” said Mike Boudreaux, Director, Platform Business Development at Emerson Process Management.
“In the process automation environment, accidents don’t happen because someone made a mistake, a piece of equipment failed, a procedure wasn’t followed, or someone or somebody made a bad decision,” Boudreaux said. “Typically, just one of those problems wouldn’t cause a catastrophic failure. Rather, it is usually a combination of all of those happening at the same time. People did not follow procedures, equipment failed, and somebody made a bad decision and didn’t recognize the environment in which the decision was made. It all happens at the same time.”
To alleviate that problem, users need to understand, apply, and execute standards that can keep their environment as safe as possible. That is where IEC 61511 comes in.
The standard consists of three parts:
1. Framework, definitions, system, hardware and software requirements
2. Guidelines in the application of IEC 61511-1
3. Guidance for the determination of the required safety integrity levels (SIL).
IEC 61511 requires a management system for a SIS, which consists of a separate and independent combination of sensors, logic solvers, final elements, and support systems designed and managed to achieve a specified SIL. Additionally, there are four discrete integrity levels associated with SIL: SIL 1, SIL 2, SIL 3, and SIL 4. The higher the SIL level, the higher the associated safety level. As the SIL level increases, typically, the installation and maintenance costs and complexity of the system also increase. For the process industries, SIL 4 systems are so complex and costly they are not economically beneficial to implement.
A SIS may implement one or more safety instrumented functions (SIFs), which you can design and implement to address a specific process hazard or hazardous event. The SIS management system should define how operators intend to assess, design, engineer, verify, install, commission, validate, operate, maintain, and continuously improve the SIS. There should be a definition of the essential roles of the various personnel assigned responsibility for the SIS, and then they should develop procedures to support the consistent execution of their responsibilities.
IEC 61511 uses an order of magnitude metric, the SIL, to establish the necessary performance.
A hazard and risk analysis can identify the required safety functions and risk reduction for specified hazardous events. Safety functions allocated to the SIS are safety instrumented functions; the allocated risk reduction relates to the SIL. The design and operating basis ensures the SIS meets the required SIL. Field data collect through operational and mechanical integrity program activities to assess actual SIS performance. When the required performance is not what it could be, an action needs to take place to close the gap and ensure safe and reliable operation.
In today’s process control environment, answers do not come in simple equations, but reality often boils down to two factors: Safety and costs. SISs need to cost-effectively integrate with control systems and provide less frequent proof testing and scalable architectures.
“The benefit of 61511 is it gives you guidance so you can focus your activities on what needs to be done,” O’Brien said. “You can properly define where you can find the best areas to spend money. The quantitative aspect allows you to target the money to the right area. You can design the risk reduction to the proper areas.”
In essence, O’Brien said, the standard forces the user to look at the entire process to see where the true risk lies and not over design the system, so the company is not spending too much in one area and not enough in another.
Users also need increased capability to modify alarm limits based on process conditions and orderly shutdown procedures in case of an emergency.
A protective system needs to address overall health of safety loops by incorporating the checking of field devices into its overall design.
Consequently, the ability to provide an integrated safety solution from sensor to actuator should be an important criterion when selecting a SIS.
Suppliers are now offering similar systems for control and SIS where they use similar configuration procedures, programming languages, and maintenance procedures. The two systems communicate with each other but with adequate protection from corruption of one by the other.
“Process manufacturers are realizing the benefits of an integrated control and safety system (ICSS), Boudreaux said. “Existing single-vendor ICSS platforms have shown that an integrated system can meet the IEC 61511 requirements for independence, diversity, physical separation, and common-cause failures between protection layers.”
In addition, “business needs for lower engineering and lifecycle costs, reduced training and maintenance expenses, and improved asset and event management will continue to drive the trend of ICSS adoption as the preferred solution for process manufacturers,” Boudreaux said.
Sometimes, however, unless an assessment has gone on beforehand, systems don’t always work well together.
Take the case of one refinery at which a process fired heater had only one flow transmitter on the process fluid flow. The manufacturer used the flow sensor for process flow control and for low-flow shutdown to prevent overheating of the flow tubes inside the heater. The refinery was in a cold environment, so the flow sensor had an insulating cover to prevent freezing of the fluid in the impulse lines.
One day, the insulation fell off, the impulse lines froze, and the flow measurement remained stuck at the same reading. This became a problem when the operator reduced the setpoint to a lower level. The flow controller exhibited reset windup and closed the control valve, cutting off flow to the heater. Because the SIS was using the same measurement for the low-flow shutdown logic, the heater did not trip. In a short amount of time, the hydrocarbon in the process flow tubes overheated, causing an explosion.
The key point here is the user needs to do a risk analysis to confirm there is no negative impact on the demand rate for the SIS, and the overall dangerous failure rate meets risk reduction requirements. This sounds easy, but it can become very complicated.
When anyone starts a safety discussion, the idea of conducting a risk analysis usually comes into play. After all, in an inherently dangerous process, the level of risk is constantly evident.
Assessing risk means looking at the combination of probability and the severity of an unplanned event. That is, how often can it happen and how bad is it when it does? Examples of events and their associated risks in manufacturing operations include loss of life or limb, environmental impact, loss of capital equipment, and loss of production.
Loss of company image can also be a significant risk factor. Add to these issues the realities of increased environmental awareness, regulatory concerns, and the threat of litigation, and it is easy to see why risk reduction is an important factor for manufacturers.
The best way to reduce risk in a manufacturing plant is to design safe processes. While safety is always the goal, incidents do happen. Risks prevail wherever there are hazardous or toxic materials stored, processed, or handled.
Since it is impossible to eliminate all risks, a manufacturer must agree on a level of risk considered tolerable. After identifying the hazards, a manufacturer should perform a hazard and risk study to evaluate each risk situation by considering likelihood and severity. The user needs to weigh site-specific conditions, such as population density, in-plant traffic patterns, and meteorological conditions during the evaluation.
Certification Speeds Implementation
Manufacturers are responsible for designing and implementing safety systems that ensure a tolerable level of risk throughout the plant’s lifetime. In addition, manufacturers now have fewer engineering resources than they once did to address these regulations, standards, and other issues.
What helps get a manufacturer through the process is selecting technology and the right integration team to implement that technology. A manufacturer’s main focus is to keep making product; they don’t want to lose focus on their main priority. That is why users have to take a smart approach to safety with a wide range of field devices and logic solvers that are SIL-rated and independently certified by a third party. Essentially, they know when they get the equipment, it is ready to go.
“Improved device diagnostics are being driven by technology advancements in microprocessors and device design,” Boudreaux said. “Diagnostics reduce the dangerous undetected failure rates for devices. Automated online proof testing and device diagnostics will deliver safer systems because failures will be detected whenever they occur. For the diagnosed failures in field devices, digital communications will send device status information to the logic solver so the process can continue running safely while the device is repaired.”
When users are looking at safety requirements, they should look for any advantage they can get to save time and money. Here are some advantages to look for:
• Certification for use in SIL 1, 2, and 3 applications
• Flexible, modular, scalable, redundant and networked architecture for applications of any size, anywhere
• TÜV certified safety function blocks that simplify safety-logic development
• Non-intrusive simulation for comprehensive testing of safety logic before deployment
• Easy-to-use engineering tools and operator interface for safety and control systems
• Synchronized control system and SIS time and event collecting
• Intelligent alarm management
• Bypass management during startup sequences
• Automated performance monitoring, testing, and documentation
The beauty of internationally accepted 61511 is no matter where you go in the world, that one standard holds court and allows for accepted best practices for implementing the SIS.
O’Brien said the idea users adhere to the standard and consistently apply its parameters is a winning proposition for the industry.
“Depending on the degree of implementation, some look at the standard as a form of triage, where they can find the immediate problem and address it,” he said.
“There is a big learning curve and once you get past that learning curve, people think ‘yeah, that makes sense,’” he said. “They say, ‘I can see why it is important and why we need it.’ This is a significant move in the right direction.”