Start-up, shutdown and transition actions are often the most dangerous periods of operation in the process industries. Ian Curtis argues that companies could consider reducing the potential for human error by employing automated control through safety permissive sequencing at such times of high risk.
The use of Safety Instrumented Systems (SIS) is common throughout high hazard process industry sectors, particularly in the oil and gas, petrochemical, chemical and power industries. Here, compliance with the functional safety standards IEC 61508 and IEC 61511 is the accepted and preferred method of demonstrating that overall risk has been managed in accordance with the legal requirements facing all companies.
For continuous processes the probability of a hazardous condition occurring is often proportionately greater when the process is in a state of flux such as during start-ups, shutdowns and process transitions.
The safety instrumented systems associated with these processes are often designed around steady-state conditions, but in order to accommodate the non-steady-state transitions, certain safety instrumented functions need to be bypassed or overridden. This is where the potential for risk starts to appear.
It seems incongruous that, just when it is needed most, the SIS in place is temporarily sidelined and we step away from the intent of the functional safety standards, leaving operators not only to deal with the complexities inherent in any process transition but also to perform the SIS function themselves.
For a continuous process plant such transitory states are often infrequent and can be of relatively short duration. In such cases it may be that making the safety instrumented system dynamic enough to provide protection at such higher risk occurrences is deemed to be simply not worth the time and expense involved. The lack of similarity between processes or between the transition state and the steady state may make it too difficult, time-consuming and troublesome to consider and implement an automated SIS solution. In addition, it could be that the operator’s experienced judgment and ability to subjectively assess a complicated situation is seen as essential at such a stage.
However, there is a case for an alternative view in which automation technology supports the operator during such phases. It is clear that the operator in question is likely to experience increased stress levels during a plant transition compared to when the operation is running in a steady state. Whilst plant operators commonly perform their role to the highest standards, human error has nonetheless, after investigation, often been seen to contribute significantly to process safety incidents.
Safety standards limit the amount of risk reduction credit associated with an operator to a factor of 10 in a best case scenario (ie 10 per cent probability of failure on demand). Research shows that for tasks which are more complex, performed seldom and carried out in an unfamiliar situation, the likelihood of human error and system failure is greatly increased - especially in the type of highly stressful situation that could lead to a hazardous and potentially life threatening incident.
In essence, as operators are walking the process transition tightrope they are being asked to remove their own safety net by applying bypasses and overrides to the safety systems in place and this to my mind does not make sense.
The lack of similarity between a transition state and steady state may mean that the basic process control system is less effective as a protection layer. A good example is loop tuning for loops in the steady state which may not work so well when the process is out of its normal operating range. All the more reason to not disable the existing safety instrumented systems in place.
It may be a challenge to cope with differing processes and scenarios whilst capturing the knowledge and experience of the best operators and embedding it within the SIS, but it could be argued that such efforts are worth it in the end if it makes process plants safer.
The dynamic nature of a transition state shouldn’t support the argument for not automating such phases - if anything I would argue it helps make a sound case for why companies should undertake the opposite approach. If businesses can document a start-up procedure for an operator, then with the range of new tools for configuring SIS logic they can surely take this a step further and add key elements of automation to give the operator both back-up and certainty during such a critical phase of a process plant’s operation. Of course, the operator still has an important part to play, but by restoring the integrity of the SIS as an independent protection layer (IPL), companies can clearly make their plants safer, as well as removing unnecessary burdens and pressures on plant operators.
The key to effective knowledge capture is to involve the operations staff at the earliest possible stage of the project so they can play a full part in defining the requirements for the transition logic during the SIS development so it is fully incorporated in the safety lifecycle - rather than as an add-on at the end of the project.
Permissive sequencing is a tool that can help implement such additional logic so that the safety instrumented system steps beyond the steady state and plays a central role in maintaining safety through all the phases of the operation.
Keeping it simple is one of the key tenets of functional safety so implementation of permissive sequencing needs to be possible without introducing additional levels of complexity. The advent of new SIS configuration tools now makes it practical for the safety instrumented systems to participate actively in the important, but potentially problematic process transitions.
The key underlying requirements for tools to implement a permissive sequencing solution are that they be dynamic enough to cope with a degree of complexity, but simple enough to be self-documenting and easy for the operator to understand.
Permissive sequences for start-ups, shut downs and transitions share some common characteristics. Automated tool solutions have to be mindful of:
* Time dependencies.
* Changing variable thresholds or limits.
* Interlocks that vary or may need to be inhibited or overridden.
The cause and effect diagram is often used as a method for documenting SIS logic requirements. It has the advantage of being readily understood by process engineers, C&I engineers and operators alike. By extending this methodology and using it directly as a configuration 'language' to both directly create logic and automatically generate the operator interface, both cost and risk can be reduced. By extending this cause and effect concept still further to accommodate the requirements of permissive sequencing, the SIS can also effectively manage key aspects of safety during process transition states providing valuable backup to the operator in a safe and effective manner.
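The three characteristics listed above, and the idea of using the cause and effect matrix directly as the configuration language, can be sketched in code. The following is an added illustration written for this page, not the article's or Siemens' logic: a toy cause and effect matrix whose rows carry the phases in which they are live (so an interlock such as flame failure is inhibited by design during purge and light-off rather than by a manual bypass), and a sequencer that advances a constructed fired-heater start-up (purge, light-off, run) only when each step's permissive window has held continuously for a minimum time. All tag names, limits, hold times and the scan trace are invented.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Cause-and-effect matrix rows, extended with the phases in which each row is live.
# A row outside its phases is inhibited by the logic itself, not by an operator bypass.
@dataclass(frozen=True)
class Row:
    tag: str                # measured variable (constructed tag names, not a real plant)
    high: bool              # True: cause is PV > limit; False: cause is PV < limit
    limit: float
    effect: str             # protective action demanded when the cause is true
    phases: FrozenSet[str]


def active_effects(matrix: List[Row], phase: str, pv: Dict[str, float]) -> List[str]:
    """Evaluate only the rows that apply in `phase`; return demanded effects in matrix order."""
    effects: List[str] = []
    for row in matrix:
        if phase not in row.phases:
            continue
        value = pv[row.tag]
        cause = value > row.limit if row.high else value < row.limit
        if cause and row.effect not in effects:
            effects.append(row.effect)
    return effects


# A permissive step: every listed tag must sit inside its window continuously for hold_s seconds.
@dataclass(frozen=True)
class Step:
    name: str
    phase: str                                # selects which matrix rows are live
    windows: Dict[str, Tuple[float, float]]   # tag -> inclusive (low, high) window
    hold_s: float                             # time dependency before the step may advance


class Sequencer:
    def __init__(self, matrix: List[Row], steps: List[Step]) -> None:
        self.matrix, self.steps = matrix, steps
        self.index = 0
        self.hold_start: Optional[float] = None  # time the current permissive first became true
        self.latched: List[str] = []             # trips latch until an explicit reset (not modelled)

    @property
    def step(self) -> Step:
        return self.steps[self.index]

    def scan(self, t: float, pv: Dict[str, float]) -> Dict[str, object]:
        """One logic-solver scan at time t (seconds): trips first, then the step permissive."""
        for effect in active_effects(self.matrix, self.step.phase, pv):
            if effect not in self.latched:
                self.latched.append(effect)
        if self.latched:
            return {"step": self.step.name, "effects": list(self.latched), "advanced": False}
        permissive = all(lo <= pv[tag] <= hi for tag, (lo, hi) in self.step.windows.items())
        if not permissive:
            self.hold_start = None               # any excursion restarts the hold timer
            return {"step": self.step.name, "effects": [], "advanced": False}
        if self.hold_start is None:
            self.hold_start = t
        advanced = False
        if t - self.hold_start >= self.step.hold_s and self.index < len(self.steps) - 1:
            self.index += 1                      # advance only on a proven, timed permissive
            self.hold_start = None
            advanced = True
        return {"step": self.step.name, "effects": [], "advanced": advanced}


def build_demo() -> Sequencer:
    """Constructed fired-heater start-up (purge, light-off, run); tags and limits are made up."""
    matrix = [
        Row("PT_FUEL", True, 5.0, "CLOSE_FUEL", frozenset({"purge", "light_off", "run"})),
        Row("FT_AIR", False, 20.0, "CLOSE_FUEL", frozenset({"light_off", "run"})),
        # Flame failure is meaningful only once a flame should exist, so the row is live in
        # "run" only; a steady-state-only design would have needed a manual bypass here.
        Row("BS_FLAME", False, 1.0, "CLOSE_FUEL", frozenset({"run"})),
        Row("TT_OUT", True, 400.0, "TRIP_HEATER", frozenset({"purge", "light_off", "run"})),
    ]
    steps = [
        Step("purge", "purge", {"FT_AIR": (40.0, 200.0), "PT_FUEL": (0.0, 0.5)}, hold_s=30.0),
        Step("light_off", "light_off",
             {"FT_AIR": (20.0, 200.0), "PT_FUEL": (1.0, 4.0), "BS_FLAME": (1.0, 1.0)}, hold_s=5.0),
        Step("run", "run", {}, hold_s=0.0),
    ]
    return Sequencer(matrix, steps)


def run_demo() -> List[Dict[str, object]]:
    """Scan a constructed start-up trace and return the sequencer's verdict at each scan."""
    seq = build_demo()
    trace = [
        (0.0,  {"FT_AIR": 60.0, "PT_FUEL": 0.2, "BS_FLAME": 0.0, "TT_OUT": 50.0}),   # purge begins
        (15.0, {"FT_AIR": 30.0, "PT_FUEL": 0.2, "BS_FLAME": 0.0, "TT_OUT": 50.0}),   # air dips: timer resets
        (20.0, {"FT_AIR": 60.0, "PT_FUEL": 0.2, "BS_FLAME": 0.0, "TT_OUT": 50.0}),   # purge timer restarts
        (50.0, {"FT_AIR": 60.0, "PT_FUEL": 0.2, "BS_FLAME": 0.0, "TT_OUT": 50.0}),   # 30 s proven: light-off
        (53.0, {"FT_AIR": 60.0, "PT_FUEL": 2.0, "BS_FLAME": 1.0, "TT_OUT": 120.0}),  # flame seen, proving starts
        (58.0, {"FT_AIR": 60.0, "PT_FUEL": 2.0, "BS_FLAME": 1.0, "TT_OUT": 200.0}),  # 5 s proven: run
        (60.0, {"FT_AIR": 60.0, "PT_FUEL": 2.0, "BS_FLAME": 0.0, "TT_OUT": 250.0}),  # flame lost in run: trip
        (61.0, {"FT_AIR": 60.0, "PT_FUEL": 2.0, "BS_FLAME": 1.0, "TT_OUT": 250.0}),  # trip stays latched
    ]
    return [seq.scan(t, pv) for t, pv in trace]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

Two design points carry the article's argument: the phase set on each matrix row is the only place an interlock is ever inhibited, so the "bypass" is documented in the same table the operator already reads, and the hold timer means a step cannot be forced through by a momentary good reading. A missing or bad-quality input, which a real logic solver would treat as a trip, is not modelled here.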
Modern SIS configuration tools are ideally suited to the task of helping automate start-up and shutdown sequences at process plants, as is already commonly witnessed through their extensive use within burner management systems. This practice should be extended further to other processes because of the over-riding and inherent safety benefits which can be achieved by producing an all-encompassing approach to process plant safety - whether in start-up, shut-down, transition or in steady state.
Reference: Permissive Sequencing and ISA 84 - The Shape of Things to Come. Gene Cammack, PE; Francisco Sanchez, PDVSA; and Luis M. Garcia G., CFSE, Siemens Energy & Automation, Houston, Texas, 2008.
Ian Curtis is with Siemens Industry Automation & Drive Technologies.