At last week’s Emerson Exchange, I had the chance to catch one of my favorite presenters, Mike Schmidt, who is a principal SIS consultant in Emerson’s refining and chemical industry center. What makes him a favorite is that he can really simplify concepts around process safety and safety instrumented systems (SIS) and make them easy to understand for those of us not steeped in safety. He also adds a touch of humor to keep the audience engaged and having fun while learning about the serious subject of process safety.
Mike co-developed the presentation, “What About…Using Bypasses, DBB, and Other Process Features in Safety Instrumented Functions”, with Emerson process safety engineer Tim Forbis. Their abstract:
There are special design concerns when process features like double-block-and-bleed and isolation-and-bypass valve configurations are included in safety instrumented functions (SIFs). This talk addresses these concerns and also gives guidance on considerations for performing safety integrity level (SIL) verification calculations when incorporating these and other process design features in SIFs.
Mike provided guidance on four process examples including pump and discharge valve, multiple inlets (to a tank or vessel), double block and bleed, and unit bypass and isolation.
Let’s take the first example from the presentation: a pump and discharge valve. The safe state is stopping the flow by closing the discharge valve. The complication is that the pump continues to run, causing a “deadhead” condition against the closed valve and risking pump damage. The typical function of the basic process control system (BPCS) is to stop the pump if the discharge valve is not open.
Mike and Tim’s recommendation was not to include the pump in the SIF for several reasons including:
- Pump damage is not the hazard being protected against
- Pump damage does not warrant SIL-rated protection
- Less complexity means a better spurious trip rate
- Pump stop may not contribute to the SIF’s purpose, which is stopping flow
- Fewer components decrease cost, both the initial investment and the operating cost
Now, if deadheading the pump is a hazard in its own right, use a separate SIF with hazard-specific trip conditions. For instance, if the deadhead condition causes the pump to leak, leading to a fire, then you must mitigate that risk. Or, if the pump stop is included in the SIF as a redundant means to stop flow, then trip it on the same condition as the discharge valve. A separate trip condition based on valve action adds complexity and cost, compromises independence, and results in a worse average probability of failure on demand (PFDavg) and mean time to failure spurious (MTTFS).
A final consideration Mike shares is that if your logic solver, such as DeltaV SIS, has sequencing capabilities, the safety logic should stop the pump first and then close the valve.
The other cases also present recommendations and counter-recommendations based on the circumstances of the hazard to be mitigated. Mike’s key takeaways for the audience are that the actions for the SIFs may need to be different from the actions for process control in the same process. Also, the final control elements in the SIFs should be limited to those needed to accomplish the purpose of each SIF.
Adding more than is required increases the probability of failure on demand, increases spurious trips, increases investment costs, and increases ongoing operating and maintenance costs.
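To put numbers behind the pump-and-discharge-valve discussion above and the general takeaway, here is an added worked example (not from the presentation or from Emerson) using the simplified ISA-TR84.00.02-style SIL verification equations. The failure rates and the one-year proof-test interval are constructed values, and common-cause failure and repair time are ignored as a simplifying assumption.

```python
# Simplified SIL-verification arithmetic for the pump-and-discharge-valve SIF.
# Constructed failure rates (per hour) and test interval; not vendor or plant data.
HOURS_PER_YEAR = 8760.0

def pfd_avg(lambda_du, arrangement, ti_hours):
    """Average probability of failure on demand for the final elements.

    Simplified equations: proof-test interval only, common-cause failure and
    repair time ignored (an assumption for this example).
    'all_required': every element must act to reach the safe state (2oo2-like).
    'any_sufficient': one acting element is enough (1oo2-like, two elements).
    """
    if arrangement == "all_required":
        return sum(lambda_du) * ti_hours / 2.0
    if arrangement == "any_sufficient" and len(lambda_du) == 2:
        return lambda_du[0] * lambda_du[1] * ti_hours ** 2 / 3.0
    raise ValueError("unsupported arrangement")

def mttfs_years(lambda_s):
    """Mean time to failure spurious. Any element acting on its own stops flow,
    so spurious rates add in both arrangements."""
    return 1.0 / (sum(lambda_s) * HOURS_PER_YEAR)

def sil_from_pfd(pfd):
    """Map PFDavg to the IEC 61511 SIL band (3 means SIL 3 or better, 0 below SIL 1)."""
    for sil, upper_limit in ((3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper_limit:
            return sil
    return 0

def compare(valve, pump, ti_hours=HOURS_PER_YEAR):
    """Return {design: (PFDavg, SIL, MTTFS in years)} for the three designs discussed."""
    cases = {
        "valve only": ([valve], "all_required"),
        "valve + pump stop, both required": ([valve, pump], "all_required"),
        "valve + pump stop, either suffices": ([valve, pump], "any_sufficient"),
    }
    results = {}
    for name, (elements, arrangement) in cases.items():
        pfd = pfd_avg([e["du"] for e in elements], arrangement, ti_hours)
        results[name] = (pfd, sil_from_pfd(pfd), mttfs_years([e["s"] for e in elements]))
    return results

# Constructed rates: dangerous-undetected (du) and safe/spurious (s), per hour.
VALVE = {"du": 2e-6, "s": 1e-6}
PUMP_STOP = {"du": 1e-6, "s": 2e-6}

if __name__ == "__main__":
    for name, (pfd, sil, mttfs) in compare(VALVE, PUMP_STOP).items():
        print(f"{name:36s} PFDavg={pfd:.2e}  SIL {sil}  MTTFS={mttfs:.0f} years")
```

With these numbers the valve alone meets SIL 2; adding the pump stop as a second required element drops the SIF to SIL 1 and cuts MTTFS from about 114 to 38 years, while adding it as a redundant element improves PFDavg but still pays the same spurious-trip penalty.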
Update: One of the great suggestions from a customer (thanks Rich!) at last week’s Emerson Exchange was that I should consider recording the blog for those with long commutes. I thought we’d give it a whirl, so here is today’s post in podcast form. Next step will be to figure out how to get it to iTunes… stay tuned!