Emerson’s Mike Boudreaux has been receiving great questions on process safety and the IEC 61511 global safety standard during some of the recent Safety Lifecycle Seminars. He’s written a post to address one of them:
A very common topic of discussion is the sharing of field devices between the basic process control system (BPCS) and the safety instrumented system (SIS).
I have previously contacted Len Laskowski for his thoughts on questions about sharing SIS sensors with the BPCS. His initial response was:
The questions are good ones. They show an understanding of what is possible with today’s technology. The answers to these questions are not straightforward unless one is looking for NO as an answer. A subject like this is sure to be controversial and there are probably as many opinions as there are experts and a chapter in a book might not do justice to the subject.
For many existing installations in the process industries, sensors and valves are being shared by the BPCS and SIS. There is a wide variety of ways that this can be done, but the traditional method for sharing sensor data is to use signal splitters and wire the same sensor to both the SIS and the BPCS. Another approach uses modern integrated control and safety systems (ICSS) like DeltaV and DeltaV SIS, where the logic solver directly shares the input signal data with the process controller. This is sometimes done to reduce the number of field devices installed in the process, which reduces installation costs, wiring, and piping design complexity, and sometimes reduces fugitive emissions.
IEC 61511-1 provides some guidance in clauses 11.2.4, 11.2.9, and 11.2.10. In summary, the standard says:
- The BPCS and the SIS should be designed to be separate and independent, but SIS devices may be used for BPCS functions if it can be shown that a failure of the BPCS does not compromise the integrity of the SIS.
- A SIS device shall not be used by the BPCS for control if device failure results in a failure of the BPCS and causes a demand on the SIF, unless an analysis has been carried out to confirm that the overall risk is acceptable.
- If a shared component has a dangerous failure, a demand will be created for which the SIS may not be able to respond. Analysis should ensure that the dangerous failure rate of shared components is sufficiently low.
A process fired heater at a refinery had only one flow transmitter on the process fluid flow. The flow sensor was being used for both process flow control and for low-flow shutdown to prevent overheating of the flow tubes inside the heater. The refinery was in a cold environment and so the flow sensor had an insulating cover to prevent freezing of the fluid in the impulse lines.
One day, the insulation fell off, the impulse lines froze, and the flow measurement was stuck at the same reading. This became a problem when the operator reduced the setpoint to a lower level. Because the measured value never moved toward the new setpoint, the flow controller exhibited reset windup and closed the control valve, cutting off flow to the heater. Because the SIS was using the same frozen measurement for its low-flow shutdown logic, it never saw the low flow and the heater did not trip. In a short amount of time, the hydrocarbon in the process flow tubes overheated and an explosion occurred.
This example illustrates the fact that hardware fault tolerance is important when using the same sensors for both control and safety. Hardware fault tolerance can improve the reliability of the SIS and the BPCS, so that you won't lose control or safety integrity when a single device fails. There are two basic options here: two sensors with 1oo2 or 2oo2 voting, or three sensors with 2oo3 voting, in the SIS, combined with signal selection in the BPCS. There are other options, such as 2oo2D, as Maruti Dey presented at Emerson Exchange 2010. The idea here is that overall reliability can be improved by sharing the hardware fault tolerance between the SIS and the BPCS.
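To make the heater scenario and the 2oo3 plus signal-selection remedy concrete, here is a small constructed simulation. It is an added example, not code from the post or from Emerson/DeltaV; the flow profile, trip point and discrepancy limit are assumed illustrative values, and transmitter A plays the role of the frozen impulse line.

```python
"""Constructed simulation: one transmitter frozen, three architectures compared."""
from statistics import median

LOW_FLOW_TRIP = 50.0     # assumed low-flow trip point (engineering units)
DEVIATION_LIMIT = 10.0   # assumed transmitter-discrepancy alarm limit


def select_for_control(readings):
    """BPCS signal selection: the median of three transmitters ignores a single
    reading that is frozen high or low, so the controller sees the real flow."""
    return median(readings)


def vote_1oo1_low_flow(reading, trip=LOW_FLOW_TRIP):
    """Single shared transmitter: the SIS trips only on that one reading."""
    return reading < trip


def vote_2oo3_low_flow(readings, trip=LOW_FLOW_TRIP):
    """SIS 2oo3 voting: trip when at least two of three transmitters read low."""
    return sum(r < trip for r in readings) >= 2


def discrepancy_alarm(readings, limit=DEVIATION_LIMIT):
    """Diagnostic: index of every transmitter more than `limit` from the median.
    A frozen transmitter becomes a detected fault instead of a hidden one."""
    m = median(readings)
    return [i for i, r in enumerate(readings) if abs(r - m) > limit]


def run_scenario(true_flow, frozen_value):
    """Transmitter A is stuck at `frozen_value` (iced impulse lines); B and C track
    the process. Returns (step at which 1oo1 on A trips or None,
    step at which 2oo3 trips or None, control PV seen by the BPCS per step)."""
    trip_1oo1 = trip_2oo3 = None
    pv_trace = []
    for step, flow in enumerate(true_flow):
        readings = [frozen_value, flow, flow]   # constructed: B and C read true flow
        pv_trace.append(select_for_control(readings))
        if trip_1oo1 is None and vote_1oo1_low_flow(readings[0]):
            trip_1oo1 = step
        if trip_2oo3 is None and vote_2oo3_low_flow(readings):
            trip_2oo3 = step
    return trip_1oo1, trip_2oo3, pv_trace


# Constructed profile: setpoint lowered, flow falls, then the control valve
# closes fully on the frozen PV and flow collapses to zero.
FLOW_PROFILE = [100, 90, 80, 70, 60, 45, 30, 10, 0]
```

With the frozen transmitter reading 100, the single shared sensor never trips while 2oo3 trips as soon as the real flow drops below the trip point, and the discrepancy alarm points at transmitter A.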
Another traditional method is to install a SIS solenoid on the air supply to a control valve. If a safety demand occurs, then the SIS solenoid would actuate and close the valve. The problem with this approach is that the safety demand might be a result of the control valve being stuck. Therefore, the initiator for the event is failure of the same valve that is being relied on for safety shutdown. In this case, the SIS would not be able to bring the process to a safe state and the hazardous event would progress without protection.
For this reason, hardware fault tolerance at the valve level is needed. It doesn't make sense to have two control valves in series, so you typically end up with a BPCS control valve and a separate SIS shutdown valve. In this case you might also consider adding a SIS solenoid on the control valve for added reliability. However, this increases cost and complexity and can have unwanted impacts on overall reliability.
The key point here is that whatever you choose to do, you need to do the risk analysis to confirm that you are not negatively impacting the demand rate on the SIS and that the overall dangerous failure rate meets your risk reduction requirements. This sounds easy, but it can become very complicated and often cannot be performed using a typical layer of protection analysis (LOPA) method.
Instead, Markov modeling and other more rigorous quantitative analysis methods must be used. This can be very expensive and in some cases, the cost of the analysis can outweigh the savings in equipment and installation. The good news is that once you have done this kind of assessment, you can often re-use the analysis across multiple cases.
Len Laskowski provides the following guidance:
On the surface, with today’s technology one can share a transmitter. However, if one does such, they better know how that affects the LOPA study, the SIL calculations and the overall unit operations and of course safety. It is not free. It costs to share the signal and you better understand the costs and safety implications because you can negate the independence and protection of the SIS if done incorrectly. I have seen companies share transmitters between the SIS and the BPCS. It takes a fair amount of homework to do.
You probably need at least 3 transmitters before you consider it. You have to understand what you are doing and how you will affect the overall Safety Life Cycle both from an economic and safety viewpoint. On the surface, it may seem like a capital cost savings and there are times when you need to do it, but be careful; it is not just that simple. It is much easier to analyze and defend a design when the layers of protection have been kept separate and distinct.