EMERGENCY SHUTDOWN SYSTEMS (ESS) / SAFETY INSTRUMENT SYSTEM (SIS)
SIS is typically implemented using Safety PLC (Programmable Logic Controllers). As the name suggest, it can be programmed so that logic implementation becomes significantly easier as compared to electrical-mechanical relays or solid state relays. The exception would be very small systems (low I/O count) where relay-based, solid state, pneumatic control may still be more cost effective.
As in general purpose PLC, Safety PLC is made of process module (CPU), input module, output modules and communication modules. The key differences are that the Safety PLC is typically:
Designed to eliminate known fail to dangerous modes
To achieve this, self-diagnostics with high coverage factor is highly essential
Redundancy are often used to prevent or control dangerous failure modes
Most of all, its imperative to have independent third party testing and verification in compliance to IEC61508 standard
For the process industry, the SIS usually watches over the process for anomalies. Under normal process condition, SIS is analogous to a watch dog quietly looking out for intruders. Since it is reasonable to state that all process plants are designed for continuous production rather than to trip, the SIS is normally dormant for its entire life cycle. However, everything fails in the end, it’s only a matter of time. When it does and process upset occurs, can the SIS operate on demand to safeguard personnel, plant asset and the environment? After all, this is the primary objective of the SIS.
SIS has to be designed to stringent safety performance criteria to weed out covert faults that might lead to failure on demand. This performance measure is technically defined by IEC61508/61511 as PFD (Probability to Fail on Demand). Alternatively, it can be translated to Safety Availability or RRF (Risk Reduction Factor).
So when does one decide if SIS is required? SIS will be implemented where the process hazard analysis exposes a gap between left-over risk after applying process design, mechanical and other non-SIS measures to reduce risk. As a result of iteration of this analysis for all potential hazards, SIFs are identified as a protective measure. SIF shutdown/interlock logic is typically represented in the form of cause and effect matrix (CEM) from Process Narratives and P&IDs. Each SIF is usually consists of a set of sensor(s) that watches process conditions for process upsets and initiates the relevant protective function. Additional operator switches and bypasses are also reflected as conditions to executive the outputs. These functions include alarming, tripping of valves and equipments, shutting down of process units and plant.
Some main considerations when designing SIS:
Knowing the targeted SIL for each SIF
Good understanding of the SIF (Safety Instrumented Function)
Choice of logic solver (Safety PLC) architecture: 1oo1D, 1oo2D, 2oo3 etc.
Choice of sensors and final elements, e.g. SIL-rated transmitter, partial stroking tested valves
Application of sensors, logic solver (Safety PLC), final elements shall abide strictly to the Safety Manual guidelines referenced in the Safety Certification
Verification of SIL on finalized design
Spurious trip rates
Online repair and changes flexibility
Ease of trouble shooting and maintenance
Proof test frequencies and procedures
There are many more details to be taken care of and so this list is not meant to be exhaustive but a sampling only. Other enhancement features that are not safety related but support plant operations are:
Communications to BPCS (or DCS) and subsystems
Integration into DCS without compromising functional safety and independence
Need for Operator Interface e.g. Graphics on DCS, independent HMI, Annunciator, Sequence of Event Recorder
Fieldbus/Hart transmitter accessibility
Overall foot print of Cabinets on system and marshalling
For the process industry, safety has always been high on the agenda. Whenever complacency takes the driver’s seat, nature has a way of reminding us by way of industrial accidents or near misses.
With the ratification of IEC61508 and subsequently IEC61511, functional safety has become more performance oriented than just good practices or prescriptive rules. However, many other issues arise as performance measures leave plenty of room for value judgement and imagination. These issues are being fervently debated, most constructively, some being revisited, and some better understood as a result.
The offshore industry is still predominantly based on API RP 14C (Recommended Practice for Analysis, Design, Installation and Testing of Basic Surface Safety Systems for Offshore Production Platforms) where guidelines on safety functions are of prescriptive nature. However IEC 61508 has gradually being referenced particularly its risk based approach to functional safety. First things first, the Safety Integrity Level of the Safety Instrumented Functions (SIF) has to determined prior to detail design specification, engineering and procurement of the SIS. Simply specifying an SIS to SIL 2 or 3 may lead to more questions than it answers.
Broadly speaking, the onshore/downstream industry primarily comprising Petrochemical plants and Refineries is the early adopters of the IEC 61508/61511 standard (for structural reasons more than willingness). Even then, these leaders of the pack are still wrestling with the application and practicality of IEC 61508 and IEC 61511 (specific function safety standard for the process industry) and will take awhile before ‘best practices’ in terms of applying these standards becomes a common place. In the meantime, SIS will continue to be implemented to meet its primary goal of protecting personnel, plant assets and the environment perhaps under various names such as:
SGS (Safeguard System)
IPS (Instrumented Protective System)
ESD (Emergency Shutdown System)
SDS (Shutdown System)
ESS (Emergency Shutdown System)
SRS (Safety-related System)
PES (Programmable Electronic System)
ICSS (Integrated Control and Safety System, of which SIS is part of)
SIS (of course)