Latest post

What is Basic Process Control Systems (BPCS) and how to determine Safety Integrity Level (SIL)

What is Basic Process Safety Control Systems (BPCS) and how to determine Safety Integrity Level (SIL)

What is Basic Process Control Systems (BPCS) and how to determine Safety Integrity Level (SIL)


This article provides detail information on Basic Process Control System and step by step approach to determine the Safety Integrity Level with examples.
Before going ahead, we try to understand different terms used in designing of process control systems and in determining Safety Integrity Level.

1. Basic Process Control System (BPCS)

The Basic Process Control System (BPCS) is process control system lies at innermost layer of protection and is the main control system for any modern process, without it, the processes would depend on local operators and controls. It makes process control safer and more efficient and is the main computer system of the operating process which receives information about the process, including pressure, temperature, flow and level transmitters on the system, equipment and output signals to manipulate the position of the controlled valves to ensure that the system continues to operate under desired operating conditions. The basic process control system is designed to keep the process in a safe area.

2. Safety Instrumented System (SIS)

A system made up of sensors, logic solvers and final control elements to put the process in a safe state when programmed conditions are deviated from its intended purpose. This may include emergency shutdown system (ESD), the safety stop system (SSS) and the safety interlock system. The safety instrumented system is an instrument system used to execute one or several instrumented safety functions.

3. Safety Instrumented Function (SIF)

An instrumental safety function (SIF) is defined as a function to be implemented by an SIS that is intended to automatically achieve or maintain a safe status for the process in relation to a specific hazardous event. The SIF is an independent safety loop or interlock that automatically brings the process to a safe state in response to specific initiating events. It consists of a sensor, a logical resolver and a valve called SIF (Safety Instrumented Function).

4. Safety Integrity Level (SIL)

The Safety Integrity Level (SIL) is used to define the reliability of a specific safety instrumented function (SIF) which is implemented by a safety instrumented system. SIL is a risk reduction measure provided by a specific safety instrumented function.

Safety Integrity Level (SIL) is a combination of sensors, a logic solver and final elements which detects dangers and puts the safe process. The safety instrumented function helps to respect the tolerable frequency. It requires equipment such as a pressure transmitter to detect high pressure in the process and signal the closure of a valve, but it also requires an operation to maintain this safety function.

5. Independent Protection layer (IPL)

The independent protection layer (IPL) is extrinsic safety systems and the backup processes transform the scenarios of unwanted initiating events into consequences prevention. They can be active or passive systems and the efficiency of the IPL is calculated as the probability of failure on demand, ie the possibility that a system does not fulfil its specific function.

6. Probability of Failure on Demand (PFD)

The probability of failure on demand (PFD) is the likelihood of dangerous failure on demand of the safety function. Simply put, we can say that the reliability range can be expressed as a probability of failure on demand (PFD) and is based on the dangerous failure rate, system diagnostics, proof test coverage and test intervals. Normally, an end element assembly will have a PFD to respond only to get desired Safety Integrity level.

7. Risk Reduction Factor (RRF)

The risk reduction factor (RRF) is the inverse of the PFD, the risk reduction factor can also be used to indicate the probability of failure of an instrumented function when the SIL mode is in low demand. The risk reduction factor is the inverse of the probability of default required, which is represented in years. RRF means the number of times the risk is reduced due to the application of a backup.

8. Layer of protection (LOP)

The layer of protection (LOP) is the protection of the process at different levels, from the design of the process controls, prevention, detection to mitigation. There are seven layers of protection for accident prevention and mitigation. Each layer is important because some are intended for prevention and others for protection. Staying inside the innermost protective layer is the key to increased plant availability and safe operation. Keep the other protective layers intact, ensure accident prevention and mitigation.

9. Layer of protection analysis (LOPA)

The Layer of protection analysis (LOPA) is a risk assessment tool developed within the framework of an international standard to quantify risks in order to reach a specific probability objective. It is a systematic decision-making process and one of the methods for determining the risk associated with various hazardous process events using their severity and the probability of the events occurring.
The main purpose of LOPA is to ensure that there is an appropriate layer of protection against the accident scenario.

10. Process hazard analysis (PHA)

PHA is fundamentally a loss causation and consequence model this helps a company understand what must be done to control the risk when you attend a PHA the team must first identified loss exposure and then evaluate the level of risk associated with each exposure before deciding on the appropriate control actions to be taken the goal of any loss control program is not to over protect the facility to the point where the asset becomes inoperable but also not to under protect resulting in excessive risk exposure
The purpose of Process Hazard Analysis (PHA) is to minimize the likelihood of the occurrences and consequences of a dangerous substance release by identifying, evaluating, and controlling the events that could lead to the release. It provides information that helps you make decisions to improve safety and reduce the effects of unwanted or unplanned emissions of highly hazardous chemicals.

Basic Process Control Systems (BPCS) - Detailed understanding

Basic Process Control Systems (BPCS) make process control safer and more efficient and are the main computer system of the operating process that receives information about the process, including pressure, temperature , flow and level of transmitters on the system, equipment and end signals to manipulate the position of the controlled valves in the process to ensure that the system continues to operate under the desired operating conditions.
Manual operation of valves to manipulate and control operating conditions, the basic process control system makes process control safer and more efficient, however some processes are not dangerous enough to warrant an instrumented safety system (SIS) or they were built before having a safety instrumented system in a facility. Some processes can mitigate risk using other means, including pressure relief valves or pressure safety valves, locally controlled stops, or hard-wired stops through the basic process control system. The decision to have a safety instrumented system in a new facility should be made at the start of the design process, as this can result in significant costs for analyzing the hazards of the process.

The Basic Process Control System (BPCS) and the Safety Instrumented System (SIS) can work together for process control. The basic process control system is the main computer system of the operating process that receives information about the process, including pressure, temperature, flow and level of transmitters on the system, equipment and transmits Signals to manipulate the position of the controlled valves in the process to ensure the system continues to operate under the desired operating conditions. It is a central processing unit and a computer that controls everything in the installation. for a better understanding, let's take the diagram below;


Diagram-1: Separator vessel basic process control system
Diagram-1: Separator vessel basic process control system

In the above Diagram-1, a two-phase supply of liquid and gas is supplied to the separator vessel which separates the liquid and the gas. Gas flow from the top of the vessel and liquid from the bottom. Now let's look at the level control loop on the separator vessel, here the transmitter indicating the level LIT-50 detects the level of the vessel and then transmits this signal to LC-50. The level control function on basic process control systems based on the received signal, LC-50 will send the signal to the LV-50 level control valve to open or close as required. If the level increases and is above the desired controller set point, then the LC-50 will send the signal which will open the LV-50 plus allowing more liquid to flow from the vessel. If the level decreases and is below the desired controller set point, then the LC-50 will send the signal that the LV-50 will close further to restrict the flow of liquid out of the vessel. Here we must think about consequences if the basic process controls malfunction.
Now here we need something that protects the process from any unwanted event. The Instrumented Safety System (SIS) is an independent computer system that monitors the system for potentially hazardous operating conditions. If the SIS detects a dangerous condition, it will send a signal to an end element, usually an actuated emergency stop valve or ESD V-100 that will isolate or shut down the system. This action is called the Instrumented Safety Function (SIF), which can have an associated Safety Integrity Level (SIL) rating that quantifies the reliability of the SIF. The SIS must be independent of the basic process control system with separate transmitters, end elements and an independent logic solver. Its role is to bring the process to a safe state in the event of a BPCS failure. To do this, the safety instrument system cannot effectively share any potential common cause failures with the basic process safety system that would jeopardize its ability to act. The safety instrument system acts as a second line of defence in the event of a basic process control system failure or a disturbed condition that the BPCS cannot control on its own. Thus, most of the time, the safety instrument system does nothing, not exactly the SIS, constantly receives signals from the process to ensure that it is operating safely.
Refer to Diagram-1 of the separator vessel, the level transmitter LIT-50 detects the level of liquid in the container and transmits a signal to the level controller LC-50 to the level control function on the SIS during normal operations. The BPCS will control the level and there is no need for the safety instrumented system to act. If the basic process control system fails and the vessel level begins to rise and the liquid level becomes too high and reaches the high-high alarm level or LAHH of LIT- 100, it signals it to the LC-100 controller, it will alarm and send a signal to close the ESD V-100. This will stop the process by shutting off the V-100 from the upstream liquid source, which will prevent the level in the container from further increasing. It is important to maintain the level of V-100 near the LC-50 set point, if the level in the container becomes too high, there is a potential to transport liquids to the compressor downstream on the gas system . This could cause catastrophic compressor failure.
Typically, a Hazard and operability Study (HAZOP) and a Layer of protection Analysis (LOPA) would identify the specific safety instrumented function and the specific safety instrumented system. An analysis of the protective layer must be carried out to identify the reliability of the instrumented safety function.
To know more about Layer of protection click here
It is important to understand the Basic Process Control Systems involved in a design when assigning guarantees safeguard and a HAZOP. These systems are used to maintain safe operating conditions by safeguarding the process functions as designed, making the process safer for operators working in the installation and avoiding potential damage to the equipment.

Step by step method to determine the Safety Integrity Level (SIL)

Safety Integrity Level (SIL) is used to define the reliability of a safety instrumented function (SIF) which is a combination of sensors, a logic solver and final elements which detects dangers and puts the safe process.
The SIL study is essentially carried out to determine the level of requirement of the safety functions at the level of the protective layers, the need and the type of level of safety integrity associated with the SIF as a function of the reliability and the criticality of the process.

The instrumented safety function helps to respect the tolerable frequency. It requires equipment such as a pressure transmitter to detect high pressure in the process and signal the closure of a valve, but it also requires an operation to maintain this safety function.

Safety instrumented function
Safety instrumented function (SIF) components 

Safety Instrumented Function is an automated function that can bring the process to a safe state.

The Safety Integrity Level (SIL) describes the ability to reduce risks and is applied strictly in the context of a Safety Instrumented Function (SIF). The Safety Integrity Level of an instrumented safety function defines a reliability range, this reliability range can be expressed as probability of failure on demand (PFD) or as risk reduction factor (RRF), which is the opposite of PFD.
Safety Integrity Level (SIL)
Reliability
Probability of Failure on Demand (PFD)
Risk Reduction Factor (RRF)
1
90 – 99 %
0.1 - 0.01
10 - 100
2
99 – 99.90%
0.01 – 0.001
100 - 1000
3
99.90 – 99.99%
0.001 – 0001
1000 – 10000
4
>99.99%
0.0001 – 0.00001
10000 - 100000
Table-1
SIL-1: System integrity essential to prevent minor incidents. Can be managed by good practice of process designing or can be controlled by manual operation and failure may be due to nuisance only. Here acceptable failure rate may be unlikely.
SIL-2: System integrity essential to prevent more serious incident may be single fatality and process control require SIS to prevent it. Here acceptable failure rate is remote.
SIL-3: System integrity essential to prevent most serious incident may be multiple fatalities and high reliable SIS is must to control the process in safe mode. Here acceptable failure rate is very remote.
SIL 4: System integrity essential to prevent disastrous accidents including huge loss to peoples, environment and property. At this level, SIL-4 ensure most reliable safe process system but much-much costly and need zero error maintenance and thus acceptable failure rate is extremely improbable.
In table-1 above, for SIL-1, the reliability is 90 to 99% whereas if we increase the SIL level, i.e. SIL-4, it has the highest reliability. It is very clear that the higher the level of safety integrity, the higher the reliability. Reliability is the probability that an element will perform a required function, under defined conditions, during a defined period of time. We can measure reliability in terms of mean time between failures (MTBF).
In Table-1, it is clear that SIL-4 has the highest reliability, but a higher level of safety integrity also means higher hardware cost and more frequent maintenance. It can also expose an installation to more troublesome movements. It is important to define the right level of safety integrity (SIL) for each safety instrumented function (SIF) when designing a process and therefore we have to perform a high-quality protective layer analysis. The International Electrotechnical Commission (IEC) has published two standards which provide methods of application, design, use and maintenance of automatic protection systems. The implementation of the use of automated controls to reduce risks is defined in the standards CEI 61508 and CEI 61511. CEI 61508 (part 6) presents simplified formulas for certain voted configurations, derived from the base CEI-61508 is used by device manufacturers to design high integrity components and IEC 61511 is used by process designers and operators to implement an instrumented safety function to achieve a risk reduction factor (RRF) objective such as hardware redundancy requirements and proof test intervals. The probability of failure on demand (PFD) is a measure of the effectiveness of a safety function. It expresses the probability that the safety function will not work when necessary.
In accordance with standard EN 61508 for the evaluation of the Safety Integrity Level" (SIL), other elements are also necessary to calculate the PFD of a safety-related function. The safety system monitors a process and acts when the process parameters exceed the parameter set for the safe and secure process to take steps to ensure the safety of the process. These safety systems are often called emergency stop/shutdown systems (ESD).
The PFD for a loop depends on the failure rates of all components of the loop. In order to calculate failure rates for transmitters, logic and valves, data must be collected on all possible failure states, including states that can be detected, states that cannot be detected by the software, etc. integrated diagnosis, the states which lead the component to default to a safe state and the states which lead to a dangerous state for the component as a whole. Generally, such data is obtainable for new SIL components, but frequently for legacy components.
Safety Integrity Level (SIL)
Reliability
Probability of Failure on Demand (PFD)
Risk Reduction Factor
1
90 – 99 %
0.1 - 0.01
10 - 100
2
99 – 99.90%
0.01 – 0.001
100 - 1000
3
99.90 – 99.99%
0.001 – 0001
1000 – 10000
4
>99.99%
0.0001 – 0.00001
10000 - 100000
Table-1 - Targeted Safety Integrity Level

Preparation for Safety Integrity Level (SIL) determination

Preparation requires collection of safety instruments data including complete list, equipment specifications, machine use instructions, operator competency and exposure of persons around it.
Again, refer to Table-1, suppose we have a high-pressure shutdown which has a probability of failure on demand of 0.01 or in other words 1% chance of failure on demand, so the shutdown meets the requirements of SIL-2. safety functions that meet this level of safety integrity level can achieve a risk reduction factor of 100 to 1000. Depending on the specific process, other layers of protection in place and the tolerable frequency of a consequence, an automated function can be critical to safety and must meet a minimum level of safety integrity.
Suppose that the shutdown of the high-pressure system is claimed to be at least 99% reliable or in other words that it has a risk reduction factor of at least 100 as a critical safety function, to ensure that it can respond to SIL-2. This means that we have defined a target for the level of safety integrity as SIL-2. We must conduct a SIL study to design, decide on the type of device such as sensors, logic solver, valves, hardware architecture, level of redundancy, etc. and systematically make operational decisions to achieve the level of safety integrity. This can also be called checking the safety integrity level.

For a better understanding, refer again to Diagram-1 of the two-phase separator tank system.
Diagram-1: Separator vessel basic process control system
Diagram-1: Separator vessel basic process control system and SIL study

Identify credible accidents scenarios and exposure

In the diagram-1 above, the separator vessel has a pressure control loop and a level control loop with a maximum allowable operating pressure slightly above the setpoint of the pressure safety valve at 3200 kPag. Consider the worst credible scenario as if the PV-50 malfunctions, the separation vessel may overpressure and may rupture and this may result in a single death.

Frequency estimation for credible accidents scenarios

Suppose the tolerable frequency of the business is 0.01% per year. According to the LOPA, this scenario is 100 times more likely to occur than the defined tolerable frequency, even with the PSV in place. This cannot be acceptable. Therefore, an additional risk reduction factor of 100 is necessary to further reduce the likelihood of the vessel over-pressure. The expert team then recommended adding a high-pressure shutdown as a guarantee. The high-pressure shutdown is a safety instrumented function which consists of a sensor, a logic controller and the end element. On the basis of the LOPA, the safety instrumented function must meet the requirements of SIL, which reduces the risk by 100 times.
Therefore, we must select an adequate and reliable safety instrumented function such as a pressure transmitter, a programmable logic controller and an end element.

Determination of Safety Integrity Level (SIL)

We need to determine the reliability of each component, then determine the last for the entire system. To determine the reliability of the safety instrumented function, we must calculate the probability of failure on demand (PFD) of each component with some equation. This equation only applies to components in low demand operation with a 1-on-1 voting logic, which means that there is no redundancy.
PFD = λDU x (TI ÷ 2 + MTTR) + λDD + MTTR
Where:
PFD : Probability of Failure on Demand
λDU : Dangerous Undetected failure rate
TI : Proof Test Interval
MTTR: Mean time to report
λDD : Dangerous Detected Failure rate
There are other equations for different voting logics such as 1 in 2 or 2 in 3. There are also different equations for the safety functions used continuously, which is a high demand operation. The dangerous undetected failure rate is the frequency of device failure without your knowing it. It is a hidden failure rate, the dangerous detected failure rate is the frequency of a failed device with diagnostics to alert people to a fault in the system. The proof test interval is the frequency with which the device is tested to make sure it works; the average repair time is the time required to repair or replace a device.
If we take a pressure transmitter case, it has a dangerous failure rate of 60 and hidden failures for 1 million hours of operation.
Therefore, the dangerous failure rate not detected for the pressure transmitter is
λDU = 6.0 x 10-7 failure/ hrs
Proof testing depends on operations and maintenance. Consider that proof test is carried out every 48 months to ensure the transmitter can produce the alarm signal in a high-pressure condition.
Therefore, Proof Test Interval (TI) = 35040 hrs (convert 48 months into hours)
Consider that crew takes 8 hrs to repair or replace the transmitter.
MTRR = 8 hrs
Transmitter has a dangerous detected failure rate of 15 failures per 1 million hours of operation.
λDD = 1.5 x 10-7 failure/ hrs
After getting the value of all the variables, calculate the probability of failure on demand of the pressure transmitter
PFD = λDU x (TI ÷ 2 + MTTR) + λDD + MTTR
PFD : Probability of Failure on Demand
λDU : Dangerous Undetected failure rate = 6.0 x 10-7 failure/ hrs
TI : Proof Test Interval = 35040 hrs
MTTR L Mean time to report = 8 hrs
λDD : Dangerous Detected Failure rate = 1.5 x 10-7 failure/ hrs
PFD = 6.0 x 10-7 x (35040 ÷ 2 +8) + 1.5 x 10-7 x 8 = 0.010518
Here 0.010518 is about 1% in any given year gives the reliability of senor.
Similarly, reliability of other components can be determined as no redundancy in decided safety instrumented function. Apply the same equation to all other components. After all the calculations, list of components and their corresponding probability of failure on demand would be available for determining the system PFD.
Then we need to determine the PFD of entire safety instrumented functions by summation of each component i.e.

PFDSIF = PFDPT + PFDin + PFDPLC + PFDpw + PFDout + PFDsol + PFDact + PFDvalve
Elements
PFD
Pressure transmitter
0.010518
Input - PLC
0.004388
Main processor - PLC
0.000051
Power supply - PLC
0.000002
Output - PLC
0.002194
Solenoid
0.010254
Actuator
0.005995
Valve
0.046975


PFDSIF = 0.080376     
The probability of failure on demand of the entire safety instrumented function is 0.080376
It is important to consider that PFD is the frequency with which the system is tested. Here we have assumed that the faults detected by the system itself by means of integrated diagnostic software can be quickly repaired. However, these failures which cannot be detected by the system itself will only become apparent during a full system test. During the period between failure and test, the system may not be available.
Before determining the PFD, we had set a safety integrity level target for our system and it was SIL-2. Now is the time to compare the result of our PFD calculation with our fixed safety integrity level target, i.e. SIL-2.
The calculated probability of failure on demand (PFDSIF = 0.080376) of this instrumented safety function is approximately 0.08, or approximately 8% chance of failure, or a risk reduction factor (RRF) of 12 , 44.
This is not acceptable; our requirement was that RRF must be greater than 100. Suppose we implement this function, then the process would still be 8 times more dangerous than expected. Therefore, we have to find another solution to increase the reliability of the system.
In the event that we cannot meet the safety integrity level requirements during the study, consider how to improve the reliability of the instrumented safety function by focusing first on the weakest element. Here, the final element, i.e. the valve, contributes 58% of the total failure. But before making any other decision, we need to consider the financial implications, the frequency of proof tests, the impact on operations, etc. There are many ways to find a solution to this problem, but simply using a SIL certified logic solver will not reduce the risk.

Conclusion
For safe and reliable operation of industry processes, each layer of protection is important and plays a different role in the prevention and mitigation part. Basic process control systems make process control safer and more efficient by receiving information about process parameters from sensors, and then processing them on the system to manipulate the position of the end elements to ensure that the system continues to operate under the desired operating conditions. The Safety Integrity Level (SIL) is used to define the reliability of a safety instrumented function (SIF) which is a combination of sensors, a logic solver and final elements which detects the dangers and puts the safe process.
The SIL study is mainly carried out to determine the level of requirement of the safety functions at the level of the protective layers, the need and the type of safety integrity level associated with the safety instrumented function according to the reliability and the criticality of the process. After calculating the safety integrity level, it must be compared to the target SIL level according to the company's PFD accessibility matrix. If they are not met, other elements that further contribute to the reliability of the failure should be reviewed or reconsidered.

Related Articles:



No comments

Please don't add links in the comments, they will be treated as spam comments