What is Basic Process Control Systems (BPCS) and how to determine Safety Integrity Level (SIL)
This article explains the Basic Process Control System (BPCS) and gives a step-by-step approach, with a worked example, for determining the Safety Integrity Level (SIL) of a safety instrumented function.
Before going ahead, we define the terms used in the design of process control systems and in determining the Safety Integrity Level.
1. Basic Process Control System (BPCS)
The Basic Process Control System (BPCS) lies at the innermost layer of protection and is the main control system for any modern process; without it, the process would depend on local operators and local controls. It is the main computer system of the operating process: it receives information about the process from the pressure, temperature, flow and level transmitters on the system and equipment, and sends output signals to manipulate the position of the control valves so that the system keeps operating under the desired operating conditions. The BPCS is designed to keep the process inside its normal, safe operating envelope; it is not designed to be the last line of defence.
2. Safety Instrumented System (SIS)
A system made up of sensors, logic solvers and final control elements that puts the process in a safe state when programmed conditions are violated. It may include an emergency shutdown system (ESD), a safety stop system (SSS) and safety interlock systems. The safety instrumented system is the instrumented system used to execute one or more safety instrumented functions.
3. Safety Instrumented Function (SIF)
A safety instrumented function (SIF) is a function implemented by an SIS that is intended to automatically achieve or maintain a safe state of the process in relation to a specific hazardous event. The SIF is an independent safety loop or interlock that automatically brings the process to a safe state in response to a specific initiating event. Each SIF consists of a sensor, a logic solver and a final element (typically a valve).
4. Safety Integrity Level (SIL)
The Safety Integrity Level (SIL) defines the required reliability of a specific safety instrumented function (SIF) implemented by a safety instrumented system; it is a measure of the risk reduction provided by that SIF.
SIL is a property of the function, not of a single device. The function itself is the combination of sensors, a logic solver and final elements that detects a hazardous condition and puts the process in a safe state. The SIF helps the scenario respect the tolerable event frequency. It requires equipment such as a pressure transmitter to detect high pressure in the process and to signal the closure of a valve, and it also requires operations and maintenance activities (proof testing, repair) to sustain that integrity over the life of the plant.
5. Independent Protection layer (IPL)
An independent protection layer (IPL) is a device, system or action that can prevent a scenario from proceeding to its undesired consequence, independently of the initiating event and of the other layers. IPLs can be active or passive systems, and the effectiveness of an IPL is expressed as its probability of failure on demand, i.e. the probability that the layer does not perform its function when called upon.
6. Probability of Failure on Demand (PFD)
The probability of failure on demand (PFD) is the probability that the safety function fails dangerously when a demand is placed on it. The reliability range of a SIF is expressed as an average PFD, which depends on the dangerous failure rate, the system diagnostics, the proof test coverage and the proof test interval. Every element of the loop, including the final element assembly, must have a PFD low enough for the loop as a whole to reach the target Safety Integrity Level.
7. Risk Reduction Factor (RRF)
The risk reduction factor (RRF) is the inverse of the PFD (RRF = 1 / PFDavg) and is the usual way of stating the performance of a safety instrumented function operating in low demand mode. It is dimensionless: an RRF of 100 means that the frequency of the hazardous event is reduced 100 times by the protection layer.
8. Layer of protection (LOP)
Protection of the process is arranged in layers, from process design and process control through prevention and detection to mitigation. There are seven layers of protection for accident prevention and mitigation (process design, BPCS, alarms and operator intervention, SIS, physical protection such as relief devices, containment, and emergency response). Each layer matters because some are intended for prevention and others for mitigation. Keeping the process within the innermost layer is the key to plant availability and safe operation; keeping the outer layers intact ensures accident prevention and mitigation when the inner layers fail.
9. Layer of protection analysis (LOPA)
Layer of protection analysis (LOPA) is a semi-quantitative risk assessment tool, developed within the framework of the international standards (IEC 61511), used to determine whether the protection layers against a scenario reduce its frequency to a defined target. It is a systematic decision-making process and one of the methods for determining the risk associated with hazardous process events using their severity and the probability of the events occurring.
The main purpose of LOPA is to ensure that there are adequate layers of protection against each accident scenario, and to state how much risk reduction each layer (including any SIF) must provide.
10. Process hazard analysis (PHA)
A process hazard analysis (PHA) is fundamentally a loss causation and consequence model that helps a company understand what must be done to control risk. The PHA team first identifies the loss exposures, then evaluates the level of risk associated with each exposure before deciding on the appropriate control actions. The goal of any loss control program is neither to over-protect the facility to the point where the asset becomes inoperable, nor to under-protect it and leave excessive risk exposure.
The purpose of PHA is to minimize the likelihood and the consequences of a release of a hazardous substance by identifying, evaluating and controlling the events that could lead to the release. It provides information that helps you make decisions to improve safety and reduce the effects of unwanted or unplanned releases of highly hazardous chemicals.
Basic Process Control Systems (BPCS) - Detailed understanding
Basic Process Control Systems (BPCS) make process control safer and more efficient. The BPCS is the main computer system of the operating process: it receives information about the process from the pressure, temperature, flow and level transmitters on the system and equipment, and sends output signals to manipulate the position of the control valves so that the system continues to operate under the desired operating conditions.
Compared with manual operation of valves to control operating conditions, the BPCS makes process control safer and more efficient. However, some processes are not hazardous enough to warrant a safety instrumented system (SIS), or they were built before safety instrumented systems were in use at the facility. Such processes can mitigate risk by other means, including pressure relief valves or pressure safety valves, locally controlled stops, or hard-wired stops through the basic process control system. The decision to have a safety instrumented system in a new facility should be made at the start of the design process, because it drives the significant cost of analysing the hazards of the process and of building the SIS.
The BPCS and the SIS work together for process control and protection. The BPCS is the central processing unit that controls everything in the installation during normal operation. For a better understanding, let's take the diagram below.
Diagram-1: Separator vessel basic process control system
In Diagram-1, a two-phase feed of liquid and gas enters the separator vessel, which separates the liquid from the gas: gas flows from the top of the vessel and liquid from the bottom. Now look at the level control loop on the separator vessel. The level transmitter LIT-50 measures the level in the vessel and transmits this signal to the level controller LC-50, the level control function of the BPCS. Based on the received signal, LC-50 sends a signal to the level control valve LV-50 to open or close as required. If the level rises above the controller set point, LC-50 opens LV-50 further, allowing more liquid to flow out of the vessel. If the level falls below the set point, LC-50 closes LV-50 further to restrict the flow of liquid out of the vessel. Here we must think about the consequences if this basic process control loop malfunctions.
Here we need something that protects the process from any unwanted event. The Safety Instrumented System (SIS) is an independent computer system that monitors the process for potentially hazardous operating conditions. If the SIS detects a dangerous condition, it sends a signal to a final element, usually an actuated emergency shutdown valve such as ESD V-100, that isolates or shuts down the system. This action is the Safety Instrumented Function (SIF), and it carries a Safety Integrity Level (SIL) rating that quantifies the required reliability of the SIF. The SIS must be independent of the BPCS, with separate transmitters, final elements and an independent logic solver. Its role is to bring the process to a safe state in the event of a BPCS failure. To do this, the SIS must not share any potential common cause failure with the BPCS (a shared transmitter, power supply, controller or network path) that would jeopardize its ability to act. The SIS is the second line of defence in the event of a BPCS failure or a disturbed condition that the BPCS cannot control on its own. Most of the time the SIS therefore takes no action; it nevertheless continuously receives signals from the process to check that the process is operating safely.
Referring again to Diagram-1, during normal operation the level transmitter LIT-50 measures the liquid level in the vessel and transmits the signal to the level controller LC-50, the level control function of the BPCS. The BPCS controls the level and there is no need for the safety instrumented system to act. If the BPCS fails and the vessel level begins to rise, and the liquid level becomes so high that it reaches the high-high alarm level (LAHH) of the independent transmitter LIT-100, LIT-100 signals this to the SIS logic solver LC-100, which raises the alarm and sends a signal to close ESD V-100. This stops the process by shutting off V-100 from the upstream liquid source, which prevents the level in the vessel from increasing further. It is important to keep the vessel level near the LC-50 set point: if the level in the vessel becomes too high, there is the potential to carry liquid over into the compressor downstream on the gas system, which could cause catastrophic compressor failure.
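As an added illustration, not code from the original article, the following Python script simulates the separator level loop of Diagram-1 and the SIS trip on LIT-100. The vessel dynamics, flows, controller gain and set points are constructed for the example. It injects the failure the text describes (the BPCS level signal from LIT-50 freezes while the upstream feed increases) and runs that case twice: once with the SIS reading its own transmitter LIT-100, and once with the SIS wired, wrongly, to the same LIT-50 signal. The second case is the common cause failure the text warns against: the SIS never sees the rising level and the liquid carries over to the compressor.

```python
"""Added example (not from the original article): discrete-time simulation of
the separator level loop in Diagram-1 and of the SIS high-high trip.
Vessel size, flows, controller gain and set points are constructed for
illustration; levels are % of vessel height, flows are % per minute."""
from dataclasses import dataclass


@dataclass
class Separator:
    level: float = 50.0        # initial liquid level
    setpoint: float = 50.0     # LC-50 set point
    lahh: float = 90.0         # high-high level on LIT-100 that trips ESD V-100
    feed: float = 10.0         # nominal liquid inflow through V-100
    max_outflow: float = 20.0  # outflow with LV-50 fully open
    gain: float = 0.05         # LC-50 proportional gain (valve fraction per % error)
    bias: float = 0.5          # LV-50 position that balances the nominal feed


def lc50(measured: float, sep: Separator) -> float:
    """BPCS level controller: proportional action on the LIT-50 reading.
    Higher level -> LV-50 opened further.  Returns valve fraction 0..1."""
    pos = sep.bias + sep.gain * (measured - sep.setpoint)
    return min(1.0, max(0.0, pos))


def simulate(sep: Separator, minutes: int, feed_step_at=None, feed_step=15.0,
             lit50_freeze_at=None, shared_transmitter=False) -> dict:
    """Run the loop minute by minute.

    feed_step_at:       minute at which the upstream feed rises to feed_step
                        (the disturbance the BPCS is expected to absorb).
    lit50_freeze_at:    minute at which LIT-50 freezes at its last reading, a
                        dangerous undetected failure of the BPCS loop.
    shared_transmitter: if True the SIS reads the LIT-50 signal instead of
                        its own LIT-100, i.e. a common cause failure path.
    Returns the peak level, the minute the SIS tripped (None if it never did)
    and whether liquid reached the top of the vessel (carry-over to the
    compressor).
    """
    level = sep.level
    frozen = None
    peak = level
    for t in range(minutes):
        if lit50_freeze_at is not None and t >= lit50_freeze_at and frozen is None:
            frozen = level                       # transmitter output sticks here
        lit50 = level if frozen is None else frozen
        lit100 = lit50 if shared_transmitter else level   # independent SIS sensor
        if lit100 >= sep.lahh:                   # SIF: LAHH -> close ESD V-100
            return {"peak_level": peak, "trip_time": t, "carried_over": False}
        feed = sep.feed if feed_step_at is None or t < feed_step_at else feed_step
        outflow = sep.max_outflow * lc50(lit50, sep)
        level = min(100.0, max(0.0, level + feed - outflow))
        peak = max(peak, level)
    return {"peak_level": peak, "trip_time": None, "carried_over": peak >= 100.0}


def main():
    sep = Separator()
    cases = {
        "BPCS healthy, feed step at t=10": dict(feed_step_at=10),
        "LIT-50 frozen at t=5, SIS on LIT-100": dict(feed_step_at=10, lit50_freeze_at=5),
        "LIT-50 frozen at t=5, SIS wrongly wired to LIT-50":
            dict(feed_step_at=10, lit50_freeze_at=5, shared_transmitter=True),
    }
    for name, kwargs in cases.items():
        print(f"{name}: {simulate(sep, 40, **kwargs)}")


if __name__ == "__main__":
    main()
```

Run as a script it prints the three cases: the healthy BPCS settles the level at 55 % after the feed step and the SIS never acts; with LIT-50 frozen the level climbs until LIT-100 reaches the 90 % LAHH and V-100 trips; with the SIS reading the frozen LIT-50 signal it never trips and the vessel fills to the top. The frozen signal is the kind of failure neither controller can see, which is exactly why the SIS needs its own sensor.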
Typically, a Hazard and Operability Study (HAZOP) and a Layer of Protection Analysis (LOPA) identify the specific safety instrumented function and the specific safety instrumented system required. A layer of protection analysis must be carried out to set the required reliability of the safety instrumented function.
It is important to understand the Basic Process Control Systems involved in a design when assigning safeguards in a HAZOP. These systems maintain safe operating conditions by keeping the process functioning as designed, making the process safer for the operators working in the installation and avoiding potential damage to the equipment.
Step by step method to determine the Safety Integrity Level (SIL)
The Safety Integrity Level (SIL) defines the required reliability of a safety instrumented function (SIF), which is a combination of sensors, a logic solver and final elements that detects a hazardous condition and puts the process in a safe state.
The SIL study is carried out to determine, for each safety function in the protection layers, whether a SIF is needed and what safety integrity level it must achieve, as a function of the required risk reduction and the criticality of the process.
The SIF helps the scenario respect the tolerable frequency. It requires equipment such as a pressure transmitter to detect high pressure in the process and to signal the closure of a valve, and it also requires operations and maintenance activities to sustain the function.
Safety instrumented function (SIF) components
A Safety Instrumented Function is an automated function that can bring the process to a safe state.
The Safety Integrity Level (SIL) describes the ability of the function to reduce risk and is applied strictly in the context of a Safety Instrumented Function (SIF). The SIL of a safety instrumented function defines a reliability range; this range can be expressed as a probability of failure on demand (PFD) or as a risk reduction factor (RRF), which is the inverse of the PFD.
Safety Integrity Level (SIL) | Reliability (availability) | Probability of Failure on Demand (PFDavg) | Risk Reduction Factor (RRF)
1                            | 90 – 99 %                  | 0.1 – 0.01                                | 10 – 100
2                            | 99 – 99.9 %                | 0.01 – 0.001                              | 100 – 1,000
3                            | 99.9 – 99.99 %             | 0.001 – 0.0001                            | 1,000 – 10,000
4                            | > 99.99 %                  | 0.0001 – 0.00001                          | 10,000 – 100,000
Table-1 - Targeted Safety Integrity Level (low demand mode). Per IEC 61511 each band includes its smaller PFD value and excludes its larger one, so a PFD of exactly 0.01 is still SIL-1.
SIL-1: System integrity needed to prevent minor incidents. The hazard can often be managed by good process design practice or controlled by manual operation, and a failure causes nuisance or minor loss only. The tolerable failure rate here is "unlikely".
SIL-2: System integrity needed to prevent a more serious incident, possibly a single fatality; process control requires an SIS to prevent it. The tolerable failure rate is "remote".
SIL-3: System integrity needed to prevent the most serious incidents, possibly multiple fatalities; a highly reliable SIS is a must to keep the process in a safe state. The tolerable failure rate is "very remote".
SIL-4: System integrity needed to prevent disastrous accidents with very large loss of life, environmental damage and property damage. SIL-4 gives the most reliable safety system but is very costly and needs near zero-error maintenance; the tolerable failure rate is "extremely improbable". SIL-4 is rarely specified in the process industries; such a requirement usually indicates that the process design itself should be changed.
In Table-1, for SIL-1 the reliability is 90 to 99 %, and as the SIL increases the reliability increases; SIL-4 has the highest reliability. Reliability is the probability that an element will perform a required function, under defined conditions, during a defined period of time; for repairable equipment it is often expressed through the mean time between failures (MTBF), and for a safety function through PFDavg.
SIL-4 has the highest reliability, but a higher safety integrity level also means higher hardware cost and more frequent proof testing and maintenance, and more complex loops can expose the installation to more spurious trips. It is therefore important to define the right SIL for each safety instrumented function when designing a process, which requires a high-quality layer of protection analysis. The International Electrotechnical Commission (IEC) has published two standards that cover the application, design, use and maintenance of automatic protection systems: IEC 61508 and IEC 61511. IEC 61508 is used by device manufacturers to design high-integrity components, and its part 6 gives simplified PFD formulas for the common voting architectures (1oo1, 1oo2, 2oo3 and so on). IEC 61511 is used by process designers and operators to implement a safety instrumented function that achieves a target risk reduction factor (RRF), and covers matters such as hardware fault tolerance and proof test intervals. The probability of failure on demand (PFD) is the measure of the effectiveness of a safety function: it expresses the probability that the safety function will not work when it is needed.
In accordance with EN 61508 (the European adoption of IEC 61508), other elements are also needed to calculate the PFD of a safety-related function. The safety system monitors the process and acts when process parameters exceed the limits set for safe operation, taking steps to bring the process to a safe state. Such safety systems are often called emergency shutdown systems (ESD).
The PFD of a loop depends on the failure rates of all components of the loop. To obtain failure rates for transmitters, logic solvers and valves, data must be collected on all the relevant failure modes: failures that the built-in diagnostics can detect, failures they cannot detect, failures that leave the component in a safe state, and failures that leave the component (and hence the loop) in a dangerous state. Such data is generally available for new SIL-certified components, but frequently not for legacy components.
Preparation for Safety Integrity Level (SIL) determination
Preparation requires collecting the safety instrument data: a complete list of instruments, equipment specifications and vendor failure-rate data, operating instructions, operator competency and the exposure of persons around the equipment.
Referring again to Table-1, suppose we have a high-pressure shutdown with a probability of failure on demand of 0.01, in other words a 1 % chance of failure on demand and an RRF of 100. In Table-1 this is the boundary between SIL-1 and SIL-2 (IEC 61511 counts a PFD of exactly 0.01 as SIL-1, so in practice a SIL-2 design is verified to a PFD clearly below 0.01). Safety functions that meet SIL-2 achieve a risk reduction factor of 100 to 1,000. Depending on the specific process, the other layers of protection in place and the tolerable frequency of the consequence, an automated function can be safety critical and must then meet a minimum safety integrity level.
Suppose the high-pressure shutdown is required to be at least 99 % reliable, in other words to have a risk reduction factor of at least 100, because it is a safety critical function. This means we have set a target safety integrity level of SIL-2 for it. We must then conduct a SIL study to design the function: decide on the type of devices (sensors, logic solver, valves), the hardware architecture, the level of redundancy and so on, and systematically make operational decisions (proof test intervals, repair times) so that the target SIL is achieved. This step is also called SIL verification.
For a better understanding, refer again to Diagram-1 of the two-phase separator system.
Diagram-1: Separator vessel basic process control system and SIL study
Identify credible accidents scenarios and exposure
In Diagram-1, the separator vessel has a pressure control loop and a level control loop. The pressure safety valve (PSV) is set at 3,200 kPag, slightly below the maximum allowable working pressure of the vessel. Take as the worst credible scenario a malfunction of PV-50: the separator may overpressure and rupture, which could result in a single fatality.
Frequency estimation for credible accidents scenarios
Suppose the company's tolerable frequency for this consequence is 0.01 % per year (1 × 10^-4 per year). According to the LOPA, even with the PSV credited as a protection layer, the scenario is 100 times more likely than the tolerable frequency, i.e. about 1 × 10^-2 per year. This is not acceptable, so an additional risk reduction factor of 100 is necessary to reduce the likelihood of vessel overpressure further. The team therefore recommended adding a high-pressure shutdown as a safeguard. The high-pressure shutdown is a safety instrumented function consisting of a sensor, a logic solver and a final element. On the basis of the LOPA, this SIF must meet a SIL-2 requirement, i.e. reduce the risk by a factor of 100.
Therefore we must select adequate and reliable components for the safety instrumented function: a pressure transmitter, a safety PLC (logic solver) and a final element.
Determination of Safety Integrity Level (SIL)
We need to determine the reliability of each component and then of the entire loop. To determine the reliability of the safety instrumented function, we calculate the average probability of failure on demand (PFDavg) of each component with the following equation. This equation applies only to components in low demand mode with 1oo1 (one out of one) voting, i.e. no redundancy:

PFDavg = λDU × (TI / 2 + MTTR) + λDD × MTTR

Where:
PFDavg : average Probability of Failure on Demand
λDU : Dangerous Undetected failure rate (failures per hour)
λDD : Dangerous Detected failure rate (failures per hour)
TI : Proof Test Interval (hours)
MTTR : Mean Time To Restore, the time to repair or replace the device (hours)

There are other equations for other voting architectures such as 1oo2 or 2oo3, and different equations for safety functions that act continuously or in high demand mode. The dangerous undetected failure rate is the frequency of device failures that occur without anyone knowing about them; it is a hidden failure rate, and such failures stay latent until the next proof test, which is why the term is multiplied by TI / 2 (on average the failure sits undetected for half the test interval). The dangerous detected failure rate is the frequency of failures that the device diagnostics reveal, alerting people to a fault; those failures are only latent for the repair time. The proof test interval is how often the device is tested to confirm that it works, and the MTTR is the time required to repair or replace the device.
Take the pressure transmitter. From the manufacturer's data it has a dangerous undetected (hidden) failure rate of 0.6 failures per million hours of operation (600 FIT). Therefore the dangerous undetected failure rate of the pressure transmitter is

λDU = 6.0 × 10^-7 failures/hr

Proof testing depends on operations and maintenance. Assume the proof test is carried out every 48 months to check that the transmitter produces the trip signal in a high-pressure condition. Therefore

Proof Test Interval (TI) = 35,040 hrs (48 months × 730 hrs per month)

Assume the crew takes 8 hrs to repair or replace the transmitter:

MTTR = 8 hrs

The transmitter has a dangerous detected failure rate of 0.15 failures per million hours of operation (150 FIT):

λDD = 1.5 × 10^-7 failures/hr

With all the variables known, calculate the probability of failure on demand of the pressure transmitter:

PFDavg = λDU × (TI / 2 + MTTR) + λDD × MTTR
       = 6.0 × 10^-7 × (35,040 / 2 + 8) + 1.5 × 10^-7 × 8
       = 0.0105168 + 0.0000012
       = 0.010518

A PFDavg of 0.010518 means roughly a 1 % chance that the transmitter fails to respond when a demand occurs, averaged over the proof test interval. Note that this single element already exceeds the 0.01 upper limit of SIL-2.
Similarly, the PFD of each other component is determined with the same equation, since the chosen safety instrumented function has no redundancy. After all the calculations, the list of components and their probabilities of failure on demand is available for determining the PFD of the system.
The PFD of the entire safety instrumented function is then the sum of the component PFDs (valid for a series loop in which every element must work, as long as the individual PFDs are small):

PFD_SIF = PFD_PT + PFD_in + PFD_PLC + PFD_pw + PFD_out + PFD_sol + PFD_act + PFD_valve
Element              | PFD
Pressure transmitter | 0.010518
Input - PLC          | 0.004388
Main processor - PLC | 0.000051
Power supply - PLC   | 0.000002
Output - PLC         | 0.002194
Solenoid             | 0.010254
Actuator             | 0.005995
Valve                | 0.046975
PFD_SIF (sum)        | 0.080376

The probability of failure on demand of the entire safety instrumented function is 0.080376.
It is important to note how strongly the PFD depends on the proof test interval. We have assumed that faults detected by the system's own diagnostics are repaired quickly (within the MTTR). Failures that the system cannot detect itself only become apparent during a full proof test, and between the failure and that test the function is unavailable without anyone knowing.
Before determining the PFD we had set a safety integrity level target for our system: SIL-2. Now we compare the result of the PFD calculation with that target.
The calculated probability of failure on demand of this safety instrumented function, PFD_SIF = 0.080376, is approximately 0.08, i.e. about an 8 % chance of failure on demand, or a risk reduction factor of 1 / 0.080376 = 12.44. This is SIL-1 performance.
This is not acceptable; our requirement was an RRF of at least 100. If we implemented this function as designed, the process would still be about 8 times more dangerous than tolerable. We therefore have to find a way to increase the reliability of the loop.
When the safety integrity level requirement cannot be met in the study, consider how to improve the reliability of the safety instrumented function by focusing first on the weakest element. Here the final element, the valve, contributes 58 % of the total PFD, and the final element assembly as a whole (solenoid, actuator and valve) contributes almost 80 %. Options include a shorter proof test interval for the final element, a more reliable valve and actuator, partial stroke testing, or a redundant final element (1oo2). Before deciding, the financial implications, the frequency of proof tests, the impact on operations and so on must be considered. There are many ways to solve this problem, but simply using a SIL-certified logic solver will not help: the logic solver already contributes almost nothing to the PFD.
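As an added example, not code from the original article, the following Python script carries out the LOPA target-setting step from the "Frequency estimation" section and the 1oo1 PFD verification step above with the article's figures, so the arithmetic can be rerun with other numbers. The transmitter failure rates, proof test interval and MTTR, and the PFDs of the other elements, are those of the article; the initiating event frequency (PV-50 failure at 0.1 per year) and the PSV PFD (0.1) are constructed so that the mitigated frequency is 100 times the tolerable one, as the article states. The script also inverts the 1oo1 formula to find the proof test interval that would give the transmitter a PFD of 0.005, the kind of question that arises once the target is missed.

```python
"""Added example (not from the original article): the LOPA target-setting
step and the 1oo1 SIL verification step described in the text, with the
article's figures for the high-pressure shutdown on the separator.  The
initiating-event frequency and the PSV PFD are constructed (not on the
page) so that the mitigated frequency is 100 times the tolerable one."""

# IEC 61511 low-demand SIL bands: (SIL, PFDavg lower bound incl., upper excl.)
SIL_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))
HOURS_PER_MONTH = 730


def sil_for_pfd(pfd: float) -> int:
    """SIL achieved by a PFDavg; 0 if the loop is worse than SIL 1.  The bands
    are half-open, so a PFD of exactly 0.01 is still SIL 1."""
    if pfd < 1e-5:
        return 4              # better than the SIL 4 band; nothing higher is defined
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 0


def lopa_required_rrf(initiating_freq: float, ipl_pfds, tolerable_freq: float) -> float:
    """Mitigated frequency = initiating-event frequency x product of the PFDs of
    the IPLs already credited (here the PSV).  The new SIF must supply the
    remaining risk reduction down to the tolerable frequency."""
    mitigated = initiating_freq
    for pfd in ipl_pfds:
        mitigated *= pfd
    return max(1.0, mitigated / tolerable_freq)


def sil_target(rrf: float) -> int:
    """Target SIL for a required RRF using Table-1 (RRF 10-100 -> SIL 1,
    100-1000 -> SIL 2, ...); 0 means no SIF credit is needed."""
    sil = 0
    while sil < 4 and rrf >= 10 ** (sil + 1):
        sil += 1
    return sil


def pfd_1oo1(lambda_du: float, lambda_dd: float, ti_hours: float, mttr_hours: float) -> float:
    """Simplified IEC 61508-6 PFDavg for a single channel (1oo1), low demand:
    an undetected dangerous failure is latent for TI/2 on average plus the
    repair time; a detected one only for the repair time."""
    return lambda_du * (ti_hours / 2 + mttr_hours) + lambda_dd * mttr_hours


def ti_for_target_pfd(lambda_du: float, lambda_dd: float, mttr_hours: float, target_pfd: float) -> float:
    """Invert pfd_1oo1 for the proof-test interval (hours) that gives target_pfd."""
    return 2 * ((target_pfd - lambda_dd * mttr_hours) / lambda_du - mttr_hours)


def sif_pfd(component_pfds: dict) -> float:
    """Series loop with no redundancy: any element failing fails the SIF; for
    small PFDs the plain sum approximates 1 - prod(1 - p)."""
    return sum(component_pfds.values())


def verify(component_pfds: dict, required_rrf: float) -> dict:
    """Compare the achieved loop PFD/RRF with the LOPA requirement and find the
    element that contributes most, the one to attack first."""
    total = sif_pfd(component_pfds)
    rrf = 1.0 / total
    weakest, worst = max(component_pfds.items(), key=lambda kv: kv[1])
    return {"pfd": total, "rrf": rrf, "sil": sil_for_pfd(total),
            "meets": rrf >= required_rrf, "weakest": weakest, "share": worst / total}


# Article's figures: transmitter rates in failures/hour, 48-month proof test, 8 h MTTR
TRANSMITTER = dict(lambda_du=6.0e-7, lambda_dd=1.5e-7,
                   ti_hours=48 * HOURS_PER_MONTH, mttr_hours=8.0)
LOOP = {
    "pressure transmitter": pfd_1oo1(**TRANSMITTER),   # 0.010518
    "PLC input": 0.004388, "PLC main processor": 0.000051,
    "PLC power supply": 0.000002, "PLC output": 0.002194,
    "solenoid": 0.010254, "actuator": 0.005995, "valve": 0.046975,
}


def main():
    tolerable = 1e-4                                    # 0.01 % per year
    # constructed: PV-50 fails 0.1/yr, PSV credited with PFD 0.1 -> 1e-2/yr mitigated
    rrf_needed = lopa_required_rrf(0.1, [0.1], tolerable)
    print(f"required RRF {rrf_needed:.0f} -> target SIL {sil_target(rrf_needed)}")
    r = verify(LOOP, rrf_needed)
    print(f"loop PFD {r['pfd']:.6f}, RRF {r['rrf']:.2f}, achieves SIL {r['sil']}, "
          f"meets target: {r['meets']}, weakest: {r['weakest']} ({r['share']:.0%})")
    ti = ti_for_target_pfd(6.0e-7, 1.5e-7, 8.0, 0.005)
    print(f"transmitter PFD 0.005 needs a proof test every {ti / HOURS_PER_MONTH:.1f} months")


if __name__ == "__main__":
    main()
```

Run as a script it prints the SIL-2 target, the loop's PFD of about 0.0804 (RRF 12.4, SIL-1, target not met) with the valve as the weakest element at 58 %, and a proof test interval of about 23 months for the transmitter to reach a PFD of 0.005. Because the 48-month proof test alone puts the transmitter above 0.01, the loop cannot reach SIL-2 without shortening the test interval or adding redundancy, whatever is done to the logic solver.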
Conclusion
For safe and reliable operation of industrial processes, each layer of protection is important and plays a different role in prevention and mitigation. Basic process control systems make process control safer and more efficient by receiving process measurements from sensors, processing them and manipulating the final elements so that the process keeps operating under the desired conditions. The Safety Integrity Level (SIL) defines the required reliability of a safety instrumented function (SIF), a combination of sensors, a logic solver and final elements that detects a hazardous condition and puts the process in a safe state.
The SIL study is carried out to determine, for the safety functions in the protection layers, whether a SIF is needed and what safety integrity level it must have, according to the required risk reduction and the criticality of the process. After calculating the achieved PFD and RRF, the result must be compared with the target SIL derived from the company's risk tolerability criteria. If the target is not met, the elements that contribute most to the PFD should be reviewed and the design reconsidered.