Guidelines for Safe Automation of Chemical Processes

About this ebook

This book provides designers and operators of chemical process facilities with a general philosophy and approach to safe automation, including independent layers of safety. An expanded edition, this book includes a revision of original concepts as well as chapters that address new topics such as use of wireless automation and Safety Instrumented Systems. This book also provides an extensive bibliography to related publications and topic-specific information.

Language: English
Publisher: Wiley
Release date: Jan 6, 2017
ISBN: 9781119352136

    Book preview

    Guidelines for Safe Automation of Chemical Processes - CCPS (Center for Chemical Process Safety)

    1 PROCESS SAFETY AND SAFE AUTOMATION

    Chemical processing is an industrial activity that involves using, storing, manufacturing, handling, or moving chemicals. Chemical processing may be accomplished in a single vessel or a group of interconnected vessels and process equipment. Process operation poses different types of risk dependent on the hazardous nature of the chemicals, the quantity of chemicals processed, and the process operating conditions.

    The process equipment can be designed using inherently safer strategies to assure safe operation under foreseen process upsets, such as specifying design limits above the maximum and minimum operating parameters that exist under emergency conditions. An inherently safer process is designed to eliminate the potential for loss events with features that are inseparable from the process equipment. When process equipment is not designed to inherently withstand abnormal operation, process safety is achieved through functional safety management. Safeguards, including process control and safety systems, are specified to reduce the process risk to the risk criteria.

    Consequently, safe operation of chemical processes is achieved through a process safety management program supported by the twin pillars of inherently safer design and functional safety management (Figure 1.1). Most process designs incorporate aspects of both inherently safer design and functional safety management. Fundamentally, it is the owner/operator’s responsibility to determine and document that the equipment is designed, maintained, inspected, tested, and operating in a safe manner, regardless of the means used to achieve this objective.

    Figure 1.1. Process Safety Supported by Inherently Safer Design and Functional Safety Management

    Inherently safer design involves making conscious choices to design and operate the process in a manner that avoids the hazard or minimizes the likelihood and consequence of the loss events. The word inherent means that the design feature is an essential constituent or characteristic of the process design; it becomes permanent and inseparable from the design. In contrast, functional safety management involves the addition of safeguards that act to achieve or maintain a safe state of the process when abnormal conditions occur. Safeguards can reduce the frequency and/or consequence of the loss event. Safeguards are specifically designed, maintained, inspected, tested, and operated to achieve the necessary risk reduction.

    Process hazards can sometimes be reduced, or perhaps eliminated, during the design phase through inherently safer choices in process technology, equipment design, and operating parameters. When practicable, inherently safer design can minimize or eliminate the need for safeguards. Changes to the process design and operating plan should be considered as early as possible during the project life, since the relative cost of these changes typically escalates as the project progresses towards maturity (Figure 1.2). The particular means used to address risk is often influenced by the perceived effectiveness, availability, reliability, and sustainability of the protection relative to its lifecycle costs.

    Figure 1.2. Relative Cost to Make Design Changes as a Function of Project Phase

    Example: Designing a pipeline for maximum operating pressure

    Consider a scenario where the maximum discharge pressure from a pump is sufficient to overpressure a pipeline. The team evaluates two inherently safer design choices: (1) lower the maximum discharge pressure from the pump or (2) increase the pipeline pressure rating. Lowering the maximum pump discharge pressure requires evaluation of the needed flows and pressures for the different process operating modes to ensure that the selected pump supports the intended operating plan. A different pump specification may result in a slight capital cost change for a new installation or perhaps a maintenance expense for retrofitting an existing pump. Designing the pipeline to withstand the maximum operating pressure typically requires more capital, because higher rated piping generally is more expensive due to increased wall thickness. When the higher rated piping is installed, there is only one item to maintain, the pipe wall thickness, to assure the pipeline integrity during the facility life. If the pipeline has not been built yet, the increased pressure rating is simply a specification change with increased capital costs. If the pipeline has already been built, the change of specification would require demolition and replacement of an existing asset with associated demolition and construction costs.

    The concept of designing a process to be inherently safer is covered by the Center for Chemical Process Safety (CCPS) publication, Inherently Safer Chemical Processes: A Life Cycle Approach [2009b]. A report issued by CCPS [2010a] to the Department of Homeland Security stated, "A technology can only be described as inherently safer when compared to a different technology, including a description of the hazard or set of hazards being considered, their location, and the potentially affected population." Inherently safer design involves the use of four strategies:

    Minimize—reducing the quantity of material or energy contained in a manufacturing process or plant

    Substitute—replacing the material with a less hazardous substance; the replacement of a hazardous material or process with an alternative that reduces or eliminates the hazard

    Moderate—using materials under less hazardous conditions; using less hazardous conditions, a less hazardous form of a material, or facilities which minimize the impact of a release of hazardous material or energy

    Simplify—designing facilities which eliminate unnecessary complexity and make operating errors less likely and are forgiving of errors that are made

    Inherently safer design becomes integral to the operating plan and process design basis. The design strategies typically are incorporated into customary practices, or "the way things are done," at a site, so people come to expect certain types of design and management depending on the equipment classification. Inherently safer design involves design choices that make the process and its equipment less susceptible to human error and dangerous failure during the facility life, but the installed equipment is still subject to degradation mechanisms that over time can erode the inherently safer assumptions. For example, what was an inherently safer design for the process equipment 30 years ago could now be a degraded foundation, vessel, or piping network in need of replacement.

    Once the process design is complete, the risk of process operation generally can be further reduced through the implementation of safeguards. These safeguards are implemented in protection layers (Figure 1.3) that are not inherent to the process design; they are added to the process to ensure functional safety. IEC 61511-1 clause 3.2.23 [2015] defines functional safety as "part of the overall safety relating to the process and the BPCS which depends on the correct functioning of the SIS and other protection layers." Using the terminology and scope of Guidelines for Safe Automation of Chemical Processes 2nd Edition (referred to as these Guidelines), functional safety is part of the overall safety plan relating to the process and its control system, which depends on the correct functioning of the safety controls, alarms, and interlocks (SCAI) and other protection layers.

    Figure 1.3. Protection Layers Used as Means of Risk Reduction

    Example: Designing a safety interlock to protect piping

    For the overpressure example above, if inherently safer design cannot eliminate the overpressure risk, a safety interlock could be used to detect excess pressure and isolate the pressure source when abnormal conditions occur. A safety system, or specifically safety instrumented system, may require less capital than the higher pressure rating pipeline, but typically requires substantial attention and effort to ensure its integrity and reliability.

    Automated systems, whether in manual or automatic mode, are complex systems in which many different devices must work successfully to achieve the desired functionality. They therefore require many different skill sets and planned activities to ensure that the systems work as desired when required.

    The need for functional safety management is determined by analyzing how abnormal operation propagates to loss events. Protection layers can reduce risk to an acceptable level but these functional safety features can be impacted by human error during the equipment life starting with conceptual design and ending with equipment replacement. Achieving sustainable safe operation requires a safety culture (Table 1.1) that is proactively looking for problems with the process equipment, protection layers and intended process operating plan and taking action to ensure that risk is reduced as low as reasonably practicable.

    TABLE 1.1. Features Associated with A Positive Safety Culture (CCPS Human Factors [2007c])

    Inherently safer strategies can be applied to automated systems. One might argue that the application of these strategies to a protection layer can only make a process safer, rather than inherently safer. However, when such strategies are applied systematically across the site, the resulting design and management practices become part of "the way things are done" and result in an inherently safer process operation. The inherently safer strategies can be applied to automation systems as follows:

    Minimize—reducing the use of automation features that tend to increase the failure mechanisms that result in system failure

    Substitute—replacing an automation feature with an alternative that reduces or eliminates the frequency of dangerous failure

    Moderate—using automation features to facilitate operating the facility under less hazardous conditions; using automation features which minimize or limit the impact of dangerous failure of the automation system on the process operation

    Simplify—designing automation in a manner that eliminates unnecessary complexity, makes operating and maintenance errors less likely, and is forgiving of errors that are made

    For example, use the principle of substitution to select devices that fail to the safe state on loss of any utility, such as power or instrument air, instead of devices that require energy to take action. This example illustrates what is often referred to as fail-safe design. Unfortunately, fail-safe is sometimes erroneously interpreted as inherently safe where all failures result in the safe action. As with the equipment design, it is rarely possible to design an automated system to be inherently safe. Instead, these Guidelines use the term inherently safer practices to describe a way of thinking about the design of the automated system that focuses on the elimination or reduction of the failure mechanisms that result in system failure.
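The substitution principle just described (selecting de-energize-to-trip devices that fail to the safe state on loss of power or instrument air) and the pressure interlock from the piping example earlier in this chapter can be made concrete with a small simulation. The following Python model is an added example and is not code from the CCPS Guidelines; the trip setpoint, the scenario values and the two actuator designs are assumptions for illustration. It shows why a de-energize-to-trip valve still isolates the pressure source when a utility is lost while an energize-to-trip valve does not, and also why fail-safe is not the same as inherently safe: a transmitter stuck at a low reading leaves the valve open with either design.

```python
"""High-pressure isolation interlock model (added example, not from the CCPS Guidelines).

A pressure transmitter feeds a logic solver that drives an isolation valve
between the pump and the pipeline. Two actuator designs are compared:
  - DE_ENERGIZE_TO_TRIP: the valve needs power and instrument air to stay
    open and springs closed when either is lost (fail-safe, fail-closed).
  - ENERGIZE_TO_TRIP: the valve needs power and air to close.
All setpoints, names and scenarios below are assumed values for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class ActuatorDesign(Enum):
    DE_ENERGIZE_TO_TRIP = "de-energize-to-trip"  # spring-return, closes on utility loss
    ENERGIZE_TO_TRIP = "energize-to-trip"        # needs power and air to close


class ValveState(Enum):
    OPEN = "open"      # pressure source connected to the pipeline
    CLOSED = "closed"  # pressure source isolated: the safe state


@dataclass(frozen=True)
class Scenario:
    actual_pressure_psig: float       # what the pipeline really experiences
    reading_psig: Optional[float]     # what the transmitter reports; None = bad quality
    power_ok: bool = True             # logic solver / solenoid power available
    instrument_air_ok: bool = True    # actuator air supply available


TRIP_SETPOINT_PSIG = 250.0  # assumed high-pressure trip setpoint (placeholder value)


def trip_demanded(s: Scenario) -> bool:
    """Logic solver output: demand a trip on a high reading or on a bad signal.

    Treating a bad or absent signal as a trip demand is the conservative
    choice: it costs availability (a spurious trip) but not safety.
    Without power the logic solver cannot assert a demand at all.
    """
    if not s.power_ok:
        return False
    if s.reading_psig is None:
        return True
    return s.reading_psig >= TRIP_SETPOINT_PSIG


def valve_state(s: Scenario, design: ActuatorDesign) -> ValveState:
    """Resulting isolation-valve position for the given design and utilities."""
    energized = s.power_ok and s.instrument_air_ok
    demand = trip_demanded(s)
    if design is ActuatorDesign.DE_ENERGIZE_TO_TRIP:
        # Held open only while energized and no trip is demanded;
        # losing either utility lets the spring close the valve.
        return ValveState.OPEN if (energized and not demand) else ValveState.CLOSED
    # ENERGIZE_TO_TRIP: closes only if the solver can still energize the actuator.
    return ValveState.CLOSED if (energized and demand) else ValveState.OPEN


def is_safe(s: Scenario, design: ActuatorDesign) -> bool:
    """Safe outcome: whenever the pipeline is really overpressured, the source is isolated."""
    overpressured = s.actual_pressure_psig >= TRIP_SETPOINT_PSIG
    return (not overpressured) or valve_state(s, design) is ValveState.CLOSED


# Constructed scenarios for the overpressure example (not real plant data).
SCENARIOS = {
    "normal operation":            Scenario(180.0, 180.0),
    "high pressure, utilities ok": Scenario(300.0, 300.0),
    "high pressure, power lost":   Scenario(300.0, 300.0, power_ok=False),
    "high pressure, air lost":     Scenario(300.0, 300.0, instrument_air_ok=False),
    "transmitter bad quality":     Scenario(180.0, None),
    "transmitter stuck low":       Scenario(300.0, 150.0),
}


def evaluate(design: ActuatorDesign) -> dict:
    """Map each scenario name to (valve position, safe?) for one actuator design."""
    return {name: (valve_state(s, design).value, is_safe(s, design))
            for name, s in SCENARIOS.items()}


if __name__ == "__main__":
    for design in ActuatorDesign:
        print(f"--- {design.value} ---")
        for name, (position, safe) in evaluate(design).items():
            print(f"{name:30s} valve={position:6s} safe={safe}")
```

Running the module prints one table per actuator design. The de-energize-to-trip design stays safe through every utility-loss scenario, while the energize-to-trip design leaves the valve open in three of them; neither design helps when the transmitter reads low, which is the kind of dangerous failure that the sensor selection, diagnostics and proof testing described later in these Guidelines must address.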

    Many types of systems are used to implement safeguards within the process industry. Examples of systems often identified as safeguards are illustrated in Figure 1.4. The size of each bubble represents the relative risk reduction provided by the system. The bubble location is related to the relative ease of sustaining the system’s risk reduction and reliability. Sustainability of these systems can be significantly different even when they are designed and managed to provide similar risk reduction. The process control system, safety alarm system, and SIL 1 SIS may achieve similar risk reduction from a hardware integrity standpoint, but the resilience of the SIS to systematic failure is higher due to its more rigorous design, verification, and validation processes. This makes the SIS performance more sustainable long-term. A pressure relief valve and a check valve are both mechanical devices, yet the pressure relief valve achieves much higher risk reduction with greater sustainability. Choosing protection layers that are more resilient to systematic failures is an inherently safer practice.

    Figure 1.4. Protection Layers Showing Relative Risk Reduction, Reliability and Sustainability

    Example: Considering manual versus automatic response

    Consider the choice of an alarm versus a SIS. While the alarm appears to be an easy option, the sustainability of the layer is much more difficult due to the number of operators and worker turnover. It only takes one poorly trained operator to cause a failure of an alarm system. In contrast, the SIL 1 SIS is more predictable in its operation and thus more sustainable when it is well maintained.

    These Guidelines cover the use of any automation system to assure safe operation of the process, whether implementing a safety control, alarm, or interlock. These systems take action to achieve or maintain a safe condition of the process in response to specified abnormal conditions.

    1.1 OBJECTIVE

    The subject of designing and managing automated systems is addressed by numerous standards and practices. In the 1990s, CCPS issued the 1st edition of Guidelines for Safe Automation of Chemical Processes [1993]. Although over two decades old, Safe Automation of Chemical Processes has remained a foundation book for safely and reliably applying automated systems to the control of chemical processes. The 1st edition was sponsored as a part of a continuing effort to improve the safety performance of the chemical processing industry through education of engineers and others who design, start-up, operate, maintain, and manage chemical processing plants. In the last 20 years, numerous standards and practices by other industrial organizations around the world have been written and updated based on the concepts and approaches established in Safe Automation of Chemical Processes.

    The challenges posed by the implementation of programmable equipment in control and safety applications resulted in the instrumentation and controls community developing standards and practices throughout the world to identify and reduce the potential of hardware and software failure. The first standard, ISA S84.01-1996 [ANSI/ISA 1996], accepted as an American national standard in 1997, was followed by an international standard, IEC 61511 [2003a], in 2003. These Guidelines make reference to the latest version of IEC 61511, which was released as a final draft international standard (FDIS) in 2015. The FDIS represents the pre-publication draft of the standard and is considered a technically complete document. However, some minor editorial changes may be noted between these Guidelines and the final standard.

    The design and management aspects of electrical, electronic, and programmable systems have been addressed in many other publications from ISA, IEC, API, ASME, NFPA, etc. CCPS published Guidelines for Safe and Reliable Instrumented Protective Systems (CCPS IPS) [2007b] to provide guidance on the implementation of instrumented protective systems in safety, environmental, and asset protection applications. These documents focus on the hardware and software choices from a lifecycle perspective. These Guidelines follow a similar framework and describe the activities that should be performed during each lifecycle step to properly specify, install, commission, operate, and maintain the process control and safety systems.

    One of the major changes over the years has been the increased awareness of the impact of human error, especially systematic ones, on functional safety. Technology evolution, the increasing complexity of equipment hardware and software integration, the wide range of implementation strategies including centralized, distributed, and hybrid systems, and the ever expanding variety of communication between and interconnectivity of control systems, business enterprise systems, and the Internet have introduced new sources of human error that must be dealt with effectively to ensure safe automation. "The way things are done" may not be good enough when practices haven’t kept up with technology.

    In the instrumentation and controls community, this awareness has given birth to the safety lifecycle and functional safety management, which includes a myriad of activities, intended to identify and prevent human errors that impact system effectiveness. These activities include competency assessment, verifications, functional safety assessments, configuration management, management of change, audits, and metrics. Proper management of these systems requires a strong safety culture that applies the rigor necessary to maintain equipment integrity and reliability. Maintaining management focus and support while experiencing success is a continuing challenge.

    These Guidelines provide guidance on how to develop and implement an effective functional safety plan for ensuring safe and reliable performance. It discusses the need for management rigor in defining the organizational structure, competency, and work quality expectations supporting functional safety, and the significant differences between the systems typically used in process control and safety applications. It provides guidance for the design and management of the systems that are used for normal control of chemical processes and those used to reduce the risk of loss events. Finally, these Guidelines propose key performance indicators that demonstrate safe operation and proactively manage system reliability.

    1.2 SCOPE

    These Guidelines are directed not only toward those responsible for the design, installation, use, and maintenance of process control systems, but also to the broader community of management, engineers, and technical professionals who are responsible for the safe design, operation, and management of chemical processes. Over the years, process operation has become increasingly automated and the systems involved in the automation have become more diverse and complex, resulting in the potential for many unknown (or not yet experienced) system interactions and conflicts. It is more important than ever for process design and control system specialists to understand each other’s disciplines, and to work together to provide facilities where the instrumentation and control system design and process design are closely integrated.

    These Guidelines provide considerations and recommendations on how to implement and improve process safety performance of new and existing systems in process control and safety applications. The complete control system is covered including the field-mounted process sensors, the logic processor, the operator interfaces, and the final elements. For the logic processor, the primary emphasis is on application of electrical, electronic, and programmable electronic systems (E/E/PES), but the principles may be applied to all types of control systems, such as pneumatic or hydraulic systems. Electrical and electronic systems are non-programmable and are available in many types of discrete control systems, such as hardwired systems, electromechanical relays, motor-driven timers, and trip amplifiers. The term PES applies to all types of programmable controllers, such as single loop controllers, distributed control systems (DCSs), programmable logic controllers (PLCs), digital relays, and other microprocessor-based equipment.

    1.3 LIMITATIONS

    The discussion of safety issues in these Guidelines is limited to the direct or indirect application of safeguards relying on instrumentation and controls. The primary focus is on loss events leading to process safety impact, but the principles can be applied to the prevention of losses related to business interruption and property damage as well.

    These Guidelines are not intended for the nuclear power industry. In the United States, the Department of Energy has recommended the use of IEC 61511 [2015] for the design of safety significant instrumented systems in nuclear facilities for processing of nuclear material or nuclear wastes.

    The special safety concerns related to the discrete parts manufacturing industry, materials handling industry, or packaging industry are not addressed in these Guidelines even though they may have some applicability in the process industry. These Guidelines also do not cover the special requirements for effective fire protection systems.

    These Guidelines do not provide detailed guidance for the identification of loss events or for the design of risk reduction means that do not involve automation. These Guidelines follow a typical lifecycle process to determine whether or not a safety system is needed and to provide recommendations for how to design and implement the system when it is needed.

    The reader is referred to other CCPS publications for additional guidance, namely:

    Guidelines for Engineering Design for Process Safety [2012b]

    Guidelines for Hazard Evaluation Procedures [2008a]

    Inherently Safer Chemical Processes: A Life Cycle Approach [2009b]

    Guidelines for Chemical Process Quantitative Risk Analysis [2012a]

    Layers of Protection Analysis: A Simplified Risk Assessment Method Analysis [2001]

    Guidelines for Initiating Events and Independent Protection Layers [2014b]

    Guidelines for Safe and Reliable Instrumented Protective Systems [2007b]

    These Guidelines were written by a group of knowledgeable people who are leaders in the safe automation of chemical processes. More than a dozen companies and organizations that support CCPS have peer reviewed and provided feedback on these Guidelines. The resulting publication represents a spectrum of the current practices on the specification, design, implementation, operation, and maintenance of control and safety systems.

    1.4 TARGET AUDIENCE

    The target audience is anyone assigned responsibility for a lifecycle activity associated with the instrumentation and controls. The seven roles typically assigned responsibilities for lifecycle activities are listed below and in Table 1.2, which also includes a high level summary of the essential knowledge gained from reviewing these Guidelines.

    Management—personnel responsible for establishing policies related to safe and reliable operation and for oversight of the management system.

    Process Safety—personnel responsible for process safety management.

    Process Specialists—personnel responsible for the process design, automation, implementation, verification, and validation. This includes research and development, process engineering, and process control.

    Instrumentation and Electrical (I&E)—personnel responsible for instrumentation and control design and implementation.

    Operations—personnel responsible for the operation of the process.

    Maintenance—personnel responsible for inspecting, testing, and maintaining process control and safety system equipment.

    Manufacturers—personnel who work for an entity that develops, markets, and sells a product for process control and safety system use.

    In any given organization, individuals or departments may support the listed roles. User personnel, specialty consultants, engineering contractors, or other suitably competent parties on project teams may support these roles when implementing new or modified systems. At some sites, one person may be responsible for the activities listed for multiple roles. The functional safety management system specifies the individuals or departments responsible for various lifecycle activities.

    TABLE 1.2. Target Audience and Essential Knowledge

    1.5 INCIDENTS THAT DEFINE SAFE AUTOMATION

    The 1st edition of Guidelines for Safe Automation of Chemical Processes was published in 1993. In the decade leading up to its publication, the process industry suffered significant loss events that brought worldwide attention to process safety management.

    Since 1993, additional loss events have occurred that brought renewed effort in defining the requirements for safe automation on a global scale. Numerous standards and practices, which are referenced in these Guidelines, have been published to address different aspects of instrumentation and controls from basic electrical safety through performance-based standards for alarm management, SCAI and SIS.

    To emphasize the importance of safe automation, case studies of previous incidents (Table 1.3) have been placed throughout these Guidelines. There are typically many lessons to be learned from these incidents, and some of these incidents have become synonymous with certain safety issues, e.g., Texas City 2005 related to siting of temporary and permanent structures. These Guidelines do not make any attempt to replicate these previous lessons learned, but instead focus on the contribution of inadequate design, installation, testing, maintenance, and operation of the process control and safety systems.

    The case studies have more than high cost and significant impact in common. The attributed causes are similar. Each process had been subjected to multiple assessments of the likelihood and consequence of significant events. The assessments involved different methods, were conducted by different individuals, and were often supported by independent consultants. The hazards were known and accepted, as "the way things are done," with the pervasive belief being that the event was highly unlikely to occur. There was little acknowledgement or planning for event escalation, so when the event began to unfold, personnel who had the greatest opportunity to stop the incident were overwhelmed.

    In contrast to the common single cause-consequence paradigm, multiple causes and latent conditions were usually present in these case studies, although a primary root cause was identified for each specific accident. In most cases, the accident was not a sudden failure occurrence, but an evolving set of conditions that lined up in a dangerous manner: instrumented systems relied upon for control and monitoring did not work properly, and operators misinterpreted or ignored available data. Plant personnel often suspected abnormal operation, but investigation and correction were delayed.

    TABLE 1.3. Incidents That Define Safe Automation

    Case 1

    Location: Sunray, Texas

    Process: Propane Deasphalting Unit (PDA)

    Date: February 16, 2007

    Impact: 4 injured; total refinery evacuation; 2 month refinery shutdown; 1 year reduced capacity

    Process Flow Diagram and Control Station Detail:

    Summary:

    Before the accident, a leaking, but closed, valve allowed water to accumulate in a low point of a control station that had been out of service for 15 years. Cold weather caused freezing, likely fracturing an elbow in the control station. When warmer weather melted the ice, pressurized propane was released. Plant workers heard a noise and saw vapor blowing from the elbow. The vapor cloud travelled to the boiler house and ignited, causing a flash back to the leak source. The jet fire spread rapidly and caused widespread equipment and structural failures.

    Key Automation Learning Point:

    Valves should not be relied upon for long-term isolation. The differential pressure across the valve will continue to apply stress on the valve seat, which will eventually lead to a failure, especially when the valve is not routinely inspected and tested and its wear parts rebuilt or replaced. Decommissioning of instrument installations should be reasonably prompt to avoid leaving extraneous piping in which pressure, process contaminants or byproducts can accumulate. [ISA 2012e]

    Instrumentation and Controls Gaps:

    PHA failure to identify the hazard: control station design with dead leg collects entrained water

    Failure to conduct an MOC review when use of the control valve was discontinued but not isolated from the process

    Failure to heat trace the control valve station

    Lack of remotely operable shut-off valves as recommended by insurers and required in company standards

    Incorrect closure of 1996 PHA recommendation to install remotely operable shut-off valves as completed when these were never installed

    Sources:

    CSB. 2008. Investigation Report: LPG Fire at Valero-McKee Refinery. Report 2007-05-I-TX. Washington, D.C.: U.S. Chemical Safety Board.

    Unsurprisingly, there was a strong belief that the control and safety systems were capable of preventing extensive harm. However, this belief was unfounded because the alarm, shutdown, and emergency isolation systems proved to be inadequate when the event unfolded.

    In every event, competent people with knowledge of the process, equipment, process operation, and operating history did not acknowledge that the conditions for failure could be (or were) present. Is this a case of confirmation bias, where the team only looks deep enough to confirm the belief that everything is ok as is? A lack of understanding of how abnormal operation occurs or a refusal to accept that harm is possible inherently limits the capability of responsible personnel to correctly assess and manage risk. Process safety risk is not addressed by a big list of poorly managed safeguards or a list of nothing; it is addressed by the right list of rigorously designed and managed safeguards [Summers 2008, 2009].

    1.6 OVERVIEW OF THE CONTENTS

    Each of the five chapters following this introduction addresses an aspect of the automation work process. While some elements of sound process control and automation are presented as a starting point, primary emphasis is on specific issues that impact safety, rather than general operability and reliability of the process unit. These Guidelines discuss choices that affect the operability, maintainability, and reliability of the instrumented systems in process control and safety applications.

    There are many good references addressing considerations in the selection of instrumentation and their application to the control of processes. References are listed at the end of each chapter. The reader is encouraged to use additional sources in applying sound engineering practices to the application of instrumented systems.

    1.6.1 Chapter 2—The Role of Automation in Process Safety

    The process industry is in transition due to worldwide competition, increasing governmental regulations, and customer demands for greater traceability and connectivity. These changing conditions require the use of more automation and less dependence on humans for routine operation. Rapid technological changes in control systems are also introducing additional challenges and opportunities. Change management, effective deployment of system upgrades, and new equipment all impact the safety and reliability of automation.

    Process control and safety systems play important roles in reducing the frequency of loss events, so considerations related to selection, design, and implementation are briefly covered in Chapter 2, with detailed guidance provided in Chapters 3 through 5. The long-term performance of automation systems depends on the quality and rigor of the management systems. Robust management systems reduce the likelihood of human errors, particularly systematic ones, leading to process control or safety system failure. Administrative controls are addressed in detail in Chapter 6.

    A functional safety lifecycle is used to depict the different activities and work processes necessary to properly specify and implement process control and safety systems. The lifecycle emphasizes the need for conducting hazard analysis, performing risk assessments, and identifying the various means used to reduce the risk of loss events.

    The concepts of the protection layer and an independent protection layer (IPL) are introduced. Guidance is presented for identifying and evaluating whether protection layers qualify as IPLs using a set of specific criteria. Once the protection layers are defined, the required performance is determined based on risk criteria. The need for each company to develop specific criteria in this area is emphasized, since these design decisions involve judgments of risk acceptability.

    Readers are cautioned to satisfy their own company’s practices or other application criteria when identifying and classifying systems, as well as complying with good engineering practices.

    1.6.2 Chapter 3—Automation Specification

    The chapter addresses the importance of understanding the overall functional requirements for the control and safety systems and how faults (or failures) of system devices contribute to a system failing to operate when required. It also covers the various techniques that can be utilized to minimize the impact of these failures on the overall safety of the process.

    Proper application of control systems improves safety of chemical processes by reducing the frequency of abnormal operation and demands on the safety layers. The use of modern technology offers additional enhancements if properly applied. Chapter 3 offers guidance on accomplishing this for the process control system and safety controls, alarms, and interlocks. Guidance is provided to determine the appropriate separation of process control and safety systems in terms of hardware, software, personnel, and function. Safe and secure integration of these systems is paramount to achieving desired functionality and operability.

    1.6.3 Chapter 4—Design and Implementation of the Process Control System

    Chapter 4 gives guidance in the application of control system technology, field instrumentation (process sensors and final elements), operator/control system interface considerations, and process controllers.

    Safety considerations in applying single-loop controllers (pneumatic, analog, discrete, and programmable) and multi-loop control systems (DCS and PLC) are discussed. The application of varying types of process sensors and final elements (e.g., control valves) is also presented. Emphasis is on the safety aspects rather than on general application and selection practices, since these can be found in other texts and references.

    Operator interface considerations are covered from the viewpoint of information overload or adequacy of information available to the operator. Work processes and considerations are presented for selecting and supporting various types of hardware used for process control.

    Information is also provided relating to safety concerns in power supply, grounding and distribution systems, installation of specific components, communication considerations between systems, and the use of advanced control techniques.

    1.6.4 Chapter 5—Design and Implementation of Safety Controls, Alarms, and Interlocks (SCAI)

    Chapter 5 addresses the specific issues related to safety controls, alarms, and interlocks (SCAI) that may be required to ensure safe operation and to meet company risk criteria. The potential for systematic failure is addressed with rigorous design work processes that ensure thorough analysis and documentation of the system requirements. Examples are given of inherently safer practices, which can be applied to SCAI. A method of selecting the most appropriate hardware for a given system is presented, along with criteria to follow in the system design. Special requirements for the application program are also discussed.

    Communication considerations that may be required to maintain integrity, reliability, and security are covered. The concepts of separation, redundancy, and diversity are presented with discussions of their impact on the overall system integrity. Methods for integrating the reliability and availability requirements to obtain acceptable system performance are discussed.

    1.6.5 Chapter 6—Administrative Controls and Monitoring

    This chapter addresses both the need for and the types of administrative controls and actions that may be required to maintain any control system in a safe operating condition for the long term. It describes the content of procedures related to documentation, maintenance, operation, security, testing, bypassing, and other areas that apply to instrumented systems.

    Special emphasis is given to the management of changes to the system design and functional logic. Suggestions are presented for minimum levels of administrative control procedures. The use of engineered systems versus administrative controls is addressed. There is an emphasis on the need for written procedures rather than verbal instructions, ensuring the consistency of work execution and the ability to audit.

    The use of simulation techniques is briefly discussed in this chapter. Also covered is a discussion of the types of personnel, competencies, and skills required to support the lifecycle. Finally, the need for independent verifications and assessment of deliverables to avoid systematic failure across the automation system lifecycle is emphasized.

    1.6.6 Other Information

    In addition to the information already described, these Guidelines contain a glossary, a list of acronyms and abbreviations, and references at the end of each chapter. An index is included for quick reference to specific topics within the book.

    Appendices are included with information on several subjects that expand upon the material in a specific chapter. These provide additional reference materials for the user in applying the principles outlined in these Guidelines.

    1.7 KEY DIFFERENCES

In the years since the original publication of Safe Automation of Chemical Processes [CCPS 1993], numerous CCPS guidelines, international standards, and application practices have been published. Each publication has addressed the fundamental requirements of the functional safety lifecycle, from management system concepts to specific applications of instrumentation and controls. Some terminology has changed, such as the use of safety instrumented system rather than safety interlock system. Yet most of these changes are barely perceptible from a technical perspective.

    More importantly, there is a stronger emphasis on the organizational discipline and safety culture necessary to support safe and reliable instrumented systems. Functional safety involves the systematic implementation of tasks and activities to ensure equipment is properly designed, installed, and working in accordance with its specifications and remains fit for purpose until it is removed from service. When process safety is achieved through functional safety, the organization accepts the burden of assuring that the process is designed, maintained, inspected, tested, and operated in a safe manner.

    REFERENCES

    ANSI/ISA. 1996 (Replaced). Application of Safety Instrumented Systems for the Process Industries, S84.01-1996. Research Triangle Park: ISA.

    CCPS. 1993. Guidelines for Safe Automation of Chemical Processes. New York: AIChE.

    CCPS. 2001. Layers of Protection Analysis: Simplified Process Risk Assessment. New York: AIChE.

    CCPS. 2007b. Guidelines for Safe and Reliable Instrumented Protective Systems. New York: AIChE.

    CCPS. 2007c. Human Factors Methods for Improving Performance in the Process Industries. New York: AIChE.

    CCPS. 2008a. Guidelines for Hazard Evaluation Procedures, 3rd Edition. New York: AIChE.

    CCPS. 2009b. Inherently Safer Chemical Processes: A Life Cycle Approach. New York: AIChE.

    CCPS. 2010a. Final Report: Definition for Inherently Safer Technology in Production, Transportation, Storage, and Use. New York: AIChE.

    CCPS. 2012a. Guidelines for Chemical Process Quantitative Risk Analysis, 2nd Edition. New York: AIChE.

    CCPS. 2012b. Guidelines for Engineering Design for Process Safety, 2nd Edition. New York: AIChE.

    CCPS. 2014b. Guidelines for Initiating Events and Independent Protection Layers in Layers of Protection Analysis. New York: AIChE.

    IEC. 2003a (Replaced). Functional safety: Safety instrumented systems for the process industry sector - Part 1-3, IEC 61511. Geneva: IEC.

    IEC. 2015. Functional safety: Safety instrumented systems for the process industry sector - Part 1-3, IEC 61511. Geneva: IEC.

    ISA. 2012e. Mechanical Integrity of Safety Instrumented Systems (SIS), TR84.00.03-2012. Research Triangle Park: ISA.

    Summers, Angela E. 2008. Safe Automation Through Process Engineering, Chemical Engineering Progress, 104 (12), pp. 41-47, December.

Summers, Angela E. 2009. Safety Management is a Virtue, Process Safety Progress, 28 (3), pp. 210-13, September. Hoboken: AIChE.

    2 THE ROLE OF AUTOMATION IN PROCESS SAFETY

    2.1 PROCESS OPERATIONS

    Industry practices are constantly evolving to meet new market demands. Business competition from the worldwide manufacturing community, increasing government regulation of the workplace, and customers who demand consistent production and ever-increasing purities cannot be ignored. Changes are occurring in operating methods to reduce costs and variability in the production process, to enhance reliability and operability, and to improve safety performance.

    The complexities of today’s processes combined with constantly changing market demands make comprehensive up-front analysis and risk management a business necessity. Risk management must be fully integrated into the operating objectives for a particular process to ensure that its operating plan is in alignment with safe operation (Figure 2.1). Actual operating and maintenance data is needed to evaluate system performance and to initiate change when needed.

    Industry uses a mixture of prescriptive and performance-based practices to ensure that the process is designed for process safety [CCPS 2012b, CCPS 2007a]. These practices become incorporated into a site’s safety culture and "the way things are done" through the implementation of internal policies, practices, and procedures. Experienced and trained personnel use their knowledge, backed with documented practices and standardized templates, to design systems that maximize human, equipment, and process performance.

    Figure 2.1. Feed Forward and Feed Back Work Processes for Quality Assurance [CCPS 2007b]

    Moving forward, industry will be increasingly challenged to balance inherently safer design and functionally safe design. One means to achieve safe operation is to create inherently safer processes, where the process is designed and maintained to eliminate or minimize risk. The CCPS book, Inherently Safer Chemical Processes: A Life Cycle Approach [2009b], discusses various means to reduce process risk through facility siting, process chemistry, unit operations, control system design, operating plan, inventories, etc. Consideration for inherently safer design should be fully embedded in new projects and in the cyclic process hazards analysis as a means to address identified risk gaps [Broadribb and Curry 2010]. Protection layers should only be applied after first considering and ruling out inherently safer options [Broadribb and Curry 2010]. Although the opportunities for inherently safer design diminish over the process life, there are often ways that risk can be minimized through better design (Figure 2.2).

    The highest priority for reducing the risk as low as reasonably practicable (ALARP) is to employ the inherently safer strategies in the process design (Figure 2.3). For example, equipment segregation is a proven strategy for minimizing common cause and reducing the potential for failure escalation that impacts multiple systems.

    It is often impractical to design the process to be inherently safe for all possible loss events. Once the process design is complete, functional safety is achieved using safeguards, such as engineered systems and administrative controls. Events with significant severity outcomes may require more independent safeguards than events posing less harm.

    Figure 2.2. Opportunities for Inherent Safety Diminish Over Time

Lower priority is placed on implementation of engineered systems and administrative controls (Figure 2.3), since the performance of these risk reduction measures is highly dependent on the rigor of the functional safety management plan. In contrast, a process designed to be inherently safer will remain so as long as the inherently safer feature is sustained. However, engineered systems, particularly those relying on automation, are critical to achieving ALARP for many loss events in the process industry. For example, safety alarms are an important feature in giving the operator an opportunity to return the process to a safe and normal operating state.

    Administrative controls, while the least priority from a risk reduction strategy standpoint, are necessary to ensure that engineered systems are functional; operators know how the system works and how they interact with it; maintenance knows how to keep all of the equipment in its as good as new condition; and management has metrics to measure performance.

    The inherently safer strategies of minimize, substitute, moderate, and simplify can be applied when designing process control and safety systems. A properly designed process control system, typically monitored by trained and alert operators, is the first line of defense, beyond sound process design, in preventing loss events.

    Engineered systems that act upon control system failure include many types of systems, such as relief systems, de-inventory systems, safety alarms and safety instrumented systems. Taking action at the earliest step in the propagation of a loss event minimizes the impact of abnormal operation (Figure 2.4). Reliable safeguards act when and as required to achieve or maintain a safe state.

    Figure 2.3. Priority of Inherently Safer Design and Protection Layers in Risk Management (Broadribb 2010)

As discussed in Chapter 1, inherently safer practices can create safeguards that have less potential for dangerous failure, whether the failure occurs due to safeguard design, to a support system disruption, or to human error. For example, the inherently safer strategy of simplify can be applied to automation systems by designing the process control system to be separate and independent from the safety systems. As another example, using the strategy of substitute, equipment can be selected that has a lower frequency of dangerous failure. Refer to 3.4 for more examples of the inherently safer strategies applied to automation.

    Inherently safer practices can significantly influence the automation equipment selection, fault tolerance, response to detected equipment failure, and response to detected support system failure, such as communications and utilities (e.g., pneumatic, hydraulic, or electrical supplies).

    Figure 2.4. Anatomy of a Loss Event [CCPS 2008a]

    Inherently safer practices can be applied to sustain the risk reduction capability of the safety system even when there is a device failure by designing the system to be fault tolerant (i.e., install redundant devices). Some inherently safer practices also bring a higher potential for spurious, or unnecessary, activation of the safety systems. If spurious operation causes intolerable losses, the functional specification should state a target spurious trip rate so that the necessary design features are implemented.

    Finally, inherently safer strategies apply to the human factor design as well. Operator interfaces, maintenance facilities, cybersecurity configuration, bypass means, and access security provisions should consider how to minimize human errors when executing procedures. For example, it is an inherently safer practice to provide the operator with redundant indication of safety variables using simple graphical displays. Another example is that it is an inherently safer practice to display safety alarms on a separate alarm interface that is designed specifically for safety alarms.

    2.1.1 Technological Advances in Instrumentation

    Controllers were once distributed in the field within the process unit. The operator executed control tasks manually using pneumatic systems installed in production-critical areas. In the 1980s, distributed control systems became available that moved the logic processing from individual local controllers into a centralized system with proprietary controllers and associated I/O modules. The inclusion of so many functions in one controller increases the potential that common cause and systematic failure will impact the safe operation of multiple pieces of equipment, a unit, or an entire facility [Summers 2011a].

    Fortunately, the need for change in control technology has been coupled with significant technical advances in instrumentation and control equipment. Programmable-electronic (PE) sensors and controllers plus precision-throttling control valves now make it more practical to implement complex process control strategies. Powerful control algorithms can be executed by modern systems. Process measurements are recorded, monitored for alarm conditions, and made available for displays, while product quality information is collected and archived by data storage (or historian) units.

    Today, smart instruments, local valve controllers, digital fieldbus networks, and other new technologies are moving control back into the field—closer to the process and field operations personnel.

    Case 2

    Location: Mexico City, Mexico

    Process: LPG Terminal

    Date: November 19, 1984

    Impact: Explosion and fire; over 500 fatalities; over 7000 injuries; 200,000 evacuated

    Summary:

    A pipe failed in a liquid petroleum gas (LPG) terminal, possibly due to pipeline overpressure as a result of overfilling a downstream vessel or a similar cause. A significant drop in equipment operating pressure was detected by the control room operator and by the pipeline pumping station operator. Neither operator identified that the pressure drop was due to a pipeline rupture. The release of LPG continued for about 5-10 minutes when the gas cloud, estimated at 200 m x 150 m x 2 m high, drifted to a flare stack. It ignited, causing a violent ground shock. A number of ground fires occurred. Someone pressed the emergency shutdown button after most of the facility was engulfed.

    About 15 minutes after the initial release, the first BLEVE occurred. For the next hour and a half there was a series of BLEVEs as the LPG vessels violently exploded. LPG rained down and surfaces covered in the liquid were set alight.

    Key Automation Learning Point:

Emergency response plans should consider probable fire locations and how emergency isolation will be safely accomplished during a fire event. A gas detection system managed under rigorous safety practices [ISA 2010] should be strongly considered to assist operators in recognizing loss of containment. Given the practical limits of reliable operator response [CCPS 2014b] and the rapid development of a sizable vapor cloud in this case, automated safeguards upon detected release might be advised.

    Instrumentation and Controls Gaps:

    Inadequate physical separation of vessels contributed to significant event escalation

    30-40% of safety devices, e.g. fire water spray systems, were inoperative or bypassed

    Multiple header pressure gauges malfunctioned

    Operators unable to recognize cause of system pressure drop

    Lack of gas detection and emergency isolation system

    Fire made local isolation valves inaccessible

    No emergency notification to community

    Sources:

    HSE (Health and Safety Executive). Control of Major Accident Hazards (COMAH) Guidance Case studies--PEMEX LPG Terminal, Mexico City 1984. Web content last accessed 02-02-2015 (Web link http://www.hse.gov.uk/comah/sragtech/casepemex84.htm).

    Olson B.F., and Jose L. de la Fuente. 1985. Report on San Juan Ixhautepec, Mexico LPG Accident. Olson Engineering Company.

    This typically lowers the installation cost, while providing centralized engineering tools and configuration features similar to older centralized systems. Careful examination of prior use evidence and the analysis of the frequency of failure modes determine whether new technologies are appropriate for control of processes posing major hazards or for safety applications involving safety controls, alarms, and interlocks.

    The advantages of modern safety systems are similar to those realized with modern process control. A separate safety system provides independent operation and safe shutdown in the event of failure of the control system, whether it is distributed or centralized. As the safety systems associated with different unit operations are segregated into independent controllers, the risk of common cause and systematic failure propagation is significantly decreased. Functions can be separated to the degree that each can be operated, inspected, maintained, and tested independently, so the performance of each function impacts only the equipment it is designed specifically to protect. As an inherently safer practice, greater distribution results in a system that is less complex, easier to implement and maintain, and significantly more cost-effective [Summers 2011a].

    2.1.2 Changing Roles for Plant Operators

    The plant operator is responsible for the hour-to-hour operation of the manufacturing facility. This typically requires continuous monitoring of process variables and frequently the repetitive adjustment of a large number of valves. Although automatic controllers are provided to improve production and safety, each controller comes with an auto/manual switch, and many control loops operate normally or intermittently in manual mode. This may be due to control loop commissioning, tuning, or other issues. While in manual mode, the operator is responsible for controlling the process condition, as any change in the state of the final element, such as the control valve, requires operator action.

    Some operators touch the chemical process. They take process samples, perform simple analytical techniques, and monitor process conditions by visual inspection of tank levels, fluid color, line temperatures, etc. Based on the process conditions, the operator starts/stops pumps and compressors, opens/closes valves, etc. The operator appears to have a high degree of situational awareness, because of proximity to the equipment. However, the operator is not actually aware of the process condition and cannot take action on the process without instrumentation and controls. Operators are also located in control rooms (example configuration given in Figure 2.5) that are external to the processing area and are equipped with operator interfaces, which are designed to provide the operator with data that would have otherwise been obtained when working directly with the equipment.

    Modern control rooms include video displays showing simple graphics of process equipment and process conditions at the operator’s workstation. These operator interfaces influence the operator’s understanding of what is happening inside process equipment and provide information to the operator when changes to the operating conditions are necessary [ISO 2010b, ANSI/HFES 2007]. As control rooms move farther from the process, the need to ensure situational awareness has become an essential characteristic of safe automation [ISA n.d., ANSI/ISA 2009b, EEMUA 2013, IEC 2014c, ISA 2015c].

    Figure 2.5. Control Room

    Risk-based facility siting practices are moving the operator farther from the process equipment. This form of segregation is inherently safer from a human impact perspective and is strongly encouraged in risk-based facility siting practices [API 2009, CCPS 2012c]. While reducing the risk of human impact during loss events, it does result in less familiarity with the installed equipment and the location of process control and safety system equipment.

    The modern operator interface is expected to provide situational awareness while displaying a steady stream of information that supports production management, product quality assurance, and safety management. New operator interfaces intentionally use limited color [ISA n.d.] and rely on simple graphics and charts to indicate the process status. To enhance abnormal situation recognition, the operator is notified through an alarm system when the process operation is outside of defined normal operating limits. A well-designed and thoughtfully planned operator interface increases the likelihood that the operator responds as necessary in a timely manner to abnormal operation and alarms [ANSI/ISA 2009b, EEMUA 2013, IEC 2014c, U.S. NRC 2002]. To ensure maximum attention, high integrity, and low common cause failure, a safety interface is typically provided for safety alarms, especially where manual shutdown is specified [ANSI/ISA 2009b, EEMUA 2013, IEC 2014c, IEC 2015, ISA 2015c].

    Facilities involving multiple process units to produce a product may have one or more control rooms where operators monitor segments of the facility. The control room operators remain in communication with outside workers by radio and occasional direct contact. Some processes require that operators work both in the control room and in the manufacturing area, so response time can vary from nearly immediate when a control room operator takes action to minutes when the operator must go into the field to execute assigned tasks. In some cases, multiple operators may need to work together to complete a task, or one operator may temporarily take responsibility for monitoring a specific process, while the assigned operator takes a break.

    The operator is often the first line of defense when processing equipment fails to perform. Typical operating activities include restarting or swapping pumps, evaluating the consequence of equipment malfunctions, and adjusting operating conditions when the process conditions are deviating from the operating plan. The operator remains the primary monitor of the process operation of a facility, but with increasingly remote control rooms the operator is doing more and more tasks using process automation. For the operator, situational awareness is being aware of what is happening in the process and understanding how information, events, and one’s own actions impact the process operation, both immediately and in the near future. Situational awareness is a greater challenge as operators move further away from the equipment, so human factors should be strongly considered during design, specification and procedure development (Table 2.1). Most operators are entirely reliant on their operator interface to provide situational awareness and to combat confirmation bias, which is the tendency to search for, interpret, or recall information in a way that confirms one’s beliefs or hypotheses.

    TABLE 2.1. Human Factors Guidelines for Remote Operations

    2.1.3 Changing Issues in Safe Process Control

    Excessive reliance on the operator for process control tasks has resulted in loss events due to human error. Several of the case studies presented in these Guidelines involve human error during control, monitoring, recovery, or shutdown actions. Increasing process automation, including alarm systems and automatic control actions, reduces the potential that operator errors initiate loss events; however, faults can still occur in the control systems. The complexity of modern programmable controllers increases the likelihood that systematic failures cause dangerous system failure leading to loss events.

    The challenge is to design integrated control and safety systems with strong consideration for human factors, so that the system performance can be sustained for the system life. Human factors affect all aspects of process safety management (Chapter 1) and a particular aspect can be judged as positive or negative in terms of contribution to potential human error (Table 2.2). These factors also contribute significantly to systematic failures, since a negative attribute is often reflected in site-wide practices.

Operations personnel need to understand the fundamentals of how the process reacts to both normal and abnormal situations, despite the use of advanced and increasingly more remote automation systems. They also need to be able to rapidly respond as required during event propagation to recover the process, to prevent loss of containment, or to support emergency response. Making effective use of control system technology while guarding against potential sources of systematic failure, whether due to hardware, software, or human error, is critical to safe operation. Increased plant automation is placing higher demands on maintenance each year. System connectivity has brought business benefits, but if the process control network is not properly secured, cybersecurity risks can be high. This situation can become substantially worse if the safety system is not isolated from the network and a cyber-attack affects both systems.

    2.2 PLANT AUTOMATION

    Most process designs employ control systems to achieve consistent product quality, to minimize the manual labor of the production staff, to reduce human error in doing repetitive tasks, to improve equipment availability and production efficiency, and to enhance operational safety [Summers 2008]. Control systems in a modern chemical manufacturing facility can be separated into two groups: those systems that perform process control actions and those that perform process safety actions. Typically, process control and safety applications make use of similar control technologies.

    TABLE 2.2. Example Positive and Negative Human Factors (CCPS 2008a)
