Safety instrumented systems (SIS) exist, by definition, to reduce risk. Recent technical advances now also allow an SIS to be integrated with process control and to make use of more sophisticated instruments and tools that benefit the process. For these reasons, integrated control and safety systems (ICSS) are gaining recognition across the chemical process industries (CPI).
“There have been developments from a technology point of view that allow the integration of process control and safety systems, yet keep them separate enough so that they don’t compromise safety, which was considered an issue in the past,” says Kristian Olsson, Safety Center manager with ABB (Norwalk, Conn.). “Keeping the systems separate enables the same risk reduction as would standalone systems, while the integration provides many benefits for the process.”
Among the benefits of more integration between process control and SIS for chemical processors is the flexibility it provides. “Especially among our batch customers we see a lot of interest in these integrated systems because if they are running different types of products with different recipes using a batch automation system to manage it all, they need a flexible, safety instrumented system that is able to adjust trip points based on the hazards related to the different chemicals they are using,” says Mike Boudreaux, safety instrumented systems brand manager, with Emerson Process Control (Austin, Tex.).
Likewise, if a processor faces different hazard scenarios depending on which step of the process is running, an ICSS gives it the flexibility to handle the hazards of each step appropriately.
Integrated, yet separate
An ICSS is obviously meant to keep the process from going out of control while preserving that flexibility, but there are many ways to provide the integration and several levels of integration. For an integrated control and safety system to reduce risk rather than add to it, experts stress the importance of implementing a system that is “integrated, yet separate.”
Several standards, among them IEC 61508 and the OSHA-endorsed ISA S84.01, require that the control system be separate and independent from the safety-related system. In practice this means that the control and safety systems should not share hardware or configuration tools, for example, so that a single common-cause failure cannot defeat both at once. The systems are still integrated, however, at the operator interface and in the sharing of non-safety-related information, according to Erik de Groot, global manager for safety systems with Honeywell Process Solutions (Morristown, N.J.).
The simplest way to achieve integration is the interfaced approach: a Brand X control system and a Brand Y safety system that work well together. In this arrangement the two systems share information via a gateway or a third-party connection.
On the plus side, today’s interfaced systems are better at data sharing than those of the past, so they give operators more information with which to diagnose, troubleshoot and head off risky situations. For processors who want compatibility between the two systems but are not in the market for a new control system, the interfaced approach is a good option. Potential users should keep in mind, though, that while an interfaced approach can share important process information, it is limited in the amount of information and the level of detail it can pass.
For companies in need of more information or that are ready to replace their control systems, automation companies can provide process control systems with integrated, yet independent, safety instrumented systems. “The best of these systems are integrated but separate, which means they are born from the same cloth so they play well together, but are still considered separate and independent systems,” says Charles Fialkowski, national process safety manager with Siemens Energy & Automation (Spring House, Pa.). “This type of system doesn’t have any issues as far as bringing the information together in a common format and there’s no gateway or third-party device. Everything is done seamlessly.”
It is important not to confuse integrated systems with what are often referred to as “common” systems. The main differentiator is that a common system uses the same components for process control and safety, whereas an integrated but independent system maintains complete physical separation between the safety instrumented system and the process control system.
However, the way the separation is maintained in an integrated system varies from vendor to vendor. Emerson Process Control’s offering, Delta V SIS, for instance, uses hardware and software for logic solving that are completely different from those used in the process control system’s I/O (input/output) and controllers. Delta V SIS has its own safety communication network, so it does not share the control network’s communications, and its logic solvers differ from the process controllers in hardware, design and operating system. Despite the physical separation, operations, engineering and maintenance can use shared components wherever functional safety is not affected.
ABB’s High Integrity safety system, which integrates with its System 800xA for process control, is integrated but separate thanks to “embedded diversity,” according to Olsson. Here, independence between the safety system and the process control system is achieved by designing the two controllers diversely: measures have been taken in the design, implementation and testing of the controllers’ hardware and software architectures to ensure that the failure modes of the safety system are completely different from the potential failure modes of the process control system. “This is important because if a failure in the process control system causes a plant upset, we can be certain the safety system will take the proper measurements to bring the process back to a safe state,” explains Olsson.
Honeywell handles the integrated-but-independent challenge another way. The company provides its Safety Manager safety system as part of the overall Experion Process Knowledge System. Safety Manager integrates seamlessly into the HMI (human-machine interface) and allows peer-to-peer communication with the Experion C300 process controller, while remaining completely independent of the control system. Within that architecture, the customer chooses the level of integration for the safety-related communication between safety systems: it can run over the same infrastructure as the Experion system, or it can be isolated on a redundant, independent safety communication network. “In either case, the safety integrity level is guaranteed,” notes de Groot.
Pros and cons of integration
Benefits of integrated systems such as these are many. For example, many of the tools used for tracking, history, documentation and reporting of information can be used by both the process control and safety systems. “This gives end users benefits in their everyday work in terms of maintenance, engineering and record keeping,” notes Olsson. “Record keeping and documentation are especially helpful in the chemical processing industry where an audit trail is important. They can record when a certain setpoint or operation was made or changed in the system and by whom. Then if they need to track an incident or quality issue, they can find the information they need to do this.”
Asset management and predictive maintenance tools can likewise be brought from the process control world into the safety realm. Because users can keep equipment maintained and catch problems before they cause a process upset or affect production, availability improves.
While the benefits are plentiful, there are also a few risks. “When it comes to interoperable and integrated systems there are details that need to be examined like cyber security, which is the ability of the safety system to continue to function even if there is a cyber or network attack,” says Joe Scalia, controls systems architect and acting director of the safety business with Invensys Plc. (London, England).
He notes previous instances in which a processing facility was attacked directly by a so-called worm or by a disgruntled former employee. “Unfortunately the safety systems didn’t have adequate security and were bypassed or turned off,” Scalia says. “Think about the amount of risk for chemical processors where most of what they use is toxic or could cause an explosion.”
To guard against this, Scalia stresses that the process control and safety systems should still share data through integration or interoperability, but that the safety system must have its own link. “It polices that link and has its own capabilities. If something happens to the communications network, the communications function of the safety system is completely separated from the safety system’s ability to function.”
Invensys’ Triconex system has this capability.
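The following is an added illustration, written for this article and not Invensys’ Triconex design or any vendor’s product or protocol, of two points made above: the recipe-dependent trip points that Boudreaux describes, and Scalia’s safety system that polices its own link and keeps performing its safety function when the network does not. The safety scan and the link handler are deliberately separate objects; the link can only read tags or select one of the trip-point sets validated during design, and it refuses (and counts) attempts to set a trip point, bypass, reset, or push malformed data. Tag names, recipe trip sets, the message format and the scenario in `simulate()` are constructed assumptions.

```python
"""Model of an "integrated, yet separate" safety logic solver (added illustration,
not any vendor's product or protocol). Tag names, recipes, trip points and the
message format are constructed for this example.

  * SafetyLogicSolver: the safety function. scan() reads its own inputs and
    trips on its own; it never waits on, or takes commands from, the network.
  * ControlLink: the non-safety link to the process control system. It serves
    reads and one write-class operation, selecting a pre-validated trip-point
    set for the current recipe. Anything else is refused and counted.
"""
from dataclasses import dataclass, field

# Constructed: trip-point sets validated during SIS design and testing, keyed by
# recipe. The control system may pick one; it can never edit the values.
VALIDATED_TRIP_SETS = {
    "RECIPE_A": {"TT-101": 150.0, "PT-201": 8.0},   # degC, barg
    "RECIPE_B": {"TT-101": 120.0, "PT-201": 6.5},
}


@dataclass
class SafetyLogicSolver:
    recipe: str = "RECIPE_A"
    tripped: bool = False
    scans: int = 0
    audit: list = field(default_factory=list)   # (scan, event, detail, who/value)

    @property
    def trip_points(self):
        return VALIDATED_TRIP_SETS[self.recipe]

    def scan(self, readings):
        """One scan: trip and latch if any input is missing or at/above its trip point."""
        self.scans += 1
        for tag, limit in self.trip_points.items():
            value = readings.get(tag)
            if value is None or value >= limit:       # bad or missing input fails safe
                if not self.tripped:
                    self.audit.append((self.scans, "TRIP", tag, value))
                self.tripped = True
        return self.tripped

    def local_reset(self, operator):
        """Reset is a local SIS action (e.g. key switch); it is not reachable over the link."""
        self.audit.append((self.scans, "RESET", operator, None))
        self.tripped = False


class ControlLink:
    """Gateway the SIS exposes to the control system; every message is policed here."""
    READ_TAGS = {"TT-101", "PT-201", "tripped", "recipe"}

    def __init__(self, sis):
        self.sis = sis
        self.rejected = 0

    def handle(self, msg, readings):
        try:
            op = msg["op"]
            if op == "read" and msg["tag"] in self.READ_TAGS:
                tag = msg["tag"]
                value = readings[tag] if tag in readings else getattr(self.sis, tag)
                return {"ok": True, "value": value}
            if (op == "select_recipe" and msg["recipe"] in VALIDATED_TRIP_SETS
                    and not self.sis.tripped):                  # no recipe swap mid-trip
                self.sis.audit.append((self.sis.scans, "RECIPE", msg["recipe"], msg.get("user")))
                self.sis.recipe = msg["recipe"]
                return {"ok": True}
        except (KeyError, TypeError):
            pass                                                # malformed message
        self.rejected += 1   # writes to trip points, bypass, reset, unknown recipe, junk
        return {"ok": False}


def simulate():
    """Constructed scenario: the batch system selects RECIPE_B, hostile traffic hits
    the link, the link then goes down, and pressure drifts past the trip point.
    Returns (scan at which the SIS tripped, messages rejected, audit trail)."""
    sis = SafetyLogicSolver()
    link = ControlLink(sis)
    hostile = [
        {"op": "write", "tag": "PT-201", "value": 99.0},     # raise trip point: refused
        {"op": "write", "tag": "bypass", "value": True},     # bypass: refused
        {"op": "reset"},                                     # remote reset: refused
        {"op": "select_recipe", "recipe": "RECIPE_X"},       # unvalidated set: refused
        b"\x00\xff junk",                                    # malformed: refused
    ]
    pressures = [4.0, 5.0, 6.0, 7.0, 9.0, 9.5]               # PT-201, barg, one per scan
    link_up, trip_scan = True, None
    for step, p in enumerate(pressures):
        readings = {"TT-101": 100.0, "PT-201": p}
        if step == 0:
            link.handle({"op": "select_recipe", "recipe": "RECIPE_B", "user": "batch-exec"}, readings)
        if step == 3:
            link_up = False                                  # attack or fault takes the link down
        if link_up:
            for msg in hostile:
                link.handle(msg, readings)
        if sis.scan(readings) and trip_scan is None:         # the scan runs regardless of the link
            trip_scan = sis.scans
    return trip_scan, link.rejected, sis.audit


if __name__ == "__main__":
    print(simulate())
```

In the constructed run the batch system’s recipe selection is accepted and recorded with the requesting user (the audit trail Olsson mentions later in the article), the fifteen hostile messages are all refused, and the trip on PT-201 at 7.0 barg occurs on the fourth scan after the link has already gone down. The design choice to note is that the link offers a tiny, enumerable surface (reads plus a selection among validated sets) and that nothing on it can alter the scan loop; a real SIS would additionally authenticate the selector and require a maintenance-mode key switch for any trip-point change.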
Tools of the trade
Security risks aside, the increased use of ICSS is enabling the use of more sophisticated tools, such as simulation and partial stroke testing. Invensys, for example, offers immersive virtual-reality training that can be coupled with the process control system’s simulators to simulate safe operation of the process. Operators can move through a virtual plant, learn where the hazards are and practice their responses without endangering themselves.
Similarly, Emerson offers offline simulation tools for the process control system that can be integrated with the safety instrumented system to provide a complete offline simulation environment, both for operator training and for testing how the two systems interact.
If a plant owner wants to train operators on the abnormal situations that might occur in a process, it can be done offline. The simulation reproduces the operator graphics and interactions exactly, so operators can see what happens and learn how to handle an emergency shutdown or other abnormal situation. “The whole experience for the operator is exactly what they would experience online if they were actually running the chemical process,” says Boudreaux. “There are a lot of benefits to this, the biggest being that if they are familiar with abnormal scenarios and know how they’ve reacted during the simulations, they can think more clearly and respond more swiftly and appropriately during a real-time situation.”
Simulations can also be used for testing changes that were made to the safety instrumented system. For instance, if an engineer wants to change a trip point or the logic in the safety system module, they can first make that change in an offline environment and run a full functional test. It will operate just as it would in a physical logic solver. “That saves some engineering costs, and because it provides the ability to test every scenario offline, tests can be done much more rigorously,” explains Boudreaux.
Integration is also permitting the use of intelligent device communication for partial stroke testing. In the past, the safety system had multiple valves so that one could serve as backup if another failed, and these valves typically had to be taken offline periodically for testing. More recently, according to Art Pietrzyk, critical process control and safety segment manager with Rockwell Automation (Milwaukee, Wis.), there is a trend toward safety-certified instrumentation, safety-certified valves and algorithms that work with the valves to perform partial stroke valve testing. “They put positional and sensing devices on the valve and move it to a partial opening to make sure it’s still responding and that the safety integrity of the valves is in order,” says Pietrzyk.
In general, partial stroke testing exercises part of the valve’s travel between full proof tests and so reveals a share of the failures that would otherwise stay hidden until the next proof test. That lets users extend the proof-test interval while keeping the valve’s safety integrity where it should be, so full proof tests need not be done as often. Partial stroke testing also yields data about valve and process behavior and supports predictive maintenance where needed.
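To make the proof-test-interval argument concrete, here is an added worked calculation (not from the article, and not any vendor’s algorithm) using the simplified single-channel, low-demand approximation: without partial stroke testing PFDavg is about λDU·Tproof/2, and with it the fraction C of dangerous undetected failures that a partial stroke reveals is tested at the PST interval instead, giving PFDavg ≈ C·λDU·Tpst/2 + (1−C)·λDU·Tproof/2. The failure rate, coverage and intervals in `worked_example()` are constructed assumptions; real coverage comes from the valve’s certification data and real SIL verification includes terms (detected failures, repair time, common cause) omitted here.

```python
"""Partial stroke testing (PST) and the proof-test interval: a worked calculation
(added illustration, not from the article). Simplified single-channel,
low-demand approximation:

    PFDavg ~= lambda_DU * T_proof / 2                           (no PST)
    PFDavg ~= C * lambda_DU * T_pst / 2
              + (1 - C) * lambda_DU * T_proof / 2               (with PST)

lambda_DU: dangerous undetected failure rate (1/h); C: PST coverage (fraction
of lambda_DU a partial stroke reveals); T_pst / T_proof: test intervals (h).
All numbers below are constructed assumptions, not vendor data.
"""

HOURS_PER_YEAR = 8760.0


def pfd_avg(lambda_du, t_proof_h, pst_coverage=0.0, t_pst_h=0.0):
    """Average probability of failure on demand for one final element."""
    if not 0.0 <= pst_coverage <= 1.0:
        raise ValueError("coverage must be in [0, 1]")
    if pst_coverage > 0.0 and not 0.0 < t_pst_h <= t_proof_h:
        raise ValueError("PST interval must be positive and no longer than the proof-test interval")
    return (pst_coverage * lambda_du * t_pst_h / 2
            + (1.0 - pst_coverage) * lambda_du * t_proof_h / 2)


def sil_band(pfd):
    """IEC 61508 low-demand SIL band for a PFDavg (0 = does not reach SIL 1)."""
    for sil, (lo, hi) in ((4, (1e-5, 1e-4)), (3, (1e-4, 1e-3)),
                          (2, (1e-3, 1e-2)), (1, (1e-2, 1e-1))):
        if lo <= pfd < hi:
            return sil
    return 0


def max_proof_interval(lambda_du, pfd_target, pst_coverage=0.0, t_pst_h=0.0):
    """Longest proof-test interval (h) that still meets pfd_target, given PST.
    Solves the with-PST formula above for T_proof."""
    if not 0.0 <= pst_coverage < 1.0:
        raise ValueError("coverage must be in [0, 1); a full stroke is a proof test")
    residual = pfd_target - pst_coverage * lambda_du * t_pst_h / 2
    if residual <= 0.0:
        raise ValueError("target not reachable: PST-covered failures alone exceed it")
    return 2.0 * residual / ((1.0 - pst_coverage) * lambda_du)


def worked_example():
    """Constructed case: lambda_DU = 2e-6 /h, annual proof test, then monthly PST
    with 60 % coverage. Returns the PFDavg, SIL band and the proof-test interval
    that gives the same PFDavg once PST is in place."""
    lam, t_proof, t_pst, cov = 2e-6, HOURS_PER_YEAR, HOURS_PER_YEAR / 12, 0.6
    base = pfd_avg(lam, t_proof)
    with_pst = pfd_avg(lam, t_proof, cov, t_pst)
    t_max = max_proof_interval(lam, base, cov, t_pst)
    return {
        "pfd_no_pst": base, "sil_no_pst": sil_band(base),
        "pfd_with_pst": with_pst, "sil_with_pst": sil_band(with_pst),
        "proof_interval_years_same_pfd": t_max / HOURS_PER_YEAR,
    }


if __name__ == "__main__":
    for key, val in worked_example().items():
        print(f"{key:32s} {val:.4g}")
```

With the constructed figures the annual proof test gives PFDavg 8.76e-3 (SIL 2); adding a monthly partial stroke with 60 % coverage lowers it to 3.94e-3 at the same proof-test interval, or, keeping the original 8.76e-3, allows the full proof test to be stretched to roughly 2.4 years. The caveat a practitioner would add is that coverage is always well below 1, so PST supplements the proof test rather than replacing it, and any interval extension must still be justified in the SIL verification and within what the safety requirements specification allows.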
When the safety and process benefits are spelled out and coupled with the ability to use more sophisticated, process- and safety-enhancing tools, integrated safety and control makes sense, especially in an economy where processes are running for longer periods between turnarounds. “It is important that the process and safety systems controlling the compressors, turbines and other critical equipment are available to generate money and ensure that the plant continues to run in a safe manner,” says Scalia. “The bonus is that users are getting additional functionalities, such as communicating with intelligent devices so they can more effectively maintain and optimize their operations.”
Joy LePree