
Chemical Engineering


Modern SIS: Balancing Safety with Process Availability

By Joy LePree, contributing editor

Advanced safety-instrumented system features minimize complexity, downtime and costs

Chemical process plants must be vigilant when it comes to preventing accidents that have the potential to harm people, assets and the environment. While safety instrumented systems (SIS) reduce risks, they have historically been complex, costly and detrimental to plant uptime. Fortunately, today’s SIS solutions address these challenges by enabling higher levels of safety and compliance, while also reducing costs and complexity.

“Chemical processors rely on SIS to manage and mitigate risks inherent in handling materials and operating processes. A SIS detects abnormal conditions and takes action to prevent hazardous events,” explains Dave Denison, vice president of technology for Emerson’s process systems and solutions business (St. Louis, Mo.; emerson.com). “By reducing the likelihood and severity of incidents, a SIS safeguards plant personnel, surrounding communities and the environment, while enabling facilities to comply with regulations and industry standards. These systems also minimize equipment damage by initiating shutdowns or adjustments, and they function as an independent layer of protection beyond basic process controls, increasing overall plant safety and reliability.”

Common SIS challenges

Legacy SIS deployments frequently triggered unnecessary shutdowns, generated false alarms and operated independently from control systems, making them costly to design, install and maintain. In contrast, modern SIS solutions enhance both safety and process availability through advanced features that tackle SIS challenges from initial design through lifecycle management.

To design a SIS that balances safety, availability and cost effectiveness, processors should first determine SIS requirements by following a structured methodology and safety lifecycle based on industry standards, such as IEC 61511 and ISA S84. The process begins with a hazard and risk assessment using a systematic analysis such as a hazard and operability study (HAZOP) or a layers of protection analysis (LOPA). Based on this assessment, processors specify the safety instrumented functions (SIFs) needed to mitigate identified risks, such as emergency shutdown or pressure relief, and then assign a safety integrity level (SIL 1–4) to each, based on the severity and likelihood of the hazard.

Processors then design the SIS architecture, devices and logic to meet the required SIL, using redundancy, diagnostics and proven components as needed to enhance reliability. Throughout this process, comprehensive documentation records all assumptions, calculations and design decisions, while establishing procedures for ongoing testing and maintenance. “This disciplined approach ensures that the SIS is tailored to the plant’s specific risks and meets both safety and regulatory requirements,” explains Emerson’s Denison.

However, the process can be challenging, he says. Design complexity requires accurate risk assessment, appropriate SIL assignment and system architecture development that meets safety requirements. Integration challenges involve coordinating SIS with the base process control system (BPCS), alarm management and other safety layers without introducing common cause failures.

Installation and commissioning present significant risks due to complex wiring requirements, critical device placement and configuration management, where errors can undermine system integrity, Denison continues. Verification and validation demand thorough testing of logic, devices and communications, including often-overlooked restart and black-start conditions. Documentation and compliance require meeting standards like IEC 61511/61508, maintaining traceability and preparing for audits, with continuous maintenance including evaluation of modifications.

Lifecycle management challenges include ongoing maintenance schedules, proof-testing protocols and change management that preserves safety integrity.

Overcoming complexity

“SIS providers address these challenges through innovative solutions and comprehensive support,” Denison explains. “They offer integrated engineering tools to streamline design, simulation, testing, commissioning and documentation, while reducing complexity and human errors. Pre-certified hardware and SIL-certified function blocks minimize proven-in-use reliance while ensuring proper voting degradation implementation.

“Modular, configurable systems reduce installation errors and accelerate commissioning, with modern distributed architectures enabling installation and commissioning of individual components without impacting previously installed systems, eliminating the need for total downloads that could introduce spurious trips in traditional centralized systems,” he continues. “Advanced diagnostic capabilities, remote monitoring systems and predictive maintenance technologies enhance system reliability and reduce unplanned downtime.”

Further, Denison says, comprehensive training programs, ongoing technical support and standardized procedures for lifecycle management ensure operators and maintenance personnel can effectively manage SIS throughout their operational life. Additionally, digital twin technology and simulation tools enable design validation and provide realistic operator training environments.

“Through these approaches, SIS providers transform complex safety implementations into manageable, reliable, cost-effective solutions, while maintaining the highest safety standards and improving operational efficiency,” says Denison.

One way SIS providers are overcoming complexity is by introducing systems that are modular and configurable and that can support either independent or integrated-but-separate architectures.

“Some application requirements state how a SIS must operate,” says Kris Dornan, commercial marketing manager, process, controllers and IO, with Rockwell Automation (Milwaukee, Wis.; rockwellautomation.com). “Some situations require that the SIS is completely different from the BPCS in terms of processors, editing tools and annunciation so there is no chance of confusing control of base versus safety system.

“However, if the requirements do not demand that scenario, integrated SIS allows for the same hardware used by the BPCS for total-cost-of-ownership benefits and information generated by the safety system can be viewed from the BPCS,” he says.

“Often, an integrated SIS and BPCS are cheaper in hardware upfront, but more expensive in the engineering and continued maintenance over the lifecycle of the system. Users must prove that the BPCS will not impact the SIS above an acceptable threshold and lead to the very failure that the SIS is trying to mitigate,” says Brian Widman, product manager, controllers, Rockwell Automation. “Many applications, especially those with extreme catastrophic failure scenarios, dictate that the BPCS and SIS must be independent. Smaller systems with less extreme failures can more easily justify integrating the BPCS with the SIS, but the safe assumption is to keep them separate.”

To support either scenario, says Widman, Rockwell Automation developed its Logix SIS (Figure 1). Unlike traditional safety systems that operate in isolation, Logix SIS seamlessly integrates with Rockwell’s Integrated Architecture, leveraging a common platform for both safety and process control. This simplification reduces the need for separate engineering and maintenance staff, minimizing complexity and accelerating project timelines. With familiar Logix programming tools and a streamlined configuration process, users can easily design, implement and maintain safety systems.

FIGURE 1. Rockwell Automation’s Logix SIS seamlessly integrates with Rockwell’s Integrated Architecture, leveraging a common platform for both safety and process control

The modular design allows processors to expand or modify the system as needed. By leveraging existing Rockwell hardware and software, the engineering process is streamlined, helping to reduce the total cost of ownership, explains Dornan.

Honeywell (Charlotte, N.C.; www.honeywell.com) also offers a solution to design, installation and commissioning complexity. “Nowadays, scalable, modular safety solutions can fulfill the wide variation of safety applications. By using modern technologies like Universal Safety IO, cloud engineering and smart, automated commissioning tools, project execution and complexity can be significantly reduced,” says Johan School, safety solutions portfolio manager at Honeywell. “Using these technologies also results in higher quality and fewer human errors, which benefits the overall lifecycle cost.”

Honeywell’s Safety Manager SC is a modular, multi-fault tolerant safety system that supports Emergency Shutdown/SIS applications in the process control industry. Certified by TUV Rheinland for use in safety applications up to SIL 3, Safety Manager SC uses a Universal IO structure that allows flexibility when designing systems. It provides an “out-of-the-box” safety platform that can be configured to meet SIL-2 and SIL-3 applications ranging from small packaged systems to large, distributed architectures.

The modular design allows configuration in a variety of ways, while the Universal Safety IO enables maximum architectural flexibility and lower cost of ownership. Universal IO allows each channel to be configured individually to a different IO type. And, using offline virtualization and cloud engineering, Safety Manager SC separates physical from functional design by allowing parallel workflows and standardized designs. A large capital project can realize up to 30% capital cost savings in automation infrastructure projects and up to a 25% improvement in schedule.

Reducing SIS-related downtime

Other significant SIS challenges include alarm management, process downtime related to spurious trips and proof testing, and verification requirements. Fortunately, new, advanced technologies are designed to maximize uptime.

“Common problems include alarm-management issues, nuisance trips and false alarms,” says Thomas Bartsch, portfolio sales development manager, process safety, with Siemens AG (Munich, Germany; siemens.com). “Alarm floods overwhelm operators during plant upsets, while poor prioritization leads to unclear alarm meaning. Nuisance trips occur when the SIS activates unnecessarily due to faulty sensors, power faults or communication issues, causing production losses. False alarms from faulty instrumentation or incorrect configuration can lead to legitimate alarms being disregarded.

“SIS providers like Siemens overcome these problems through advanced alarm management systems following industry standards like ISA 18.2, emphasizing alarm rationalization and prioritization. The alarm management system is realized in the BPCS system of Siemens PCS 7 and PCS neo,” he says.

SIMATIC PCS neo is Siemens’ distributed control system, which enables cloud-based engineering and real-time collaboration and offers advanced functions for safety, diagnostics and alarm management. SIMATIC PCS neo safety is the fail-safe version of the system, which integrates safety functions directly into the standard engineering environment, offering increased safety through integrated engineering, faster implementation via unified platforms and comprehensive documentation. Additionally, it includes fail-safe controllers with a fail-safe application, bus systems and I/O peripherals as well as, in an extended sense, fail-safe instrumentation, says Bartsch.

“Siemens SIMATIC SIS solutions incorporate sophisticated algorithms that differentiate between genuine deviations and instrument faults, reducing false alarms and unnecessary trips,” he explains. “Processors can balance safety and availability by implementing risk-based approaches that optimize safety integrity levels, using redundant architectures and employing this type of advanced alarm management system.”

Emerson’s Denison expands on the point: “Alarm flooding occurs when excessive alarms during upsets overwhelm operators, causing missed critical events, particularly in interfaced solutions where SIS and BPCS create alarm duplication. Nuisance trips cause operational disruptions through false shutdowns from poorly configured sensors, inadequate logic programming or overly conservative setpoints that reduce uptime.”

“However, SIS providers are addressing these problems through comprehensive technological and procedural improvements. They implement alarm-management strategies, including prioritization, suppression and rationalization programs, that reduce alarm flooding while maintaining critical safety visibility,” he continues. “And advanced diagnostics and smart sensors minimize nuisance trips by distinguishing actual process deviations from spurious signals, improving reliability and reducing production interruptions. SIS platforms with smart field devices and integrated diagnostics, such as Emerson’s DeltaV SIS with Electronic Marshalling, deliver real-time health monitoring, predictive maintenance and reduced nuisance trips to increase reliability and uptime by detecting issues before failure occurs” (Figure 2).

FIGURE 2. Emerson’s DeltaV SIS with Electronic Marshalling delivers real-time health monitoring, predictive maintenance and reduced nuisance trips to increase reliability and uptime by detecting issues early
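The alarm-flood and prioritization metrics Bartsch and Denison refer to can be checked against the alarm journal itself. The Python script below is an added example for this article, not code from Siemens, Emerson or any other vendor named here. It runs a sliding-window flood detector and a priority-distribution check over a constructed alarm journal, taking the ISA-18.2 criterion of more than 10 alarms in a 10-minute period as the flood threshold; the flood-end threshold (fewer than 5 alarms in the trailing 10 minutes) and the 80/15/5 low/medium/high priority target are parameters chosen here and should be read as assumptions.

```python
"""Alarm-flood detection and priority-distribution check over a constructed
alarm journal, following the ISA-18.2 notion of an alarm flood.

Added example for this article; not code from Siemens, Emerson or any
other vendor. ISA-18.2 treats more than 10 alarms in a 10-minute period
as an alarm flood. The flood-end threshold (fewer than 5 alarms in the
trailing 10 minutes) and the 80/15/5 low/medium/high priority target are
parameters chosen here and should be taken as assumptions.
"""
from collections import Counter, deque
from datetime import datetime, timedelta

# Constructed alarm journal: "<ISO timestamp> <tag> <priority>" per line.
# A process upset starting at 14:20 produces a burst of 12 alarms.
ALARM_JOURNAL = """\
2024-03-02T14:00:05 LAHH-101 HIGH
2024-03-02T14:03:10 TI-204 LOW
2024-03-02T14:11:40 FI-120 LOW
2024-03-02T14:20:00 PI-310 LOW
2024-03-02T14:20:20 PI-311 LOW
2024-03-02T14:20:40 TI-312 LOW
2024-03-02T14:21:00 TI-313 MEDIUM
2024-03-02T14:21:20 FI-314 LOW
2024-03-02T14:21:40 LI-315 LOW
2024-03-02T14:22:00 PI-316 MEDIUM
2024-03-02T14:22:20 TI-317 LOW
2024-03-02T14:22:40 FI-318 LOW
2024-03-02T14:23:00 LI-319 LOW
2024-03-02T14:23:20 PI-320 HIGH
2024-03-02T14:23:40 TI-321 LOW
2024-03-02T14:41:00 FI-120 LOW
"""

PRIORITY_TARGET = {"LOW": 0.80, "MEDIUM": 0.15, "HIGH": 0.05}  # assumed target split


def parse_journal(text):
    """Return (timestamp, tag, priority) tuples sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, tag, priority = line.split()
        events.append((datetime.fromisoformat(ts), tag, priority.upper()))
    events.sort(key=lambda e: e[0])
    return events


def detect_floods(events, window=timedelta(minutes=10), start_above=10, end_below=5):
    """Sliding-window flood detection.

    A flood begins when more than `start_above` alarms fall inside one window
    and ends at the first alarm whose trailing window holds fewer than
    `end_below` alarms. Returns a list of (start, end, peak_alarms_in_window).
    """
    floods = []
    recent = deque()          # timestamps inside the trailing window
    in_flood = False
    start = peak = None
    for ts, _, _ in events:
        recent.append(ts)
        while ts - recent[0] >= window:   # drop alarms that left the window
            recent.popleft()
        count = len(recent)
        if not in_flood and count > start_above:
            in_flood, start, peak = True, recent[0], count
        elif in_flood:
            peak = max(peak, count)
            if count < end_below:
                floods.append((start, ts, peak))
                in_flood = False
    if in_flood:  # journal ended mid-flood; close it at the last alarm
        floods.append((start, events[-1][0], peak))
    return floods


def priority_distribution(events):
    """Fraction of alarms per priority, for comparison with PRIORITY_TARGET."""
    counts = Counter(priority for _, _, priority in events)
    total = sum(counts.values())
    return {p: counts[p] / total for p in PRIORITY_TARGET}


def main():
    events = parse_journal(ALARM_JOURNAL)
    for start, end, peak in detect_floods(events):
        print(f"alarm flood {start:%H:%M:%S}-{end:%H:%M:%S}, "
              f"peak {peak} alarms in 10 min")
    for prio, share in priority_distribution(events).items():
        print(f"{prio:<7} {share:6.1%}  (target {PRIORITY_TARGET[prio]:.0%})")


if __name__ == "__main__":
    main()
```

On the constructed journal the detector reports one flood beginning at 14:20:00 (the first alarm of the burst), ending when the next alarm arrives after a quiet period, with a peak of 12 alarms in the window; the priority split shows high-priority alarms well above the assumed 5% target, which is the kind of finding a rationalization review would act on.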

Downtime related to proof testing is another key challenge. A SIS requires regular testing to ensure it is functional and that the facility complies with safety standards. However, proof testing often requires the entire system under protection to be shut down. Lost production and instrument removal and reinstallation result in additional operational expenses.

“Physical removal and inspection of instruments creates significant downtime and can result in systematic failures from overhandling of the instruments,” says Keith Riley, level and pressure marketing manager, with Endress+Hauser (Greenwood, Ind.; us.endress.com). “The more you handle an instrument, the more risk there is. To overcome that, we’ve developed a way to make instruments more informative without interrupting the control system.”

Endress+Hauser’s Heartbeat Technology provides self-diagnostic capabilities embedded in the sensors, enabling chemical processors to ensure safety while minimizing downtime and expenses with automated onboard testing and diagnostics, verification and monitoring (Figure 3). Heartbeat Technology-powered devices provide detailed instrument and process data that enable the detection of trends and, by extension, predictive maintenance interventions, allowing users to optimize their interventions and extend proof test intervals without compromising safety.

FIGURE 3. A typical overfill prevention system requires high-high level detection in a SIS, isolated from the primary tank control system. Using Endress+Hauser’s Heartbeat Technology-equipped instruments in the SIS further ensures safety and minimizes downtime

Heartbeat verification can be initiated at any time, on-site or remotely, with no process interruption. Further, clear, detailed verification reports make it simple to confirm and document sensor health. Reliable diagnostic information and on-demand verification capability provide earlier fault detection and allow the interval between the comprehensive SIL proof tests that remain required to be extended.

Heartbeat Technology provides an optimal balance of user needs, adds Thomas Fritz, global process safety consultant with Endress+Hauser. “The diagnostics increase reliability and confidence in the measurements to help achieve high availability. Verification optimizes testing efforts while maintaining compliance, and monitoring provides the insight needed to optimize processes and predict maintenance needs.”
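The SIL assignment described under “Common SIS challenges” and the proof-test-interval trade-off discussed in this section can be put in numbers. The following Python script is an added example for this article, not code from Emerson, Endress+Hauser or any other vendor named here. It applies the simplified low-demand formulas of IEC 61508-6 (repair time neglected, dangerous-detected failures assumed to be revealed by online diagnostics and driven to the safe state, beta-factor model for common cause) to a constructed overfill-prevention SIF like the one in Figure 3; the failure rates, diagnostic coverages and beta factor are sample values chosen for illustration, not device data.

```python
"""Average probability of failure on demand (PFDavg) for one safety
instrumented function (SIF) using the simplified low-demand formulas of
IEC 61508-6, and the SIL band that PFDavg falls into.

Added example; not vendor code. Simplifications (assumptions):
  * repair/restoration time is neglected (the proof-test interval dominates);
  * dangerous-detected failures are assumed to be revealed by online
    diagnostics and driven to the safe state, so only the dangerous-
    undetected rate lambda_DU contributes to PFDavg;
  * beta-factor model for common-cause failure of redundant channels.
Architectural constraints (hardware fault tolerance) and systematic
capability also limit the claimable SIL and are not modelled here.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0

# Low-demand SIL bands by PFDavg (IEC 61508-1): (SIL, lower bound, upper bound).
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


@dataclass(frozen=True)
class Element:
    """One subsystem of the SIF: sensor, logic solver or final element."""
    name: str
    lambda_d: float       # dangerous failure rate per channel, failures/hour
    dc: float             # diagnostic coverage: fraction of lambda_d found online
    voting: str = "1oo1"  # channel architecture: "1oo1", "1oo2" or "2oo3"
    beta: float = 0.0     # common-cause fraction for redundant channels

    @property
    def lambda_du(self) -> float:
        """Dangerous undetected rate; only a proof test reveals these faults."""
        return self.lambda_d * (1.0 - self.dc)


def pfd_avg(element: Element, proof_test_interval_years: float) -> float:
    """PFDavg of one subsystem for the given proof-test interval."""
    ti = proof_test_interval_years * HOURS_PER_YEAR
    ldu_ti = element.lambda_du * ti
    if element.voting == "1oo1":
        return ldu_ti / 2.0
    # Redundant voting: independent channel failures plus the beta-factor
    # common-cause term, which behaves like a single 1oo1 channel.
    independent = (1.0 - element.beta) * ldu_ti
    common_cause = element.beta * ldu_ti / 2.0
    if element.voting == "1oo2":
        return independent ** 2 / 3.0 + common_cause
    if element.voting == "2oo3":
        return independent ** 2 + common_cause
    raise ValueError(f"unsupported voting architecture {element.voting!r}")


def sif_pfd_avg(elements, proof_test_interval_years: float) -> float:
    """Series combination: the SIF fails on demand if any subsystem does."""
    return sum(pfd_avg(e, proof_test_interval_years) for e in elements)


def sil_from_pfd(pfd: float) -> int:
    """SIL whose PFDavg band contains pfd; 0 means the SIL 1 target is missed."""
    if pfd < SIL_BANDS[0][1]:
        return 4  # better than the SIL 4 lower bound
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return 0


def overfill_sif(sensor_dc: float = 0.6, valve_voting: str = "1oo1"):
    """Constructed high-high level overfill SIF. Failure rates are sample
    values chosen for illustration, not data for any real device."""
    return [
        Element("LAHH level transmitter", lambda_d=4e-7, dc=sensor_dc),
        Element("logic solver", lambda_d=1e-7, dc=0.99),
        Element("inlet shutoff valve", lambda_d=5e-7, dc=0.0,
                voting=valve_voting, beta=0.1),
    ]


def main() -> None:
    for years in (1, 3, 5):
        pfd = sif_pfd_avg(overfill_sif(), years)
        print(f"baseline SIF, proof test every {years} y: "
              f"PFDavg={pfd:.2e} -> SIL {sil_from_pfd(pfd)}")
    # Same SIF after raising sensor diagnostic coverage and adding a
    # redundant valve: the 5-year interval is back inside the SIL 2 band.
    pfd = sif_pfd_avg(overfill_sif(sensor_dc=0.95, valve_voting="1oo2"), 5)
    print(f"upgraded SIF, proof test every 5 y: "
          f"PFDavg={pfd:.2e} -> SIL {sil_from_pfd(pfd)}")


if __name__ == "__main__":
    main()
```

With the sample rates, the baseline SIF sits in the SIL 2 band at one- and three-year proof-test intervals but drops to SIL 1 at five years, because PFDavg grows linearly with the interval for 1oo1 subsystems. Raising the sensor's diagnostic coverage (the effect self-diagnosing instruments aim for) and voting two valves 1oo2 pulls the five-year figure back into SIL 2, which is the mechanism behind extending proof-test intervals without lowering the safety target; the common-cause term shows why redundancy alone gives diminishing returns.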

Optimizing SIS performance

Regular assessment of the SIS to ensure that it is functioning as well as it was when it was first designed is key to optimizing performance, says Jimmy Miller, process safety business leader with Yokogawa (Tokyo, Japan; www.yokogawa.com). “You can buy the best SIS in the world, but if you don’t maintain it in the way it should be maintained, it’s not doing your facility any good. However, most processors don’t have the time to pull and look at their design assumptions and operational data and make the necessary adjustments,” he says. “But a tool that can provide real-time risk assessment and real-time validation of your assumptions is empowering. It’s like a check-engine light.”

Yokogawa’s Exaquantum Safety Function Monitoring (SFM) software tool manages and oversees the operational safety performance throughout the lifecycle of the safety system so processors know it will perform as expected if called upon (Figure 4).

FIGURE 4. Yokogawa’s Exaquantum Safety Function Monitoring (SFM) software tool manages and oversees the operational safety performance throughout the lifecycle of the safety system

“This is important because portions of the safety loop can degrade over time, which can affect the performance levels of safety equipment and hardware and expose the plant to increased levels of risk,” says Miller. “Plant personnel must ensure that operational risks are not neglected and provide evidence that SIS are maintained within acceptable limits throughout the lifecycle.

“SFM looks at the performance of the safety system today and compares it to design criteria, PHAs, LOPAs and safety specifications, and provides a real-time snapshot of how safe you are today,” he continues.

Yokogawa’s software not only monitors performance data from the safety system during operations to confirm that it meets the original safety design targets, but also monitors the expiration dates of proof tests on SIFs and final elements.

When an actual demand on the SIS during operation meets the necessary criteria for a SIF, a proof-test credit can be claimed for that SIF, minimizing disruption. SFM’s reports also gather safety data records in a single location and document evidence of ongoing performance to satisfy regulatory requirements.

Joy LePree