LinkedIn emplea cookies para mejorar la funcionalidad y el rendimiento de nuestro sitio web, así como para ofrecer publicidad relevante. Si continúas navegando por ese sitio web, aceptas el uso de cookies. Consulta nuestras Condiciones de uso y nuestra Política de privacidad para más información.
LinkedIn emplea cookies para mejorar la funcionalidad y el rendimiento de nuestro sitio web, así como para ofrecer publicidad relevante. Si continúas navegando por ese sitio web, aceptas el uso de cookies. Consulta nuestra Política de privacidad y nuestras Condiciones de uso para más información.
Safety Instrumented Systems design tips for Instrumentation and
Modern chemical and hydrocarbon processing plants, oil & gas production
facilities, power plants and other similar process plants all have some
instrumentation and automation that ensures safety. These are known as
Safety Instrumented Systems (SIS for short). These systems also are
known by various other names such as Emergency Shutdown Systems
(ESD for short), Safety Shutdown Systems, High Integrity Pressure
Protection Systems (HIPPS) and so on. But all of them belong to the class
of systems that are referred to as SIS.
Designing a Safety Instrumented System
No, here we are not talking about designing the next breakthrough in a
great logic solver (also commonly referred to as a "Safety PLC"). We are
addressing the situation in which many Instrumentation and Control
engineers find themselves in, when assigned a job to design the SIS for a
process plant. Here, the entire process involves finding out what kind of
systems and devices to use in the application that the client or user
wants. These design tips should make the task somewhat easier.
Note: If you would want to understand the whole process completely in
depth, I would suggest downloading the Safety Instrumented System e-
learning course from this site. It covers all aspects of Safety Instrumented
systems including the entire process starting from hazard assessment to
partial stroke testing of safety shutdown valves and everything in
between, including concepts such as SIL, HIPPS and all the other jargon
that leaves many people intimidated and confused.
Design Tip 1
Keep the big picture in mind. An SIS is a Risk Reduction measure,
not an end in itself.
Any large processing plant has a certain degree of inherent risk that is
associated with operating it. There is nothing alarming about it. The
principle applies to any voluntary human activity, like say driving a car.
Driving a car has some risk and to counter this risk, one takes some
safety measures (wear seat belts, have air bags, keep tire pressure OK,
etc). Similarly one reduces the risk of running a processing plant by
employing safety measures, one of which is by having an SIS. Thus an
SIS is not the only risk reduction measure.
Secondly the goal of any safety measure (including an SIS) is to reduce
the inherent risk of a process to an acceptable level. Keep this principle in
mind before jumping straightaway into SIL calculations, quad redundant
PLCs, etc. Will this system reduce risk to an acceptable level? Is this the
only way to reduce the risk? Will it work? are some of the questions that
you should ask.
Design Tip 2
Quantify the inherent risk and the acceptable risk.
Make sure that you know what is the inherent risk of your process (either
by calculations, or historical records, or other data). This may be
expressed in a variety of ways including FAR (Fatal Accident Rate),
Undesired Events per year, reportable accidents per year, worker injuries
per year and so on. Now also make sure, that you know what is the
acceptable level of risk in the same units. This information can be sourced
from your corporate safety department, or risk management team.
Now use the equation
Risk Reduction = Inherent Risk-Acceptable Risk
to give you a measure that will define the amount of risk reduction that
your system has to be able to do.
Design Tip 3
Get reliability data regarding your process equipment,
instruments and systems before you start the design.
There is no sense in working with assumed or other vague figures. If at a
later date the basic data was found to be erroneous, the entire exercise of
calculating target SILs, verifications, etc will be pointless. Data can be
sourced from manufacturers, third party database providers or your own
historical data. Take the worst case figures out of the three sources, for
Design Tip 4
Keep an eye on Common Cause Failures (CCFs).
It may sound simple and ridiculous, but sometimes we fail to foresee
common cause failures, even in large projects that have several hundred
engineers working on it. For example, is your BPCS and SIS powered from
the same UPS? The same utility feeder? Could it become a CCF? Does
your SIS card and BPCS card share a common backplane? What if the
backplane fails-say due to ingress of moisture or rodents? Could it
become a CCF? Ask these questions at the design stage itself to save
yourself tears later.
For an interesting case study on how CCFs can lay low a very expensive
and technologically sophisticated program like the International Space
Station, here is an interesting link. A single CCF knocked off all redundant
computers in the International Space Station, endangering the lives of the
Design Tip 5
Keep an eye on the SIS components, especially sensors and final
Ensure that your SIS loops do not use substandard components like
cheap terminal strips, poor quality lugs, undersized signal wire and such
things. Don't laugh, but these are real causes of failure of million dollar
safety shutdown systems and HIPPs and all those sophisticated systems.
Don't be penny wise and pound foolish.
Are you aware that out of all documented failures of SIS loops, only 8%
were related to the logic solvers (Safety PLCs) and fully 92% were failures
related to sensors and final control elements. Contrast this with the
amount of debate, discussion and time that is spent on designing the logic
solver part of the SIS (heated discussions on whether we need triple
redundant safety PLCs or quad redundant safety PLCs or something even
The reality is that very few people focus attention to the non glamorous
part of the SIS loop-the transmitter and the automated valves. Very likely
they are the same types that are used in the "normal" loops. Is this a
correct practice? Should not you be having a higher benchmark for these?
Especially since their performance will ultimately decide the reliability of
the SIS loop? Also be careful with your terminal strips. A poor quality
termination can cause nuisance trips worth millions of dollars-have a
better benchmark for these passive components in your SIS loops.
If you follow the tips above you can have definitely have a much better
SIS in your plant.