When Should You Bypass

7/30/2019 When Should You Bypass

http://slidepdf.com/reader/full/when-should-you-bypass 1/5

Register / Log In

Contact

When Should You Bypass Your Safe ty Sys tem?

H o w Ca n I t B e C o n s i d er e d " G o o d En g i n e e r i n g P r a c t i c e " To B y p a s s Yo u r S I S D u r i n g C r i t i c a l Ti m e s Wi t h Yo u rProcess? See Diagram s.Luis M. Garcia G., CFSE

08/15/2011

Although most facilities embrace ANSI/ISA 84.00.01-2004 (IEC 61511) and the safety life c ycle (SLC) as the way to comply with regulatoryrequirements (e.g., OSHA 1910.119), there are specific instances when most operations deviate from the s tandard. These are during start-ups, shutdowns, and process transitions. Processes with adequately designed safety instrumented functions (SIF) that are validated to well-developed safety requirement specifications (SRS) are commonly—although momentarily—idled, and instead are practically replaced by ateam of operators, managers, and specialized personnel. Bypassing, inhibiting, or masking is a common practice during these plantconditions. In these cases, the safety instrumented system (SIS) is temporarily replaced by humans in calculated and intensely watched

conditions.

Why does this happen, and is it a good idea? What are the underlying assumptions that lead to this practice?

Pe rmi s s i ve s equen c in g and I SA 84

There has been widespread adoption of functional safety concepts in process industries as a way to deal with process risks and to control s afeoperation. In particular, the S-84.00.01 - 2004 (IEC 61511 Mod.) standard has become recognized as a fundamental definition of how toimplement concepts of a SLC and design of SISs for process industries. However, implementations have been constrained to steady-stateprotection functions and rarely applied to sequencing, either during start-up, shutdown, or dynamic transitions. Sequencing has almost alwaysbeen left to a manual procedure and operator’s discretion.

Start-ups, shutdowns, and transitions have always been considered the most dangerous period for operations in process plants. If that is thecase, what is the reasoning behind the suspension of safety systems during those periods, and is that reasoning justified? Moreover, doimprovements in technology offer new ways to address some of the assumptions about permissive sequencing?

Armed with a full set of steady-state operating conditions and a list of process constraints, the SIS is designed to offer a layer of protectionabove the basic process control system (BPCS) and the operations team. While designed to protect the process at steady-state conditions,getting to the steady state typically i nvolves a permissive sequence. Bypassing, inhibiting, or masking i s a common practice during these plantconditions; in these cases the SI S is temporarily suspended.

In order to understand the reasons behind such a l imiting practice on the use of safety systems, we must first understand what is involved inthe implementation of a permissive sequence. Permissive sequences have three general characteristics:

A time dependency that must be considered•Changing variable thresholds or limits, and•Interlocks that vary or may need to be inhibited or overridden.•

As su mpt ion s fo r su sp en s io n

There are five key assumptions that are used t o explain and justify suspending SIFs during process transitions:

Processes start-ups and transitions are infrequent and of short duration c ompared to steady-state operation. Therefore, SIFs can besuspended and start-up carried out manually with a written procedure under the supervision of a st art-up manager.

1.

There is a lack of similarity between different processes. This makes prescriptive standards impossible and best practices difficult.Therefore, it seems acceptable to manage them manually under tailored conditions.

2.

There is a lack of similarity between a process-transition operation and steady-state operation. Safety systems are therefore designedto operate under steady-state conditions where the majority of the operating time occurs. S IS designers would have to create anentirely new and conflicting SIS to manage process transitions.

3.

The process transition operation is more affected by operational subjectivity and procedures than steady-state operation, whichsuggests a question: how long an interlock should be bypassed? Therefore, automating process transitions requires strong plantoperations input in the development process.

4.

Because the transition is sequential and dynamic, timing of process steps and interlock changes are critical. These are difficult tovalidate and verify without both detailed operational knowledge and adequate (proper) simulation routines.

5.

Ch a l l e ng in g a s su m pt ion s

While these assumptions may seem valid at first glance and are certainly expedient, let’s make a closer examination of each, point by point, inlight of fundamental process safety concepts proves otherwise.

1. Process transitions are infrequent and of s hort duration. — Process transitions represent the most volatile time for the process. Variablescan change significantly, and the basic process control system (BPCS) may not be capable or tuned to handle such process movements. Thisis a dangerous time to leave it all in the operators’ hands because of the amount of other things they are required to monitor and execute.The complexity of a transition process (timing, changing thresholds) requires the operators’ full attention. Asking them to provide anadditional safety protection layer on top of that focus will increase the level of risk and can be dangerous.

Human factors are recognized as severe limitations to the dependability of risk-reduction factors. A layer of protection must be dependableand auditable. Neither of these characteristics would seem to apply to a bypass situation. During process transitions, variables are changingrapidly and protection thresholds are also subject to change. It is not the time to depend on a less reliable protection layer.

2. There is a lack of similarity between different processes. — While the lack of similarity between processes does increase the difficulty of using SISs, it does not remove the responsibility for ensuring the safe operation of the process at all times. If it is difficult to automate, whywould we expect that the operator is going to f ind it easier to make the right decisions during a complicated transition? In fact, t he very lack

of similarity between processes is a reason t o work out the transition in advance and to make sure the safety sys tems remain in effect.

At the same time, there are similarities in the control strategies for different processes and we will show that there are ways to deal with themin a consistent manner.

3. There is a lack of similarity between process-transition operation and steady-state operation. — While in many processes, the majority of time is spent at steady s tate, the more dangerous times are during transitions when variables are changing rapidly and the process is i n

Fe aVib

for so

Sigflexibvalue

Opdebu

Cuidenti

Addesigconv

Stumark

Elefacilit

60inver

Po Doyo u

Clic

CE USA CE China CE Europe CE Russia CE Poland CE Czech

SEARCH Archives Enter keywords

Sponsored by:

Channels New Products Media Library Connect Industry News Events and Awards Newsletters Blogs

GO

Page 1 of 5When should you bypass your safety system? | Control Engineering

29/03/2012



conditions that the BPCS was not designed to handle. For example, controller tuning may not be adequate for loops during the t ransitionalperiod. What we are really challenging is the practice of letting the operator do it, because it is diff icult to create a SIS that would handletransitions. Exceptions to this are those applications where strict prescriptive standards are applied, such as NFPA 85 and 86.

If we do our job correctly, the time spent on writing and properly training operators in a seldom-used start-up procedure could be better spenton properly designing the SIS to handle transition routines. A properly engineered SIS should consistently outperform a stressed group of operators. We will show later that by using advances in programming technology, it is possible to s implify the design and validation.

4. The process-transition operation is more affected by operational subjectivity and procedures than steady-state operation. — Again, we areallowing “difficult” as an excuse to give up on safety. In reality, the same level of operational input is required to write the procedures neededfor a transition routine as to write an automated SIS. There are two real difficulties for getting proper input from operations.

First is the sequence of project steps. It is difficult to get operational input at the software design phase, but less difficult at the procedurewriting stage. To do it right, operations must be involved throughout the project.

Second is the lack of communication tools between the operations group and the software design group. It is not easy to translate the needsof process operations into usable SIS c ode.

5. Because the transition is s equential and dynamic, timing of process steps and i nterlock changes are critical. — The dynamic behavior of aprocess is the very reason that it should be automated. It requires a robust simulation routine with the participation of process and operationspersonnel. However, the idea that we leave such a routine to a written procedure reduces the dependability of an independent protectionlayer. Since simulation is very dif ficult with a manual procedure, automation with proper simulation tools is the better answer.

Sequence r equ i r em en t s

Two things are required to define and automate permissive sequences adequately:

● Thorough knowledge of the process and its operation, and● A set of tools to handle dynamic safety logic.

In the design of SISs, operations management traditionally gets involved in the early stages for the process hazard analysis (PHA) and againduring design review to ensure the operational capability of the final design. Operations people are then given the completed unit to start up.Therefore, the bulk of the design data is based on process information that traditionally has been at steady-state conditions. To automatesafety functions during critical process transitions, operations must supply significant input along with basic process data during the softwaredesign stage.

It is difficult to get the attention of operations people on an ongoing basis. In addition, the operations group and the software design team

come from different backgrounds and use different terminology, making it more diff icult to communicate the needs of the software designteam effectively. Anyone who has gone through a design review with operations, sifting through stacks of ladder logic diagrams, willunderstand the challenge.

However, if process safeguards are to remain intact during process transitions, it is essential to understand the process that operations willfollow, and understand what is practical to expect i n the real world. If the safeguards are not implemented in a “reasonable” manner, it islikely that they may be bypassed during actual operation.

Therefore, one of the first steps is to find a common language of communication between the operational and engineering personnel.

A traditional way of looking at process shutdown logic has been with a cause-and-effect diagram. The cause-and-effects matrix was originallyderived from Safe Charts in API RP 14C f or offshore platforms and is commonly used in the process safety industry f or documenting safetyrequirements. In a cause-and-effects diagram, a set of process deviations, or causes, is listed in rows down the left side and a set of processresponses, or effects, is listed in columns across the top. The intersection c ell in the matrix defines the relationship between the cause and theeffect.

The cause-and-effect diagram has become very popular among process safety professionals because it is an easy method to bridgecommunication gaps in the SIS design team. The diagram is an easy way for those familiar with the process and operations to understand thelogic being implemented in the safety system. Once the cause-and-effect relationships have been examined and agreed to, they can betranslated into the safety system program.

A major limitation of cause-and-effect diagrams has been their low ability to handle the type of dynamic safety logic seen during a processtransition. Permissive sequencing is difficult to portray in a static matrix. Given that the matrix was originally designed to relate c auses toeffects with simple intersections, design teams f ound they needed more options when defining these intersections, not only to make possibledynamic logic but to generate comprehensive validation reports.

Too l s f o r dyna m i c l og i c

There are three major characteristics a configuration tool must have in order to be able to handle changing logic. These are:

1. Overrides, including:

Control overrides as function of process v ariable (causes), and•

Set up permissive timing (see time dependency).•2. Variable thresholds, including:

Control relationships between process variables (cause) and process reactions (effects).•

3. Time dependency, including:


29/03/2012



Definition of steps•Limit of overrides, and•Control of step length (delay, prolong).•

Tim e d e pendency

In a cause-and-effect environment, the time relationship between the cause and the corresponding effect can take four forms (see graphic).To understand a time-dependent step, let’s consider the purge of a furnace. If the flow rate is constant, then the way to assure completepurge is waiting until a suffi cient volume of air sweeps through the furnace’s hearth. In this case, the process v ariable is time, and a delaypost trip will not allow the next step until after the configured duration of the process has elapsed.

Therefore, one should consider four types of time dependency:

No time function—The effect occurs as soon as the cause is active1.Pre-trip delay or ON delay—The effect occurs a t imed duration after the cause is active2.Post-trip delay or OFF delay—The effect is act ive for a timed duration after the cause i s cleared, and3.Timed cause—The cause is active for a timed duration after it is triggered regardless of status.4.

Va r i a b l e t h r e sho ld

Purge in a burner management system (BMS) application is a good example of variable threshold.

Purge must be performed at a predetermined air flow rate, which is usually much higher than the one required for optimum combustion.Therefore, after purging is completed, the air flow rate must be lowered before lighting the pilot or the burners, without aborting thesequence. This defines and illustrates the relationship between different triggering points for the s ame variable (cause) and selectivelydefining their relationship with the process reaction (effect). This is done using normal or “N” intersections, and resettable-override or “R” intersections as appropriate. More on this topic later.

Con t r o l ove r r i de s

Dynamic logic requires that an effect i s able to be overridden independently of some causes. For example, in a f urnace, we want to trip thefurnace when we lose flame so our static matrix shows a flame cause and a fuel valve set (double block-and-bleed) effect. However, on start-up, we need to be able to open (override) the fuel valve s et to ignite the burner. In addition, we have to be able to not allow an overridebased on other causes such as pilot flame.

Intersections of the type “resettable-override” allow for a process reaction to take place (or effects) despite process variable (or causes).

These overrides are time constrained and can only be applied if there is no active process variable (cause), with a normal “N” intersection

related this particular effect, allowing for sequence conditioning.

This is, for example, the case of the set of double block-and-bleed valves that define the SIF of a burner. If there is a loss of f lame, sensorswon’t detect flame (variable or cause), and then the set of valves will block the gas. To light the burner, the action of the flame sensors mustbe temporally overridden, and this is done with the “R” i ntersection. On the other hand, the override cannot be allowed if there is no flame inthe pilot, and therefore the intersection of the c ause “pilot flame” should be of the normal type. In some instances, the sequence mightinvolve turning the pilot flame off after the main burner is on, and thi s could add complexity to the process. In such case, a new c ause thatreflects flame in the pilot while pilot valves are open should be created with a normal intersection to the main burner set of valves with adelay post trip to allow transition.

Finally, the duration of an override is another critical point to take into c onsideration. An override cannot last indefinitely. In the case of purge,for example, the time in which the next step (light the pilot) should be allowed after purge is completed should be assessed during theengineering phase.

A dyn a mic cause - and -e f f e c t ma t r i x

We can conclude then that for a cause-and-effect matrix to be an efficient configuring and documenting tool that allows for validation andverification of a SIS’s logic during steady-state operation, during process transitions, and following S84 standards, it would have the followingcharacteristics:

1. Indicate active causes and effects independently of intersections. For example, coloring columns and rows: red = activ e, white = inactive,green = reset, etc.

2. Allow the possibility of configuring (delaying and prolonging) when causes become active, as explained in time dependency.

3. Allow the possibility of defining different types of functions on how causes relate to effects (intersections), including independence tooverride, latch, or complex voting cause architectures.

N: Normal—effect will stay active while cause is activeS: Stored—cause will trigger effect until reset, regardless of inactivity of cause (latched)V: With override—allows deactivation of effect regardless of cause, andR: Resettable override—same as V but with latch.

4. Capability to time-limited overrides, and feedback effect actions to causes.

5. Capability to simulate logic dynamically off-line to verify and validate configuration reporting.

App l i c a t i on example

To illustrate the point, let’s c onsider a very simple example: In this petrochemical process, a hydrocarbon gas needs to be dried by passing itthrough a reactor packed with absorbent granules. An exothermic reaction takes place in the drier, allowing us to use temperature to evaluateits performance.

If the temperature goes below certain level, 110 °F in this case, it is an indication that the granules are saturated and have lost their capacityto remove moisture. Because of thermal inertia, a 20-sec delay must be allowed before the temperature is recognized as being too low.

On the other hand, humidity is extremely harmful for the process downstream, and the SIF that protects the process has been ruled to be SIL3 in a level of protection analysis (LOPA) followed by a gap analysis.

The diagram shows how a traditional static cause-and-effect static matrix would look for this application. If four out of six temperatures gobelow 110 °F, the unit will be taken to its safe c ondition, that is: V110, V210, V130, and V230 will block, preventing the hydrocarbon fromflowing downstream, while V120 and V220 will allow any leakage to recirculate. The “S” intersections indicate that the effect will be latched.


29/03/2012



Let’s now consider the start-up sequence procedure as outlined in the operational manual:

Step 1: Bypass all temperature sensors.

Step 2: Manually open V110, V130, V230, and V220, and keep V210 and V120 c losed.

Step 3: From the BPCS, increase flow at a rate of 5 GPM (gallons per minute) every two minutes until reaching a stable flow of 30 GPM.

Step 4: Once each sensor has been at a stable temperature above 110 °F for at least 20 seconds, remove bypasses on sensors, one at a time.This should happen within the fi rst 10 minutes of operation or system should be shut down as packaging of granules is shown to be defective.

Step 5: Ten seconds later, open V210 and close V220.

This is a complex operation that places a lot of pressure on the operators’ ability, and it has to happen at the same time they are makingdecisions on alarms, process value, voting between process values, v ariables stability assessment, operational bypasses management, andthe most difficult of all decisions, aborting if the reactor does not behave as expected.

Let’s now consider an automatic start-up of this process, using a cause-and-effect matrix with all five characteristics discussed above.

Note that all the information is included in the dynamic matrix diagram.

Causes have a post-trip delay of 20 sec, allowing for the stability claimed on the operation manual.•All intersections are of the type “R”, for which all effects will be latched when triggered.•There is an override-reset tag (PB_START) that could be connected to a push button and/or a switch with a key, which should benormally closed to allow diagnostics.

•

The maximum time the override is allowed before aborting the process is 10 minutes, complying with what is required by the operationmanual. Therefore, the reactor should be stable in 10 minutes or the system will shut down and the process will have to be restarted.

•

If this program is implemented as indicated by the above dynamic matrix, the start-up sequence would be reduced to two si mple steps:

Step 1: Push PB_START.

Step 2: From the BPCS, increase flow at a rate of 5 GPM every two minutes until reaching a stable flow of 30 GPM. This ramp could be doneautomatically in the BPCS if the safety system protection was i n place. The process will be protected at all times by the SIS, regardless of theoperator’s actions.

Con cl u s ions and r ecommen da t i on s

The concepts discussed here are not all that complicated and can be reduced for the most part to s everal simple thoughts:

1. Planning start-up procedures for critical applications can be done with just a little more engineering effort at the beginning of the SLC,when things can be easily changed.

2. Unfortunately, for many critical applications, no prescriptive standards exist that clearly define the proper sequence. Yet there are specialapplications, such as BMS, that clearly show how to do i t. All one needs to do is adopt a similar methodology based on controlled forcedoverrides limited by fully active SIFs.

3. The benefits of allowing your SIS to stay in control 100% of the time, particularly during c ritical start-up and shutdown sequences, shouldbe obvious.


29/03/2012



4. Performance-based safety standards (e.g., S84) limit drastically the amount of s afety credit given to humans since it is very difficult toinclude human state-of-mind factors into the equations. Thus recommendations are to minimize human participation.

5. Nowadays, there are easy-to-use safety-rated programs (e.g., Safety Matrix) that help make all this happen, without complicated codingand following the verification and validation requirements of the s tandards.

After all, if it can be written in the manual of operations, it can definitely be programmed in a SIS.

Luis M. Garcia G., CFSE, is business developer for the Americas for Siemens Energy and Autom ation, Houst on, TX.

For more information, visit:

www.iec.ch www.isa.org

www.sea.siemens.com

Add i t i ona l r e ad ing

IEC 61508, Functional Safety of Electrical/Electronic/Programmable Safety-Related Systems, Part 1-7, Geneva: International ElectrotechnicalCommission, 1998.

IEC 61511, Functional Safety: Safety I nstrumented Systems for the Process Industry Sector, Parts 1-3, Geneva: International ElectrotechnicalCommission, 2003.

ANSI/ISA S84.00.01-2004, Application of Safety Instrumented Systems for the Process Industries, The International Soci ety of Automation,Research Triangle Park, NC, 2004.

Goble, W. M., Evaluating Systems Safety and Reliability—Techniques and Applications, Research Triangle Park, NC, ISA 1997.

Goble, W. M., Control Systems Safety Evaluation and Reliability, Research Triangle Park, NC, ISA 1998.

Functional Safety Engineering I and II—Exida LLC 2001 – 2004.

Related News:

Counterfeit safety certifications discovered - 02.03.2011 12:02

Packaged burner controls lower costs, improve safety - 17.02.2011 12:08

How to Integrate Safety - 21.08.2010 18:48

<- Back to: Home

CFEMedia.com | Subscribe to Magazine | Advertise | Contact Us | AbChannels | New Products | Media Library | Connect | Industry News | Events and Awards

Control Engineering | Plant EngineeringAll content copyright © 2010-20

I n t e g r a t o r G u id eVisit the System Integrators page to view past winners of Control Engineering 's SystemIntegrator of the Year Award and learn how to enter the competition. You will also find moreinformation on system integrators and Control System Integrators Association.

Search the online Automation Integrator Guide by entering keywords in either of the fieldsbelow. The advanced search allows the selection of multiple c riteria to narrow the search results.Integrators wishing to apply for their own listing can click Create New Listing.

Company name search:

Search by name

Basic word search:

Search

Integrator Guide


Documents

When Should You Bypass