Functional Safety Management Requires Leadership and Competency

by Jim Cahill

The ControlGlobal.com site has a great article on process safety, Leading the Way to Process Safety. Author Peter Montagna describes the importance of leadership:

With strong leadership, a process safety program can achieve many goals. It can satisfy shareholders and company management with improved productivity and profitability; satisfy the community with fewer incidents; and satisfy employees with a healthy and safe working environment.

I ran this by Emerson's Chuck Miller whom you may recall from earlier posts on process safety. He's been preaching the critical importance of competency in functional safety management.

When I forwarded the RSS feed of the ControlGlobal.com story his way and asked his thoughts, Chuck as usual had some good ones. He wholeheartedly agrees that leadership is an important component:

…safety culture and competency … that is culture creation has to be driven from the top down. The leadership must set the standards and evaluate the process of the program. Management relates to the implementation of the process.

Chuck adds that there is a distinction between management and leadership. He writes:

However, many do not separate management and leadership, but instead combine the two. I place this as the leading metric of success or failure of the process. Changing culture in a work environment requires that you have the right people in place. They are hard to find but they are out there. To be effective it takes someone from the outside (of the work group) with the right credentials to drive the mission—no relationships or baggage to complicate the change agent with compromises.

Peter expressed a point in the article, "Then the process safety specialist leader has to form a team and help it create a compelling vision…" Chuck took a different view. He writes:

I put this responsibility on leadership (vis-à-vis our Functional Safety Management Board) whose visionary commitment sets the goal and strategies to get there. For me it takes leadership PLUS a commitment from all levels of the organization—these implementers are the safety specialists and they drive the commitment.

For your process safety efforts, what are your experiences?

April 25, 2008 in Safety

Preparing for Expected Growth in Nuclear Power Plants

by Jim Cahill

My spy utility, WatchThatPage, alerted me to another good article, this time on the Fisher control valves and regulators area of the Emerson website. The article, Getting ready for the nuclear renaissance, from the April issue of Valve World magazine, features Bill Fitzgerald, director of the Fisher Valves nuclear business unit.

As more and more people around the world climb the economic ladder, the global demand for energy continues to grow. A nuclear power renaissance is underway, according to Bill, driven by:

…issues like global warming and a desire for energy independence... It can never be the only solution, but it is a logical part of the solution.

Bill describes his team tracking forty U.S. projects. He estimates two-thirds of these will actually be built. The first ones may come on-line as soon as 2015. Bill describes the large engineering firms as well as the U.S. Nuclear Regulatory Commission (NRC) staffing up anticipating the work required to completely design, build and commission the first wave of these plants over the next seven years. This expected growth is by no means limited to the U.S.

As part of this process, the engineering firms' procurement people need to identify and begin to purchase the long-lead items like reactor vessels, which may take three years from order to delivery. Control valves also fall into this long-lead item category. As Bill explains:

…control valves have long lead times because the ASME has just issued new qualification requirements. So to use a valve in a given safety related application will probably require 18 months of qualification testing. We also have to factor in ever-tighter seismic requirements. Then materials procurement, machining, assembly and testing will probably take an additional 9-18 months, depending on valve type. So, we believe that if we get an order today for a nuclear grade valve it could take as long as three years to actually deliver it to the end user.

And Bill notes that these valves are used in safety critical areas. Not having them will delay the startup of the plant. Based upon this expected global increase in nuclear power plants, Emerson and other automation suppliers are increasing their capabilities to meet this demand.

Technology has changed greatly since these types of plants were built in the U.S. a generation ago. Bill describes digital technologies like Foundation fieldbus, which can be used in balance-of-plant applications to provide better control and diagnostic information. Devices like digital valve controllers have completed Electric Power Research Institute (EPRI) certification for use in this demanding application.

As energy producers seek ways to meet the increasing global energy demand, these preparatory activities are critical to meet challenging project schedules.

Update: I was just pointed to a great Béla Lipták article, The Third Industrial Revolution by a member of our DeltaV Twitter community. Béla describes the post fossil fuel world based on solar power and the role of process automation. It's well worth your read and I look forward to his book due out in August.

April 16, 2008 in Foundation Fieldbus, in Plant Equipment, in Power, in Regulatory Compliance, in Safety

Digital Valve Controllers in Safety Applications Get Smarter

by Jim Cahill

In the world of process safety, technology continues to advance to assist process manufacturers in their IEC 61511 safety compliance efforts. I saw a recent press release on enhancements to the Fisher DVC6000 digital valve controller. The news was:

…enhancements include manual reset, a stored safety demand event log, pass / fail status after a partial stroke test, and third party certification to SIL3, SIF loop.

I asked Riyaz Ali, whom you may recall from earlier posts, to simplify what this all means for me. The stored safety demand event log he likened to an airplane black box recorder. If a process upset condition triggers a safety demand on a valve controlled by the DVC6000 SIS (operated by 4-20mA input signal), it in turn automatically triggers an event log to capture the data into non-volatile memory locally in the digital valve controller.

This log keeps pre- and post-event data of the operating conditions surrounding the safety demand event. Examples of the type of data stored away in this event log include: travel, travel setpoint, output pressure with time in seconds, graphical representation of data points and date and time stamp of the trigger event for regulatory compliance.

Riyaz also described for me the partial stroke testing reporting. It now provides pass/fail status and a signature curve of the valve stem movement. These partial stroke tests periodically diagnose the SIS valve to help ensure its availability. Also, a specially designed built-in relay provides protection against spurious trips, which improves overall process availability. Other information provided back to the AMS ValveLink software includes diagnostics on stick-slip, shaft integrity, and maximum and minimum torque values.

For the DVC6000 SIS, the Fisher team achieved third-party certification for compliance to the IEC 61508 international safety standard for use in a SIL 3 safety instrumented function. This means that process manufacturers can use the DVC6000 SIS as part of the safety instrumented function in the SIL 3 loops they identify as part of their risk assessment and risk mitigation strategy.

Having all these digital valve controllers keeping logs of what's going on especially around upset conditions can greatly assist root cause investigations and help avoid future abnormal situations. And the diagnostics coming from the partial stroke tests can help process manufacturers avoid these abnormal conditions in the first place.

March 26, 2008 in Abnormal Situation Prevention, in Safety

Functional Safety Management Starts With Competency

by Jim Cahill

Emerson's Chuck Miller is one passionate guy when it comes to process safety and the international safety standards, IEC 61508 and IEC 61511. He is on a mission to put the focus of functional safety management where he believes it belongs—on the competency of the safety professionals involved in the safety lifecycle.

Chuck noted a panel discussion he sat in on at last fall's ISA Expo in Houston. The panel discussed various approaches to process manufacturing risk mitigation. These included combining control and safety in the same control system platform, the standalone safety instrumented system (SIS) approach, and the separate-yet-integrated safety system approach.

An end user on the panel discussed the common platform approach. He emphasized that his company's internal policies and procedures for risk assessment, implementation, operations and maintenance were well understood and consistently applied. These factors drove the decision to implement systems in this manner.

A safety instrumented system supplier discussed the standalone SIS approach, and one of Chuck's colleagues discussed the separate-yet-integrated approach that is represented by safety instrumented systems like DeltaV SIS. Using several advanced technology examples, including advancements in diagnostic coverage, common programming environments and global databases, the presenter illustrated how such technologies, when appropriately applied, provide measurable savings throughout the safety lifecycle without compromising the SIS's ability to conform to international safety standards such as IEC 61511.

Chuck's revelation was that the real issue is not so much the philosophy, the approach, the architecture, or even the platform selected. What really drives a successful SIS implementation is competency. Each of the presenters was passionate about their approach being the best solution because their individual competency was based on that particular philosophy and approach.

His bottom line—functional safety management must be implemented around the requirements of a technology and supported by competent safety professionals that always ensure that the SIS solution is defined, designed, installed, operated and maintained in a way that meets its defined functional safety requirements throughout its lifecycle.

As this group of panelists demonstrated in their exchanges with the audience—there are several philosophies, architectures and platforms to mitigate process manufacturers' safety risks. It takes competent safety professionals to work with these throughout the safety lifecycle.

January 29, 2008 in Project Services, in Safety

Technology and Technical Experience Applying Safety-Related Systems

by Jim Cahill

A colleague recently pointed me to a Manufacturing Business Technology article, Red alert: Increase in process automation heightens need for safety-related systems. The article points to a recent Frost & Sullivan study which predicts the market for safety-related systems used by process manufacturers will more than double from 2006.

Quoting from the account of this research report:

It says users will welcome systems that address the underlying challenge of minimizing the trade off between process uptime and process safety. In addition, users will favor vendors that have significant technical experience in installing complex integrated safety solutions that monitor safety and non-safety functions while reducing the costly channels of diversified communication.

Over the past several years of blogging, I've discussed safety instrumented systems and the associated global standards, IEC 61508 and IEC 61511 on numerous occasions. Newer architectures like Emerson's smart SIS incorporate digital communications so that the complete safety instrumented function (SIF) can be continuously diagnosed to help the function perform when it should and not when it shouldn't.

Rather than being prescriptive and instructing process manufacturers what to do, the safety standards are performance-based. IEC 61511 allows you to investigate the alternative solutions for the right safety instrumented function for the safety integrity level (SIL). This means that more engineering work may be required to investigate these alternatives to find the best solution.

I think this is where the "technical experience" part of the quote above comes in. Emerson's Len Laskowski said it best in an earlier post:

This is great news for the engineering community because they get to do the engineering. However the bad news is they must do the engineering.

As process manufacturers address their risk-mitigation strategies and comply with the IEC 61511 standard, they will continue to work closely with those that can provide the technical expertise required throughout the safety lifecycle, from front end engineering and design to ongoing system maintenance.

January 7, 2008 in Project Services, in Regulatory Compliance, in Safety

Certified Functional Safety Expertise

by Jim Cahill

Successfully executing a project with safety instrumented systems requires trained and competent project team members. They must be versed in the safety lifecycle as required by international safety standards—primarily IEC 61508 and IEC 61511 (ISA 84.01 in the U.S.) for the process industries.

To address this safety expertise requirement, TÜV and exida along with the support of other global safety experts created the Certified Functional Safety Expert (CFSE) concept. Its mission is:

…to ensure that personnel performing SIS lifecycle activities are competent as required by the IEC 61508, 61511, and 62061 [machinery safety] standards.

Currently there are two levels of certification, CFSE and CFSP (Certified Functional Safety Professional). The difference is mainly in practicing experience—ten years for CFSEs versus two years for CFSPs. The CFSE.ORG website describes the difference:

The CFSE is the higher level certification and is aimed at professionals who actively lead, coordinate and review the more complex and demanding activities in the Safety Lifecycle in leadership positions including SIL selection and SIL verification.

The CFSP is targeted at professionals who need a thorough understanding of the Safety Lifecycle activities at the execution level without necessarily leading, coordinating or reviewing the more complex and demanding activities.

CFSE.ORG reports that there are currently over 200 CFSEs and CFSPs in practice worldwide. The certification process is not easy. Those trying to take the test are warned:

…the certificate exams are extremely rigorous and often demand significant preparation in order to achieve the 80% passing grade for both exams. With this in mind, the Governance Board strongly recommends that all candidates develop an in-depth study plan to properly prepare for the examinations. The topics covered in the different exams and sample Process Applications Exam questions provided in the Specialties and General Information pull-down menus may be helpful in developing an effective study plan.

In view of the comprehensive nature of the exams, the Governance Board recommends that candidates put in at least 40 self study hours as part of their preparation for the CFSE/CFSP exams.

I bring all this up because I received a note from one of my colleagues in Calgary in our Hydrocarbon and Energy industry center. The news is that they have three newly minted CFSEs—David Goerzen, Prasad Goteti, and Ajmal Siddiq. Congratulations on your achievement!

I went out to the CFSE.ORG site and did a search on the 15 pages of CFSEs/CFSPs. As of today, November 27, 2007, I counted 38 Emerson CFSEs and 8 CFSPs. This is more than 20% of all the certified safety professionals in the world. The percentage is higher if you exclude the machinery safety professionals.

The organizational roles of these safety professionals run the gamut including projects, support, technology, sales and marketing. These organizations work with process manufacturers at various stages of the safety lifecycle to help meet their risk reduction goals.

November 27, 2007 in Project Services, in Safety, in Support Services

Foundation Fieldbus in Future Safety Instrumented Systems

by Jim Cahill

Emerson's Marshall Meier was a very busy person at this year's Emerson Exchange. In addition to his Web 2.0 in the Plant presentation that I wrote about in an earlier post, he presented on the subject of Foundation fieldbus (FF) technologies emerging in safety instrumented systems (SIS). Key points made in the presentation were that the Foundation fieldbus specification has been enhanced to support SIS, that the Fieldbus Foundation is currently running a demonstration project to validate the FF-SIS specification, and that this specification will begin to emerge in future SIS sensors, final control elements and logic solvers.

The purpose of Marshall's presentation was to give a look into the technology and process for how this standards effort is unfolding. It was not to say that this technology is ready to apply in your operations.

He first posed the question, "Why use Foundation fieldbus in SIS?" The answer is that Foundation fieldbus provides more computational horsepower and each value has a status associated with it. Conventional 4-20mA analog signals do not provide this indication of data goodness. More advanced diagnostics are also available to be used as part of the safety instrumented function. An example is Rosemount sensors that detect plugged impulse line conditions. Another benefit is that with FF-SIS devices, users wouldn't need to have 4-20mA SIS devices in an otherwise FF installation.

The additional safety-related function blocks specified in phase one of the preliminary specification include analog input and discrete output. Discrete input and analog output blocks are not yet defined in this early specification. Function blocks that can only run in a logic solver include analog comparators and logic blocks. Note that the same device description standard as the process-level FF function blocks will be applicable to FF-SIS blocks.

The Fieldbus Foundation last year announced a demonstration project working with process manufacturers and identified four sites with various suppliers' safety logic solvers, sensors, and final control elements. These tests are meant to validate the specifications for FF-SIS. The participating companies include Chevron, Shell, BP, and Saudi Aramco.

The FF-SIS specifications will advance in phases. Beyond the function blocks mentioned earlier, phase two will include additional blocks and the potential to have SIS and non-SIS devices on the same segment.

October 11, 2007 in Foundation Fieldbus, in Safety

Gary Law Receives ISA Award for DeltaV SIS Innovations

by Jim Cahill

At last week's ISA Expo 2007, Emerson's Gary Law received the Douglas H. Annin award. This award is in recognition of Gary's outstanding technical achievements in the design, development and application of automatic control systems. The ISA describes this award:

The Douglas H. Annin Award recognizes an outstanding achievement in the design, application, or development of the components in an automatic control system from the input measurement through the final control element. The award is in honor of Douglas H. Annin, a pioneer in modern-day control valve actuation and control valve body design.

I've known Gary for many years in our work advancing the DeltaV system. He is now a technologist with the DeltaV architecture team. He is responsible for the system architecture and future developments of the DeltaV system and PlantWeb architecture.

Gary was instrumental in the design and introduction of the DeltaV SIS (safety instrumented system). He was a part of eight different patents for this development and holds more than a dozen overall through his career. This Douglas H. Annin award was recognition for this innovation. Specifically:

For design and development of a safety instrumented system logic solver that is built into a basic process control system input/output card.

DeltaV SIS was the first SIS to take advantage of smart instruments (sensors and final control elements) used in safety applications communicating via the HART communications protocol. The diagnostics from these instruments can be used to continuously monitor the health of each safety instrumented function (sensor + logic solver + final control element).

In earlier posts, I've discussed some of these innovations and their application. These include performing partial stroke tests automatically within the safety instrumented function, separation between control and safety systems, and the ability to do complex safety shutdown sequences.

Scalability is another key aspect that was brought to safety instrumented systems with the design of DeltaV SIS. Logic solvers are added in small increments (16 I/O channels) for process manufacturers' SIL 1-3 safety instrumented functions. The hardware, software, and communications running in the logic solvers are different from the DeltaV automation system, but the configuration software is the same. This design provides the separation prescribed by the IEC 61508 global safety standard.

Many of the innovations in the DeltaV hardware and its interactions with the configuration software are thanks to Gary's efforts. You can see some of his enthusiasm in the digital bus videos created several years ago.

Congratulations to Gary for this recognition of his work to advance the state of technology in our world of process automation.

October 10, 2007 in Safety, in Technologies

Design of Safety Loops Beyond 2 out of 3

by Jim Cahill

Emerson's Mike Schmidt, a principal safety consultant in the Refining and Chemical industry center, presented Beyond 2oo3: Multi-sensor Architecture in SIF Design at the Emerson Exchange. You may recall Mike from an earlier post.

Mike discussed several cases and applications where more than three sensors are used in safety shutdown applications. Redundancy was his first example, where more than one sensor is being used for the exact same purpose. An example is separate temperature sensors installed on the inlets to multiple reactors, perhaps because of fears of common cause failure. In fact, all three of these sensors measure the same thing: the inlet temperature comes from the same header, so it is the same for all three new sensors.

Sensors for separate hazards are those serving unrelated purposes or located at independent points in the process. There is no redundancy here. The only possible architecture for the sensors is to have three separate instances of one-out-of-one (1oo1) voting.

Mike built the case of three tanks with three inlet temperatures sensors coming off a common header and said it could be argued that the three could be considered redundant. However, three sensors on the tank outlets could not be considered redundant since they are monitoring for separate hazards.

When evaluating fault tolerance, it is important to consider the number of success paths. Parallel paths provide redundancy, whereas serial paths with multiple elements have single points of failure. If you have three identical temperature sensors in parallel, it is like having a path with three in parallel, in series with a common cause failure element. Using different types of sensors greatly reduces this common cause failure to provide much lower probabilities of failure on demand (PFDAVG).

Mike discussed the case of a packed-bed reactor. These may be instrumented with ten or more temperature sensors to provide a temperature profile. The safety trip will be based on an abnormal profile. With advanced logic solvers, it is possible to perform the calculations necessary to reduce several measurements to profile parameters that can be used to trip a safety instrumented function (SIF). The profile is 1oo1 voting, but a rule might be that 8 out of 10 temperature sensors must be working to be considered a valid profile, so the PFDAVG is based on 8oo10 fault tolerance.

[Figure: Fluidized Bed Reactor SIF]

A separate issue to consider from a safety mitigation standpoint is multiple sensors for localized problems, like hot spots or leaks. Considering packed bed reactor hot spots, it sounds right to say we do not want to trip the reactor based on a single temperature sensor fault. Although this may sound right, Mike explored the math behind determining the PFDAVG. The example here is for an array of sensors installed to detect a hot spot within the packed bed, but it could just as easily be an array of analyzers around the outside of a piece of equipment installed to detect a leak of flammable or toxic gases.

He discussed the concept of the temperature sensors located next to the failed one. The sensors are primary for their respective zones and secondary for their neighboring zones. The key is to set up a separate safety instrumented function for each zone, which contains the primary sensor and the neighboring secondary sensors. This allows the reactor not to be treated as a single SIF where any one sensor failure can trip it.

The math works out that no matter how many transmitters and surrounding zones there are, the PFDAVG calculations are based on the primary and one secondary, even in the case of multiple secondary zones. The voting is one out of the number of surrounding zones plus the one primary zone, and the PFDAVG is always based on 1oo2 fault tolerance. No credit is taken for any of the additional secondary sensors in the PFDAVG calculations.

Mike summarizes these concepts by saying the number of sensors required for a SIF can be optimized to achieve the necessary coverage and the required redundancy. Using more than three sensors for redundancy does not really help. It may be necessary for coverage based on the geometry of the vessel, but not for increased redundancy.
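The voting arithmetic behind Mike's points, as an added worked example that is not from the post or from Emerson: PFDAVG of an MooN sensor group over one proof-test interval, with a beta-factor share of the failure rate treated as common cause so the identical-sensor case can be compared against diverse sensors. The failure rate, test interval and 10% beta are constructed figures, and the SIL bands are the IEC 61508 low-demand PFDAVG ranges applied to the sensor subsystem alone (architectural constraints and the rest of the loop are not modelled).

```python
from math import comb, exp

# Constructed example figures (not from the post): a dangerous undetected
# failure rate of 1e-6 per hour and an annual proof-test interval.
LAMBDA_DU_PER_HOUR = 1.0e-6
PROOF_TEST_INTERVAL_H = 8760.0


def pfd_instant(n_channels, m_required, lam_du, t_hours):
    """Probability that fewer than m_required of n_channels are still working
    at time t, i.e. the MooN group can no longer carry out its trip.
    Channels fail independently with constant rate lam_du (exponential model)."""
    p_fail = 1.0 - exp(-lam_du * t_hours)
    max_tolerated = n_channels - m_required  # failures the group can absorb
    return sum(
        comb(n_channels, j) * p_fail ** j * (1.0 - p_fail) ** (n_channels - j)
        for j in range(max_tolerated + 1, n_channels + 1)
    )


def pfd_avg(n_channels, m_required, lam_du, test_interval_h, beta=0.0, steps=2000):
    """Average PFD over one proof-test interval (midpoint-rule integration).

    beta is the share of lam_du treated as common cause: that share fails all
    channels together and so behaves like 1oo1, which is why identical sensors
    in parallel gain so little compared with diverse ones."""
    lam_independent = lam_du * (1.0 - beta)
    lam_common = lam_du * beta
    total = 0.0
    for i in range(steps):
        t = (i + 0.5) * test_interval_h / steps
        p_ind = pfd_instant(n_channels, m_required, lam_independent, t)
        p_ccf = 1.0 - exp(-lam_common * t)
        total += 1.0 - (1.0 - p_ind) * (1.0 - p_ccf)  # fails if either path fails
    return total / steps


def sil_band(pfd):
    """IEC 61508 low-demand PFDavg bands; 0 means the value is below SIL 1."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4


def compare_architectures(lam_du=LAMBDA_DU_PER_HOUR, ti=PROOF_TEST_INTERVAL_H):
    """PFDavg for the voting groups discussed in the post, with and without a
    10% common-cause share for the redundant groups."""
    cases = {
        "1oo1 (single sensor per hazard)": (1, 1, 0.0),
        "1oo2 (primary + one secondary zone)": (2, 1, 0.0),
        "1oo2, beta=0.1 (identical sensors)": (2, 1, 0.1),
        "2oo3": (3, 2, 0.0),
        "8oo10 (valid reactor profile)": (10, 8, 0.0),
        "8oo10, beta=0.1": (10, 8, 0.1),
    }
    return {name: pfd_avg(n, m, lam_du, ti, beta) for name, (n, m, beta) in cases.items()}


if __name__ == "__main__":
    for name, pfd in compare_architectures().items():
        print(f"{name:40s} PFDavg = {pfd:.2e}  -> SIL {sil_band(pfd)} capable")
```

With these figures the common-cause share alone costs the 1oo2 group an order of magnitude, which is the quantitative form of the post's point that a fourth identical sensor buys coverage, not redundancy.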

September 26, 2007 in Emerson Exchange, in Project Services, in Safety

Separation between Control and Safety Systems

by Jim Cahill

Earlier I mentioned Emerson's Dean Taggart's work with complex sequences in safety instrumented systems, based on an ongoing oil sands gasification project. John Kingston, from Emerson local business partner Spartan Controls, is presenting on this topic along with Emerson's Chuck Miller at the upcoming ISA Expo 2007.

I received a copy of the submitted paper that, among other things, explores the separation between basic process control systems (BPCS) and safety instrumented systems (SIS). Historically, the SIS was a separate entity, but with technological advances, this has begun to change. The authors note that the IEC 61508 international safety standard does not provide a definition of separation. It does mention physical separation as a highly effective technique. Given that the standard is much more performance-based than prescriptive-based, they note that there are few statements defining separation.

The paper refers to a few specific clauses in 61508-1, such as 7.5.2.4, where, when the control system places a demand on one of the safety-related systems, it "…shall be separate and independent" from the safety-related systems. In order to satisfy this clause, the control system must be proven sufficiently independent from the SIS. Certification agencies like the various TÜV organizations and other third-party testing labs help provide this proof for SIS suppliers per the IEC 61508 performance standards.

61508-1 Clause 7.6.2.7 addresses common cause failures by requiring functional diversity, technology diversity, diverse parts, services, and support, and that the BPCS and SIS not share common operational, maintenance, or test procedures, and that they be physically separated. Safety instrumented systems like DeltaV SIS address these in the authors' words:

Those factors [governing independence] include diversity, which essentially means that the BPCS and SIS should have different components, operating systems, chip sets, central processing units, etc. When looking at sharing parts, services, and support systems, one must ensure that the BPCS and SIS have different power sources, and that a safety network dedicated to safety related communications is used. They should not share test procedures, which means that if you are testing either the BPCS or the SIS, that those tests should be able to be run completely independently of each other. Finally, physical separation applies to how the architecture of the system is laid out, and how cabinetry is designed; in essence, this is where one would look at separating DCS cabinets from SIS cabinets, and perhaps maintaining the SIS from a different workstation than the one used for the BPCS.

A final clause that is discussed, 61508-2 Clause 7.4.2.3, explores how non-safety functions implemented in an SIS need to be treated as safety-related unless it can be shown that they are sufficiently independent (that the failure of any non-safety-related function does not cause a dangerous failure of the safety-related functions). This implies that control and safety functions can exist within the same system as long as sufficient care is taken in design and throughout the IEC 61511 safety lifecycle.

The authors summarize the implications of separation well:

Essentially, everything all boils down to good engineering designs and practices. One must consider the standards carefully, and understand the implications before going down a certain path. One cannot simply look at a system and know if it satisfies these requirements, because almost every system has a different level of independence. One must look at the specific details of a system to verify that it satisfies the requirements.

Dean summed up how these applied to the asphaltene gasification project:

The complexity of the process led to a need for integration as well as separation. Integration brings the benefits of integrated development and operating environments, less training cost, simpler architectures, faster and more reliable communications, reduced integration time, better handling of status information, and improved fault handling. The safety requirements of gasification focus on preventing damage to the burner, reactor, and syngas cooler, as well as operator safety. The process itself leads to the need for an intricate startup, as well as multiple methods of shutting down the process depending on the current state. An integrated but separate solution can provide several advantages while still providing the required amount of separation.

August 24, 2007 in Gasification, in Oil & Gas, in Safety, in Technologies

Verifying Safety Instrumented Functions Meet SIL Requirements

by Jim Cahill

Recently the DeltaV News RSS feed announced a video case study for Australia's Arrow Energy at their Tipton Gas plant.

I discovered that Bob Gale, an AIChE fellow and Sr. Technical/Safety Consultant in Emerson's Refining and Chemical industry center, was involved in this project. You may recall Bob from an earlier post about achieving IEC 61511 compliance.

As with more and more projects, a global Emerson team was assembled to execute it. Bob's role was to perform the safety integrity level (SIL) verifications for the project. Bob noted that part of the IEC 61511 safety lifecycle for DeltaV SIS projects is to have an Emerson Certified SIS Consultant verify that each safety instrumented function (SIF), as designed, meets the safety integrity level specified for it in the project.

Bob's task was to verify that each SIF provided the risk reduction required to bring the process to a safe state. One example he described was determining that the plant needed to divide one large SIF, which encompassed the fire detection equipment on all the compressors, into a separate SIF for each compressor. Once split, each of the smaller SIFs could provide the risk reduction required of it. Each SIF is designed to shut down its compressor in the event of a fire.

By working methodically through all of the process equipment that required risk reduction, Bob played a key role for the project team in the plant's IEC 61511 safety lifecycle efforts.
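To make the verification step concrete, here is an added example of the arithmetic behind a SIL verification; it is not Emerson's method or Arrow Energy project data. It sums the simplified average probability of failure on demand (PFDavg) of each 1oo1 subsystem in a SIF, maps the total to a SIL band, and shows why one SIF spanning every compressor can fall short where one SIF per compressor passes. The failure rates, the yearly proof test interval, and the assumption that the combined SIF fails if any of its detectors or shutdown elements fails are all constructed for illustration.

```python
"""SIL verification from a PFDavg budget. This is an added example, not
Emerson's verification method or Arrow Energy project data: the failure
rates and proof test interval below are constructed assumptions."""

# Demand-mode PFDavg bands per SIL (IEC 61511 / IEC 61508): (SIL, low, high)
SIL_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))


def pfd_1oo1(lambda_du, proof_test_interval_h):
    """Simplified PFDavg of a single-channel (1oo1) subsystem,
    lambda_DU * TI / 2, valid while lambda_DU * TI << 1."""
    return lambda_du * proof_test_interval_h / 2.0


def sil_achieved(pfd_avg):
    """SIL band that a PFDavg falls into; 0 means it earns no SIL credit."""
    for sil, low, high in SIL_BANDS:
        if low <= pfd_avg < high:
            return sil
    return 4 if pfd_avg < 1e-5 else 0


def verify_sif(subsystems, target_sil):
    """subsystems: iterable of (name, lambda_DU per hour, proof test interval h).
    Each subsystem is 1oo1 and all must work, so their PFDs add.
    Returns (pfd_avg, risk reduction factor, SIL achieved, meets target)."""
    pfd_avg = sum(pfd_1oo1(ldu, ti) for _, ldu, ti in subsystems)
    sil = sil_achieved(pfd_avg)
    return pfd_avg, 1.0 / pfd_avg, sil, sil >= target_sil


# Constructed per-hour dangerous undetected failure rates, proof tested yearly.
DETECTOR = ("fire detector", 5e-7, 8760.0)
LOGIC_SOLVER = ("logic solver", 1e-8, 8760.0)
SHUTDOWN = ("compressor shutdown element", 8e-7, 8760.0)


def per_compressor_sif(target_sil=2):
    """One SIF per compressor: its own detector, the logic solver, its own
    shutdown element."""
    return verify_sif([DETECTOR, LOGIC_SOLVER, SHUTDOWN], target_sil)


def combined_sif(n_compressors, target_sil=2):
    """One SIF covering every compressor. A dangerous undetected failure of any
    detector or shutdown element leaves some fire unprotected, so the SIF is
    modelled as all of them in series and the rates add (modelling assumption)."""
    parts = [LOGIC_SOLVER]
    for i in range(1, n_compressors + 1):
        parts.append((f"fire detector {i}", DETECTOR[1], DETECTOR[2]))
        parts.append((f"shutdown element {i}", SHUTDOWN[1], SHUTDOWN[2]))
    return verify_sif(parts, target_sil)


if __name__ == "__main__":
    for label, result in (("per compressor", per_compressor_sif()),
                          ("six compressors in one SIF", combined_sif(6))):
        pfd, rrf, sil, ok = result
        print(f"{label}: PFDavg={pfd:.2e} RRF={rrf:.0f} SIL {sil} "
              f"{'meets' if ok else 'fails'} SIL 2")
```

With these numbers the per-compressor SIF lands in the SIL 2 band with a risk reduction factor of about 174, while the single SIF covering six compressors accumulates six times the detector and final element contributions and drops into SIL 1. Real verifications use the device FMEDA data, the actual voting architecture and the common-cause factor rather than a plain 1oo1 sum, but the budgeting logic is the same.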


August 9, 2007 in Project Services, in Safety | Comments (0)

Learning Basic Safety Concepts and Terminology

by Jim Cahill

I was catching up on my RSS feeds over the mid-week U.S. Independence Day holiday. My RSS search feed on the IEC 61511 global safety standard (ISA 84.01 in the U.S.) turned up this press release on a DVD set released by the Safety Users Group. They describe the purpose of the production:

In the style of a documentary, this unique DVD will provide you with expert points of view, as well as specific concepts, definitions, experiences, examples, analysis and results from 11 world-renowned professionals in the safety industry. These experts are designers, manufacturing leaders, engineering companies, integrators, standards members, professors, legal counsel and TÜV certified Functional Safety experts.

Emerson's Thomas Steiner is one of the safety experts interviewed. He is one of a large number of Emerson certified functional safety experts (CFSE) and certified functional safety professionals (CFSP). The purpose of this certification, as stated on the CFSE.org site:

The CFSE (Certified Functional Safety Expert) concept was originally developed by TÜV and exida with the support of other international safety experts to ensure that personnel performing SIS lifecycle activities are competent as required by the IEC 61508, 61511, and 62061 standards.

Thomas discusses some of the basic terminology from the standards, such as safe failure fraction (SFF), safety requirements specification (SRS), and safety integrity level (SIL), in a very understandable way, and describes how the standard applies to process manufacturers. You can see his entire interview (16:54) on the EasyDeltaV.com web site.

Overall, there is quite a bit of safety expertise provided by the 11 participants on this two-DVD set. The cost is $115 (USD) and you can get a preview by viewing this trailer of the type of information presented.

If your responsibilities include the IEC 61511 safety lifecycle and you need a good primer or refresher from knowledgeable safety experts, consider this DVD set as one of your learning resources.


July 5, 2007 in Education, in Safety | Comments (0)

Complex Sequences in Safety Instrumented Systems

by Jim Cahill

For complex processes like the gasification units in the Oil Sands region of northern Alberta, Canada, how do you handle the integration of complex sequences that involve both the safety instrumented system (SIS) and the control system (the BPCS, or basic process control system, in safety-speak)?

This was the subject of a recent paper given by Dean Taggart, a professional engineer and certified functional safety expert (CFSE) in Emerson's Calgary-based Hydrocarbon and Energy Industry Center. Dean gave this paper along with members from Spartan Controls and the oil and gas producer, OPTI Canada.

The team gave the paper, Integration of Complex Sequences using DeltaV (presentation), at the 2007 AIChE Spring National Meeting. Dean and the team comprehensively covered the process and safety requirements, the technical concerns they raise, and the application of an implementation framework to this project.

With this post, I'll zero in on the decision of what should fall within the span of the SIS and what within the BPCS. As the team states, it's clear what initially goes into the SIS:

Normally the process is designed in a Front End Engineering Design (FEED) phase, where vessels, pumps, piping, and instrumentation are proposed. The process goes through a HAZOP process, with the intent of identifying hazards. As these are considered, either through a PHA, LOPA, or Risk Analysis, SIL targets are determined and requirements for SIS are established.

For complex processes, the SIS may be involved in the startup or shutdown sequences, as in the burner management system on a gasification reactor. Normally burner management on a trip simply closes off the feeds and the burner goes out. But in a gasification reactor operating at high pressure and temperature, the vessel must be evacuated of asphaltene quickly or it will harden and plug the feed lines. A shutdown sequence is required to depressurize and cool the reactor down without damaging it.

The choice the project team faced was either to perform all of the startup and shutdown sequences in the SIS or to split them between the SIS and the BPCS. The issues with splitting the sequence are the added configuration complexity, data mapping, communications diagnostics and handshaking logic required. With some common methods for this communication, such as Modbus serial and OPC, the communications throughput also has to be carefully designed and tested. A bigger concern stated in the paper:

In order to work properly, the BPCS and SIS would have to have "parallel" sequences which would need to be synchronized very tightly with each other. In the event that communications was lost during a startup or shutdown, each would have to execute separate and parallel actions. Since the actions may need to be modified based on process conditions, this adds even more complexity.

For this project, the team used the DeltaV system with DeltaV SIS and ran the sequence in the DeltaV SIS. The paper describes the resulting simpler approach:

Under normal circumstances, the SIS runs the sequence, can override the BPCS when required, and can examine the health of the BPCS. The BPCS only performs process control, listens to the SIS for overrides, and can examine the health of the SIS. If communications is lost, the SIS can take the appropriate action (perhaps abort a startup, execute a shutdown, or may do nothing at all if in normal operation). In this case, the BPCS may continue to execute process control on some loops, and for others they may automatically be set to override or manual mode. The flexibility is there, and there is little concern over loss of communication.

If you have a project with hazardous processes and both control system and SIS requirements, this paper is an excellent resource for thinking through the design process.
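The division of roles the paper describes, with the SIS owning the sequence and deciding for itself what a lost BPCS link means, is easy to state but the state dependence is where implementations go wrong. The following is an added example of that logic, not the project's DeltaV SIS configuration: the sequence states, the heartbeat-counter health check, the five-second timeout and the chosen actions are all assumptions. Health is keyed to a counter that must change, so a frozen BPCS or a stale gateway register that keeps repeating the last value is treated as a lost link rather than a healthy one.

```python
"""State-dependent handling of a lost SIS-to-BPCS link, following the
division of roles the paper describes (SIS owns the sequence and watches
BPCS health). Added example, not the project's DeltaV SIS configuration;
the states, heartbeat scheme, timeout and actions are assumptions."""
from enum import Enum


class SeqState(Enum):
    STARTUP = "startup"
    NORMAL = "normal"
    SHUTDOWN = "shutdown"


HEARTBEAT_TIMEOUT_S = 5  # assumed: silence longer than this means the link is lost


class SisSequencer:
    """Safety logic solver side. The BPCS sends a heartbeat counter each scan;
    the SIS decides what a lost link means from the state the sequence is in."""

    def __init__(self, timeout_s=HEARTBEAT_TIMEOUT_S):
        self.timeout_s = timeout_s
        self.state = SeqState.NORMAL
        self.link_healthy = True
        self.override_bpcs = False     # asserted to force BPCS loops to override/manual
        self._last_counter = None
        self._last_change_t = 0
        self.events = []

    def begin_startup(self, now):
        self.state = SeqState.STARTUP
        self._last_change_t = now
        self.events.append((now, "startup sequence started"))

    def bpcs_heartbeat(self, now, counter):
        # A frame whose counter has not advanced is a frozen BPCS or a stale
        # gateway register, so only a changed counter refreshes the watchdog.
        if counter != self._last_counter:
            self._last_counter = counter
            self._last_change_t = now

    def scan(self, now):
        """One SIS scan: re-evaluate link health, then act according to state."""
        if now - self._last_change_t <= self.timeout_s:
            self.link_healthy = True
            return
        if self.link_healthy:
            self.events.append((now, "BPCS heartbeat lost"))
        self.link_healthy = False
        if self.state is SeqState.STARTUP:
            # A startup cannot be completed without the BPCS: go to the safe state.
            self.shutdown(now, "startup aborted: BPCS link lost")
        # NORMAL: protection continues locally, nothing to change.
        # SHUTDOWN: already heading to the safe state.

    def shutdown(self, now, reason):
        if self.state is not SeqState.SHUTDOWN:
            self.state = SeqState.SHUTDOWN
            self.override_bpcs = True
            self.events.append((now, reason))


def run_scenario(startup, heartbeat_times, scan_until, frozen_counter=False):
    """Drive the sequencer with one scan per second. heartbeat_times is the set
    of seconds at which a BPCS frame arrives (constructed input)."""
    sis = SisSequencer()
    if startup:
        sis.begin_startup(0)
    counter = 0
    for t in range(scan_until + 1):
        if t in heartbeat_times:
            counter = 1 if frozen_counter else counter + 1
            sis.bpcs_heartbeat(t, counter)
        sis.scan(t)
    return sis


if __name__ == "__main__":
    scenarios = (
        ("startup, link drops after 3 s", run_scenario(True, {1, 2, 3}, 12)),
        ("normal, link drops after 3 s", run_scenario(False, {1, 2, 3}, 12)),
        ("startup, counter frozen", run_scenario(True, set(range(1, 13)), 12, True)),
    )
    for name, sis in scenarios:
        print(f"{name}: state={sis.state.value} override={sis.override_bpcs} "
              f"events={sis.events}")
```

The same loss of communication aborts a startup but is merely logged in normal operation, which is the flexibility the paper is pointing at. In a real logic solver the override flag would be a safety-rated output or hard-wired signal rather than a message over the same link whose health is in question.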


May 21, 2007 in Oil & Gas, in Project Services, in Safety | Comments (0)

Answers to Safety-Related Standards and Installation Questions

by Jim Cahill

People from across the world come to this blog and send some great questions from time to time. The most recent example is a set of questions about safety instrumented systems (SIS) and the IEC 61511 standard. I thought I'd run them by two experienced Emerson safety experts, Len Laskowski in the Refining and Chemical industry center and Stephane Boily in the Hydrocarbon and Energy industry center.

As safety professionals incorporate these performance-based international safety standards, I thought sharing their answers might help your safety planning efforts. Len answers the four questions and Stephane adds his thoughts on the SIS installation components.

What are the standards that define the best rules for installation of the field equipment of a SIF/SIS on site?

IEC 61511 or ISA-S84-2003 (which is really the same thing, plus a grandfather clause) are intended for application in the process industry. They do the best job of defining what one needs to be concerned with for field instruments. The guidance may be considered somewhat minimal, but the critical safety issues are there. Whatever would make a good installation for the basic process control system (BPCS) is a good installation for the SIS also. However, some different issues need to be recognized. First, the instruments need to be reliable. One measurement, referred to as "proven in use", means that reliability data must be available for safety integrity level (SIL) calculations. If not, then SIL-rated instruments are an option. Next, one must consider the fault tolerance requirements for the safety instrumented function (SIF). This is a function of the SIL level for each SIF in the SIS. There will of course always be the need to make sure the instruments are calibrated routinely and tested per the proof test requirement. If this is done online, then the engineer needs to make sure that those facilities, plus the ability to do maintenance, are designed into the project. Typically sensors need their own root valve, and final control elements may need bypasses or a means for partial stroke testing.

The routing of the individual cables of the transmitters in a 2oo3 voting system: the same route, or different routes?

Some reliability engineers would want to try to convince you that a different route is required. While everyone would like diverse routing from a common mode point of view (a fire, a dropped crane load, a chemical spill, etc. could destroy all the cables in the same tray), it is many times impractical to route differently. One deciding factor is availability. If high availability is required, diverse routing is a good idea, but again not mandatory. Some companies may have internal standards on this subject. The other factor is whether or not the SIS fails safe. If the loss of a cable causes the system to have a spurious safe trip, the system is safe, but you have to deal with the cost of the spurious trip. If the SIF is energized-to-trip, one needs to look at separate routing. Also, end of line monitoring, etc.

Can I install the three field devices together in a bank, or in different places, to avoid common failure, e.g., from vibration or risk of fire?

Field instruments are designed for the outdoor industrial environment. Utilize them correctly for their application. If it is a bad installation for the BPCS it is bad for the SIS also. While many SIS logic solvers have been industrially hardened to operate in a broad range of environmental conditions with numerous successful applications, it just stands to reason that putting them in environmentally controlled areas will improve potential reliability plus the ability to do maintenance.

Yes, one must always be careful with respect to common mode. Common mode can wipe out the reliability gains of redundancy. That is why it is required to do SIL calculations to verify that the common mode effect is not so strong that it renders the SIF ineffective.

Must I use the normal practices of engineering, or do rules or recommendations exist for the installation of field equipment for the SIF/SIS?

One has to ask whose normal practices? If we mean industry best normal practices, the answer is yes again, but one needs to follow the entire IEC 61511 life cycle to determine what that really means for each project. What is an acceptable solution for one plant may not work for another. The questions you ask really point out that to safely design a plant, the project needs to execute the IEC 61511 Safety Life Cycle. Hazards are identified early in the project and solutions are designed around those hazards. The questions you asked should all be covered in the Safety Requirements Specification (SRS). There are 27 questions that cover the topics you have asked about and more, much more. Inexperienced engineers may not be aware of this list of questions that define an IEC 61511 SRS. This is why you should work with experienced organizations. A study done by the Health and Safety Executive in the UK has shown that the majority of problems with SIS systems today are actually specified into the project. (Or shall we say not specified into the project; one does not know what one does not know.) Failure to execute the life cycle activities early and properly can have serious safety, schedule and cost implications on a project.

Stephane adds these thoughts on the installation components:

Sensor: To reduce common mode, each sensor should have a separate process connection. There have been some good arguments made with regards to using different technologies in order to reduce common mode, but one must look at practicality vs. benefits and risk reduction. Also, although the use of diverse technologies can reduce common cause, it will not eliminate it completely.

Transmitters: For sensors integrated with (or separate from) the transmitter, the geographical locations of the voted transmitters should be away from each other to the extent possible (so that in the event of a fire, as an example, all transmitters are not affected).

Junction boxes: Separate JBs for each transmitter / 2-core cable is preferred.

Multicore cables: If separate JBs are not possible, run each transmitter pair in separate multicore cables to the control room.

Cable trays: Run the multicore cables in separate trays which have separate routes to the control room when practical. Availability would be the determining factor.

Safety logic solver: Each transmitter signal could be connected to a separate SLS, on separate carriers. This would slightly compromise the PFD value, however, and could also make the SIF configuration more complicated, but it reduces common cause. SLS installed in two different cabinets in different control rooms would be even better! However, common sense and practicality need to be used. The same logic could be used for the output signals.

The extent to which one would go in segregating will depend on ALARP (as low as reasonably practicable; here 'low' refers to the risks involved). The risk reduction factor (RRF) of the SIF and how much of the risk the engineer / company is ready to absorb will dictate the decision. The common cause calculator (based on such segregation) is given in IEC 61508-6, Table D.5.
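Len's warning that common mode can wipe out the gains of redundancy, and Stephane's list of segregation measures, both come down to one number: the common-cause factor beta. The following is an added example, not Len's or Stephane's own calculation, showing with the simplified PFDavg equations of IEC 61508-6 how beta dominates a 1oo2 or 2oo3 sensor subsystem once separation is poor, and what beta a 1oo2 arrangement would have to stay under to remain in a SIL 3 band. The failure rate, proof test interval and beta values are assumptions; in a real assessment beta comes from the IEC 61508-6 annex D scoring of exactly the measures listed above (separate connections, routing, cabinets and so on).

```python
"""Common-cause (beta) factor vs. redundancy, using the simplified PFDavg
equations from IEC 61508-6. Added example, not Stephane's or Len's own
calculation; lambda_DU, the proof test interval and the beta values are
assumed, and beta itself would come from the IEC 61508-6 annex D scoring."""


def pfd_1oo1(ldu, ti):
    return ldu * ti / 2.0


def pfd_1oo2(ldu, ti, beta):
    """Two channels, either can trip. Independent term plus the common-cause
    term beta * lambda_DU * TI / 2 that behaves like a single channel."""
    independent = (1.0 - beta) * ldu
    return (independent * ti) ** 2 / 3.0 + beta * ldu * ti / 2.0


def pfd_2oo3(ldu, ti, beta):
    """Three channels, any two must agree. Independent term is three times the
    1oo2 one; the common-cause term is unchanged."""
    independent = (1.0 - beta) * ldu
    return (independent * ti) ** 2 + beta * ldu * ti / 2.0


def common_cause_share(ldu, ti, beta, arch=pfd_1oo2):
    """Fraction of the architecture's PFDavg that is the common-cause term."""
    return (beta * ldu * ti / 2.0) / arch(ldu, ti, beta)


def max_beta_for_target(ldu, ti, target_pfd):
    """Largest beta that keeps a 1oo2 subsystem at or below target_pfd.
    Uses the beta=0 independent term, which overstates it slightly, so the
    answer is conservative. None if even beta=0 cannot reach the target."""
    headroom = target_pfd - (ldu * ti) ** 2 / 3.0
    if headroom <= 0.0:
        return None
    return min(1.0, headroom / (ldu * ti / 2.0))


if __name__ == "__main__":
    LDU, TI = 5e-7, 8760.0    # assumed per-hour lambda_DU, yearly proof test
    print(f"1oo1: {pfd_1oo1(LDU, TI):.2e}")
    for beta in (0.0, 0.02, 0.10):
        print(f"beta={beta:.2f} 1oo2={pfd_1oo2(LDU, TI, beta):.2e} "
              f"2oo3={pfd_2oo3(LDU, TI, beta):.2e} "
              f"CCF share of 1oo2={common_cause_share(LDU, TI, beta):.0%}")
    print("beta needed for 1oo2 to stay in the SIL 3 band: "
          f"<= {max_beta_for_target(LDU, TI, 1e-4):.1%}")
```

With the assumed numbers, going from beta = 0 to beta = 10% raises the 1oo2 PFDavg about 35-fold, and at a modest beta of 2% the common-cause term is already close to 90% of the total; past that point extra channels buy almost nothing, which is why the segregation measures above, not the voting scheme, decide whether a redundant sensor set earns its SIL.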


May 9, 2007 in Project Services, in Safety | Comments (0)

SIL Levels Apply to Safety Instrumented Functions

by Jim Cahill

I caught up with Riyaz Ali, who works in the organization managing Emerson's Fisher brand of valves and regulators. You may recall Riyaz from some earlier posts on safety valve local control panels, partial-stroke testing in safety applications, and testing safety solenoid valves.

Riyaz has been hearing more and more questions from process manufacturers, consultants, integrators, and other automation professionals about the adoption of the IEC 61508 and IEC 61511 international safety standards. These questions tend to get very specific about the safety integrity levels (SIL) of the components within the safety instrumented function (the safety loop). Today all components of the safety instrumented function (SIF), including the logic solver, sensor, and final control element, may have microprocessors that perform self-diagnostics and communicate the results digitally to the logic solver.

Riyaz wanted to clarify some questions on SIL ratings and field devices. If a process manufacturer hears that a field device is "SIL 3-rated" in accordance with IEC 61508, that is a misstatement. A field device on its own cannot carry a SIL rating.

A device may be certified as suitable for use in a SIL 3 safety instrumented function, but the SIL itself applies to the entire loop, not to the individual components within it.

The second key point Riyaz made is that a single microprocessor-based device (a Type B device under IEC 61508 part 2, whose architectural constraints are given in table 3) cannot be used in a SIL 3 safety instrumented function at hardware fault tolerance 0 unless its safe failure fraction is at least 99%; in practice that means additional hardware fault tolerance, i.e. a redundant device, is required.
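The architectural constraint is easy to check once the device's FMEDA failure-rate split is known. Here is an added example, not a real device's data and not Fisher's or Emerson's code, that computes the safe failure fraction from the four failure-rate classes and then applies the IEC 61508-2 (2000 edition) table 2 and table 3 constraints for type A and type B subsystems to find the highest SIL a device may be used in at a given hardware fault tolerance, and the smallest HFT that reaches a target SIL. The transmitter failure rates are constructed.

```python
"""Safe failure fraction (SFF) and the IEC 61508-2 (first edition, 2000)
architectural constraint tables that Riyaz refers to. Added example, not
a real device's FMEDA: the failure-rate split is constructed."""

# Rows: SFF < 60%, 60% to < 90%, 90% to < 99%, >= 99%.
# Columns: hardware fault tolerance 0, 1, 2. Entries are the highest SIL the
# subsystem may claim on architectural grounds; 0 means "not allowed".
TYPE_A = ((1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4))   # IEC 61508-2 table 2
TYPE_B = ((0, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4))   # IEC 61508-2 table 3


def safe_failure_fraction(l_sd, l_su, l_dd, l_du):
    """SFF = (safe + dangerous-detected) / all failures; rates in any common unit."""
    total = l_sd + l_su + l_dd + l_du
    return (l_sd + l_su + l_dd) / total


def sff_row(sff):
    if sff < 0.60:
        return 0
    if sff < 0.90:
        return 1
    if sff < 0.99:
        return 2
    return 3


def max_sil(sff, hft, type_b=True):
    """Highest SIL a subsystem may be used in, given its SFF and HFT."""
    table = TYPE_B if type_b else TYPE_A
    return table[sff_row(sff)][min(hft, 2)]


def min_hft_for_sil(sff, target_sil, type_b=True):
    """Smallest HFT that allows use in target_sil; None if HFT 2 is not enough."""
    for hft in range(3):
        if max_sil(sff, hft, type_b) >= target_sil:
            return hft
    return None


# Constructed FMEDA split for a smart (type B) transmitter, in FIT (1e-9/h).
TRANSMITTER = dict(l_sd=0.0, l_su=300.0, l_dd=600.0, l_du=100.0)

if __name__ == "__main__":
    sff = safe_failure_fraction(**TRANSMITTER)
    print(f"SFF = {sff:.1%}")
    for hft in range(3):
        print(f"HFT {hft}: max SIL {max_sil(sff, hft)} as type B, "
              f"{max_sil(sff, hft, type_b=False)} as type A")
    print("HFT needed for SIL 3 as type B:", min_hft_for_sil(sff, 3))
```

A type B device with a 90% SFF tops out at SIL 2 on its own and needs HFT 1 (a second device) to be used in a SIL 3 loop, whereas the same SFF would allow SIL 3 at HFT 0 if the device were type A. Later editions of IEC 61508 revised these tables, so check which edition a certificate cites.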

Obviously, there is quite a bit to these safety standards and their application, and I hope some of these blog posts on the topic of safety help you in your adoption of these standards in your facilities.


April 27, 2007 in Safety | Comments (5)

Improving Local Control around Safety Shutdown Valves

by Jim Cahill

You have to admire the way a team of engineers, when presented with a challenge, comes up with a better, less costly approach. Such is the case with a local control panel for a safety valve that Emerson Fisher division's Riyaz Ali showed me. You may recall Riyaz from earlier posts on the topic of safety.


The challenge is that safety shutdown valves with conventional local control panels have typically required ten input/output connections between the safety system's logic solver, the local control panel, the solenoid and the digital valve controller. These panels receive hard-wired signals from the SIS logic solver for lamp indication of valve Open, Closed and Ready to Reset. If the logic solver needs the valve opened after the Ready to Reset indication, a Valve Open signal has to be sent to the local panel on a separate pair of wires so that the field technician can open the valve. A further I/O point is required for closing the valve from the local panel in an emergency.

Many plants keep their own metrics on what it costs to install each I/O point, but a ballpark figure of $2,000 USD per I/O point is typical.


The approach Riyaz describes is based on the Fisher LCP100 local control panel, which requires 5 I/O points, roughly $10,000 in savings per installed smart local control panel. If your facility is a refinery, petrochemical or chemical plant, this adds up quickly, depending on how many safety valves with local control panels you have. The panel communicates digitally with Emerson's Fisher DVC6000 digital valve controller, eliminating the separate wiring for Valve Open and Closed indication, Ready to Reset indication, and the pushbuttons for manual Valve Open and Close. The same digital communications also carry diagnostics that reduce the ongoing maintenance cost typical of hard-wired solutions.

Riyaz also points out that the digital valve controller can provide on-line diagnostics and partial-stroke testing to assist the process manufacturer in checking the safety instrumented function that includes these shutdown valves.

As with most digital communications, the long term benefits in diagnostic coverage with this integrated approach are usually greater than the initial benefits in installation cost savings.


February 7, 2007 in Safety | Comments (0) | Trackback (0)

Partial-Stroke Tests, Proof Tests, and Smart Positioners in Safety Applications

by Jim Cahill

Before the holidays, Dave Harrold wrote a post, A Wee Bit More About Safety Instrumented Systems, in his Dave @ AFAB Group blog. He describes his work with Dr. Angela Summers, founder and president of SIS-Tech Solutions, on a guidelines book for the global IEC 61511 safety standard. Dave also referenced an SIS-related Q&A article Angela wrote for Flow Control magazine.

I forwarded the post and Flow Control article link to Riyaz Ali, whom you may recall from an earlier post. Riyaz wanted to add to the conversation and make three specific points in reference to the Flow Control article.

On the question regarding the use of digital valve positioners to perform partial-stroke testing and its relationship to the proof test interval, Riyaz agrees that a proof test is far more than a partial stroke test. The proof test can be performed on a final control element either on-line, when a bypass valve exists, or offline when the process is shut down, such as during a plant turnaround. Many process manufacturers do not have large bypass valves and seek to extend the interval between plant turnarounds as long as possible. The on-line partial stroke testing provided by digital valve positioners can help extend the time between proof tests; it does not replace those tests. Riyaz points to a Control Engineering magazine article authored by Dr. Summers, Partial Stroke Testing of Safety Block Valves, in which she points out:

Also affecting the SIL is diagnostic coverage and testing intervals of partial-stroke testing to supplement full-stroke testing to reduce a block valve's PFD.

Being a mechanical item, the SIS final control element is challenging to test, and at the same time represents a significant failure contributor to the SIF loop. Partial stroke testing by digital valve positioners not only provides audit documentation but also allows diagnosis of valve health, a key feature for improving the reliability of the SIF loop.

Riyaz did take exception to a statement in the article about throttling valves:

Positioner failures are the leading cause of control failure, so the positioner should not be used to actuate the valve in an SIS application when preventing events associated with a loss of control. Instead, a solenoid-operated valve should be used to independently close the control valve.

He notes that control valves are geometrically better designed, with a proper actuator-to-valve-plug connection to reduce hysteresis, dead band, stiction, backlash and the like, compared to shutdown valves, which typically have a keyed shaft and are used mainly for on/off service. The main concern for a shutdown valve is a stuck condition. If the initial breakaway force is overcome during normal exercise of the valve, either through a partial stroke test or by modulating it through the DCS signal, it is very likely that the valve will be available on a safety demand, when required to bring the process to a safe state.

His final point is on the question regarding smart positioners for partial-stroke testing of smart valves. Air-operated positioners have been used in the process industries for years to improve control loop performance. It is becoming rare to come across a control loop without a positioner, especially where the application benefits from reduced process variability. Based on their usage and benefits in process control, process manufacturers have started using them for safety instrumented systems as well. Riyaz agrees with Dr. Summers' comment that positioners have a small orifice, but for anything larger than an 8" to 12" valve a quick exhaust valve or similar mechanical device will be used in any case if a fast stroking speed is desired. Len Laskowski adds that the driving factor is process safety time. Many times larger valves do not need to close in one or two seconds, and in fact require a more controlled closure to avoid negative effects on process and utility equipment. It all hinges on the process safety time for each application.

Positioners are designed to bleed a small amount of air continuously, keeping the air flowing and the housing pressure above atmospheric so that corrosive gases from the surrounding atmosphere cannot get inside. During a partial stroke test the positioner also exhausts and refills air, which keeps its mechanical parts moving and avoids any build-up.

Digital valve positioners allow partial-stroke testing while the process is running and provide a date and time stamp for each test, with the capability to store and compare test results. Being microprocessor-based, these positioners also allow remote testing and remote retrieval of the data. The main advantage is predictive maintenance through valve degradation analysis, which is important for critical valves in safety-related systems. If the valve is stuck, the digital valve positioner can alert operators to fix the problem.
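The claim that partial-stroke testing extends, but never replaces, the full proof test can be put in numbers. The following is an added example, not a calculation from Dr. Summers' article or from Fisher, that splits a final element's dangerous undetected failure rate into the share a partial stroke can reveal (credited at the PST interval) and the share that only a full proof test reveals, then solves for the longest proof test interval that stays within a PFD budget. The failure rate, the 60% PST coverage and the intervals are assumptions; PST coverage is always strictly below 100% because a partial stroke cannot prove tight shutoff, which is exactly why it cannot stand in for the proof test.

```python
"""Partial-stroke test (PST) credit against a final element's PFDavg. Added
example, not a calculation from Dr. Summers' article or from Fisher; the
failure rate, coverage and intervals are assumptions. lambda_DU is split into
the share a partial stroke can reveal (tested every PST interval) and the
share only a full proof test reveals."""


def pfd_final_element(ldu, proof_interval_h, pst_coverage=0.0, pst_interval_h=None):
    """Simplified PFDavg of a 1oo1 final element with an optional PST credit."""
    if not 0.0 <= pst_coverage < 1.0:
        raise ValueError("PST coverage must be in [0, 1): a partial stroke "
                         "cannot prove tight shutoff, so it never reaches 100%")
    if pst_coverage == 0.0 or pst_interval_h is None:
        return ldu * proof_interval_h / 2.0
    return (ldu * pst_coverage * pst_interval_h / 2.0
            + ldu * (1.0 - pst_coverage) * proof_interval_h / 2.0)


def max_proof_interval(ldu, pfd_budget, pst_coverage, pst_interval_h):
    """Longest full proof test interval (h) that keeps PFDavg within the budget
    once PST credit is taken; None if the PST term alone exceeds the budget."""
    if not 0.0 < pst_coverage < 1.0:
        raise ValueError("PST coverage must be in (0, 1)")
    headroom = pfd_budget - ldu * pst_coverage * pst_interval_h / 2.0
    if headroom <= 0.0:
        return None
    return headroom / (ldu * (1.0 - pst_coverage) / 2.0)


if __name__ == "__main__":
    LDU, YEAR, MONTH = 1e-6, 8760.0, 730.0       # assumed per-hour lambda_DU
    base = pfd_final_element(LDU, YEAR)
    with_pst = pfd_final_element(LDU, YEAR, pst_coverage=0.6, pst_interval_h=MONTH)
    stretch = max_proof_interval(LDU, base, 0.6, MONTH)
    print(f"yearly proof test only:      PFDavg = {base:.2e}")
    print(f"plus monthly PST (60% cov):  PFDavg = {with_pst:.2e}")
    print(f"same PFD budget allows a full proof test every {stretch / YEAR:.1f} years")
```

With these numbers a monthly partial stroke at 60% coverage more than halves the element's PFDavg, or equivalently lets the full proof test move from yearly to roughly every 2.4 years at the same PFD. The uncovered 40% is the term that never goes away, and it is the justification for Riyaz's point that the proof test still has to be done.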


January 2, 2007 in Abnormal Situation Prevention, in Safety | Comments (0) | Trackback (1)

Checking Your Safety Solenoid Valves

by Jim Cahill

In an earlier post I discussed the critical role the final control element plays in a safety loop, or safety instrumented function (SIF) in safety parlance. This equipment mostly stays in one position until called upon to move should an emergency situation arise. Digital valve controllers like the Fieldvue DVC6000 SIS provide partial stroking of the valve, which process manufacturers can design into their safety instrumented functions to reduce the probability of failure on demand (PFD).

Even with the advance of intelligence in digital valve controllers to do partial stroke testing, a problem remained in testing the solenoid valves used in the safety instrumented function. These solenoid valves are installed to quickly bleed the air supply from the valve actuator that is holding the SIS valve open or closed. The only real way to test a solenoid valve had been to trip it, causing the safety function to occur. Such full trips can be quite hard on the plant piping and process equipment.

Riyaz Ali, a development manager in Emerson's Fisher division, showed me the latest advancements to the DVC6000 SIS for testing the solenoid without causing safety valve movement. What the technology team found through extensive research and development is that the solenoid valve can be pulsed for a split second by a smart SIS logic solver like the DeltaV SIS system.

The pulse is long enough for the solenoid valve to vent, which verifies that it is functional, but short enough that the actuator does not bleed off enough pressure to move the SIS valve. Diagnostics in the DVC6000 SIS sense and capture the momentary pressure blip across the solenoid valve during the test, and also record pressures, travel information, and other diagnostic data.

Beyond solenoid testing, Riyaz mentioned the DVC6000 SIS is capable of collecting data during a trip event, much like an airline's "black box" flight recorder. This data collection can be triggered upon a change in actuator pressure, valve travel, input current, pressure differential, travel deviation, travel cutoff, or an externally defined trigger event. This data can be helpful when reviewing the causes of a safety trip as well as having the data available for regulatory reporting.

One final point Riyaz emphasized is the DVC6000 SIS spurious trip protection, which provides maximum output pressure at minimum input signal, so that the valve does not trip spuriously if the 4-20 mA signal between the smart logic solver and the digital valve controller is lost or severed.

Together, these technologies give process manufacturers an end-to-end way of checking the safety instrumented functions including the solenoid valves, to assist their design, implementation, and ongoing testing phases of the IEC 61511 safety lifecycle.


December 1, 2006 in Safety | Comments (0) | Trackback (1)

IEC 61511 Safety Projects Require More Upfront Planning

by Jim Cahill

Recently Control magazine editor-in-chief Walt Boyes covered a presentation by TÜV-Rhineland's Heinz Gall in a post entitled Heinz Gall on Functional Safety--from the department of "no whining". Heinz's key point in this presentation was:

You must have safety management, and qualified personnel are a must!

I ran Walt's post by Len Laskowski, a certified functional safety expert (CFSE) in our Refining and Chemical Industry Center, whom you might recall from an earlier IEC 61511 post.

Len agrees with Heinz's assessment. He believes the problem most engineers have with a new standard such as IEC 61511 is that it is a performance standard. This is great news for the engineering community, because they get to do the engineering. The bad news is that they must do the engineering. Len recalled that in the days when most process manufacturers were putting together their own standards on safety instrumented systems, those standards were very prescriptive.

This made things easier from an engineering point of view, but the prescriptive standards sometimes could not cover all cases. By contrast, IEC 61511, being a performance standard, allows you to investigate alternative designs for each safety instrumented function (SIF) against its required safety integrity level (SIL).

Len stresses that this can be a very powerful tool if applied properly and if there is enough time in the project schedule to do the analysis. What typically happens is that project schedules do not allot enough time or dedicate qualified resources to this activity. As with most project activities, it is much better to do this earlier in the project than later. Len's team has been called into projects towards the end and has uncovered problems on some of the high-SIL SIFs, which caused a scramble to find the appropriately rated instruments required.

Len advises for your IEC 61511 safety projects to plan for more engineering time in the feasibility and front end engineering design (FEED). The older prescriptive methods allowed this work to be done later in the detailed design phase. As Len puts it:

Recognizing the need for more front end work will go a long way in reducing project frustrations.

Update: I fixed a typo and would like to extend a welcome to the readers of Gary Mintchell's Feed Forward blog.


November 28, 2006 in Safety | Comments (0) | Trackback (0)

Maintaining Compliance of Hazardous Area Certified Equipment

by Jim Cahill

OK, you've done all the engineering, installation and commissioning and have field electrical and electronic equipment that is certified for the hazardous location in which it operates. In North America, this equipment has been tested and approved to appropriate codes and standards by OSHA-accredited NRTLs (Nationally Recognized Testing Laboratories) like FM Approvals, UL, CSA, and MetLabs to name a few. Other countries may have similar requirements through entities such as PTB of Germany, LCIE of France, KEMA of the Netherlands, and UC (formerly UCIEE) of Brazil.

So what about the certification if the equipment has been salvaged from a plant that has been shut down, and then refurbished, reconditioned, or remanufactured and resold? Or what about equipment that is resold as “new surplus” or after installed equipment has been repaired?

Bob Baker, a Safety Consultant to Emerson Process Management, presented with FM Approvals' Cheryl A. Gagliardi at the recent Mary Kay O'Connor Process Safety Center 2006 International Symposium. Their presentation, Maintaining Certification Compliance of Equipment Used in Hazardous (Classified) Locations, discusses what happens (or should happen) should a device be changed in some way, even unknowingly.

When ownership transfer occurs, as in the case of equipment that has been resold as new surplus or after being salvaged, refurbished, remanufactured, or reconditioned, there typically is no historical awareness of whether or not a device has ever been “changed” in any manner by the prior owner, resulting in potential non-compliance. Such a “change” could have been as simple as touching up the threads of an explosion-proof device’s galled terminal box housing or cover, or it could be the use of non-OEM parts, the accidental scratching of a flame path surface or damage to a flame arrestor, etc. These same types of issues could also occur during the repair of a device even though it may never leave an original owner’s site.

The FM Approval mark is a statement of conformity that a product is in compliance with defined standards at the time the product leaves the manufacturing and/or repair facilities audited and approved by FM Approvals. Once the equipment is placed into use, continued compliance with the applicable codes and standards becomes the responsibility of the process manufacturer, i.e. the end user.

FM Approvals listed its definition of repair as “work performed to the unit that would bring it back to its original condition approved by FM Approvals, with repair including refurbished, remanufactured, reconditioned, salvaged, and new surplus.” FM Approvals also presented that process manufacturers have several choices when making repairs on equipment with hazardous area approval certifications including:

  • Returning the equipment to an original equipment manufacturer (OEM) or any of its repair facilities that are approved and audited by FM Approvals. The OEM has the design control and knowledge of the FM Approvals certification requirements to return the equipment to its originally certified condition
  • Having the equipment repaired by a third party facility that is approved and audited by FM Approvals in accordance with its repair standard 3606:1998 – Repair Service for Process Control Equipment Used in Hazardous (Classified) Locations
  • Performing the repair in-house if the process manufacturer’s repair facility is similarly approved and audited by FM Approvals to its repair standard 3606.

FM Approvals recommended that its certification marks be removed from equipment that has become non-compliant because the repair work was done by a facility that is not audited and approved by FM Approvals. Since the burden is on the process manufacturer to show that the equipment is approved for the hazardous location in which it operates, the process manufacturer should insist on one of two outcomes:

  • The repair (of any of the types noted above) is done by a facility that is audited and approved by FM Approvals to recertify the equipment, and the facility proves it by submitting FM Approvals documentation to the end user that is specific to the brand and model
  • The FM Approvals certification mark is removed if the facility is not an FM Approved repair facility.

Removing the certification mark or the entire nameplate should help eliminate confusion about a device’s NRTL approval status, and reduce the chance of inadvertent installation into a hazardous location that requires an NRTL approved device.

Bob recommends that process manufacturers develop corporate policies and guidance directing inspection, engineering, maintenance, and procurement to ensure the installation of compliant devices for their intended hazardous locations. He also recommends that stringent supplier qualifications be established to prevent introduction or re-introduction of non-compliant equipment, and that identification and abatement processes be developed for potentially non-compliant equipment already installed.

In summary, it is important that industry understand that the purchase of products for use in hazardous locations, as defined by the National Electrical Code and OSHA, can give rise to product safety and regulatory compliance issues if the certification history of those products is unknown.

Ms Gagliardi and Mr. Baker will again be presenting this topic on Thursday, January 25, 2007 at the Texas A&M Instrumentation Symposium (Jan 23-25).


November 15, 2006 in Regulatory Compliance, Safety

The Final Control Element’s Role in the Safety Loop

by Jim Cahill

I used to be one of those who thought of the logic solver piece of a safety loop as being the "safety system." In reality it’s the sensors, logic solvers, and final control elements which make up the safety loop, or safety instrumented function (SIF) in safety-speak.

Tom Jeansonne, a regional sales manager in Emerson’s Valve Automation division, presents a paper at next week’s Emerson Exchange entitled Safety Instrumented Systems, The Role Of The Final Control Element. Tom sets the tone for the importance of the final control element in the safety loop. It exists for the purpose of taking the process to a "safe" state when predetermined conditions are violated.

The final control element, typically an actuated valve, normally remains energized in a fixed position for long periods of time. According to Offshore Reliability Data (OREDA), when failures do occur in the safety loop, they occur in the final control element 50-60% of the time. The key is to reduce the Probability of Failure on Demand (PFD) enough to meet the required safety integrity level (SIL). The standards IEC 61511 and ANSI/ISA S84 define this risk-based approach to safety.

Tom describes a way to reduce the PFD of final control elements through partial stroke testing. As the name implies, the actuator and valve are periodically moved through part of their travel to help ensure the valve will perform on demand. This testing increases the diagnostic coverage on the final control element while allowing normal process operations to continue. In turn this can extend the time between scheduled plant shutdowns, reducing operating costs and increasing efficiency while maintaining SIL ratings.
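The following is an added worked example, not code from the original post or from Emerson; it shows in numbers why partial stroke testing (PST) lowers PFDavg and can extend the full proof-test interval. It uses a simplified single-channel, low-demand model in which a fraction `c_pst` of the dangerous undetected failures is caught by a partial stroke test every `ti_pst_h` hours and the remainder only by the full proof test every `ti_full_h` hours; the failure rate, test intervals, and coverage are constructed illustration values, not OREDA or vendor data, and the SIL bands are the IEC 61511 low-demand PFDavg ranges.

```python
"""Effect of partial stroke testing on a final control element's PFDavg.

Added example (not from the original post). Assumptions, all mine:
  - One valve/actuator channel in low-demand mode with a constant dangerous
    undetected failure rate lambda_du (failures per hour).
  - A full proof test every ti_full_h hours reveals all dangerous undetected
    failures; a partial stroke test every ti_pst_h hours reveals the fraction
    c_pst of them.
  - Simplified average-PFD model (the usual lambda*T/2 approximation, split
    by test coverage):
        PFDavg ~= c_pst * lambda_du * ti_pst_h / 2
                + (1 - c_pst) * lambda_du * ti_full_h / 2
  - Low-demand SIL bands from IEC 61511: SIL 1 is 1e-2 <= PFDavg < 1e-1,
    SIL 2 is 1e-3 <= PFDavg < 1e-2, SIL 3 is 1e-4 <= PFDavg < 1e-3.
"""

HOURS_PER_YEAR = 8760.0


def pfd_avg(lambda_du, ti_full_h, ti_pst_h=None, c_pst=0.0):
    """Average probability of failure on demand for one final control element.

    With no partial stroke test (ti_pst_h is None or c_pst == 0) this reduces
    to the familiar lambda_du * TI / 2.
    """
    if lambda_du < 0 or ti_full_h <= 0:
        raise ValueError("lambda_du must be >= 0 and ti_full_h > 0")
    if not 0.0 <= c_pst < 1.0:
        raise ValueError("c_pst must be in [0, 1)")
    if ti_pst_h is None or c_pst == 0.0:
        return lambda_du * ti_full_h / 2.0
    if ti_pst_h <= 0 or ti_pst_h > ti_full_h:
        raise ValueError("ti_pst_h must be > 0 and no longer than ti_full_h")
    covered = c_pst * lambda_du * ti_pst_h / 2.0
    uncovered = (1.0 - c_pst) * lambda_du * ti_full_h / 2.0
    return covered + uncovered


def sil_band(pfd):
    """Map a low-demand PFDavg to its SIL band (0 means below SIL 1)."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4


def max_full_test_interval(lambda_du, target_pfd, ti_pst_h=None, c_pst=0.0):
    """Longest full proof-test interval (hours) that keeps PFDavg below target_pfd.

    Solves the PFDavg formula above for ti_full_h. This is the quantity that
    drives how far a scheduled shutdown can be pushed out.
    """
    if target_pfd <= 0 or lambda_du <= 0:
        raise ValueError("target_pfd and lambda_du must be > 0")
    if ti_pst_h is None or c_pst == 0.0:
        return 2.0 * target_pfd / lambda_du
    residual = target_pfd - c_pst * lambda_du * ti_pst_h / 2.0
    if residual <= 0:
        raise ValueError("partial stroke test alone already exceeds target_pfd")
    return 2.0 * residual / ((1.0 - c_pst) * lambda_du)


def compare_pst(lambda_du, ti_full_h, ti_pst_h, c_pst, target_pfd):
    """Return (pfd without PST, pfd with PST, max full interval without, with)."""
    return (
        pfd_avg(lambda_du, ti_full_h),
        pfd_avg(lambda_du, ti_full_h, ti_pst_h, c_pst),
        max_full_test_interval(lambda_du, target_pfd),
        max_full_test_interval(lambda_du, target_pfd, ti_pst_h, c_pst),
    )


if __name__ == "__main__":
    # Constructed illustration values (not OREDA or vendor figures).
    lam = 2e-6                       # dangerous undetected failures per hour
    full = 3 * HOURS_PER_YEAR        # full proof test at a 3-year turnaround
    pst = 730.0                      # partial stroke test roughly monthly
    cov = 0.7                        # fraction of lambda_du caught by the PST
    no_pst, with_pst, no_pst_ti, with_pst_ti = compare_pst(lam, full, pst, cov, 1e-2)
    print(f"PFDavg without PST: {no_pst:.4e} (SIL {sil_band(no_pst)})")
    print(f"PFDavg with PST:    {with_pst:.4e} (SIL {sil_band(with_pst)})")
    print(f"Max full-test interval for PFDavg < 1e-2: "
          f"{no_pst_ti / HOURS_PER_YEAR:.2f} y without PST, "
          f"{with_pst_ti / HOURS_PER_YEAR:.2f} y with PST")
```

With the constructed numbers the valve sits in the SIL 1 band on a 3-year proof-test cycle, and monthly partial stroking with 70% coverage brings it into the SIL 2 band; equivalently, holding a SIL 2 target, the full proof test can be stretched from about 1.1 years to about 3.6 years. The real coverage figure comes from the valve's failure mode analysis, not from an assumed 70%, and failures that only a full stroke reveals (such as a seat that will not seal) keep the full proof test on the schedule.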

With digital controllers like the Fisher Fieldvue DVC6000 and smart logic solvers like the DeltaV SIS system, these partial stroke tests can be automatically performed and data compared and retained. These tests can identify issues like broken valve stems, torque degradation, stick slip, friction degradation, and pneumatic path leakages. Any anomalies can be sent to the operations and maintenance staff as valve stuck alerts, travel/pressure/deviation alerts, and supply pressure alerts. These diagnostics help identify any issues before the final control element is requested by the logic solver to take the process to a safe state.

Tom sums up his presentation with how the Valve Automation group has packaged the DVC6000 with several different types of Bettis, FieldQ, Hytork, and El-O-Matic actuators, and solenoids into a SIL-PAC TÜV and Exida-certified final control element solution.


September 27, 2006 in Safety

Achieving IEC 61511 Safety Compliance with a Little Help

by Jim Cahill

The international safety standard IEC 61511 (adopted in the U.S. as ANSI/ISA S84) provides process manufacturers a risk-based approach to safety in their plants.

Many organizations including Emerson are providing training and project execution services to assist these manufacturers in better understanding and complying with this standard. I’ve mentioned some of the training courses in an earlier safety engineering training post.

Obviously it takes people experienced in process safety to develop this training and execute safety projects. I had the opportunity to catch up with Bob Gale, a certified SIS Consultant and SIS lead in our Refining and Chemical industry organization. He has over 30 years of process automation experience, 20 of these in process safety, and is nationally recognized for his work in the development of the American Institute of Chemical Engineers' (AIChE) chemical process safety practice guidelines.

Bob was also instrumental in helping the Refining and Chemical organization become part of Emerson's global effort to achieve TÜV certification in Functional Safety Management Systems in accordance with IEC 61511 for the management and control of safety instrumented system (SIS) applications.

Bob recently served as an SIS Consultant for a DeltaV SIS system used in an ultra low sulfur diesel plant application. In this capacity, he and the Emerson SIS project experts work with the manufacturer to verify the appropriate SIL levels and risk mitigation strategies of the safety instrumented system along with assis