Using Smart Field Devices to Improve Safety System Performance

This is an excerpt from the January/February 2014 issue of InTech magazine by Guillermo Pacanins, P.E., a certified TÜV Rheinland functional safety expert. To read the full article, please see the link at the bottom of this post.
Smart instrument installed in the field.

Any process plant that handles products, feedstock, or fuels that are the least bit hazardous (flammable, toxic, or otherwise environmentally dangerous) has safety concerns. Operating in compliance with regulations and standards is a way of life for oil, gas, petrochemical, biofuel, and many commodity chemical producers. But beyond compliance, companies want and need to protect their people, equipment, and the surrounding environment.

Applicable standards include ANSI/ISA-84.00.01-2004 Parts 1-3 (IEC 61511 Mod) and IEC 61508, along with facility-recognized best procedures and practices. Compliance with these standards ensures that the plant is not simply within the letter of the law; it helps the plant operate with minimal potential for incidents and injuries.

Undertaking this effort begins with plant hazard and operability studies and the layer of protection analysis (LOPA) methodology. Some situations may call for a quantitative risk analysis, as provided by the Center for Chemical Process Safety and indicated by ANSI/ISA-84.00.01-2004 Part 3, Appendix F.

Performing a LOPA helps identify which hazards require safety instrumented functions (SIFs) and the required probability of failure on demand for each, so that the risk is lowered to a tolerable level. Performing a LOPA is a main step toward ensuring that requirements under ANSI/ISA-84.00.01-2004 Parts 1-3 (IEC 61511 Mod) are met.

Once the safety instrumented system (SIS) is designed and implemented according to the safety requirement specification, its operation must be maintained and monitored to ensure integrity of the SIF, and to ensure ongoing compliance with standards. Any changes to the hardware, such as new equipment, new field devices, different products, or different specified operations and processes, must be taken into account using a management of change procedure. Any malfunctions or other process issues must also be accounted for, typically by proof testing and monitoring the SIS along with its associated field devices, such as sensors, instruments, valves, and logic solvers.

Real-time safety monitoring software improves the integrity of process safety systems and ensures compliance and safe operation. Companies can enhance the results generated by the software with the information supplied by SISs, plant automation systems, and their associated smart field devices. All these systems and their associated components must be maintained, a task that can be eased by using smart field devices.

Safety systems need maintenance too

In a process plant that runs well, the safety system can fade into the background, because it has a low daily demand rate. Nonetheless, field devices connected to an SIS still need maintenance. Many plant accidents have been caused by a neglected safety system field device not working properly when called upon in an emergency.

The reality of thinly staffed process plants is that the operations and maintenance professionals charged with this time-consuming and complex task also have to watch over the other plant assets that support regular production. They are responsible for availability, productivity, and so on. Since the SIS does not affect these areas under normal circumstances, it can become a secondary concern, or slide even further down the list of priorities.

To make matters worse, field devices that are part of the SIS do not always employ the latest technologies. They often do not have the capability to provide information to the main plant automation system, an asset management platform, a computerized maintenance management system, or other related systems. There may be no alternative to sending an individual to a given field device and inspecting it where it is installed, a task that is often postponed.

All SISs depend on field devices for their information, many of which are discrete (on/off), plain 4-20 mA analog, 24 VDC, or some other analog signal type. Each device provides its primary variable and nothing more. This does not have to be the case, because smart field devices can produce extensive diagnostic and other information.

Many field sensors, instruments, and valve actuator positioners installed in the past 10 or even 15 years have some diagnostic capability built in. In other cases, dumb field devices can be upgraded to smart ones, either through retrofit or replacement. In either case, an SIS that is capable of gathering more diagnostic information from each field device greatly improves the quality of data available from these systems, and ultimately makes life easier for the process automation professionals responsible for the SIS.

However, even if all needed data is available, users must still make sense of the information. Volumes of raw diagnostic data must be transformed into useful information that guides maintenance efforts and promotes correct operation of the SIS and other related systems. This is not an easy task, as the relatively small number of plants that operate effective asset management programs indicates. Still, there is a way to improve safety system operation without unduly burdening plant personnel, and it starts with smart field devices.

To read the full article on improving safety system performance, click here.

About the Author
Guillermo PacaninsGuillermo Pacanins, P.E., holds a B.Sc. in electrical engineering. He is a certified TÜV Rheinland functional safety expert and has more than 27 years of experience with process controls and functional safety in process industries. He serves as a system designer, workshop presenter, and trainer for ACM Facility Safety, where he holds the title of safety lifecycle leader/educator.

Understanding Safety Life Cycles

This is an excerpt from the January/February 2013 InTech by Kristen Barbour. To read the full article, please see the link at the bottom of this post.

The international standard IEC/EN 61508 has been widely accepted as the basis for the specification, design, and operation of safety instrumented systems (SIS). In general, IEC/EN 61508 uses a formulation based on risk assessment: An assessment of the risk is undertaken and, on the basis of this assessment, the necessary safety integrity level (SIL) is determined for components and systems with safety functions. SIL-evaluated components and systems are intended to reduce the risk associated with a device to a justifiable level or “tolerable risk.”

When considering safety in the process industry, there are several relevant national, industry, and company safety standards used when determining and applying safety within a process plant.

  • IEC/EN 61508 (product manufacturer)
  • IEC/EN 61511 (user)
  • ISA-84.01 (USA) (user)

These standards need to be implemented by the process owners and operators with the relevant health, energy, waste, machinery, and other directives. These standards, which include terms and concepts that are well-known to specialists in the safety industry, may be unfamiliar to the general user in the process industries.

Essentially, the standards give the framework and direction for the application of the overall safety life cycle (SLC), covering all aspects of safety, including conception, design, implementation, installation, commissioning, validation, maintenance, and decommissioning.

The standard IEC/EN 61508 deals specifically with functional safety relating to electrical, electronic, and programmable electronic safety-related systems (E/E/PES). Manufacturers of process instrumentation interface equipment develop and validate devices following the demands of IEC/EN 61508 and provide the relevant information to enable the use of these devices by others within their SIS.

To implement their strategies within these overall safety requirements, plant operators and designers of safety systems follow the directives of IEC/EN 61511, utilizing equipment developed and validated according to IEC/EN 61508 to achieve their defined SIS.

Within the SLC, the various phases or steps may involve different personnel, groups, or even companies to carry out the specific tasks. For example, the steps can be grouped together and the various responsibilities understood as identified below.

Analytical measures

The first five steps can be considered as an analytical group of activities and would be carried out by the plant owner/end user, probably working together with expert consultants:

  • Concept
  • Overall scope definition
  • Hazard and risk analysis
  • Overall safety requirements
  • Safety requirements allocation

The outputs of these definitions and requirements are considered the inputs to the next stages of activity.

Implementation measures

The implementation group comprises the next eight steps and would be conducted by the end user together with chosen contractors and equipment suppliers.

  1. Operation and maintenance planning
  2. Validation planning
  3. Installation and commissioning planning
  4. Safety-related systems: E/E/PES implementation
  5. Safety-related systems: other technology implementation
  6. External risk reduction facilities implementation
  7. Overall installation and commissioning
  8. Overall safety validation

It must be noted that while each of these steps has a simple title, the work involved in carrying out the tasks can be complex and time-consuming.

Process operation

The third group is essentially one of operating the process with its safeguards and involves the final three steps. These steps are normally carried out by the plant end user and contractors:

  • Overall operation and maintenance
  • Overall modification and retrofit
  • De-commissioning

Within the overall SLC, we are particularly interested in considering Step 4 of the implementation phase in greater detail. This step deals with the aspects of any electrical/electronic/programmable electronic systems.

Two groups, or types, of subsystems are considered within the functional safety standards:

  • The equipment under control (EUC) carries out the required manufacturing or process activity
  • The control and protection systems implement the safety functions necessary to ensure that the EUC is suitably safe

Fundamentally, the goal here is the achievement or maintenance of a safe state for the EUC. You can think of the “control system” causing a desired EUC operation and the “protection system” responding to an undesired EUC operation.

To read the full article on safety life cycles, click here.

About the Author
Kristen Barbour, product marketing manager for Pepperl+Fuchs of Twinsburg, Ohio, has worked in the technology field for 14 years, specializing in industrial automation. She holds a bachelor’s degree in education from the University of Toledo.

Are users reaping the benefits of partial stroke valve testing?

This guest post is authored by Paul Gruhn, global process safety consultant with Rockwell Automation, ISA author and a recognized authority on ISA 84.

Achieving Safety Integrity Level (SIL) 2 with non-redundant field devices is possible, but not always easy. The key is diagnostics. There are a variety of sensors that are certified for use in SIL 2, and there are many logic solvers certified for use in SIL 2 and 3. The difficulty is usually with the valves: The primary concern with most valves is that they may be stuck. The way to detect such problems is by partially stroking the valve, and there are more than a dozen vendors with different solutions.

The Benefit

There are two potential benefits of partial stroking of valves:

  1. Achieving SIL 2 with a single valve with partial stroking is much less expensive – and takes less space – than installing two standard valves.
  2. Achieving SIL 1 with extended test intervals (greater than one year) is possible.

The Methods

Methods for partial stroking can be classified as either manual or automatic. Manual methods usually involve a mechanical device that limits valve travel to approximately 10-15 percent. These devices are often called jammers and are usually used on quarter-turn valves. The potential drawback of these devices is that the partial stroking will probably not be done at intervals frequent enough to reap a benefit. Modeling shows that partial stroking needs to be done at intervals of less than three months to provide any real improvement in performance. Automated methods may either be manually initiated (e.g., from the control system operator interface), or initiated by the control or safety system without any operator intervention. This will allow the frequency of tests to be often enough to provide an actual benefit (e.g., typically between weekly and monthly).
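The two benefits and the interval question above can be put in numbers with the usual simplified low-demand PFDavg approximation for a single (1oo1) valve. The following is an added example, not code from the post or from any vendor's tool; the failure rate (5e-6 per hour), the partial-stroke coverage (0.8) and the test intervals it uses are constructed values for illustration, not data for any particular valve.

```python
"""1oo1 final-element PFDavg with partial stroke testing (PST).

Added example, not from the original post. It applies the common simplified
low-demand approximation for a single valve:

    PFDavg ~= C * lambda_DU * T_pst / 2 + (1 - C) * lambda_DU * T_proof / 2

C is the fraction of dangerous undetected (DU) failures a partial stroke can
reveal, T_pst the partial-stroke interval and T_proof the full proof-test
interval. Rates and coverage below are constructed illustration values.
"""

HOURS_PER_YEAR = 8760.0

# Low-demand SIL bands (IEC 61508 / IEC 61511): (SIL, PFDavg lower bound, upper bound).
SIL_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))


def pfd_avg_1oo1(lambda_du: float, t_proof_years: float,
                 pst_coverage: float = 0.0, t_pst_years: float = 0.0) -> float:
    """Average PFD of a single (1oo1) valve.

    lambda_du      DU failure rate, per hour
    t_proof_years  full proof-test interval, years
    pst_coverage   fraction of DU failures a partial stroke reveals (0..1)
    t_pst_years    partial-stroke interval, years (0 means no PST)
    """
    if not 0.0 <= pst_coverage <= 1.0:
        raise ValueError("pst_coverage must be between 0 and 1")
    if t_pst_years > t_proof_years:
        raise ValueError("partial strokes must be at least as frequent as proof tests")
    t_proof_h = t_proof_years * HOURS_PER_YEAR
    if pst_coverage == 0.0 or t_pst_years == 0.0:
        return lambda_du * t_proof_h / 2.0
    t_pst_h = t_pst_years * HOURS_PER_YEAR
    # Failures the partial stroke can reveal stay hidden only until the next
    # stroke; the remainder stay hidden until the next full proof test.
    return (pst_coverage * lambda_du * t_pst_h / 2.0
            + (1.0 - pst_coverage) * lambda_du * t_proof_h / 2.0)


def sil_from_pfd(pfd: float) -> int:
    """Highest SIL whose PFDavg band contains this value; 0 if worse than SIL 1."""
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return 0


def pst_interval_sweep(lambda_du, t_proof_years, pst_coverage, intervals_months):
    """(PST interval in months, PFDavg, SIL) for each candidate interval; 0 = no PST."""
    rows = []
    for months in intervals_months:
        pfd = pfd_avg_1oo1(lambda_du, t_proof_years, pst_coverage, months / 12.0)
        rows.append((months, pfd, sil_from_pfd(pfd)))
    return rows


if __name__ == "__main__":
    LAMBDA_DU = 5e-6   # constructed: 5 dangerous undetected failures per 1e6 hours
    COVERAGE = 0.8     # constructed: share of stuck-valve failures a partial stroke reveals
    print("Benefit 1: single valve, 1-year proof test")
    for months, pfd, sil in pst_interval_sweep(LAMBDA_DU, 1.0, COVERAGE, (0, 12, 6, 3, 1)):
        label = "no PST" if months == 0 else f"PST every {months:2d} mo"
        print(f"  {label:18s} PFDavg={pfd:.2e}  SIL {sil}")
    print("Benefit 2: proof test extended to 5 years")
    for months, pfd, sil in pst_interval_sweep(LAMBDA_DU, 5.0, COVERAGE, (0, 1)):
        label = "no PST" if months == 0 else f"PST every {months:2d} mo"
        print(f"  {label:18s} PFDavg={pfd:.2e}  SIL {sil}")
```

With these constructed values a semi-annual partial stroke leaves the valve in SIL 1, quarterly or monthly strokes bring it into SIL 2, and monthly strokes keep a 5-year proof-test interval within SIL 1, which is the pattern the post describes.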

The Problems

However, there are a variety of problems that are simply not being publicized (for fairly obvious reasons). In some cases the solution was installed, but operations had no faith in the system due to fears that the valve might close completely and stop production. In other cases, the diagnostics reported false alarms, the user lost confidence, and the system was turned off. In still others, the system generated more information than people could interpret and the system was turned off.

If partial stroking was designed and installed, it was for one of the two reasons listed above. Yet if the functionality is never or no longer used, the safety functions will not meet the required performance. This represents a serious shortcoming.

My review of discussions at various industry forums (symposia and online) suggests that vendors can quickly identify the benefits of their systems, yet users seem hesitant to report any truly positive results. Perhaps it’s simply that users don’t want to admit what might be viewed as a technical advantage to their competitors.

What’s Your Experience?

Have you found partial stroking to be effective? Is the partial stroking being performed frequently enough (more often than quarterly)? What did you need to do to make sure the design was accepted by others within your organization?

About the Author
Paul Gruhn is a global process safety consultant at Rockwell Automation in Houston, Tex. Paul is an ISA Fellow, a member of the ISA 84 and 101 standards committees, a developer and instructor of ISA courses on safety systems, and the primary author of the ISA textbook Safety Instrumented Systems: Design, Analysis, and Justification. Paul is developer of the first commercial safety system modeling software. He earned a bachelor’s degree in mechanical engineering from the Illinois Institute of Technology and is a licensed professional engineer in Texas.

Alarm Floods and Their Connection to Plant Incidents

This is an abstract that will be presented at ISA Automation Week 2012 in Orlando, Florida. Click HERE for information on ISA Automation Week 2012.

This session is in the Safety/Environmental Performance Track (Safety Systems: Solving Today’s Toughest Applications).

Presented By:

Mr. Dustin Beebe, ProSys
Mr. Steve Ferrer, ProSys
Mr. Darwin Logerot, ProSys

Investigations of many catastrophic plant events have shown alarm flooding to have been a significant distraction for the operators just prior to the incident. This connection was discovered and published over 12 years ago. Recent investigations performed by the U.S. Chemical Safety and Hazard Investigation Board (CSB) have noticed a similar connection between alarm floods and incidents. In fact, many of the more recent findings by the CSB include alarm management as one of the key issues in the investigative reports.

Even after several years of trying, many plants still struggle with controlling alarm floods. Many also have problems generating consistent and accurate alarm metric reports for the entire plant. Now that the ISA 18.2 Alarm Performance Metrics are published and likely considered “generally accepted good engineering practices,” we should make haste to demonstrate where each of our plants falls (particularly the PSM plants) versus these metrics before the regulating authority moves in this area. If we are not able to prove we meet the metrics (particularly for alarm flooding) under all operating conditions, we should remediate.

Static rationalization can reduce your average number of alarms, but without controlling the alarm floods, there is no help for the operator when he needs it the most. For most, we must begin the process by recognizing that alarm floods occur most of all during a change of process state.

The means of controlling alarm floods has been available to us for many years. Unfortunately, only a select few have implemented the solution and are achieving the desired results today. These plants have achieved performance equal to or better than the ISA 18.2 metrics since before the standard was published.

This session will cover the justification for true alarm management from the safety and economic perspective with several practical steps that everyone should take if they are not currently meeting the ISA 18.2 specifications during all operating conditions.
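Proving that a plant meets the flood metric under all operating conditions means running the metric over the alarm journal rather than looking at the average rate. The following is an added example, not code from the abstract or from ProSys: it applies the commonly cited ISA-18.2 flood thresholds (a flood starts when a 10-minute window holds more than 10 alarms and ends when it holds fewer than 5) to a constructed alarm journal whose only flood coincides with a change of process state, as the abstract describes; the thresholds are assumed constants and the journal is synthetic.

```python
"""Alarm-flood detection over an alarm journal (added example, not from the abstract).

Flood thresholds are the commonly cited ISA-18.2 values, kept as assumed
constants; the journal is constructed, not plant data.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
FLOOD_START = 10   # flood begins when a 10-minute window holds MORE than this many alarms
FLOOD_END = 5      # flood ends when the window holds FEWER than this many
TICK = timedelta(minutes=1)


def build_journal() -> list[str]:
    """Constructed journal lines 'ISO-timestamp,tag,priority'. Not real plant data."""
    base = datetime(2012, 9, 24, 6, 0, 0)
    lines = []
    # Steady state: one nuisance alarm every 8 minutes for about two hours.
    for i in range(15):
        ts = base + timedelta(minutes=8 * i)
        lines.append(f"{ts.isoformat()},FIC-101,LOW")
    # Change of process state at 07:00 (constructed compressor trip):
    # 25 consequential alarms arrive 12 seconds apart, all within five minutes.
    trip = base + timedelta(hours=1)
    for i in range(25):
        ts = trip + timedelta(seconds=12 * i)
        lines.append(f"{ts.isoformat()},K-201-{i:02d},HIGH")
    return sorted(lines)


def parse_times(lines: list[str]) -> list[datetime]:
    """Alarm timestamps in chronological order."""
    return sorted(datetime.fromisoformat(line.split(",", 1)[0]) for line in lines)


def alarms_in_window(times: list[datetime], end: datetime) -> int:
    """Number of alarms with timestamp in (end - WINDOW, end]."""
    return sum(1 for t in times if end - WINDOW < t <= end)


def peak_rate(times: list[datetime]) -> int:
    """Highest trailing-window count; a trailing window peaks at an alarm's arrival."""
    return max((alarms_in_window(times, t) for t in times), default=0)


def flood_periods(times: list[datetime]) -> list[tuple[datetime, datetime]]:
    """Walk the journal in 1-minute ticks and apply the start/end hysteresis."""
    if not times:
        return []
    floods, in_flood, start = [], False, None
    tick, last = times[0], times[-1] + WINDOW
    while tick <= last:
        n = alarms_in_window(times, tick)
        if not in_flood and n > FLOOD_START:
            in_flood, start = True, tick
        elif in_flood and n < FLOOD_END:
            floods.append((start, tick))
            in_flood = False
        tick += TICK
    if in_flood:                       # journal ends while still in flood
        floods.append((start, last))
    return floods


def percent_time_in_flood(times: list[datetime], floods) -> float:
    """Share of the journal span spent in flood (ISA-18.2 target: below about 1%)."""
    span = (times[-1] + WINDOW) - times[0]
    flooded = sum((end - start for start, end in floods), timedelta())
    return 100.0 * flooded / span


if __name__ == "__main__":
    times = parse_times(build_journal())
    floods = flood_periods(times)
    print(f"alarms: {len(times)}, peak: {peak_rate(times)} per 10 min")
    for start, end in floods:
        print(f"flood {start:%H:%M} to {end:%H:%M} ({(end - start).seconds // 60} min)")
    print(f"time in flood: {percent_time_in_flood(times, floods):.1f}%")
```

The average rate over the two-hour journal is well under the flood threshold, yet the rolling metric flags a 13-minute flood starting two minutes after the trip, which is exactly the condition static rationalization cannot remove.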

Design of Emergency Steam Load Shedding System Using Dynamic Simulation

This is an abstract that will be presented at ISA Automation Week 2012 in Orlando, Florida. Click HERE for information on ISA Automation Week 2012.

This session is in the Safety/Environmental Performance Track (Safety Systems: Solving Today’s Toughest Applications).

Presented By:

Mr. Abhilash Nair, Invensys Operations Management
Mr. Obaid M Al-Swailmy, Saudi Kayan Petrochemical Company
Mr. Anil Kewalramani, Saudi Kayan Petrochemical Company
Mr. Tariq Khan, Invensys Operations Management

Saudi Kayan Petrochemical Company (SK), an affiliate of Saudi Basic Industries Corp. (SABIC), is implementing an automated Emergency Steam Load Shedding System (ESLSS) in their integrated petrochemical facility at Al-Jubail, Saudi Arabia. The facility is expected to have an annual production capacity exceeding 4 million metric tons of petrochemical and specialty chemical products. The goal of the ESLSS is to establish plant-wide steam system capability by maintaining all plants in the complex in safe operating conditions and providing stability to the different steam header pressure levels following unplanned events in the complex’s steam system, such as loss of major steam producers. The normal regulatory controls in the process are generally not adequate to handle such major upsets and could potentially lead to undesirable end results. The ESLSS is a program with a set of control logics over and above the regulatory process controls that will initiate feed-forward control signals in the event of certain upsets.

Understanding the behavior of the steam system following such upsets is critical to developing a strategy to control it. The steam system is typically a large network of piping with multiple pressure levels running throughout the complex with various regulatory control points scattered across. The response of such a large and integrated system to process upsets is a very complex flow, mass and energy balance problem which is compounded by the dynamics of regulatory process controls interacting with the process.

Dynamic simulation is the best available tool to evaluate such systems and their response to process upsets, including the effect of regulatory process control and any process design limitations. This sort of understanding of the process response enables engineers to design and test appropriate control strategies to mitigate the undesirable effects of an upset, which may include loss of the entire steam system and trips of critical units and equipment leading to excessive flaring and loss of production.

Invensys, an industry leader in Dynamic Process Simulation, was approached to help perform a dynamic simulation study of the facility’s steam system. Invensys developed the dynamic simulation model for the integrated petrochemical complex’s Steam system using their proprietary dynamic simulation modeling product – Dynsim. The model was then used to study various upset scenarios on the complex’s steam system to evaluate the system response and then to identify, test and recommend suitable mitigating operating and control strategies.

Implementation of the ESLSS is expected to benefit Saudi Kayan significantly in enforcing safe and reliable operation of the facility and in minimizing operating/capital losses during plant steam upset conditions. One of the deliverables from the study was a detailed report analyzing the transient behavior of the system and listing the mitigating actions to be taken for different steam crisis scenarios. Control system and instrumentation engineers subsequently used the recommendations from the study to implement the ESLSS logic in the actual control system. The ESLSS designed through the dynamic simulation study is hence expected to immensely enhance the safety, reliability, and flexibility of operation of the Saudi Kayan plants.

Improve Reliability with Essential Asset Monitoring

This is an excerpt from the May/June 2012 issue of InTech magazine and written by Nikki Bishop of Emerson.

Improvements in plant reliability reduce risk of catastrophic events, lower maintenance cost.

Selecting the right asset monitoring strategy is a balancing act between implementation cost and expected reliability. Reactive maintenance represents the most costly and least reliable maintenance program. For example, some essential assets may have a spare as part of a reactive maintenance program. A common practice is to run equipment to failure and then switch to the spare when needed. But it may not be possible to bring the spare online in time to avoid process disturbances or a shutdown. Even with the spare asset online, maintenance personnel are faced with repairing the failed asset. For equipment without a spare, shutdowns are necessary to repair failed assets. On average, repair cost for a failed asset is typically 50 percent higher than if the problem had been addressed prior to failure.

Alternatively, some sites employ a preventive maintenance program that calls for schedule-based asset servicing, whether maintenance is necessary or not. While this approach may offer greater reliability than a run-to-failure method, it has its own drawbacks. Valuable time and resources are wasted servicing assets that may not require repair. The personnel busy unnecessarily servicing assets could easily be doing other productive work instead. And if the assets being serviced do not have a spare, the process is unnecessarily disrupted, costing valuable production time.

Benefits of essential asset monitoring

Downtime of essential assets causes process slowdowns or shutdowns, which lead to lost production and, ultimately, decreased profit. An automated monitoring program reduces unplanned shutdowns or slowdowns, providing the highest reliability and lowest maintenance costs. Wireless technology, coupled with pre-engineered integrated solutions, breaks through cost barriers to provide an easy and cost-effective means of essential asset monitoring.

Online monitoring of essential assets:

  • detects abnormal operation or imminent failure
  • provides online information to predict and plan maintenance for normal wear and tear of assets
  • provides operators with direct feedback when the process conditions are harmful to plant equipment
  • delivers diagnostics, as well as equipment and process health alerts
  • enables timely corrective actions to keep a facility online

Click here to read the full article at InTech magazine.
