smartplant instrumentation and ansi/isa-84.00.01 …spi-ltuf.org/20140211/4...

© 2013 Fluor. All Rights Reserved. SmartPlant Instrumentation and ANSI/ISA-84.00.01-2004 SIS Fluor’s SmartPlant Implementation Initiative By: John Dressel


Post on 07-May-2018


Page 1: SmartPlant Instrumentation and ANSI/ISA-84.00.01 …spi-ltuf.org/20140211/4 ANSI-ISA-84-2004.pdfFunctional SIS Standards ISA S84 committee adopted the IEC 61511-1 Mod standard in 2004

© 2013 Fluor. All Rights Reserved.

SmartPlant Instrumentation and ANSI/ISA-84.00.01-2004 SIS Fluor’s SmartPlant Implementation Initiative

By: John Dressel

Page 2

Engineering Automation Practices

♦ Fluor uses SmartPlant Instrumentation (SPI) to automate the Engineering, Procurement and Construction activities as applied to Petrochemical Projects

♦ The deliverables from SPI are also used by Owner Operators for Operations and Maintenance of the Plant Control Systems and Instrument Networks

Presentation Notes:
Most engineering companies have been using Computer Aided Engineering tools to document the Design, Engineering, Procurement and Construction of Petrochemical facilities for several years. Recently the data captured by the Computer Aided Engineering tools during Engineering is being delivered to the Owner Operators as tools for the life cycle operation and maintenance of the plants.

Page 3

Computer Automated Engineering

♦ SPI is well suited to document the Basic Process Control Systems (BPCS) but is also used to document other Instrument networks such as Safety Instrumented Systems (SIS)

♦ When developing SIS using SPI, compliance with certain U.S. and International Practices, Standards and Certifications must be assured

Presentation Notes:
As a result, the Computer Aided Engineering tools are being used to contain and maintain data associated with the BPCS and all of the operational and safety systems within a plant. This is especially true for Plant Process and Control Systems including safety and shutdown systems. When developing or maintaining safety system data, certain international standards and certifications apply.

Page 4

Functional Safety Standards

♦ U.S. Companies must adhere to OSHA 1910.119 for Process Safety Management (PSM)

♦ ISA S84 committee created the ISA 84.01-1996 standard to supplement PSM for Instrumentation

♦ Lacking an International standard for Safety

– The International Electrotechnical Commission (IEC) developed IEC 61511 in 1998 defining Safety Instrumented Systems

Presentation Notes:
In the United States, many companies must adhere to OSHA 1910.119, Process Safety Management (PSM) for Highly Hazardous Chemicals. The ISA SP84 committee created the ISA 84.01-1996 standard to supplement PSM in the areas related to the implementation of instrumentation and controls necessary for safe operation. Rather than repeating PSM mandates, the standard references OSHA 1910 for some key PSM program elements. Specifically, ISA 84.01-1996 does not cover safety management, hazard analysis, pre-start-up safety review, or training. Many other countries do not have a regulation similar to OSHA 1910. Therefore, IEC 61511 includes specific requirements in the areas of safety management, hazard analysis, pre-start-up safety review, and training.

Page 5

Functional SIS Standards

♦ ISA S84 committee adopted the IEC 61511-1 Mod standard in 2004 creating ANSI/ISA-84.00.01-2004

♦ This ISA standard was more comprehensive and covered the complete management of SIS

– These standards called for Safety Instrumented Systems to be designed to automatically respond to potentially dangerous process conditions and take preprogrammed action to mitigate or avoid a dangerous condition

Presentation Notes:
In 1998 the International Electrotechnical Commission (IEC) developed IEC 61511 - "Functional safety instrumented systems for the process industry sector". Six years later, the ISA S84 committee adopted the IEC 61511 standard for use in the United States and created the ANSI/ISA 84.00.01-2004 or ISA 84.01/IEC 61511. These standards called for Safety Instrumented Systems to be designed to automatically respond to potentially dangerous process conditions and take preprogrammed action to mitigate or avoid a dangerous condition.

Page 6

Functional SIS Standards

– Provides a framework for establishing Safety Integrity Levels (SIL) and hardware fault tolerances

– Defines the preparation of information and procedures concerning software needed by the user for the operation and maintenance of the SIS

– The safety-related portion of the Plant Control Systems configuration must remain in place for the lifecycle of the plant including decommissioning

Presentation Notes:
In addition, the safety-related portion of the Plant Control Systems configuration must remain in place for the lifecycle of the plant and should be separated from the non-safety-related portion of the configuration. By definition, if the Instrument Automation System is used as the primary maintenance data repository, then the SIS maintenance data must be kept there also. The SIS must also be maintained for the complete lifecycle of the process.

Page 7

Functional SIS Standards

– Defines the selection of SIS hardware by “Proven in use” or “Compliance with IEC 61508”

– Defines procedures to be used for uniquely identifying all constituent parts of a SIS (hardware and software). See ANSI/ISA-5.1-2009

– Requires the SIS system be composed of a separate and independent combination of sensors, logic solvers, final elements, and support systems

Presentation Notes:
Requires the SIS system be composed of a separate and independent combination of sensors, logic solvers, final elements, and support systems and selection of SIS hardware by “Proven in use” or “Compliance with IEC 61508”. A procedure must be in place for uniquely identifying all constituent parts of an SIS (hardware and software).

Page 8

SIS Identification Standard

♦ ANSI/ISA-5.1-2009 Instrument Symbols & Identification

– Variable Modifier safety [S] shall not be used to identify Safety Instrumented Systems and Components (e.g. PSV-)

– Variable Modifier [Z] is used to identify the components of Safety Instrumented Systems (e.g. PZV-)

– ‘Diamond-in-square’ will depict either (a) alternate control system choice or (b) Safety Instrumented System (SIS)

Presentation Notes:
The ANSI/ISA-5.1-2009 Standard defined symbology that should be used on P&IDs to depict SIS system elements. Diamond-in-square will depict either an alternate control system choice or a Safety Instrumented System (SIS). Variable Modifier safety [S], used to identify Relief Valves as Safety devices, shall not be used to identify Safety Instrumented Systems and Components as PSVs. Variable Modifier [Z] was added in the ANSI/ISA-5.1-2009 Standard to identify the components of Safety Instrumented Systems, as in PZV- for a SIS Pressure Valve or TZSH- to identify a Temperature Switch High.

Page 9

Manufacturers' Standards for SIS

♦ IEC 61508 defines a set of standards for “Functional safety of Electrical, Electronic and Programmable Electronic (E/E/PE) safety-related systems”

1. General Requirements
2. Equipment Compliance
3. Software Compliance
4. SIL Definitions
5. SIL Examples
6. Guidelines
7. Overview

Presentation Notes:
The Equipment Compliance portion of ISA 84.01/IEC 61511 was further defined by IEC 61508 published in 2005. IEC 61508 defines a set of standards for “Functional safety of Electrical, Electronic and Programmable Electronic (E/E/PE) safety-related systems”. The IEC 61508 standard is divided into 7 parts with the primary function of establishing Safety Integrity Levels (SIL) that can be used to certify equipment for use in a safety system.

Page 10

Manufacturers' Standards for SIS

• Manufacturers switched from hard wired safety systems to safety PLCs and safety networks:

– Reduced Risk of Process Operator Error

– Heightened Flexibility of Configuration

– Lower Installed Equipment Costs

– Functional Safety Certification to ensure that the product includes sufficient Functional Safety protection according to the required Safety Integrity Levels (SIL)

Presentation Notes:
By complying with IEC 61508 and switching from hard wired safety products to internationally certified, automated safety solutions, manufacturers enjoyed lower costs, heightened flexibility, and reduced chances for operator error. Instrument Computer Automated Engineering Systems that were designed to document the Basic Plant Control Systems and Distributed Control Systems are now required to handle the unique data requirements of Safety Instrumented Systems.

Page 11

Computer Aided Engineering (CAE)

• “The safety-related portion of the Plant Control Systems configuration must remain in place for the lifecycle of the plant” ~ ANSI/ISA-84.00.01

• CAE Control Systems Data now exists throughout the lifecycle of the Plant

• Owner Operator Retention:

– Instrument Indexes

– Instrument Data Sheets

– Instrument Calibration Data

– Loop Wiring Drawings / Data

– Critical Alarm Lists

Presentation Notes:
As the Computer Aided Engineering Systems moved to the plant they became the repository for data associated with all control systems and are maintained for the lifecycle of the plant. Additional functionality has been added to most Computer Aided Engineering Systems to provide for plant operations and maintenance data.

Page 12

SIS fit to CAE and SPI

♦ ANSI/ISA-84.00.01-2004 created the need to document safety networks with CAE systems:

– Safety Interlock (or Instrumented) Systems (SIS)

– Burner Management Systems (BMS)

– Fire and Gas Systems (F&G)

– Shutdown Systems (ESD)

♦ Typical Documentation:

– Safety Device Indexes

– Safety Device Data Sheets

– Safety Device Calibration Data

– Safety Maintenance Data

Presentation Notes:
Because the ISA 84.01/IEC 61511 Standards for defining Safety Networks are fairly new, the industry is lagging behind in providing the special data fields required by safety DCS, PLC and wiring networks. Safety networks requiring documentation in Instrument Computer Aided Engineering Systems include Emergency Shutdown System (ESD), Burner Management Systems (BMS), Fire and Gas Systems (F&G) and Safety Interlock (or Instrumented) Systems (SIS).

Page 13

Basic Parts of a SIS

♦ Initiators - Primary Sensing Elements

♦ Logic Solver - Programmable Logic Controllers

♦ Actuators - Final Control Elements

• Each SIS part must have appropriate certification, testing and documentation to maintain the integrity of the safety network

Presentation Notes:
The primary parts of a Safety Instrumented System are the Initiators, the Logic Solvers and the Actuators. Each of these elements must be engineered per the appropriate standard, tested before and during implementation and maintained to assure the integrity of the safety network throughout the life cycle of the process.

Page 14

Reliability factors for SIS

• The most common areas of Failure (92%) are the Initiators and Actuators and their associated physical wiring systems

• The Initiators and Actuators are also the two areas where SPI interfaces with the SIS for Specification, Data Management, Wiring Documentation and Equipment Maintenance

Presentation Notes:
The two areas where Instrument Automation Systems interface with a Safety Instrumented System are the Initiators and the Actuators and their associated field wiring systems. Since safety devices are usually wired like other instruments, the primary function of the Computer Aided Engineering System is to maintain the integrity of the Safety Instrumented System by maintaining system separation and minimizing the points of failure in the wiring matrix.

Page 15

BPCS compared to SIS

• Typical SIS System Requirements

– Signals are connected to a dedicated Isolated PLC

– Multiple block and bleed Control Valve Configurations

– Partial stroke testing to Improve the Probability of Failure on Demand (PFD) thus increasing the SIL

– Discrete I/O vs. Analog (2oo3)

– Redundant I/O & Wiring (2oo3)

– Power supplied from redundant UPS sources or COPS (Critical Operations Power Systems)

Presentation Notes:
Because of the requirement for redundant inputs, multiple block and bleed valve configurations and partial stroke testing to maintain high SIL ratings for control valves, the number of I/O needed to perform a control function is higher. Signals to a Plant Control system are generally analog, connected to a Distributed Control System, while Safety Instrumented System signals are usually Discrete Inputs and Outputs connected to a dedicated Programmable Logic Controller. Programmable Logic Controller I/O points are usually powered by external redundant uninterruptible power supplies per ISA S84 or Critical Operations Power System if the facility is in a Designated Critical Operations Area (DCOA).

Page 16

SIS Index Data Requirements

♦ User Defined Fields and Tables for Safety Data

♦ Additional Index Data for SIS Systems:

– Unique Tag Identifiers for SIS Instrument Devices

– Instrument System Identifiers

– Power Requirements

– Code Requirements

– Maintenance Cycles

– Interlock Numbers

– SIS SIL Ratings

Note the “Z” Character in the Tag Number denoting SIS Tags per ANSI/ISA-5.1-2009

Presentation Notes:
Additional information may need to be added to the Index to identify information that is unique to the Safety Instrumented System. In most Instrument Automation Systems provisions for additional data fields can be made with “user defined fields” or “user defined tables”. Some typical data fields that can be added for Safety Instrumented Systems information are: SIL Ratings, Interlock Numbers and Maintenance Cycles. Special data fields can be further enhanced by the use of “user defined tables” or “pick lists”. The use of pick lists requires the users to select information from a list of pre-defined data entries, thus assuring data consistency.
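
The index rules from this slide and the SIS Identification Standard slide can be checked mechanically. The following is an added example, not part of the original presentation and not SmartPlant Instrumentation code: it audits exported index rows for the [Z]/[S] modifier rule, unique tags, pick-list SIL values and interlock numbers. The row field names, the tag pattern, the SIL pick list and the sample rows are all assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed tag shape for this example: function letters, hyphen, loop number.
TAG_RE = re.compile(r"^([A-Z]{2,5})-(\d+[A-Z]?)$")

# Assumed pick list for the user-defined SIL field (site-specific in practice).
SIL_PICK_LIST = ("SIL 1", "SIL 2", "SIL 3")

# Constructed sample index rows; the field names are hypothetical.
SAMPLE_INDEX = [
    {"tag": "PZV-1201", "sis": True, "sil": "SIL 2", "interlock": "I-101"},
    {"tag": "TZSH-1202", "sis": True, "sil": "SIL 2", "interlock": "I-101"},
    {"tag": "PSV-1203", "sis": False, "sil": "", "interlock": ""},  # relief valve
    {"tag": "PSV-1204", "sis": True, "sil": "SIL 1", "interlock": "I-102"},
    {"tag": "LT-1205", "sis": True, "sil": "2", "interlock": ""},
    {"tag": "FZT-1206", "sis": False, "sil": "", "interlock": ""},
    {"tag": "PZV-1201", "sis": True, "sil": "SIL 2", "interlock": "I-103"},
]


def audit_index(rows):
    """Return sorted (tag, issue) findings for a list of index rows."""
    findings = set()
    counts = Counter(row["tag"] for row in rows)
    for row in rows:
        tag, is_sis = row["tag"], row["sis"]
        if counts[tag] > 1:
            findings.add((tag, "duplicate-tag"))
        match = TAG_RE.match(tag)
        if not match:
            findings.add((tag, "unparseable-tag"))
            continue
        # Simplification: the letter after the measured variable is taken as
        # the variable-modifier position (P-Z-V, T-Z-SH).
        modifier = match.group(1)[1]
        if is_sis and modifier == "S":
            findings.add((tag, "s-modifier-on-sis"))
        elif is_sis and modifier != "Z":
            findings.add((tag, "sis-missing-z"))
        elif not is_sis and modifier == "Z":
            findings.add((tag, "z-on-non-sis"))
        if is_sis:
            # Free-text SIL values defeat the consistency a pick list gives.
            if row["sil"] not in SIL_PICK_LIST:
                findings.add((tag, "sil-not-in-pick-list"))
            if not row["interlock"].strip():
                findings.add((tag, "missing-interlock"))
    return sorted(findings)


if __name__ == "__main__":
    for tag, issue in audit_index(SAMPLE_INDEX):
        print(f"{tag:10} {issue}")
```
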
Page 17

SIS Spec Sheet Requirements

♦ Additional Spec Sheet Data for SIS:

– Safety Integrity Level Ratings

– Testing Requirements

– Certifications and Approvals

– Redundancy or Conditioning Requirements

– Special Notes for Design Engineering

– Partial Stroke Testing Requirements (for Valves)

– Cross references to Safety Documents

Presentation Notes:
The Safety Requirements Specification will define what conditions should be included on the instrument and process data sheets. Safety standard compliances and test requirements will need to be identified on the Spec Sheet for proper selection of the instruments. Sensors need to be specified as “Proven-in-use” or “designed per IEC 61508”, and the Safety Integrity Level (SIL) or Certification requirement needs to be included in the Spec. For actuators, additional options for partial stroke testing devices and trip solenoids with dual coils should also be defined in the Spec Sheet. The Process data portion of the Spec will also indicate safety alarm and trip settings, failure states and other safety related process conditions.

Page 18

SIS Wiring Requirements

♦ Issues When Wiring SIS:

– PLC redundant power distribution uses common bus

– Physical separation between SIS and BPCS wiring

– Minimize terminals and connections as points of failure

– Special colors, markings and labels for Safety Systems

– May need ladder wiring diagrams instead of Loops

– Need for Cause & Effect or Logic Diagrams

– Special Power distribution diagrams for UPS or COPS

Presentation Notes:
Depending on the amount of safety integrity required, wiring elements may be redundant. The field wiring connections to the Safety Programmable Logic Controller I/O cards will have special requirements for the addressing schema and naming conventions. Power distribution of the redundant uninterruptible power supply at the I/O cards will also need to be provided in the wiring matrix. When specifying or documenting the Safety Instrumented System wiring network, be sure to specify physical protection for the cable, connections and Junction Boxes. Safety wiring needs to have protection during failure events, so it must be hardened against fire and physical damage.

Page 19

Are Existing SIS Grandfathered?

♦ S84.01-2004 Part 1 Clause 1y is considered the “grandfather clause” and states the following:

– “For existing SIS designed and constructed in accordance with codes, standards, or practices prior to the issuance of this standard (e.g. ANSI/ISA 84.01-1996), the owner/operator shall determine and document that the equipment is designed, maintained, inspected, tested, and operating in a safe manner.”

♦ This exception is only for facilities built prior to 2004

♦ The EPC has no control over Operations after turnover

♦ This clause was specifically requested by OSHA and has been strictly enforced after catastrophic events when “Current Engineering Practices and Standards” were not followed by the EPC or Owner Operator

Presentation Notes:
S84.01-2004 Part 1 Clause 1y is considered the “grandfather clause” and states the following: “For existing SIS designed and constructed in accordance with codes, standards, or practices prior to the issuance of this standard (e.g. ANSI/ISA 84.01-1996), the owner/operator shall determine and document that the equipment is designed, maintained, inspected, tested, and operating in a safe manner.” This exception is only for facilities built prior to 2004. Plants engineered and designed after 2004 must follow S84.01. The EPC has no control over Operations after turnover, so we must engineer in accordance with S84.01 to mitigate risk involvement. This clause was specifically requested by OSHA and has been strictly enforced after catastrophic events when “Current Engineering Practices and Standards” were not followed by the EPC or Owner Operator.

Page 20

ANSI/ISA-84.00.01

Questions?
