Society of Petroleum Engineers : Model Based Engineering
Technical Paper for ASPF 2012 - Choosing the right SIS
Choosing the right Safety Instrumented System
- Maximize Safety with Nonstop Production
Author: Alvin Chin – Sales Director
HIMA S.E.A. Sdn Bhd
Abstract
In today’s competitive environment in the global oil & gas, petrochemical and chemical industries, decisions to save costs, i.e. CAPEX and OPEX, are the key drivers. The fittest survives: key decisions are made to manage a plant’s profitability and productivity, while owners and operators must simultaneously keep their plant operationally safe to meet regulatory compliance and safety standards such as IEC 61508, IEC 61511 and ANSI/ISA-84. Choosing the right Safety Instrumented System (SIS) is a strategic choice.
The key factors to consider are:
- Plant profitability
- Maximum availability of the plant’s critical systems
- Improved lifecycle costs
- Meeting the high demand to protect the plant at maximum safety (SIL3)
- Keeping operational costs to a minimum while shutting down only on a real process demand
This presentation raises questions that help plant operators and owners make the right choice of SIS to improve the profitability and safety of their plants.
Introduction
End users want an SIS that protects the plant, shuts down on real alarms, and doesn’t shut down
for any other reason.
Managing risks and preventing disasters is, as always, a challenge in today’s very competitive world. Operators of hazardous offshore production platforms, FPSOs, refineries, onshore offloading terminals, petrochemical, chemical and even pharmaceutical plants constantly balance increasing production and avoiding unnecessary shutdowns of plant operations against not compromising the safety of their operating personnel, protecting against equipment failures and preventing direct or indirect damage to the environment.
There have been several unfortunate industrial disasters in the process industry in the past, and there will likely be many more to follow as our daily working conditions, materials, equipment and performance requirements keep changing and become more and more demanding. Major accidents such as Flixborough, Piper Alpha, Bhopal, Texas City, Mumbai High North, the Montara wellhead platform and, most recently, the Deepwater Horizon Macondo blowout in 2010 have all painfully revealed failures that we can learn from: failures that come at a cost of lives, environment and capital investment.
Today the offshore oil & gas and petrochemical industries try to prevent disasters by employing Emergency Shutdown systems (ESD) for prevention and Fire and Gas systems (FGS) for mitigation. These safety-related systems serve to protect equipment and industrial processes where danger may arise in case of failure, and they are not part of the process control system. Until a few years ago these systems were designed without reference to any general normative standard. This has since changed with the increased adoption of the IEC 61508 and IEC 61511 standards in the process industry. These safety systems are now more commonly called Safety Instrumented Systems (SIS), as defined in IEC 61508 and IEC 61511.
The problem has traditionally been viewed as one of risk management: how much risk can a company accept without inviting a disaster?
The cost of safety is tied directly to the profits of a company. An unsafe company will almost certainly pay out more than necessary in Occupational Safety and Health Administration (OSHA) fines, lawsuits, attorney’s fees and increased insurance premiums. All of these payments directly affect the bottom line. Owners and operators are constantly balancing increased profitability, i.e. driving up plant productivity, against not compromising safety. Today, every safety case must drive profitability.
Traditionally, safety systems are not popular with management. They are deemed costly and are considered a “sunk cost”: a cost that has already been incurred, cannot be recovered and does not contribute to profit. With the exception of certain companies that have worked to create exemplary safety records, most companies appear willing to do only the minimum in the area of safety systems that will allow them to appear compliant with the law and the relevant standards. This may provide neither acceptable safety nor acceptable downtime costs due to spurious trips and lifecycle activities.
Even though IEC 61508 and IEC 61511 mandate a continuous engineering process for safety instrumented systems, including auditing and recalculating SIL levels and continuous testing programmes, selection of the right SIS is often relegated to the instrumentation contractor when a new plant is constructed. This trend still prevails, and it is extremely difficult to get plant management to comprehend that simply ordering an EPC contractor to install SIL3 products with the appropriate TÜV certificate and a SIL 3 logic solver (e.g. a TMR or QMR PLC) to connect to those SIL3 products does not make a safety system.
Top management should take extra effort to review the needs and take control of the decision to implement the right safety system at the early stage of, say, a Greenfield project, so that they can incorporate the right philosophy in choosing the most efficient process safety design at the pre-FEED or FEED stage, with the most reliable safety solutions to optimise production and prevent unnecessary shutdowns. This critical decision should not be taken lightly or relegated to the EPC contractor; it should be made by the plant owners directly.
Many plant personnel have realised that the SIS performing the Emergency Shutdown functions does nothing during normal operation of the plant. However, the SIS has final control over whether the plant runs or shuts down: shutting down the SIS invariably means shutting down a running plant in production. The SIS has its “hands around the neck” of plant management, who cannot make product unless the SIS says they can. Today many end users and operators of plants have become accustomed to unnecessary shutdowns due to activities such as:
- A mandatory safety-system operating-system upgrade due to “software bugs” that have to be fixed to prevent random failures of the SIS
- A modification of the logic programmes
- A repair or maintenance activity such as removing and replacing a faulty CPU card, communication card or I/O cards
Any such work may, and often does, require an SIS shutdown to implement. Of course, an SIS shutdown usually means a plant shutdown.
What this means is that the lifecycle costs of the SIS may dwarf the entire control budget if the SIS chosen isn’t the best one for the process. Therefore the design and purchasing decisions for the SIS may be even more important than those for the DCS and the rest of the control system. Yet plant management and plant engineering rarely conceive of the decision in that way.
There is a movement toward the “combined integrated safety system”, where the DCS vendor supplies its own version of an SIS. The benefits of single-source responsibility are obvious and may sound logical. One should also review the benefit of insisting that the EPC provide a best-in-class basic process control system (DCS) and a best-of-breed safety instrumented system (SIS) for the smooth and safe operation of the plant.
While an automation vendor is obligated to push its own system, whether or not it is appropriate for the project, an EPC or control system integrator is just as obligated to do the work and expend the effort to make the decisions at the start of the lifecycle that provide the optimum solution for both BPCS and SIS, even though the EPC or integrator may not be around to see those decisions validated. In many cases the EPC or control system integrator hands its responsibilities over to the plant owners once its warranty obligation expires. The better solution for today’s process plants is to consider installing a high-performance stand-alone SIS with the features needed to minimize downtime and improve safety. This type of SIS can easily integrate with any DCS to provide the best-in-class performance that the end user really wants.
What end users really want is a safety instrumented system that protects the plant at maximum safety for equipment and personnel, and doesn’t shut down for any other reason, including spurious trips and the so-called “lifecycle” activities. For plant management, long used to production stoppages and delays from SIS malfunctions, such an SIS would be a “godsend”.
What Happens When You Make Changes?
Plants have lifecycles. Equipment, tanks, vessels and piping have lifecycles. Controls and control
systems have lifecycles too. This means that changes, upgrades and repairs must be made over
the course of the lifespan of the control system and the field devices connected to it.
These lifecycle events are not necessarily planned. The management of a plant cannot always impose preventive or predictive maintenance practices, and even if they institute a rigorous preventive or predictive maintenance programme, accidental failures and unscheduled downtime do occur.
If the plant safety systems are not designed to minimize downtime, significant costs may be
incurred.
What Happens When You Upgrade?
In the majority of SIS and F&G safety systems, upgrading the system requires at least one, and
perhaps more than one, shutdown. When this happens, the entire facility’s production stops,
because shutting down the SIS shuts down the BPCS (basic process control system)
automatically.
System upgrades can be planned lifecycle events. This means that the downtime of the entire
system has been planned for. However, “planned for” downtime costs the same as unplanned
downtime.
Let’s look, for example, at the Petronas offshore oil platform. It produces approximately 50,000 barrels of crude oil every day. Since the price of oil has varied recently from approximately US$40 per barrel to US$140 per barrel, let’s use US$75 per barrel as a reasonable number. That would be lost revenue of US$3,750,000 per day of planned downtime.
This loss of revenue due to planned downtime for system upgrades can be prevented if the upgrades can be done online without interrupting production. In today’s context there aren’t many safety systems that can fulfil this. Safety instrumented systems such as the HIMA HIMax have been designed to permit system upgrades without interrupting production while maintaining complete safety. Systems such as HIMax are based on an architecture that permits faulty modules to be replaced online (hot-swapped) at any time without interrupting operation. Upgrades and system expansions need not require a system (and BPCS) shutdown.
What Happens When You Need Maintenance?
Long gone are the days of “run it ‘til it breaks” in process plants. Today predictive maintenance
technologies are being installed in process plants worldwide. The theory is that by using fault
detection software, combined with predictive algorithms, the exact time to failure of any
component or piece of equipment can be predicted, and replacement can be scheduled prior to
failure. In many cases, such as in the case of large rotating machinery or tankage or valves or
other inline components, a shutdown must occur in order to effect the replacement.
In most BPCS systems (the plant DCS), hot-swapping components such as I/O cards and bus cards can be done without shutting down the plant. But in most safety systems that’s not permitted. Let’s say the plant requires the addition of a new I/O or processor rack, new local I/O cards, or a new remote I/O rack and cards: most systems would require the system to be taken down to make those additions. How long is the system down? That depends on the extent of the upgrade, how many modifications need to be made in marshalling cabinets and wiring buses, and whether new field devices must be installed to connect to the new I/O.
Let’s see what a two-day shutdown for expansion and modernization might cost. Take the case of a VietsovPetro oil platform.
VietsovPetro’s output of oil is, say, 60,000 barrels per day. That alone would represent a loss of revenue (at our $75/barrel figure) of $9,000,000 for a two-day shutdown caused by the need to modernize and expand the SIS. This loss doesn’t take into account that the VietsovPetro platform also produces about 100 million cubic feet of gas per day.
Consider the benefits and the significant cost savings if we employed a state-of-the-art SIS that didn’t require an “all stop” downtime for upgrade or maintenance, compared with a two-day shutdown of an oil platform like VietsovPetro.
What Is the Impact of Periodic Proof Testing on Production?
IEC 61508, IEC 61511 and ANSI/ISA-84.00.01-2004, which are the most referenced safety standards for the process industries, mandate an ongoing engineering, maintenance and proof-testing programme to ensure that the system as installed at any moment in time actually fulfils its design requirements and performs according to its stated SIL level. Many SIS require the entire system to be power-cycled for proof testing, meaning the system must be powered off and on (sometimes repeatedly). This, of course, means that the plant must be shut down, or the safety system interlocks will trip and the plant will have an unplanned shutdown. Some safety instrumented systems require such proof testing every three years, with a plant shutdown every three years accompanying it.
Plants do require periodic shutdowns themselves for maintenance and expansion. But adding
extra time, or requiring an “out of production schedule” shutdown for proof testing of the safety
system simply costs money. No wonder plant management detests the safety systems.
What Is the Real Cost of Downtime?
We have seen that downtime has real costs, and those costs add up to real money very quickly.
No plant can easily afford lost revenue in the millions of dollars per day range. When you add in
the additional costs of unplanned downtime due to spurious trips, the costs spiral.
Unplanned downtime is very costly. Even though the shutdown sequence caused by a trip of the SIS or the F&G system is supposed to be a “graceful shutdown”, the reality is that it almost never is. When a refinery is shut down suddenly, lines get plugged, valves stick, and vessels get coated with tar and other impurities. Even though the system shut down safely, that is to say no personnel were injured, an unplanned shutdown does not mean a simple or easy start-up. So the cost of a spurious trip might wind up being several weeks of lost production.
Consider a refinery. Pertamina’s Cilacap refinery in Java, Indonesia processes approximately
230,000 barrels of crude oil per day. Generally, a barrel of oil produces about 19 gallons of
gasoline, 9 gallons of fuel oil, 4 gallons of jet fuel, and 11 gallons of assorted other products like
lubricating fluids, asphalt, kerosene, and plastic precursors.
Let’s add some dollar amounts to the mix. Let’s say gasoline is US$2 per gallon. Fuel oil is US$1.35
per gallon. Jet fuel sells for US$1.20 per gallon, and the lubricants and other by-products might
produce another US$1 per gallon.
That’s revenue of approximately US$15 million per day (US$65 x 230,000 barrels per day).
Suppose a spurious trip costs a week’s production. That would be a cool $63 million in lost revenue. And that would be just one trip.
Now look at the lifecycle of that refinery. Refineries last longer than 50 years in production. If the refinery suffered just one spurious trip per year, and that added one week per year of downtime, that would be a lost revenue cost of more than $3 billion over the 50-year lifecycle of the refinery.
Again, consider what the cost of a safety system, installed, actually is. If a plant could be equipped with a safety system where spurious trips were designed to be negligible, and where shutdowns for planned maintenance and upgrades were rare instead of common, the real cost of downtime wouldn’t be $65 million per week.
Any plant engineering and management personnel should look at their plant history of
shutdowns and downtime caused by spurious trips and downtime of the safety systems, and do
the math.
Installing a “nonstop” safety system such as the HIMA HIMax often generates an ROI of 30 days
or less. Even including the “cost of change” the ROI is significantly less than 12 months.
What Is the Solution to Increased Safety and Minimal Downtime?
Take for example the Cilacap refinery in Indonesia, which was built in 1974 and has gone through a few debottlenecking projects to increase capacity. Many refineries in South East Asia are more than 20 years old. Most of them have legacy control systems and legacy safety systems.
One solution is to replace the DCS and the safety systems with combined systems that run on the
same backplane and have the same operating design. This solution, unfortunately, increases the
risk of common mode failure, and the chance of spurious trips, as well as increasing downtime,
since upgrades to the DCS may require taking the safety system off line as well. In addition, as we
have already noted, this solution risks combining the appropriate DCS with a safety system that is
not necessarily the preferred system.
The better solution, then, is to consider the installation of a stand-alone SIS with the features
needed to minimize downtime and improve safety, along with a best-in-class DCS.
Here’s a checklist of features such a safety system should offer:
1. The system should be flexible, scalable and, most importantly, allow online expansion without having to shut down the system, thereby not interrupting plant production during the lifecycle of the plant operation. This increases plant uptime and reduces operating expenses (OPEX). The system should be able to start at whatever size is required and be capable of essentially unlimited expansion without loss of performance.
2. The system should allow for future expansion online without having to buy forward unnecessary spares at the start of a Greenfield project, thereby saving capital expenses (CAPEX). End users should only buy what they need now, and pay for it only when they need it.
3. The system should maintain its fast cycle times at high I/O counts. End users should seek benchmarks that indicate that the system will be fast, and stay fast as it expands.
4. The system’s calculation capabilities must be very high, and complex algorithms should not significantly increase the CPU overhead.
5. The system should be compact. Space is often at a premium in marshalling cabinets and on offshore installations, and the system should be designed with space saving in mind.
6. The system should have reliable and fast (1 ms) SOE (sequence of events) recording for demanding critical applications.
7. The system should have high-quality diagnostics.
a. Maintenance logs should be standard, with relevant information such as reload, download, run, stop, force, etc.
b. Condition monitoring for relays should be standard.
c. Large-capacity diagnostic storage should be provided. All diagnostic information must be capable of being transferred out of the safety system to the DCS, to an Asset Management System, or both.
8. The system should be able to network and communicate with all major open communications protocols and all major data transfer protocols. It should be integrable via OPC or another data transfer protocol, such as Modbus TCP/IP, with all major DCS and Asset Management Systems.
9. The system should be capable of multitasking.
a. Multiple applications in the same system must be supported, and each individual application needs to have its own cycle and scan time.
b. Fixed cycle times must be supported. Time-critical and non-time-critical processes must be permitted in the same system.
c. Modification of one application must not affect any other application running on the system, and adding, changing or upgrading applications must be reaction-free.
Moving into the Future
What end users really want is a Safety Instrumented System that protects the plant at maximum
safety (SIL3), only shuts down on a real process demand, and does not shutdown for any other
reason, including SIS lifecycle activities.
What the future must bring is a “Nonstop” system that no longer produces the downtime of the
past, and that can be upgradeable far into the future.
A different perspective on Profitability
Traditionally, plant owners have used ROI (return on investment) as a tool for evaluating their purchase of equipment. This may not be an effective evaluation tool, because ROI does not take into account the consequences of a sudden unplanned shutdown, process trips or failures. Another financial tool, ROA (return on assets), is now considered a better measure.
ROA is defined as ROA = Operating Income / Total Assets.
The higher the ROA, the more efficiently the plant is using its “assets”. Let’s take the view that the safety system is considered an asset if it operates nonstop without causing unplanned or planned shutdowns, thus contributing to a positive ROA.
In conclusion, plant owners and end users are encouraged to review each of their assets and question whether those assets affect plant operations and hence profit.
Choose the right SIS that will improve plant profitability without compromising safety.
End