Creation of a Corporate Safety Standard Based Upon The ANSI/ISA 84.01 and the IEC 61508
Chief Critical Systems Engineer
GE Industrial Systems - GE Fanuc
3506 Hwy 6 South, # 361
Sugar Land, Texas 77478-4401
Standard(s), Safety Shutdown, ESD, SIS (Safety Instrumented System), SIL (Safety Integrity Level), Process Hazard, Chemical Hazard, Risk Reduction, Mitigation, PSM (Process Safety Management)
This paper describes how a process company should utilize the current and emerging global standards (i.e., the ANSI/ISA 84.01 and IEC 61508 documents) for developing a corporate standard. In the past, many process companies have had "standards" for many operational aspects of their plant processes; however, not all of them treated safety systems separately from general process operation. For those corporate standards that specifically addressed safety within the process and how automated control was to be accomplished, the basis for the document was usually developed uniquely by each company. With the emergence of global standards, a flexible but common methodology can be used successfully as a reference for developing corporate or site-specific standards. One example of how this was accomplished is PDVSA K-366, the safety standard recently completed for the National Petroleum Company of Venezuela.
Process safety has historically been addressed with various levels of interest and enforcement globally. In the U.K., for example, attention to safety on production platforms in the North Sea has been, and continues to be, viewed with close scrutiny. In the U.S., until the early 90's, process safety and its enforcement were generally left to the discretion of the individual companies. As a result, emphasis on the types and depth of safety system integration varied widely. This occurred even between plants of the same company.
It is important to note that a clear connection exists between today's standards and events which occurred in the 1980's. Several global incidents resulted in asset damage, injuries, and fatalities; not all of them were brought to public attention by the media. The most significant event, which could not escape media attention globally, was the incident in Bhopal, India, which ultimately resulted in thousands of fatalities and long-ranging injuries.
The ISA SP.84 committee was formed in 1984 to look at how electrical, electronic, and programmable electronic safety systems should be integrated into the process most effectively, so that the amount of protection matches the amount of risk associated with a given process. Work on a standard progressed slowly at first, as consensus was difficult to gain within the process community. These hidden obstacles continue to exist today, at least in part, as differing levels of experience with safety management, statistical probability analysis, company culture, and even vendor bias, to name just a few, impede a majority consensus. Then the unexpected, but anticipated, happened. On a day in 1989, not unlike any ordinary day along Highway 225 in Pasadena, Texas, a process incident occurred which grew suddenly in magnitude and resulted in dozens of serious injuries and fatalities.
This single event in Texas finally prompted OSHA (the US Occupational Safety and Health Administration) to take direct action. OSHA issued guidelines for safety practices in the process industries on September 11, 1991, and reissued the revised content on February 24, 1992, when the document was finalized. This document was published in 29 CFR (Code of Federal Regulations) Part 1910.119, and was mandated in full by 1996. The OSHA document addresses a global spectrum of process hazards, and requires that process operators complete an analysis which clearly identifies the safety issues within their specific process. Additionally, the mandate establishes and assigns ultimate responsibility to the parties involved in all aspects of the process. Previously this had been a nebulous task, as denial by the parties involved in the Texas event was prevalent at the time.
Similarly, in 1994 the Environmental Protection Agency (EPA) responded with an expanded proposed list of hazardous chemicals, ten times the size of the previously proposed list.
Obviously, the original focus of the guidelines was primarily petrochemical manufacturers and handlers: the large producers who operate automated and critical processes. The targeted users, however, include any industry having one or more of the included process hazards. For the process industry, the process hazards include a host of items: boiler controls and management systems, power generation gas and steam turbines, chemical and petroleum operations, rotating equipment, and others. Pollution of land and water resources is also an issue.
This paper describes existing technologies for meeting safety, environmental, and economic concerns which benefit employees, government, the public, users, and producers when corporate standards are developed, based upon practices, guidelines and standards established by international committees.
The ISA (The International Society for Measurement and Control) SP.84 committee "Programmable Electrical-Electronic Systems (PES) for Use in Safety Applications" has attempted to quantify the requirements for meeting the new standards over a decade and a half. The requirements for meeting guidelines and standards have often been elusive or continually evolving, almost preventing a final resolution. The S.84.01 "Application of Safety Instrumented Systems for the Process Industry" standard was released in February 1996. Reducing process risk by the correct implementation of an automated safety system is diagrammed in Figure 1 below.
In 1993 the IEC (International Electrotechnical Commission) approved an ISA proposal to use the then dS.84 (d = draft) as the basis for developing an IEC safety standard specific to the process industry. The standard encompasses IEC SC65A/ WG10 Functional Safety: Safety Related Systems part 1 "General Requirements" and part 2 "PES Requirements," and IEC SC65A/ WG9 Functional Safety: Safety Related Systems part 3 "Software Requirements."
The formation and purpose of the committee activities are to promote:
- A common basis of measure for SIS systems.
- Common definitions and terminology for technical discussions.
- A quantifiable measurement for risk (as per the OSHA guideline).
- A logical engineering approach to remove "emotions."
- Elimination of the basis of confusion for safety parameters, measures, and technology.
- Use of a common process-oriented LCM (Life Cycle Model) systematic engineered approach. (Figure 3)
The safety standard:
- Has been developed for the process industries.
- Separates control and safety and alarm interlock system functions.
- Includes electrical, electronic and programmable electronic systems.
- Considers the inclusion of sensors and final elements in addition to the PES.
- Is based upon the IEC Safety Lifecycle Model (Figure 2) and the four IEC Safety Integrity Levels.
Venezuela has one of the world's most prolific sedimentary basins, and the name "Venezuela" is synonymous with abundant hydrocarbon resources. Created in 1976, Petróleos de Venezuela, S.A. (PDVSA) has become a leading energy corporation. PDVSA is the parent company of the Corporation, which is owned by the Republic of Venezuela, and is charged with the development of the petroleum, petrochemical and coal industry, and is responsible for planning, coordinating, supervising and controlling the operational activities of its divisions, both in Venezuela and abroad.
PDVSA carries out exploration and production to develop oil and gas, as well as production of bitumen and heavy crude. Holding a leading position among the world refiners, its direct manufacturing and marketing network covers mainly Venezuela, the Caribbean, the United States and Europe. It is also active in the areas of petrochemical production, research and technology development, as well in industry- related activities of education and training.
The restructure of the Venezuelan energy corporation at the end of 1997 resulted in the founding of PDVSA Petróleo y Gas. Petróleo y Gas heads three major divisions responsible for the core activities of the business: PDVSA Exploration and Production, PDVSA Manufacturing and Marketing, and PDVSA Services. Each one of these divisions is composed of various companies and business units, located both in Venezuela and abroad. As a separate entity, Pequiven, its subsidiaries and joint ventures are developing the petrochemical sector. See Figure 3 Below:
As a global company, PDVSA's operations have international effects. In the United States (Figure 4.), PDVSA owns CITGO Petroleum Corp., a petroleum refining, marketing and transportation company headquartered in Tulsa, Oklahoma, as well as the UNO-VEN Company.
Figure 4. Major Locations in the United States
In Europe (Figure 5.), PDVSA is a 50/50 partner with Germany's VEBA Oel AG in Ruhr Oel GmbH, the largest refining company in Germany, which supplies this important market with oil products and chemicals. PDVSA and Neste Corporation of Finland are equal partners in AB Nynäs Petroleum, which operates refineries in Sweden, Belgium and The United Kingdom.
Due to organizational structure and awareness, a small group of dedicated people formed a PDVSA committee to address the technological advances in safety, and review of the global standards that provided direction or tools to reach conclusions in safety assessments. In particular, and at highest risk, were the refinery processes.
Efforts toward the interaction between the Amuay and Cardón refining plants were begun as early as October 1995. By late 1996 the integration of the Amuay and Cardón refineries, both located in the Paraguaná peninsula in Falcón State, was complete. This important step enabled the creation of the Paraguaná Refining Center. The center is equipped with state-of-the-art plants and processing units, making it the world's largest refining center. Working as a safety engineer here, Alberto Paz attended several ISA major events, and became very familiar with the S.84 document.
Before the reorganization was completed, PDVSA engineers fully representing the previous subsidiaries (Maraven, Lagoven and Corpoven) formed the team with management approval. In addition to differing company disciplines, the team members also came from different locations throughout Venezuela (east, west, central, etc.) and from areas such as refining, project engineering, exploration and production, etc.
PDVSA operates in a global environment. It must maintain awareness of the current standards and guidelines that affect its operations. At the same time, common goals and values across the interdisciplinary functions of the company were an ultimate requirement if a successful corporate standard was to be achieved. The team determined the following.
Process design parameters that meet emerging guidelines and regulations for system design criteria shall have the following requirements:
- Safe, reliable operation performance
- Improved product quality
- Increased productivity
- Reduced downtime
- Raised profit levels
Designing and upgrading control system operation makes good sense all around. Programmable controllers used as safety PESs (Programmable Electronic Systems) have been part of PDVSA control strategies for many years.
They can be seen in all applications from pipeline compressor control to gasoline refining.
In fact, up to this time PDVSA has used many TMR systems from different vendors, installed over several years. By developing a corporate safety standard, it was also hoped that a better understanding of safety theory would lead to appropriately designed safety systems, allowing other architectures to be implemented, as in Figure 6.
Figure 6. TMR vs. Many Architectures
In utilizing the S.84.01, a learning curve was necessary to completely understand the full meaning of the document. In interviewing the team, it became clear that the most relevant points were as follows (see Figure 7.):
- The Safety Integrity Level (SIL), associated with the probability of failure on demand, must be determined by a multi-disciplinary team, as is done in HAZOP analysis.
- Engineering must be executed to verify the safety integrity level in protection systems.
- Opportunity to select parameters to achieve the protection level needed at a lower cost.
- The maintenance quality is considered a parameter that modifies the safety integrity level achieved.
- Maximizes the security/cost ratio.
- It accomplishes a better balance of the security contributions provided by each component of the system.
It is imperative that the determination of the Safety Integrity Level then be:
- Performed by a multi-disciplinary team.
- Determines the maximum risk level acceptable (tolerable) at the facility.
- Analyzes the "Security" conditions of the facility and its surroundings.
- Studies the possible frequency and consequences of dangerous events.
- Considers other protection mechanisms different to the Shutdown system.
- Establishes the necessity of installing an ESD System and the strength it should carry.
- Allows the identification of the risk reduction needed to not surpass the maximum risk set as a goal.
- Avoids over-design, allowing the security/cost relation to be maximized.
- Barrier: limited availability of qualified personnel to lead the study.
The benefits recognized by the team in starting with, and relying on a global standard were:
- A safety life cycle defined design approach methodology.
- It provided the basis and importance for having studies that determine where safety systems should be used.
- A relative SIS (Safety Interlock System) to BPCS (Basic Process Control System) design relationship.
- Availability and reliability analysis based on common failure data. Figure 8.
Figure 8. Example of Reliability Data Analysis
Example.
The risk engineering determines a maximum probability of failure on demand (PFD) of 0.05 (the integrity that must be held by the Protection System).
Evaluating the architecture pre-determined to protect the installation yields the following results:
PFDsis = 1.00e-2 + 2.93e-6 + 3.00e-2
PFDsis = 0.01 + 0.00000293 + 0.03
PFDsis = 0.04000293 < 0.05
For this example you can observe that the Central Element has a very high robustness (Generally Robustness and Costs have the same direction).
There is then the possibility of adjusting the robustness of the Central Element, reduce the costs, and still achieve the integrity level required.
In this example the Central Element could have been selected having a PFD of 0.009, so:
PFDsis = 0.049 < 0.05
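The PFD budgeting shown in the example above, written out as an added illustration (not code from the paper or from PDVSA K-336). It assumes the three terms are summed in the order sensor, central element (logic solver) and final element, that the subsystems are independent so their PFDs simply add (the simplification used in the example), and that the SIL bands are the IEC 61508 low-demand PFDavg bands; it also reports each subsystem's share of the total, which is what shows whether the central element is over-designed relative to the field devices.

```python
# Added example: SIS PFD budgeting as in the paper's worked example.
# Assumption: subsystems are independent, so PFDsis = sum of subsystem PFDs.
# Assumption: IEC 61508 low-demand bands, (SIL, lower bound, upper bound).
SIL_BANDS = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]


def pfd_sis(sensor, central, final):
    """Total probability of failure on demand of the safety function."""
    return sensor + central + final


def sil_from_pfd(pfd):
    """SIL achieved by a low-demand function, or None if outside SIL 1..4."""
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return None


def risk_reduction_factor(pfd):
    """RRF = 1 / PFD; the factor by which the SIS reduces hazard frequency."""
    return 1.0 / pfd


def meets_target(pfd, target_pfd):
    """True when the achieved PFD is within the PFD set by risk engineering."""
    return pfd <= target_pfd


def contribution_shares(sensor, central, final):
    """Fraction of the total PFD consumed by each subsystem (sums to 1)."""
    total = pfd_sis(sensor, central, final)
    return {"sensor": sensor / total, "central": central / total, "final": final / total}


def central_element_budget(target_pfd, sensor, final):
    """Largest central-element PFD that still meets the target after the
    field devices have taken their share of the budget."""
    return target_pfd - (sensor + final)


if __name__ == "__main__":
    target = 0.05                                  # PFD set by risk engineering
    sensor, central, final = 1.00e-2, 2.93e-6, 3.00e-2   # values from the example
    total = pfd_sis(sensor, central, final)
    print(f"PFDsis = {total:.8f}, SIL {sil_from_pfd(total)}, RRF {risk_reduction_factor(total):.1f}")
    print("shares:", {k: f"{v:.4f}" for k, v in contribution_shares(sensor, central, final).items()})
    print(f"central element may be relaxed up to PFD {central_element_budget(target, sensor, final):.4f}")
    relaxed = pfd_sis(sensor, 0.009, final)        # the paper's relaxed choice
    print(f"with central PFD 0.009: PFDsis = {relaxed:.3f}, meets target: {meets_target(relaxed, target)}")
```

Running the block shows the final element consuming about 75% of the PFD budget while the central element contributes under 0.01%, which is the imbalance the paper's example corrects by relaxing the central element to 0.009.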
In some cases, the ANSI/ISA S.84 was not helpful, did not provide information, or was in conflict with the final K-336. The barriers the team has had to overcome when defining safety systems have been:
- Definition of the SIL level: lack of, or limited, understanding and capability among qualified personnel to perform this task.
- It was not clear enough on the type of technology that should be used/recommended. In general terms it lacks practical applications. The ISA TR.84.02 should prove helpful here.
- Multiple choices of equations to use; different sets of equations/procedures can give very different results when evaluating specific architectures, and wrong conclusions can be drawn.
- Once a choice of equations is made, there is a need to identify reliable data. A unified criterion for selecting data seems to be needed. Apparently TUV and FM may have agreed to work together on this issue to certify data.
- The basic benefit of the standard would be the implementation of a methodology that more clearly demonstrates a balance between the PES, the field devices and all the components that comprise a safety system.
In conclusion, today PDVSA has developed a corporate safety standard for the new millennium. The current status is as follows:
- K-336 Revision effective as of February 1999.
- Based on International Standard ANSI/ISA.S84.01.1996.
- Aligned with the Current Draft Standard IEC d61508
- Adjusted to Requirements: "Termination of Recipes".
- No Specific Architectures are imposed.
- Increases protection while allowing the cost/benefit ratio to be balanced.
- Apply existing technologies for meeting safety, environmental, and economic concerns and which benefit employees, government, the public, users, and producers.
References
Walczak, T.A., "Critical Control Capabilities Using Programmable Controllers", ISA Proceedings, New Orleans, 1995.
ISA (The International Society for Measurement and Control) SP84 committee, "Programmable Electrical-Electronic Systems (PES) for Use in Safety Applications", ANSI/ISA S84.01, February 1996.
Holscher, H., Rader, J., "Microcomputers in Safety Technique", TUV Research Report.
With special thanks to Alberto Paz, PDVSA Chief Safety Engineer Cardon Refinery, Amuay for providing the PDVSA materials.