
Proceedings of the 2012 9th International Pipeline Conference IPC2012 Sep 24-28, 2012, Calgary, Alberta, Canada

IPC2012-90580

CONSIDERATIONS FOR IMPLEMENTATION OF SAFETY INSTRUMENTED SYSTEMS (SIS) FOR PIPELINE CONTROL SYSTEMS
Alireza Sahraei Enbridge Pipelines Inc. 10130 103 Street, Edmonton, AB T5J 3N9 Canada Tel: (780) 412-6473 Alireza.Sahraei@enbridge.com

ABSTRACT

Safety instrumented systems are now well recognized and used by operating companies in oil and gas, mainly in integrated plants such as refineries, upgraders and petrochemical plants, based on both the reliability and the availability of these systems to prevent and mitigate the risk associated with any high consequence initiating event. The SIS requirements are well developed and globally accepted in the IEC61511 and ISA84.01 standards, whose safety lifecycle requirements have to be met. The initial implementation of SIS in each plant has always been a challenging program because it takes tremendous effort to develop processes and procedures that meet every single clause of the lifecycle. At the same time, following engineering best practices is another key factor in the success of this implementation. In the pipeline operations industry, however, there are additional aspects of risk management, design, operations and maintenance of the SIS which have to be considered on top of all the code requirements and considerations that apply to integrated plants such as refineries. These special considerations should not be underestimated and have to be treated as special requirements for the industry. They raise sets of technical challenges for any implementation initiative, as well as planning and execution challenges which are directly related to the safety lifecycle.

INTRODUCTION

SIS is not a new topic in the oil and gas world, although fewer companies in North American pipeline operations have already implemented SIS within their facilities, while some pipeline companies overseas are now dealing with existing SIFs in their operations. Because, according to the statistics, we have entered an era of more frequent incidents, the operating companies are more vigilant and cautious about the safety of the public and their employees, and at the same time the standards bodies and regulatory authorities in North America are gradually shifting toward legislating more mandatory safety initiatives on the industry side, the trend is toward more operating companies complying with the functional safety standard IEC61511 (or equivalently ISA 84.01). This paper aims to bring up some of the most important considerations and challenges for establishing and implementing SIS in general and, more importantly, the considerations and challenges which are specific to the pipeline industry, impartially and without assessing any specific company. It is also intended to open these concerns up for further detailed discussion and development of each technical point.

Copyright 2012 by ASME

NOMENCLATURE

AICHE American Institute of Chemical Engineers
ALARP As Low As Reasonably Practicable
BPCS Basic Process Control System
CCO Control Center Operations
CCPS Center for Chemical Process Safety
DC Diagnostic Coverage
EMC Electromagnetic Compatibility
EMI Electromagnetic Interference
FAT Factory Acceptance Test
HMI Human Machine Interface
IE Initiating Event
IEEE Institute of Electrical and Electronics Engineers
IPL Independent Protection Layer
I&C Instrumentation and Controls
ISA International Society of Automation
LOPA Layers Of Protection Analysis
MOC Management Of Change
OREDA Offshore Reliability Data
PFD Probability of Failure on Demand
PLC Programmable Logic Controller
RRF Risk Reduction Factor
SAT Site Acceptance Test
SCADA Supervisory Control And Data Acquisition
SIF Safety Instrumented Function
SIL Safety Integrity Level
SIS Safety Instrumented System
SOP Standard Operating Procedure
TF Tolerable Frequency

Symbols:
Common cause failure factor
Average failure frequency (based on the exponential reliability function)
Dangerous failure frequency
Detected dangerous failure frequency
Undetected dangerous failure frequency
Safe failure frequency
Detected safe failure frequency
Undetected safe failure frequency

Figure 1 SIS safety lifecycle phases (boxes in the figure): hazard identification and risk assessment; allocation of safety functions to protection layers; safety requirements specification for the safety instrumented system; design and engineering of safety instrumented system; design and development of other means of risk reduction; installation, commissioning and validation; operation and maintenance; modification; decommissioning; verification; management of functional safety and functional safety assessment and auditing; safety lifecycle structure and planning.

RISK ASSESSMENT CONSIDERATIONS

Any SIS design and implementation should be driven by risk assessment, as clearly specified in the IEC61511 standard [1]. Figure 1 illustrates the functional safety lifecycle and clearly indicates that the lifecycle starts from the risk assessment phase. Other optional approaches such as cost/benefit analysis or functional analysis of the safety system can be carried out as well, but should occur after risk assessment. It is challenging for an operating company to initiate implementation of the lifecycle, as there are two separate types of initiative which have to be considered:
1. New facilities and new projects (a project is defined as any modification of an existing facility to be completed by a certain planned date);
2. Existing operating facilities.

Each initiative needs to be dealt with by a separate course of action. In regard to the risk assessment, the first step is to identify the corporate risk matrix, which needs to be developed for the different aspects of risk (e.g. health and safety of personnel and the public, environment, business/operation interruption, corporate reputation). This has to be developed further through thorough reviews among the various stakeholders of the pipeline company, considering these parameters:
- Geographical diversification;
- Differences in operations in each facility and region;


- Differences in jurisdictions and legislation;
- Diversification of existing facilities and their associated reliabilities.

Obviously, the corporate risk matrix should consistently cover all probable (credible or incredible) scenarios, in such a way that the proposed solutions (safeguards and IPLs) can practicably mitigate the risks for both types of facility (existing and new). Typically, plants such as refineries, upgraders, petrochemical or power plants are integrated and laid out in one physical location, whereas the pipeline facilities are distributed along the pipeline right of way, from the injection point at the terminal and initiating station to the delivery point. Therefore the company's risk matrix needs to be reviewed more frequently to assure consistency, re-calibration and higher effectiveness. The same approach has to be taken for identifying TFs for each risk aspect. Each facility is located in a different environment and ecosystem, with its own upstream and downstream elevation profile, hydraulic energy sources (transient and steady state), population density, product diversification, and local authorities and jurisdictions. Due diligence and attention should be taken to ensure the corporate TF table reflects what can be tolerated for all scenarios in all places, including the special ones (e.g. a facility right beside a lake and river with a high rural population). If there is a special scenario in a special place which has to take a more conservative approach, the TF should be tuned to include that scenario with extra caution, without changing the TF table for all other stations. Therefore the TF table should be developed and calibrated in more extended detail compared to an integrated plant. ALARP is a recommended tool which can be calibrated for identifying TFs for the pipeline company [2].
Figure 2 ALARP. Regions, from highest to lowest risk: unacceptable/intolerable region (risk cannot be justified), bounded below by the de manifestis (evident) risk level; the ALARP or tolerability region (tolerable only if risk reduction is impracticable or if its cost is grossly disproportionate to the improvement gained; risk is undertaken only if a benefit is desired), bounded below by the de minimis (minimum) risk level; broadly acceptable region (no need for ALARP analysis).

Similar to the risk matrix, the TF table should be reviewed frequently and updated if required. For example, if a facility is located close to a newly developed urban area with a high population, which used to be more of a rural area, the health and safety TF for injury and fatality risks to the public has to be reviewed and adjusted accordingly. The risk matrix and TF table are crucial inputs to the risk assessment for SIS, which typically uses a semi-quantitative analysis such as LOPA for existing/new facilities [3]. Other methods such as Risk Graph or Fault Tree can be used in addition to LOPA if more detailed and quantitative analysis is required for a specific location, given the availability of more accurate failure rate (reliability) data and clearly developed scenarios. Almost all the time, LOPA should be a sufficient and optimal tool for risk assessment and for identifying the risk gap which needs to be filled by SIS. However, SIL validation calculations follow afterwards, at the safety control systems design stage. One other consideration in risk assessment is the impact of new projects on existing facilities, introducing additional risks. This occurs more frequently in pipeline companies as an incredible scenario. The scope of the risk assessment for a new project should include assessment of any potential impact, which can range from infrastructure impact to operations and control systems impacts.

CODE REQUIREMENTS

It has been demonstrated in the risk assessment discussion that a pipeline company is non-integrated and that its diversification grows with the vastness of its pipeline systems. According to IEC61511, the SIS lifecycle (Fig. 1) has to be laid out and mapped for the pipeline operations. IEC 61511 (equivalently ISA 84.01) code compliance includes not only the requirements for each phase of the lifecycle but also the management system requirements to ensure internal audit, planning and compliance within a performance-based framework. In this regard, these steps have to be highlighted and considered for a pipeline company:
- Develop the MOC processes and procedures consistently on a corporate-wide scale;
- Establish a management system to engage key stakeholders and expert groups of employees and contractors, including operations stakeholders, the risk management group, process safety, control systems, SCADA, functional safety and application groups (leak detection, I&C, measurement and so on);
- Develop a document and data retention management system; a QMS is recommended (as well as an Integrated Management System, if applicable);
- Implement all operations, maintenance (preventive and corrective), FAT, SAT, commissioning, bypass and de-commissioning processes/procedures at each site;
- Lay out the SIS strategy for audit, SIL verification and reassessment of existing facilities.

There are some aspects/parameters which can impact the preferred functional safety strategy for each specific facility:
- Type of initiative: whether it is an existing facility or a new one;
- SIS infrastructure: whether it is an existing facility or a new one;
- Risk gaps (e.g. whether there is actually an available IPL to fill the remainder of the gap);
- Number of new required SIFs;
- Diagnostics availability;
- Actual reliability and availability of the options (e.g. one local BPCS loop and one alarm loop via SCADA vs. a SIL 1 SIF);
- The current operations maintenance programs (preventive, corrective and repair) at that specific facility;
- Operational/maintenance options;
- Complexity of the facility;
- Corporate planning and guidelines on safety initiatives;
- Cost analysis for

Once again, as pipeline operations are distributed and diversified, any of the above mentioned steps has to be executed not only with senior management commitment and sponsorship but also with the full engagement of all stakeholders, from the field to the engineering and application groups.

FUNCTIONAL SAFETY STRATEGY

Similar to any other plant, pipeline facilities can be equipped with various protection layers, which are shown in Fig. 3:
Figure 3 Typical Protection Layers (outermost to innermost): Community Emergency Response; Facility Emergency Response; Physical Protection (Dike); Physical Protection (Relief Device); Applications Protection (Pipeline overpressure at SCADA); SIS; Alarms, Operator Intervention; BPCS; Process.

The IPLs are those protection layers which meet certain criteria, including independence and applicability against a specific IE, and mitigate the risk of its consequences by reducing the frequency of occurrence of that event [3, 4]. An IPL does not necessarily need to be a SIS: as long as the layers are maintained in compliance with IEC61511, they can be credited accordingly. As an example, if LOPA shows that for a specific IE two independent BPCS loops are sufficient (although some criteria apply here to verify the validity of this claim, including proper PFD calculations complete with common cause failure), those two IPLs can be used to mitigate the risk of the IE by reducing its frequency of occurrence below the TF.

DIVERSIFICATION IN CONTROL SYSTEMS

As shown in Fig. 3, in a pipeline company there is typically more diversification when it comes to control. This statement becomes more valid as the geographical dimensions and complexity of the pipeline systems grow. The diversification is not only in the makes and models of control devices and controllers but also in the types and architecture of controllers and automated IPLs. The diversification of the control starts from the field devices, where different models of instruments and different installation details in the BPCS result in different PFDs. The same applies to the local control network, PLC, switch, Director/RTU, SCADA communication and so on, all considered as components of BPCS loops, alarms and other non-SIS IPLs. A thorough and comprehensive analysis/review has to be made of each single control loop to ensure that the functional safety aspects of each one represent the actual loop in the field.


ASSESS BPCS CREDITABILITY FOR SIS

The PFD calculation for the BPCS is a crucial step because, even though its PFD numbers are higher than SIL 1 (a BPCS loop typically falls into the SIL a range: PFD < 1), according to IEC61511 we are still able to apply the methodology and get credit for a BPCS loop if it meets the code requirements. Table 1 shows the PFD range associated with each SIL:

SIL rating       PFD range
SIL a (SIL 0)    0.1 < PFD < 1
SIL 1            0.01 < PFD < 0.1
SIL 2            0.001 < PFD < 0.01
SIL 3            0.0001 < PFD < 0.001
SIL 4            0.00001 < PFD < 0.0001

Table 1 SIL ranges

Here is a quick review to highlight some of the considerations:

Figure 4 PFD diagrams for two subsystems in series: Subsystem A -> Subsystem B.

Figure 5 PFD diagrams for typical local and remote BPCS-based loops. A) Typical PFD diagram for a local BPCS-based loop: Sensor/Tx -> Logic Solver (BPCS) -> Final Element (Control End Device). B) Typical PFD diagram for a remote BPCS-based loop: Sensor/Tx -> Logic Solver (BPCS) -> Local Control Network -> SCADA -> Control Center Operations (Application or operator) -> Final Element (Control End Device). Note: the command is sent back from the CCO via SCADA, the network and the logic solver again, which were counted once in this PFD diagram.

The equation to calculate the probability of failure on demand (PFD) for two subsystems in series, as shown in Fig. 4, is:

As illustrated in Fig. 5, there are more components (subsystems) in pipeline BPCS-based loops. Loop (B) in Fig. 5 shows the CCO alarm or application loop credited as an IPL, and therefore we need to calculate its overall PFD and identify the RRF of that IPL.

(* Max{

})

It should be noted that the common cause failure factor, representing a cause which affects more than one channel, is not applicable here: two subsystems in series (e.g. sensor and logic solver) are not typically affected by a common cause, which is an incredible scenario, so the last term of the above equation is negligible for BPCS PFD calculations. However, it has to be considered, using the right reliability equation, for cases in which two sensors are installed in parallel (instead of one) in the field to provide better reliability. A typical BPCS loop credited in lieu of a SIF consists of three basic components: the sensor (complete with transmitter), the logic solver, which is typically the local controller implemented in the PLC, and the final element, which is typically the actuator and valve (in isolation, on-off or throttling applications); in pipeline operations, however, a pump (complete with motor and VFD, or just the power contactor) is considered a final element in some applications.

Additional subsystems, i.e. the local control network, SCADA (with its associated components at that facility) and CCO (or applications), each have a certain range of reliability on average (or equivalently PFD). As a practical approximation we can obtain the overall PFD of the loop by this equation:

According to statistics and industry data in general, the last term, related to the final element, is typically the largest compared to the other terms. Table 2 summarizes the contribution percentage of each component within a simple three component model [5].

Subsystem        Contribution to overall PFD
Sensor           50%
Logic Solver     15%
Final Element    35%
Total            100%

Table 2 Contribution percentage to the overall PFD in a three component model


It should be noted that this data is based on ESD actuators; in pipelines there are other types of final element (e.g. pumps) which have better reliability rates. At the same time, the other three components (i.e. network, SCADA and CCO/applications) still contribute to the overall PFD and should not be left out. SCADA relies on radio or satellite communications. The probability of failure of the communication channel can be obtained by exploiting the fact that part of the safe failures and part of the dangerous failures are detectable via the communication channel diagnostics, in accordance with the equations defined below [6]:

Undetected dangerous failure frequency is the variable which we would like to see as low as possible. For each typical communication channel (with respect to the type of communication medium, diagnostic features, type of coding, physical layer features, etc.), we need to establish a data gathering system for this rate. We are able to minimize it by working on the diagnostics of the communication channel, improving the diagnostic factor and modifying the channel design so as to reduce it. A more detailed calculation can be obtained from a Markov model for more detailed cases, if it can be set up with an optimal number of states for practical modeling [6]. The same concept is applicable to the local network. We have to consider some additional concerns for the network:
- The security of the network: it could be susceptible to virus/malware attack or hacking, in addition to the normal failure causes.
- Common cause failure can occur more often within the network components, as they can fail due to common causes (e.g. EMI/EMC issues, cabling and so on).
- Because we continuously use the network, we have to model it in high demand mode.
- If we have good diagnostics and monitoring of the network, the undetected dangerous failure rate will be highly reduced.

Control center operations reliability can be considerably improved by improving the alarm management system, the workplace environment and also the availability of SOPs. Some of the applications in the control center are not completely preventive, i.e. they do not avoid loss of containment, but they are protection layers (to some extent) which mitigate the impact of the high consequence event or reduce the frequency of the higher consequence event or the associated affected event. The two important applications in that layer are:
- SCADA overpressure protection, in which the downstream station is placed in safer operation knowing that there has been an overpressure event at the upstream station which will propagate toward the downstream one;
- Leak detection system, in which we are able to mitigate by detection and by limiting the volume released to the environment.
In general, leak detection systems are crucial protection layers, as best-in-industry means and practices to mitigate the risk of a leak (in addition to integrity programs) in the pipeline industry, and can be adopted in the functional safety context by working on the creditability and scope of the leak detection system and modeling it properly in that context.
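The loop PFD bookkeeping described in the BPCS creditability passage (series combination of the Fig. 5 subsystems, the Table 1 SIL band and the RRF) and in the communication channel passage above (how diagnostic coverage changes the undetected dangerous failure rate), worked through as an added Python example; this is not the paper's own calculation. It assumes independent series subsystems, the simple single-channel low-demand approximation PFDavg = lambda_DU * T / 2 for the SCADA link, and constructed sample failure data.

```python
"""PFD bookkeeping for the local and remote BPCS-based loops of Fig. 5.

Added example, not the paper's own calculation. Assumptions:
  * independent subsystems in series: loop PFD = 1 - prod(1 - PFD_i), which for
    small PFDs is the sum-of-terms approximation; the common cause term is
    dropped, as the paper argues it is negligible for series subsystems;
  * SCADA link modelled as one channel with PFDavg = lambda_DU * T / 2;
  * lambda_DD = DC * lambda_D and lambda_DU = (1 - DC) * lambda_D.
All failure rates and subsystem PFDs below are constructed sample values.
"""

# Table 1 SIL bands as (lower bound, upper bound, label); a PFD in [low, high)
# maps to that label. "SIL a" is the paper's SIL 0 band for credited BPCS loops.
SIL_BANDS = [
    (0.1, 1.0, "SIL a"),
    (0.01, 0.1, "SIL 1"),
    (0.001, 0.01, "SIL 2"),
    (0.0001, 0.001, "SIL 3"),
    (0.00001, 0.0001, "SIL 4"),
]

def sil_band(pfd: float) -> str:
    """Map a PFD value onto the Table 1 band it falls into."""
    for low, high, label in SIL_BANDS:
        if low <= pfd < high:
            return label
    return "out of range"

def series_pfd(pfds) -> float:
    """PFD of independent subsystems in series (Fig. 4 generalised to n):
    the loop fails on demand if any subsystem fails."""
    p_ok = 1.0
    for p in pfds:
        p_ok *= 1.0 - p
    return 1.0 - p_ok

def rrf(pfd: float) -> float:
    """Risk reduction factor credited for an IPL with the given PFD."""
    return 1.0 / pfd

def split_dangerous_rate(lambda_d: float, dc: float):
    """Split a dangerous failure rate into detected / undetected parts by DC."""
    return dc * lambda_d, (1.0 - dc) * lambda_d

def channel_pfd(lambda_d: float, dc: float, proof_test_hours: float) -> float:
    """Assumed single-channel low-demand approximation PFDavg = lambda_DU * T / 2."""
    _, lambda_du = split_dangerous_rate(lambda_d, dc)
    return lambda_du * proof_test_hours / 2.0

# Constructed sample PFDs for the three basic components (loop A of Fig. 5) ...
SENSOR, LOGIC_SOLVER, FINAL_ELEMENT = 0.02, 0.006, 0.014
# ... and for the extra subsystems of the remote loop (loop B of Fig. 5).
LOCAL_NETWORK, CCO = 0.005, 0.03
# Constructed dangerous failure rate (per hour) and annual proof test for the SCADA link.
SCADA_LAMBDA_D, PROOF_TEST_HOURS = 2e-5, 8760.0

def local_loop_pfd() -> float:
    """Loop A: sensor -> logic solver -> final element."""
    return series_pfd([SENSOR, LOGIC_SOLVER, FINAL_ELEMENT])

def remote_loop_pfd(scada_dc: float) -> float:
    """Loop B: loop A plus network, SCADA link and CCO; the return command path
    reuses SCADA, network and logic solver and is counted once (Fig. 5 note)."""
    scada = channel_pfd(SCADA_LAMBDA_D, scada_dc, PROOF_TEST_HOURS)
    return series_pfd([SENSOR, LOGIC_SOLVER, LOCAL_NETWORK, scada, CCO, FINAL_ELEMENT])

if __name__ == "__main__":
    for name, pfd in [("local loop A", local_loop_pfd()),
                      ("remote loop B, DC=0.6", remote_loop_pfd(0.6)),
                      ("remote loop B, DC=0.9", remote_loop_pfd(0.9))]:
        print(f"{name:22s} PFD={pfd:.4f}  RRF={rrf(pfd):5.1f}  band={sil_band(pfd)}")
```

With these sample values the remote loop drops into the SIL a band at 60% channel diagnostic coverage and returns to the SIL 1 band at 90%, which is the effect the text describes for the undetected dangerous failure rate.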

It should be noted that, due to certain criteria, BPCS-based IPLs can only be credited twice, unless the third IPL is either a non-BPCS-based one or completely independent in all subsystems. The second BPCS-based loop (either local or remote) has to be assigned a higher PFD because of common cause failure. Company practices and standards should be developed in accordance with industry best practices and the actual field failure data of the pipeline operations.

FAILURE/RELIABILITY DATA GATHERING SYSTEMS

Failure and reliability data are crucial to the success of SIS implementation across the whole lifecycle. There are three types of failure data:
- Industry data: OREDA, CCPS, Mil-Book, ISA SP84;
- Vendor data: certified by TÜV or Exida, or non-certified vendor data;
- Application data: in-house actual data from field operations.


If proper application data is available for a specific device from different regions or facilities, that will be the most preferred data to use for LOPA analysis and SIL determination and validation. Application data can be well classified in the pipeline industry, thanks to the availability of similar installations compared to integrated plants, if the data is gathered. Otherwise, certified vendor data, industry data and non-certified vendor data should be gathered where available, refined and augmented with a conservative data set. The data gathering system takes inputs from the operations and maintenance groups and is to be maintained by the functional safety engineering group, to ensure that any failure and its associated corrective maintenance (replacement or partial repair), any preventive maintenance and any minimal repair on any related device are documented and entered into the system accordingly. Data refining and filtering can be achieved using adaptive or neuro-fuzzy algorithms.

OPERATIONS AND MAINTENANCE

The SIS lifecycle starts from operations and maintenance and ends with them. It starts from the risk assessment phase, in which their inputs are required. In addition to the data gathering system, all of the SIS recommended practices, processes and procedures for proof tests, SAT, commissioning, bypass, decommissioning and SOPs have to be developed in collaboration with them. Planning and execution of the SIS initiative, as well as maintaining it, can only progress when they are engaged as key stakeholders through systematic communication channels and thorough review processes within the whole operations and maintenance teams in the different groups of the organization. Senior management support is a key factor in a successful program.

CONCLUSIONS

Pipeline operations, like any other operating company, need to plan and define the scope of SIS implementation. The senior management of each company has to envision the initiative and manage it as a mandate for the whole organization, including sponsorship, support and engagement. The initiative has to be viewed as two sets of actions. The first is an initiative to establish the processes and procedures, such as the data gathering system, documentation management, maintenance management, lifecycle retention, SIS audit and planning, and the technical practices for risk assessment, SIL determination, design, SIL validation, FAT, SAT, proof tests, commissioning, SIF re-validation, decommissioning and so forth, in accordance with the IEC61511 code requirements. The second set of actions includes maintaining the processes and procedures, verification of the risk assessment and of the SIS design and implementation, operational modifications and revalidation requirements, and any other operational SIS actions. Process and operations in the pipeline industry are somewhat different from other oil and gas businesses. The differences grow when it comes to SIS and functional safety. The diversification applicable to various aspects of this industry, the non-integrated facilities, regional priorities and differences in the business can make it challenging to meet compliance with IEC61511. With envisioned senior management support and execution of the planned actions in each initiative, compliance is achieved and maintained consistently.

REFERENCES

[1] International Electrotechnical Commission, Standard IEC-61511, Functional Safety - Safety Instrumented Systems for the Process Industry Sector, Edition 1.0, IEC, Geneva, 2003.
[2] Fang, L., Wu, Z., Wei, L. and Liu, J., 2008, Design and Development of Safety Instrumented System, Proceedings of the IEEE International Conference on Automation and Logistics, Qingdao.
[3] Gruhn, P. and Cheddie, H., 2006, Safety Instrumented Systems: Design, Analysis and Justification, 2nd Edition, ISA, Research Triangle Park, NC, pp. 94-96.
[4] CCPS, 2001, Layer of Protection Analysis: Simplified Process Risk Assessment, AIChE, New York, pp. 12-42.
[5] Sato, Y., 2008, Introduction to Partial Stroke Testing, SICE Annual Conference 2008, The University of Electro-Communications, Japan.
[6] Goble, W. and Cheddie, H., 2005, Safety Instrumented Systems Verification: Design, Practical Probabilistic Calculations, 1st Edition, ISA, Research Triangle Park, NC, pp. 107-121.

