Protection layers process control system

In general, the safety of a process relies on multiple layers of protection. The first layer of protection is the process design features. Subsequent layers include control systems, interlocks, safety shutdown systems, protective systems, alarms, and emergency response plans. Inherent safety is a part of all layers of protection however, it is especially directed toward process design features. The best approach to prevent accidents is to add process design features to prevent hazardous situations. An inherently safer plant is more tolerant of operator errors and abnormal conditions. 

LOPA is a semi-quantitative tool for analyzing and assessing risk. This method includes simplified methods to characterize the consequences and estimate the frequencies. Various layers of protection are added to a process, for example, to lower the frequency of the undesired consequences. The protection layers may include inherently safer concepts the basic process control system safety instrumented functions passive devices, such as dikes or blast walls active devices, such as relief valves and human intervention. This concept of layers of protection is illustrated in Figure 11-16. The combined effects of the protection layers and the consequences are then compared against some risk tolerance criteria. 

Control layer Protection layer that is used to maintain the process within the normal operating limits, such as standard operating procedures, basic process control system, and process alarms. 

Requirement on the basic process control system as a layer of protection... 

The basic process control system may be identified as a protection layer subject to certain conditions. If functions are implemented in the BPCS for the purpose of reducing the process risk, the BPCS can be allocated a risk reduction for the identified risks it is intended to reduce. 

In situations where the SIS is the only layer of protection and is used for a safety function operating in the continuous mode of operation, then the diagnostic test interval will need to be such that faults in the SIS are detected in time to ensure the integrity of the SIS and to allow action to be taken to ensure a safe state in the event of a failure occurring in the process or the basic process control system. 

The lEC 61508 standard defines safety as "freedom from unacceptable risk" (Ref. 1). Functional safety has been defined as "part of the overall safety relating to the process and the Basic Process Control System (BPCS) which depends on the correct functioning of the SIS and other protection layers." The phrase "correct functioning of the SIS" identifies the key concern. A high level of functional safety means that a safety... 

The basic process control system may be identified as a protection layer as shown in Figure 9. 

The team should examine how the safety functions are allocated to each protection layer, such as the basic process control system or safety instrumented system. The assessment should focus on minimizing the common-cause failures between the safety functions associated with each identified process hazard. Then, each protection layer should be reviewed to ensure that adequate independence and separation is provided between layers. 

Layers of protection There are many independent layers of protection provided in the control measure in addition to the basic process control system. These layers of protection make the control measures more robust. Fig. 11/4.5.4-1 may be referred to for more detail. Detailed discussions are available in Chapter V. Common mode failure Common mode failure refers to the failure of more than one control system on account of a common cause, which underlines the importance of independent layers of protection. However, common cause can affect both engineering and administrative controls. So, while considering the adequacy of control measures used for risk prevention/reduction/mitigation, etc. it is necessary and important to see that all such control measures are not only independent but also do not suffer from common mode fculure—discussed in later part of the book. 

Zone Difference in security level at various parts of the network can be addressed by dividing the network into zones, defined as logical and physical informational, physical and application assets. To get an idea. Fig. XI/4.4-2 may be referred to. In fact. Fig. XI/4.1.3-1 also has zone division in a similar manner. One point worth noting is that SIS in both cases is segregated from the process control system via firewall protection so that it is in a safe condition and in a safe zone. In fact, this is a zone within a zone acting as a safety layer and an example of defense-in-depth. There can be multiple zones and separate zones. 

While these are useful aids to operation, neither the systems themselves nor the human interface with them are designed or managed in accordance with BS EN 61511. Therefore the credit to be taken for them should be limited. As they also typically rely on the same operator who has to bring the transfer to a stop, it is not appropriate for them to be considered as a protection layer. Instead they may be considered as a contributing factor to the reliability claimed for the operator, for example in relation to error recovery, in carrying out the basic process control function, and are therefore part of the basic process control system. 

It is possible to claim up to one risk reduction layer within the BPCS (Basic Process Control System) for the same hazard event when the BPCS is also the initiating event. Two risk reduction layers may be claimed within the BPCS if it is not part of the initiating cause. A risk reduction of no more than 10 1 can be claimed for each layer. Also the protection layer, and the initiating cause or the two protection layers, should not share the same field devices or I/O modules or processor module. 

Allocation of the safety functions to layers of protection taking account of potential reduction in effective protection due to common cause failure between the safety layers and between the safety layers and the Basic Process Control System (BPCS). ... 

The importance of safety systems has been gradually increasing in oil and gas industry. In general, safety systems, which are different and independent from each other, are considered to provide multiple protection layers. The typical multiple protection layers installed in oil and gas facilities are BPCS (Basic Process Control System), SIS (Safety Instrumented System) and Physical Mitigation System. 

Approved Independent Backup (AIB) - A secondary non-electrical/instrument safety layer, such as a relief valve used to prevent over pressure in a vessel. This feature will protect against a hazard If the Basic Process Control System fails. An event classification based on the existence of an Approved Independent Backup assumes that the process will be operational only when the Approved independent Backup features are operational. The backup should have the following features ... 

By attempting to maintain process conditions at or near their design values, the process controls so attempt to prevent abnormal conditions from developing within the process. Although process controls can be viewed as a protective layer, this is really a by-product and not the primaiy func tion. Where the objective of a function is specifically to reduce risk, the implementation is normally not within the process controls. Instead, the implementation is within a separate system specifically provided to reduce risk. This system is generally referred to as the safety interlock system. 

---