
There is no way around it: The functionally safer a system is built, the less reliable it becomes. Typically, process control systems are built with one or more independent protection layers (IPL): devices, systems or functions that prevent an undesired outcome without being adversely affected by other protection layers, or by the triggering event.

The kernel of the problem is embedded in the solution itself. Whenever a system — for instance, a distributed control system — is made safer using comparison (voting) redundancy or diagnosed outputs, it will become more susceptible to spurious trips.

This is the reason independent protection layers (IPL) taking credit for more than three orders of magnitude of risk reduction are avoided at all costs. An example is safety instrumented functions (SIF) with a safety integrity level (SIL) higher than two (SIL 2).

When designers are nevertheless forced to implement such a high-performance solution because there is no other way (a SIL 3 SIF, for example), it is usually classified as a high integrity protection system, or HIPS. Frequently, an exclusively dedicated and well-trained team of experts is assigned to the task of managing and maintaining the HIPS because of the number of devices and procedures involved.

There are scenarios in which other instrumented IPL could reduce the burden of a SIF by optimizing risk reduction, however. Annex C of the IEC 61511-3: 2016 standard shows how basic process control systems (BPCS), alarms and release devices could take credit as IPL if they are proven to have specificity, independence, dependability and auditability.

The purpose of this two-part article is to point out possible scenarios in which rationalized alarm IPLs — that is, highly managed alarms (HMA) or safety alarms — are deemed appropriate for implementation by the authority having jurisdiction (AHJ). I will discuss the IEC 61511 clauses on the subject as well as user standards such as NAMUR NE 165. In part two, I will illustrate these principles with a case study based on a typical API 556 furnace application (Annex A of TR84.00.05).



Figure 1: IEC 61511-3 Annex C defines an example of safety-layer matrix methodology. The application of multiple protection layers to safeguard a process is used to reduce risk. Image provided by Siemens.


A Closer Look at Annex C of the IEC 61511-3 Standard

IEC 61511-3 Annex C (informative) defines an example of safety layer matrix methodology. The annex shows how the application of multiple protection layers to safeguard a process is used to reduce risk (figure 1).

This method, commonly referred to as the onion layers model, relies on three basic principles:

  1. It is a group of control equipment or procedures.
  2. It meets the following criteria:
    • Specificity (to a hazard).
    • Independence (from other independent protection layers).
    • Dependability. It reduces risk at least 10 times.
    • Auditability. Its performance should be measurable or estimable.
  3. It complies with Clause 3.2.69, the definition of safety integrity level (SIL).

What is not discussed in Annex C is how well we can — or should — optimize the risk reduction among the first three instrumented safeguards: the basic process control system (BPCS), the alarms, and the safety instrumented function/system (SIF/SIS).

Now, is such a discussion “truly” necessary? After all, a SIF can reduce risk by up to five orders of magnitude (SIL 4). So, do we truly need more? Unfortunately, the safer a SIF is made, the less reliable it becomes. Therefore, designers try to avoid SIFs with risk reduction factors (RRF) of more than three orders of magnitude (1,000 times), that is, a safety integrity level higher than 2 (SIL 2).

In fact, when engineers are forced to use SIL 3 or SIL 4 SIF, they place such functions in a category of their own. As previously mentioned, they are known as high integrity protection systems (HIPS). A dedicated group of highly specialized personnel is assigned to their maintenance and supervision.


Basic Process Control System IPL

How much credit can be claimed for the BPCS as an IPL? The answer to this question is found in clause 9.3.2 of the functional safety standard for the process industry: “The risk reduction claimed for a BPCS protection layer shall be ≤10.” That is, of course, if the BPCS is not the origin or cause of the hazard.

The limitation to one order of magnitude is not absolute, however, and the very next clause (clause 9.3.3) of the same standard states: “If the risk reduction claimed for a BPCS protection layer is > 10, then the BPCS shall be designed and managed to the requirements within the IEC 61511 series.”

This clause seems to indicate that a BPCS must be certified for functional safety as per IEC 61508, or must be proven suitable by “prior use” determination (following IEC 61511 appropriate clauses), to claim more risk reduction than one order of magnitude. Yet, it will all depend on how the credit is claimed as well as on other components in the system. One example of claiming extra credits in such cases would be the use of alarms or interlocks. Keep in mind, however, that there are limits here, too.

Clause 9.3.4 limits the credits to BPCS that are designed and managed as per the IEC 61511 series: “No more than two BPCS protection layers shall be claimed for the same sequence of events leading to the hazardous event when the BPCS is not the initiating source of the demand.”

In summary, this means that if it is designed as a safety system, the BPCS can reduce the risk by more than one order of magnitude, but no more than two BPCS protection layers may be claimed for the same sequence of events.
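The credit rules quoted above (Annex C dependability, clauses 9.3.2, 9.3.3 and 9.3.4) are easy to get wrong in a layer-of-protection spreadsheet, so here is an added Python example that encodes them as a checker and combines the allowed layers into a mitigated event frequency. This is example code written for this page, not code from the article, from Siemens or from the IEC; the layer names, the `kind` labels, the tag numbers and the initiating frequency are constructed, and the rule that a BPCS which caused the demand claims no credit is the example's reading of the independence criterion.

```python
from dataclasses import dataclass, field
from math import prod

# Limits quoted in the text (IEC 61511-1 clauses 9.3.2-9.3.4 and Annex C
# "dependability"); everything else in this block is an assumption of the example.
MIN_IPL_RRF = 10            # Annex C: an IPL reduces risk at least 10 times
BPCS_MAX_RRF_BASIC = 10     # clause 9.3.2: BPCS layer credit <= 10 unless 9.3.3 applies
BPCS_MAX_LAYERS = 2         # clause 9.3.4: at most two BPCS layers per event sequence


@dataclass
class Layer:
    name: str
    kind: str                     # "bpcs", "alarm", "sif" or "relief" (labels assumed here)
    rrf: float                    # risk reduction factor the analyst wants to claim
    per_iec61511: bool = False    # clause 9.3.3: BPCS designed and managed to IEC 61511


@dataclass
class Scenario:
    initiating_event: str
    bpcs_is_initiator: bool       # is the BPCS the origin or cause of the demand?
    layers: list = field(default_factory=list)


def check_credits(s: Scenario) -> list:
    """Return the rule violations found; an empty list means every claim is allowed."""
    problems = []
    bpcs_layers = [l for l in s.layers if l.kind == "bpcs"]
    for l in s.layers:
        if l.rrf < MIN_IPL_RRF:
            problems.append(f"{l.name}: RRF {l.rrf:g} < {MIN_IPL_RRF}, fails Annex C dependability")
        if l.kind == "bpcs":
            if s.bpcs_is_initiator:
                # Assumption of this example: a BPCS that caused the demand is not
                # independent of it and therefore claims no credit (Annex C independence).
                problems.append(f"{l.name}: BPCS is the initiating source, no credit claimed")
            elif l.rrf > BPCS_MAX_RRF_BASIC and not l.per_iec61511:
                problems.append(f"{l.name}: RRF {l.rrf:g} > 10 needs design/management to IEC 61511 (9.3.3)")
    if not s.bpcs_is_initiator and len(bpcs_layers) > BPCS_MAX_LAYERS:
        problems.append(f"{len(bpcs_layers)} BPCS layers claimed, clause 9.3.4 allows at most {BPCS_MAX_LAYERS}")
    return problems


def total_rrf(s: Scenario) -> float:
    """Independent layers multiply: the combined RRF is the product of the individual RRFs."""
    return prod(l.rrf for l in s.layers)


def mitigated_frequency(initiating_freq_per_year: float, s: Scenario) -> float:
    """Hazardous-event frequency after all claimed layers (initiating frequency / total RRF)."""
    return initiating_freq_per_year / total_rrf(s)


# Constructed scenario (not from the article): a level-control loop failure protected
# by a BPCS interlock, a rationalized alarm and a SIL 2 SIF (RRF 100).
EXAMPLE = Scenario(
    initiating_event="level control loop fails high (constructed, 0.1 per year)",
    bpcs_is_initiator=False,
    layers=[
        Layer("LSH-101 BPCS interlock", "bpcs", 10),
        Layer("LAHH-101 IPL alarm (HMA)", "alarm", 10),
        Layer("SIF-101 trip", "sif", 100),
    ],
)

if __name__ == "__main__":
    print("violations:", check_credits(EXAMPLE) or "none")
    print("total RRF:", total_rrf(EXAMPLE))
    print("mitigated frequency per year:", mitigated_frequency(0.1, EXAMPLE))
```

Raising the BPCS interlock's claim to 100 without setting `per_iec61511=True`, or adding a third BPCS layer, makes `check_credits` return the corresponding clause so the analyst sees which rule the claim breaks.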


Alarms as IPL

Where alarms take credit as IPLs, several other factors must also be taken into consideration. Alarms, by definition, imply human intervention: an action is expected from the operator once an alarm has alerted him or her to a certain situation.



Figure 2: Table F-4 in IEC 61511-3: 2016 shows expected human performance. The table is expressed as PFDavg rather than as RRF. The operator’s response to alarms is judged to offer a typical risk reduction of 10. Human performance in the best-case scenario, by contrast, could be as good as two orders of magnitude. Image provided by Siemens.


Table F-4 in the IEC 61511-3: 2016 standard[1] shows expected human performance (figure 2). The table is expressed as the average probability of failure on demand (PFDavg) rather than as a risk reduction factor (RRF), which seems the more adequate measure. Here, the operator’s response to alarms is judged to offer a typical risk reduction of 10. Human performance in the best-case scenario, by contrast, could be as good as two orders of magnitude.

Although only illustrative, the implications of this table call for a deeper look.



Figure 3: This fault tree analysis demonstrates that an IPL alarm will fail if any of these conditions occur: the sensor fails, the logic solver (annunciator) fails, or the operator fails to react. Image provided by Siemens.


Consider the fault tree analysis shown in figure 3. An IPL alarm fails if the sensor fails, the logic solver (annunciator) fails, or the operator fails to react. For the figures in Table F-4 to describe the whole alarm IPL, the sensor and logic solver would therefore have to be “perfect,” and we must conclude that Table F-4, “Operators’ Response to Alarms,” cannot be referring to an alarm IPL as such.

Instead, have a look at the row for human performance (trained, no stress). Here, it is implied — although indirectly — that the authority having jurisdiction (AHJ) could judge an IPL alarm to be possible, with a caveat: the IPL alarm hardware setup must meet a minimum performance. It is obvious that the better the sensors and the logic solver (in this case, the annunciator) perform, the more the AHJ can concentrate on the appropriateness of the alarm as an IPL.
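The fault tree in figure 3 can be turned into numbers. The following Python is an added example, not code from the article, from Siemens or from the IEC: it combines the three failure branches with an OR gate, maps the resulting PFDavg to the IEC 61511 low-demand SIL bands (RRF = 1/PFDavg), and solves for how much PFD the sensor and annunciator may consume for a given operator credit before the alarm can no longer claim a target RRF. The sensor, annunciator and operator PFD values are constructed inputs chosen to match the Table F-4 credits quoted above.

```python
# IEC 61511 low-demand PFDavg bands (lower bound inclusive, upper exclusive); RRF = 1/PFDavg.
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


def or_gate(*pfds: float) -> float:
    """Top event of an OR gate over independent basic events: 1 - prod(1 - p_i)."""
    survive = 1.0
    for p in pfds:
        survive *= 1.0 - p
    return 1.0 - survive


def alarm_ipl_pfd(sensor: float, annunciator: float, operator: float) -> float:
    """Figure 3: the alarm IPL fails if the sensor, the annunciator OR the operator fails."""
    return or_gate(sensor, annunciator, operator)


def rrf(pfd: float) -> float:
    """Risk reduction factor corresponding to a PFDavg."""
    return 1.0 / pfd


def sil_for(pfd: float) -> int:
    """SIL band of a PFDavg; 0 means the value lies outside every band (no SIL claimable)."""
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= pfd < hi:
            return sil
    return 0


def hardware_pfd_budget(target_rrf: float, operator_pfd: float) -> float:
    """Largest combined sensor+annunciator PFD that still lets the alarm IPL reach target_rrf.

    Solving 1 - (1 - h)(1 - op) <= 1/target_rrf for h gives
    h <= 1 - (1 - 1/target_rrf) / (1 - op); a negative result means no hardware can help.
    """
    target_pfd = 1.0 / target_rrf
    budget = 1.0 - (1.0 - target_pfd) / (1.0 - operator_pfd)
    return max(budget, 0.0)


if __name__ == "__main__":
    # Constructed values: sensor and annunciator at PFD 0.01 each (the good end of the
    # SIL 1 band) combined with the Table F-4 "typical" operator credit of 10 (PFD 0.1).
    p = alarm_ipl_pfd(0.01, 0.01, 0.1)
    print(f"alarm IPL PFDavg={p:.4f} RRF={rrf(p):.1f} SIL band={sil_for(p)}")
    for op in (0.1, 0.01):   # typical and best-case operator performance from Table F-4
        print(f"operator PFD {op}: hardware PFD budget for RRF 10 = {hardware_pfd_budget(10, op):.4f}")
```

With the typical operator credit of 10 (PFD 0.1) the hardware budget is zero: the operator alone consumes the whole allowance, so the combined alarm cannot reach RRF 10 and sits outside every SIL band. With the best-case operator credit of 100 (PFD 0.01) the sensor and annunciator may together take a PFD of about 0.09 and the alarm still claims RRF 10, which is the quantitative form of the caveat that the hardware must meet a minimum performance.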

IEC 61511 acknowledges alarms as another means of risk reduction that manages the likelihood of the hazardous event as an IPL (e.g., safety alarms). By contrast, IEC 62682, a standard for the management of alarms systems for the process industries, defines a safety alarm as one that is classified as critical to process safety for the protection of human life or the environment. In addition, IEC 62682 offers caveats, including:

  • The alarm system needs to be rationalized. An unrationalized system is likely to have too many alarms, incorrect priorities and alarms without an operator response. These issues impact the operator’s ability to detect, diagnose and respond to all alarms.
  • The alarm system performance needs to be measured and deemed acceptable. A system without a monitoring and assessment program is likely to have nuisance alarms, alarm floods, alarm overload and frequently occurring alarms.

“Deemed to be acceptable” is the kernel of this argument because, when it comes to alarms in general, some people do not accept alarms as IPLs at all because of the human intervention involved. Others believe that “all alarms could be IPL,” pointing to the example in Annex F of IEC 61511-3.

Both positions should consider that it is the application — and therefore the AHJ — that determines the acceptability of an IPL alarm. Yet, in any event, all IPL alarms should be highly managed alarms (HMA).



Figure 4: A highly managed alarm, or HMA, is defined in IEC 62682, clause 6.2.9. These are alarms that require more administration and documentation than others, as in the case of alarms critical to process safety for the protection of human life (i.e., safety alarms). Image provided by Siemens.


Highly Managed Alarms and NAMUR NE 165

A highly managed alarm is defined in IEC 62682, clause 6.2.9 (figure 4). These are alarms that require more administration and documentation than others, as in the case of alarms critical to process safety for the protection of human life (i.e., safety alarms).

Thus, an IPL alarm is a well-rationalized safety alarm that has been deemed acceptable by the AHJ. But what do users say?



Figure 5: NAMUR recommendations per NE 165 on basic process control system protection layers (BPCS-C and BPCS-P). Image provided by Siemens.


Have a look at the NAMUR recommendations per NE 165 (figure 5) about basic process control system protection layers. The recommendation recognizes that up to two protection layers are possible in a BPCS, which coincides with clause 9.3.4 of the IEC 61511 series. NAMUR NE 165 defines BPCS-C (C denotes control) and BPCS-P (P denotes protection), but it clarifies in clause 8:

BPCS-P can have a switching character (i.e. interlocks), but if necessary, can also be linked via an alarm with a suitable operating instruction (e.g., operator handles the actuator in response to the alarm). In both cases, however, the safe state condition must be achieved by triggering the BPCS-P (and, if applicable, the associated suitable operating instructions).

Thus, in summary, an IPL alarm:

  • Must be a safety alarm as defined in IEC 62682 (implying HMA).
  • Must have instrumentation with safety performance better than SIL 1.
  • Must be rationalized and deemed acceptable for the AHJ.

How can all these qualities be integrated into a DCS? This question will be answered in part two of this series.

Note

  • Table F-4 in the first edition of IEC 61511-3: 2016 standard was noted as Table F-3 in error. It was corrected to Table F-4 in the standard second edition.

Next: How to Take Credit for an IPL Alarm in Your DCS, Part 2