BPCS INDEPENDENCE - PART 2 (BEST PRACTICES)
PHA-BLG-103

Check out Part 1 of this article in my earlier post from Sept. 2021 or on our website: www.watchmenise.com/articles

Abstract

Part 2 of this article builds on the BPCS independence requirements described in Part 1 by discussing best practices and practical design options for complying with the IEC 61511 BPCS independence requirements. In this article, we will discuss some of the options available, including the benefits and drawbacks of each. Historically, segregation of control from safety systems has been considered a costly endeavor and has been shunned by smaller operating companies or on smaller-scale facilities. With advances in technology, the cost of segregation is becoming more reasonable, and there are many ways of meeting these standards' requirements.

Best Practices for Allowing Multiple BPCS Credits in LOPA

Attempting to apply dual credit for the BPCS category of protection layers in LOPA requires an understanding of the requirements. IEC 61511-2 Sections 9.3.4 and 9.3.5 recommend that analysis be performed to ensure common cause and common mode failures are minimized. When practical, it is recommended that the independent BPCS platforms used be as diverse as practical, including hardware, software, engineering tools and programming language. The level of diversity considered appropriate may depend on the level of risk associated with the application, with greater levels of diversity being applied to high-risk applications.

System Independence

Establishing a strong corporate standard for SIS and BPCS implementation at the start of the project will prevent costly changes late in the project during the HAZOP and LOPA assessments, which in some cases occur after the control system has been purchased. A common practice is to implement control and safety interlocks using independent systems. Implementing safety interlocks in a SIL-certified logic solver provides a high degree of flexibility for handling high-risk scenarios as the risk analysis progresses during the project. Safety-certified systems have come down in price and are becoming more affordable and practical to work with. In some cases, the LOPA team may identify a benefit to implementing an additional independent BPCS system to avoid the need for a SIF or to reduce the SIL target. This decision may be one best left to the LOPA team rather than made at the start of the project.

A design standard that requires two independent systems for control and shutdown is now quite common for larger-scale and higher-risk projects; however, this has traditionally been less common on smaller, lower-risk facilities. Many smaller applications such as wellsites, compressor stations and oil batteries have traditionally used either a common RTU or PLC for all control and shutdown functionality. The standards, however, apply equally to these types of facilities. Therefore, they would also benefit from the same standardized approach of separating control from shutdown using two independent systems. As SIS applications have now been around for many years, cost-effective SIS systems are becoming more readily available. In some cases, a small SIS can be implemented for similar pricing to a general-use PLC. SIL-certified relays using a hard-wired approach may also be applied when only a couple of SIF applications are identified. Local pneumatic and hydraulic protection loops can also be considered when necessary, assuming reliability requirements can be met. For these local electric or mechanical loops, the sensing and final elements may be monitored by the BPCS, activating an alarm in the event of a local shutdown.

BPCS and SIS Architecture Options

There are a few different options available for implementing BPCS and SIS systems, with the line between how independent they are becoming more blurred as technology advances. Control system vendors are developing innovative ways to establish independence using a common platform while attempting to minimize common cause and common mode failures. Greater care is required when implementing BPCS and SIS systems that are more closely integrated, with the standards calling for quantitative analysis when common elements are used. The BPCS/SIS architecture types in use include:

- Air Gapped

- Interfaced

- Integrated

- Common

The Air-Gapped system has the greatest level of independence and was the most common method of implementation in the early days of SIS. This system is physically separate and therefore has very little possibility of common cause or common mode failures. It often requires different suppliers and can therefore be a more costly option.

The Interfaced system is also physically separated but allows for communication between the BPCS and SIS systems. In this system, a communications failure in one system does not cause the other system to fail. This system is still considered to have a high level of independence between systems. This option also typically makes use of different suppliers.

The Integrated system is commonly provided by the same supplier, and both systems make use of the same network while retaining separate logic solvers and I/O. There is often increased commonality of components, including in some cases engineering workstations and tools, and therefore an increased opportunity for common cause and common mode failures. This system is typically simpler and therefore cheaper to implement due to the commonality of the platform.

The Common system combines the BPCS and SIS into a common logic solver while retaining separate I/O and, in some cases, separate safety communications. To ensure sufficient independence, it may also be necessary to segregate the BPCS and SIS I/O into separate I/O networks and separate racks. This approach should only be considered if certified as compliant with the latest version of the IEC 61508 standards. This system has the lowest level of independence and the greatest opportunity for common cause, common mode and systematic failures.

No matter which system is selected, all SIS applications must be certified to IEC 61508. Higher-risk applications may warrant selecting a system with a higher level of independence. Additionally, the user is responsible for ensuring the implemented system meets the requirements of IEC 61511.

What to do When Independence is Not Sufficient

While strict adherence to the most rigorous standards should be the ultimate goal, getting there can be a tough sell due to the potential price tag. Many industrial facilities were built at a time when these standards either did not exist or were considered a nice-to-have. The reality is that many facilities are still being built that do not comply with the latest independence requirements, for varying reasons. The following are some ideas on how to move towards compliance in a staged approach.

Rome wasn't built in a day, but brick by brick it was completed. With future full compliance in mind, we can move toward that reality using a staged approach. Intermediary measures may include implementing diverse technologies and wiring practices, and independent I/O cards, which in many cases can be completed for a reasonable cost. While this does not meet the intent of a fully compliant approach, it shows that the issue of BPCS independence is taken seriously and demonstrates some form of due diligence if a hazardous scenario arises.

In situations where strict adherence to the latest version of these standards is considered cost prohibitive, consider taking some short-term, proactive and affordable measures focused on a select few safety-critical I/O. Consult your PHA and other documentation to determine which I/O is safety critical, and prioritize upgrades based on the largest risk gaps. The highest-risk functions can be re-wired into a fully independent logic solver, moved to remote I/O cards, or separated using relays or loop splitters, among other solutions. Having your highest-criticality safety functions managed under IEC 61511 can be an effective and affordable first step, with lower-criticality functions following suit at a later time. When considering migration plans to address obsolescence issues, this offers a great opportunity to move towards full compliance.

Benefits of Standards Compliance

There are many benefits that come with the investment of complying with the IEC 61511 standard (including the rigorous BPCS independence requirements), including:

a) Safer work environment for staff, environmental and asset protection, reduced risk of regulatory penalties or damaged reputation

b) Management of liability risk with standards compliance and risk mitigation

c) The analysis required to increase the reliability of SIS hardware reveals and corrects not only dangerous failures, but also safe failures leading to increased availability and plant up-time.

d) Flexibility when taking a system offline for maintenance (e.g. the Fire & Gas System can still provide protection when the BPCS is down for maintenance).

e) Enhanced access controls and cyber security measures.

f) Simplified analysis of the BPCS and SIS compared with what would be required if they were combined.

With some forethought and good engineering practices adopted at the start of the project, these requirements can be implemented at a reasonable cost and can come with many benefits. For brownfield applications, this has the potential to be a costly effort depending on the age of the existing system and the standards it was implemented under. For this reason, it is highly recommended to engage a highly competent specialist prior to starting any updates.

References:

IEC 61511: Functional safety - Safety instrumented systems for the Process industry sector

IEC 61508: Functional safety of electrical/electronic/programmable electronic safety-related systems

Duane Svenson, PMP, C.Tech., RSE

Technical Project Management Professional helping asset owners plan, manage and execute in the fields of Automation, OT and Process Safety.

3 years

Great insight Shaun, thank you.

More articles by Shaun Williamson P.L. Eng., CFSE, PMP
