This book provides designers and operators of chemical process facilities with a general philosophy and approach to safe automation, including independent layers of safety. An expanded edition, this book includes a revision of original concepts as well as chapters that address new topics such as use of wireless automation and Safety Instrumented Systems. This book also provides an extensive bibliography to related publications and topic-specific information.
Page count: 1102
Year of publication: 2017
This book is one in a series of process safety guidelines and concept books published by the Center for Chemical Process Safety (CCPS). Please go to www.wiley.com/go/ccps for a full list of titles in this series.
It is sincerely hoped that the information presented in this document will lead to an even more impressive safety record for the entire industry. However, the American Institute of Chemical Engineers, its consultants, the CCPS Technical Steering Committee and Subcommittee members, their employers, their employers’ officers and directors, and SIS-TECH Solutions, LP and its employees do not warrant or represent, expressly or by implication, the correctness or accuracy of the content of the information presented in this document. As between (1) American Institute of Chemical Engineers, its consultants, CCPS Technical Steering Committee and Subcommittee members, their employers, their employers’ officers and directors, and SIS-TECH Solutions, LP and its employees, and (2) the user of this document, the user accepts any legal liability or responsibility whatsoever for the consequences of its use or misuse.
SECOND EDITION
CENTER FOR CHEMICAL PROCESS SAFETY of the AMERICAN INSTITUTE OF CHEMICAL ENGINEERS
NEW YORK, NY
Copyright © 2017 by the American Institute of Chemical Engineers, Inc. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permission.
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.
Library of Congress Cataloging-in-Publication Data:
Names: American Institute of Chemical Engineers. Center for Chemical Process Safety.
Title: Guidelines for safe automation of chemical processes.
Description: Second edition. | Hoboken, New Jersey : Center for Chemical Process Safety of the American Institute of Chemical Engineers : John Wiley & Sons, Inc., [2017] | Includes bibliographical references and index.
Identifiers: LCCN 2016044310 (print) | LCCN 2016048203 (ebook) | ISBN 9781118949498 (cloth) | ISBN 9781119351894 (pdf) | ISBN 9781119352136 (epub)
Subjects: LCSH: Chemical processes--Automation--Safety measures.
Classification: LCC TP155.7 .G85 2017 (print) | LCC TP155.7 (ebook) | DDC 660/.2804--dc23
LC record available at https://lccn.loc.gov/2016044310
In Honor of Victor Joseph Maggioli, Sr.
The 2nd edition of CCPS’ Guidelines for Safe Automation of Chemical Processes is dedicated to Victor Joseph Maggioli, Sr., who passed away in April 2016. Vic served on the process control safety subcommittee that collaborated to write the 1st edition of this book. He made extensive use of knowledge and experience obtained while working for DuPont to help craft what became the guiding document for the application of instrumentation and controls in safety applications.
Until the publication of the international standard IEC 61511 in 2003, Vic brought the 1st edition of these guidelines to each domestic and international standards committee related to safe automation and held it up as the hallmark for the committees to aspire to. Vic worked tirelessly for more than 5 decades to document the principles, techniques, methods, and practices that contribute to the safe and reliable operation of chemical processes. This 2nd edition is dedicated to his leadership and technical contributions.
LIST OF FIGURES
LIST OF TABLES
ABBREVIATIONS
GLOSSARY
ACKNOWLEDGEMENTS
1 PROCESS SAFETY AND SAFE AUTOMATION
1.1 OBJECTIVE
1.2 SCOPE
1.3 LIMITATIONS
1.4 TARGET AUDIENCE
1.5 INCIDENTS THAT DEFINE SAFE AUTOMATION
1.6 OVERVIEW OF THE CONTENTS
1.7 KEY DIFFERENCES
2 THE ROLE OF AUTOMATION IN PROCESS SAFETY
2.1 PROCESS OPERATIONS
2.2 PLANT AUTOMATION
2.3 A FRAMEWORK FOR PROCESS SAFETY
2.4 RISK-BASED DESIGN
2.5 RISK MANAGEMENT OF EXISTING FACILITY
3 AUTOMATION SPECIFICATION
3.1 PROCESS AUTOMATION LIFECYCLE
3.2 FUNCTIONAL SPECIFICATION
3.3 DESIGNING FOR OPERATING OBJECTIVES
3.4 INHERENTLY SAFER PRACTICES
3.5 DESIGNING FOR CORE ATTRIBUTES
3.6 CONTROL AND SAFETY SYSTEM INTEGRATION
4 DESIGN AND IMPLEMENTATION OF PROCESS CONTROL SYSTEMS
4.1 INPUT AND OUTPUT FIELD SIGNAL TYPES
4.2 BASIC APPLICATION PROGRAM FUNCTIONS
4.3 PROCESS CONTROL OBJECTIVES
4.4 PROCESS CONTROLLER TECHNOLOGY SELECTION
4.5 DETAILED APPLICATION PROGRAM DESIGN
5 DESIGN AND IMPLEMENTATION OF SAFETY CONTROLS, ALARMS, AND INTERLOCKS (SCAI)
5.1 SCAI CLASSIFICATION
5.2 DESIGN CONSIDERATIONS
5.3 SCAI TECHNOLOGY SELECTION
6 ADMINISTRATIVE CONTROLS AND MONITORING
6.1 INTRODUCTION
6.2 AUTOMATION ORGANIZATION MANAGEMENT
6.3 PROCESS SAFETY INFORMATION
6.4 OPERATING PROCEDURES
6.5 MAINTENANCE PLANNING
6.6 HUMAN AND SYSTEMATIC FAILURE MANAGEMENT
6.7 MANAGEMENT OF CHANGE
6.8 AUDITING, MONITORING AND METRICS
APPENDIX A. CONTROL SYSTEM CONSIDERATIONS
A.1 CONTROL SYSTEM TECHNOLOGIES
A.2 ADDITIONAL CONSIDERATIONS FOR PROCESS CONTROL APPLICATIONS
APPENDIX B. POWER, GROUNDING, AND SHIELDING
B.1 POWER SUPPLY AND DISTRIBUTION
B.2 GROUNDING FOR SAFE, RELIABLE OPERATIONS
B.3 SIGNAL SHIELDING AND GROUNDING PRACTICES
B.4 SPECIAL SCAI CONSIDERATIONS
APPENDIX C. COMMUNICATIONS
C.1 COMMUNICATION CLASSIFICATIONS
C.2 COMMON COMMUNICATION NETWORK TOPOLOGIES
C.3 COMMUNICATION BETWEEN DEVICES
C.4 WIRELESS COMMUNICATION
C.5 COMMON COMMUNICATION CONFIGURATIONS
C.6 COMMON DATA COMMUNICATION ISSUES
C.7 PROCESS CONTROL AND SAFETY SYSTEM COMMUNICATIONS
C.8 SCAI COMMUNICATIONS
APPENDIX D. ALARM MANAGEMENT
D.1 ALARMS
D.2 STANDARDS AND RESOURCES
D.3 ALARM MANAGEMENT
D.4 MANAGING THE SAFETY ASPECTS OF ALARMS
D.5 ALARM SYSTEM PERFORMANCE BENCHMARKING
D.6 ALARM MANAGEMENT SOFTWARE
APPENDIX E. FIELD DEVICE CONSIDERATIONS
E.1 GENERAL SIGNAL SAFETY
E.2 FIELD DEVICE SELECTION
E.3 FLOW MEASUREMENT
E.4 PRESSURE MEASUREMENT
E.5 LEVEL MEASUREMENT
E.6 TEMPERATURE MEASUREMENT
E.7 ON-STREAM PROCESS ANALYSIS
E.8 AUTOMATED VALVES
E.9 ELECTRIC MOTORS
E.10 STEAM TURBINE VARIABLE SPEED DRIVES
APPENDIX F. SIS EQUIPMENT SELECTION
F.1 SELECTION BASIS
F.2 ADDITIONAL CONSIDERATIONS
APPENDIX G. HUMAN MACHINE INTERFACE DESIGN
G.1 GENERAL
G.2 OPERATOR INTERFACE STANDARDS AND RESOURCES
G.3 INSTRUMENT PANELS
G.4 CONFIGURABLE OPERATOR WORKSTATIONS
G.5 PROCESS ALARMS
G.6 SIS IMPACT ON HMI
G.7 CONTROL-CENTER ENVIRONMENT
G.8 VIDEO
G.9 OPERATOR INTERFACES OF FUTURE
G.10 HMI CONSIDERATIONS CHECKLIST
APPENDIX H. APPLICATION PROGRAMMING
H.1 SOFTWARE TYPES
H.2 APPLICATION PROGRAM DEVELOPMENT
H.3 APPLICATION PROGRAMMING LANGUAGES
H.4 APPLICATION PROGRAM DEVELOPMENTAL MODELS
H.5 PROCESS CONTROL APPLICATION PROGRAM
H.6 SCAI APPLICATION PROGRAM
APPENDIX I. INSTRUMENT RELIABILITY PROGRAM
I.1 INTRODUCTION
I.2 TRACKING FAILURE
I.3 DATA TAXONOMY
I.4 DATA COLLECTION EFFORTS
I.5 FAILURE INVESTIGATION
I.6 CALCULATION OF FAILURE RATE
I.7 VERIFICATION
APPENDIX J. ACCEPTANCE TESTING GUIDELINES
J.1 ACCEPTANCE TESTING
J.2 STANDARDS
J.3 FACTORY ACCEPTANCE TEST
J.4 SITE ACCEPTANCE TEST (SAT)
INDEX
FIGURE 1.1. PROCESS SAFETY SUPPORTED BY INHERENTLY SAFER DESIGN AND FUNCTIONAL SAFETY MANAGEMENT
FIGURE 1.2. RELATIVE COST TO MAKE DESIGN CHANGES AS A FUNCTION OF PROJECT PHASE
FIGURE 1.3. PROTECTION LAYERS USED AS MEANS OF RISK REDUCTION
FIGURE 1.4. PROTECTION LAYERS SHOWING RELATIVE RISK REDUCTION, RELIABILITY AND SUSTAINABILITY
FIGURE 2.1. FEED FORWARD AND FEED BACK WORK PROCESSES FOR QUALITY ASSURANCE
FIGURE 2.2. OPPORTUNITIES FOR INHERENT SAFETY DIMINISH OVER TIME
FIGURE 2.3. PRIORITY OF INHERENTLY SAFER DESIGN AND PROTECTION LAYERS IN RISK MANAGEMENT
FIGURE 2.4. ANATOMY OF A LOSS EVENT
FIGURE 2.5. CONTROL ROOM
FIGURE 2.6. EXAMPLE OF PROCESS CONTROL SYSTEM
FIGURE 2.7. EXAMPLE OF SAFETY SYSTEM
FIGURE 2.8. CLASSIFICATION OF SCAI
FIGURE 2.9. EXAMPLE OF INTEGRATED CONTROL AND SAFETY SYSTEM
FIGURE 2.10. TYPICAL COST VERSUS VALUE TRENDS FOR RISK REDUCTION MEANS
FIGURE 2.11. PROPAGATION OF A LOSS EVENT
FIGURE 2.12. TYPICAL LAYERS OF PROTECTION
FIGURE 2.13. EXAMPLE ELEMENTS REQUIRED FOR A SAFETY SYSTEM USING INSTRUMENTATION AND CONTROLS
FIGURE 2.14. FUNCTIONAL SAFETY PLAN FOR PROCESS CONTROL AND SAFETY SYSTEMS
FIGURE 2.15. PROCESS HAZARD IDENTIFICATION PROCESS
FIGURE 2.16. ASPECTS OF UNDERSTANDING RISK
FIGURE 2.17. TYPICAL USES OF HAZARD EVALUATION METHODS
FIGURE 2.18. RISK ANALYSIS WORK PROCESS
FIGURE 2.19. RISK ASSESSMENT WORK PROCESS
FIGURE 2.20. RISK MANAGEMENT WORK PROCESS
FIGURE 2.21. RISK MONITORING WORK PROCESS
FIGURE 3.1. LIFECYCLE PROCESS FOR AUTOMATION PROJECT
FIGURE 3.2. INFORMATION REQUIREMENT FOR AUTOMATION PROJECT
FIGURE 3.3. RELATIONSHIP OF 7 CORE ATTRIBUTES AND THE OPERATING OBJECTIVES
FIGURE 3.4. SETPOINT SPECIFICATION WITHOUT COMPENSATING FOR MEASUREMENT ERROR OR PROCESS LAG
FIGURE 3.5. SETPOINT SPECIFICATION WITHOUT COMPENSATING FOR MEASUREMENT ERROR
FIGURE 3.6. SETPOINT SPECIFICATION COMPENSATING FOR MEASUREMENT ERROR AND PROCESS LAG
FIGURE 3.7. RELATIONSHIP OF SETPOINT AND RESPONSE TIME TO OPERATING AND SAFETY LIMITS
FIGURE 3.8. OVERALL AUTOMATION NETWORK SHOWING HIERARCHICAL LEVELS
FIGURE 3.9. BLOCK DIAGRAM OF AIR GAPPED SYSTEMS
FIGURE 3.10. PICTORIAL DIAGRAM OF AIR-GAPPED SYSTEMS (2 ZONES)
FIGURE 3.11. BLOCK DIAGRAM OF INTERFACED SYSTEMS (2 ZONES)
FIGURE 3.12. PICTORIAL DIAGRAM OF INTERFACED SYSTEMS
FIGURE 3.13. BLOCK DIAGRAM OF INTEGRATED SYSTEMS WITH ISOLATED NETWORKS
FIGURE 3.14. PICTORIAL DIAGRAM OF INTEGRATED WITH ISOLATED NETWORKS (2 ZONE)
FIGURE 3.15. BLOCK DIAGRAM OF INTEGRATED SYSTEMS WITH SHARED NETWORK (1 ZONE)
FIGURE 3.16. PICTORIAL DIAGRAM OF INTEGRATED WITH SHARED NETWORK (1 ZONE)
FIGURE 3.17. SHARED DATA BUS
FIGURE 3.18. EXAMPLES OF LOGIC SOLVER COMPONENT SHARING
FIGURE 3.19. SHARED LOGIC SOLVER
FIGURE 4.1. OVERALL CONTROL SYSTEM INCLUDES THE PROCESS CONTROL SYSTEM AND SAFETY SYSTEM
FIGURE 4.2. GENERAL PROCESS CONTROL SYSTEM DESIGN STRATEGY
FIGURE 4.3. ORIGINAL AND DIGITIZED VERSION OF ANALOG SIGNAL
FIGURE 4.4. ORIGINAL AND DIGITIZED VERSION OF BINARY SIGNAL
FIGURE 4.5. PROCESS CONTROL OBJECTIVES
FIGURE 4.6. RELATIONSHIP AMONG LEVELS
FIGURE 4.7. MANUAL OPERATION
FIGURE 4.8. GENERAL PROGRAMMABLE PROCESS CONTROL SYSTEM
FIGURE 4.9. PROCESS CONTROL ARCHITECTURE
FIGURE 4.10. OPERATOR INTERFACE GRAPHIC
FIGURE 4.11. PID CHARACTERISTICS
FIGURE 4.12. RESET WINDUP
FIGURE 4.13. OPERATOR INTERFACE DRILL DOWN
FIGURE 4.14. NAMUR NE 43 PROCESS SIGNAL CONDITIONS [2003]
FIGURE 5.1. SCOPE OF COVERAGE FOR SCAI HARDWARE AND SOFTWARE
FIGURE 5.2. EXAMPLES OF SAFETY CONTROLS USING PROGRAMMABLE (A) AND DISCRETE (B) LOGIC SOLVERS
FIGURE 5.3. EXAMPLES OF SAFETY ALARMS USING PROGRAMMABLE (A) AND DISCRETE (B) LOGIC SOLVERS
FIGURE 5.4. EXAMPLES OF SAFETY INTERLOCKS USING PROGRAMMABLE (A) AND DISCRETE (B) LOGIC SOLVERS
FIGURE 5.5. PROCESS CONTROL AND SAFETY SYSTEM NETWORK
FIGURE 5.6. REDUNDANCY SCHEME, OPERATION, AND FAULT TOLERANCE
FIGURE 5.7. BASIC SIL 1 USING PROGRAMMABLE (A) AND DISCRETE (B) LOGIC SOLVERS
FIGURE 5.8. BASIC SIL 2 USING PROGRAMMABLE (A) AND DISCRETE (B) LOGIC SOLVERS
FIGURE 5.9. BASIC SIL 3 USING PROGRAMMABLE (A) AND DISCRETE (B) LOGIC SOLVERS
FIGURE 5.10. PASSIVE DIAGNOSTICS
FIGURE 5.11. PROCESS CONNECTION EXAMPLES
FIGURE 5.12. SAME CARD AND DIFFERENT CARD CONNECTION
FIGURE 5.13. DUAL SOV CONFIGURATIONS – 1OO2 (A) AND 2OO2 (B)
FIGURE 5.14. DOUBLE-BLOCK-AND-BLEED VALVES
FIGURE 5.15. EXAMPLE OF DIFFERENT STATES OF A NORMALLY OPEN CONTACT IN DTT SERVICE
FIGURE 5.16. EXAMPLE OF DIFFERENT STATES OF A NORMALLY OPEN CONTACT IN ETT SERVICE
FIGURE 5.17. EXAMPLE OF MOTOR CONTROL CIRCUIT WITH ETT AND DTT COMPONENTS
FIGURE 6.1. APPROACHES TO HUMAN ERROR REDUCTION
FIGURE 6.2. PROCESS SAFETY PYRAMID
FIGURE 6.3. AUDIT PROGRAM FLOWCHART
FIGURE A.1. PID ELECTRONIC CONTROL CIRCUIT
FIGURE A.2. DIRECT-WIRED SYSTEM. (A) BLOCK DIAGRAM FORMAT (B) SCHEMATIC DIAGRAM FORMAT (C) DIRECT-WIRED SYSTEM WITH ALARM FEEDBACK
FIGURE A.3. PROGRAMMABLE AND NON-PROGRAMMABLE TRIP AMPLIFIERS
FIGURE A.4. (A) PROGRAMMABLE SINGLE LOOP (B) MULTI-LOOP CONTROLLER
FIGURE A.5. TYPICAL DCS ARCHITECTURE
FIGURE A.6. CASCADE CONTROL
FIGURE A.7. FEED FORWARD CONTROL WITH FEEDBACK TRIM CONTROL EXAMPLE
FIGURE A.8. RATIO CONTROL EXAMPLE
FIGURE B.1. BLOCK DIAGRAM OF TYPICAL POWER DISTRIBUTION SYSTEM WHEN AN UNINTERRUPTABLE POWER SUPPLY IS NOT REQUIRED
FIGURE B.2. BLOCK DIAGRAM OF A TYPICAL POWER DISTRIBUTION SYSTEM WHEN AN UNINTERRUPTABLE POWER SUPPLY IS REQUIRED
FIGURE B.3. TYPICAL ELECTRICAL GROUNDING SYSTEM WHEN AN UNINTERRUPTABLE POWER SUPPLY IS NOT REQUIRED
FIGURE B.4. TYPICAL ELECTRICAL GROUNDING SYSTEM WHEN AN UNINTERRUPTABLE POWER SUPPLY IS REQUIRED
FIGURE B.5. TYPICAL INSTRUMENT SYSTEM SIGNAL SHIELDING AND GROUNDING PRACTICES
FIGURE C.1. COMMUNICATION HIERARCHIES
FIGURE C.2. COMMUNICATION NETWORK TOPOLOGIES
FIGURE C.3. OSI COMMUNICATION STACK
FIGURE C.4. COMMUNICATION BETWEEN OSI COMMUNICATION STACKS
FIGURE C.5. COMMUNICATION STACKS
FIGURE C.6. PROCESS CONTROL TO PROCESS CONTROL COMMUNICATION LINK
FIGURE C.7. PROCESS CONTROL TO SCAI COMMUNICATION LINK WITH FIREWALL
FIGURE C.8. SCAI TO SCAI COMMUNICATION LINK
FIGURE C.9. ELECTROMECHANICAL TO DIGITAL COMMUNICATIONS
FIGURE C.10. LOCAL AND REMOTE I/O
FIGURE C.11. DISTRIBUTED I/O AND MULTI-DROP CONFIGURATIONS
FIGURE C.12. POINT TO POINT, STAR, AND MESH WIRELESS TOPOLOGIES
FIGURE C.13. GENERIC MULTI-ZONE FIREWALL PROTECTION SYSTEM
FIGURE C.14. AIR GAPPED ARCHITECTURE
FIGURE C.15. AIR GAPPED WITH HARDWIRED COMMUNICATIONS
FIGURE C.16. INTEGRATED SYSTEMS WITH SHARED NETWORK SERIAL COMMUNICATION ARCHITECTURE
FIGURE C.17. TIGHTLY COUPLED SYSTEM ARCHITECTURE
FIGURE C.18. COMBINED SYSTEMS WITH STRONG DEPENDENCY
FIGURE C.19. FULLY SHARED LOGIC SOLVER – SAFETY SYSTEM WITH EMBEDDED PROCESS CONTROL FUNCTION
FIGURE D.1. WHERE THE RUBBER MEETS THE ROAD
FIGURE D.2. ALARM MANAGEMENT LIFECYCLE
FIGURE D.3. IPL ALARM MANAGEMENT
FIGURE E.1. ORIFICE METER
FIGURE E.2. ORIFICE METER WITH PRESSURE AND TEMPERATURE COMPENSATION
FIGURE E.3. VORTEX FLOW METER
FIGURE E.4. MAG METER
FIGURE E.5. EXAMPLE TURBINE METER
FIGURE E.6. DUAL TUBE CORIOLIS METER
FIGURE E.7. CLAMP-ON ULTRASONIC DOPPLER FLOW METER
FIGURE E.8. THERMAL MASS METER
FIGURE E.9. TYPICAL PD METERS
FIGURE E.10. EXAMPLES OF PRESSURE TRANSMITTERS AND THEIR PRIMARY ELEMENTS
FIGURE E.11. DIFFERENTIAL PRESSURE TRANSMITTER WITH REMOTE SEALS
FIGURE E.12. HYDROSTATIC TANK GAUGING EXAMPLE
FIGURE E.13. EXAMPLE OF A DISPLACER TYPE LEVEL INSTRUMENT
FIGURE E.14. MAGNETOSTRICTIVE FLOAT TYPE LEVEL SWITCHES
FIGURE E.15. MECHANICAL FLOAT TYPE LEVEL SWITCHES
FIGURE E.16. GWR COMBINED WITH A MAGNETIC LEVEL GAUGE
FIGURE G.1. RELATIONSHIP BETWEEN HUMAN MACHINE INTERFACE AND THE OPERATOR
FIGURE G.2. SIMPLE INSTRUMENT PANEL
FIGURE G.3. MODERN GRAPHIC HMI CONSOLE
FIGURE G.4. HIGH LEVEL DISPLAY
FIGURE G.5. MOBILE OPERATOR INTERFACE
FIGURE G.6. MOBILE OPERATOR INTERFACE
FIGURE G.7. MOBILE OPERATOR INTERFACE
FIGURE G.8. LIGHTBOX TYPE ANNUNCIATOR
FIGURE G.9. EXPLOSION-PROOF ANNUNCIATOR
FIGURE H.1. WATERFALL PROGRAM DEVELOPMENT MODEL
FIGURE H.2. V-MODEL
FIGURE I.1. CONFIDENCE LEVELS
FIGURE I.2. STRESS VS. STRENGTH
TABLE 1.1. FEATURES ASSOCIATED WITH A POSITIVE SAFETY CULTURE
TABLE 1.2. TARGET AUDIENCE AND ESSENTIAL KNOWLEDGE
TABLE 1.3. INCIDENTS THAT DEFINE SAFE AUTOMATION
TABLE 2.1. HUMAN FACTORS GUIDELINES FOR REMOTE OPERATIONS
TABLE 2.2. EXAMPLE POSITIVE AND NEGATIVE HUMAN FACTORS
TABLE 2.3. ELEMENTS OF INCIDENT OUTCOMES
TABLE 2.4. CONTRIBUTORS TO ERROR-LIKELY SITUATIONS
TABLE 3.1. AUTOMATED VERSUS MANUAL OPERATION
TABLE 3.2. TYPICAL SAFETY DEVICE RESPONSE TIME
TABLE 3.3. PERFORMANCE SHAPING FACTORS FOR OPERATIONS
TABLE 3.4. COMMON PERFORMANCE SHAPING FACTORS (PSF) AFFECTING MAINTENANCE
TABLE 3.5. COMPARISON OF INFORMATION TECHNOLOGY SYSTEMS AND INDUSTRIAL CONTROL SYSTEMS
TABLE 4.1. POSSIBLE SOURCES OF DATA ERRORS
TABLE 4.2. LEVELS OF DATA ACCESS AND MANIPULATION
TABLE 5.1. SCAI CLASSIFICATION AND REQUIRED RISK REDUCTION
TABLE 5.2. RISK REDUCTION VERSUS TYPICAL REDUNDANCY SCHEMES
TABLE 6.1. INDIVIDUAL AND COGNITIVE PHENOMENA UNDER STRESS
TABLE 6.2. EXAMPLES OF CHANGES THAT MAY IMPACT THE AUTOMATION DESIGN
TABLE 6.3. EXAMPLE LEADING INDICATORS RELATED TO SCAI (ADAPTED FROM ISA TR 84.00.04)
TABLE D.1. DECISION/ACTION ELEMENTS
TABLE E.1. HAZARDOUS AREA CLASSIFICATION
TABLE G.1. CHECK LIST FOR THE PROCESS CONTROL SYSTEM OPERATOR INTERFACE
TABLE I.1. EXAMPLE RANGES OF MTTFD AND MTTFSP FOR FIELD EQUIPMENT
TABLE I.2. EXAMPLE RANGES OF MTTFD AND MTTFSP FOR LOGIC SOLVERS
TABLE I.3. 90% UPPER AND LOWER CONFIDENCE BOUNDS ON DESIGN RRF
TABLE J.1. EQUIPMENT TYPICALLY NEEDED TO CONDUCT TESTING
AC: Alternating current
ALARP: As low as reasonably practicable
AMS: Asset management system
API: American Petroleum Institute
ASM: Abnormal situation management consortium
ATEX: Atmosphères Explosibles
BPCS: Basic process control system
CCTV: Closed circuit television
CPU: Central processing unit
CSA: Canadian Standards Association
DC: Diagnostic coverage
DC: Direct current
DCS: Distributed control systems
DDC: Direct digital control
DMZ: Demilitarized zone
d/P: Differential pressure
DSSS: Direct sequence spread spectrum
DTT: De-energize-to-trip
EEMUA: Engineering Equipment and Materials Users’ Association
EMC: Electromagnetic compatibility
EMD: Electro-mechanical devices
EMI/RFI: Electromagnetic interference/radio frequency interference
EN: European Norm
ERG: Electronic reference ground
ETT: Energize-to-trip
F&G: Fire and gas
FAT: Factory acceptance testing
FHSS: Frequency hopping spread spectrum
FNICO: Fieldbus non-incendive concept
FISCO: Fieldbus intrinsic safe concept
FMEA: Failure mode and effects analysis
FPL: Fixed programming language
FSA: Functional safety assessment
FSK/PSK: Frequency or phase shift keying
FSSL: Fail-safe solid-state logic
FVL: Full variability language
gpm: Gallons per minute
GWR: Guided wave radar
H&RA: Hazard and risk analysis
HRA: Human reliability analysis
HART: Highway addressable remote transducer
HAZOP: Hazard and operability study
HFT: Hardware fault tolerance
HMI: Human machine interface
I&E: Instrument and electrical
IEC: International Electrotechnical Commission
IEEE: Institute of Electrical and Electronics Engineers
I/O: Input/output
I/P: Current to pneumatic
IFAT: Integrated factory acceptance test
IL: Instruction list
IPL: Independent protection layers
IRN: Instrument Reliability Network
IS: Intrinsic safe
ISA: International Society of Automation
ISM: Industrial, scientific, and medical
ISO: International Organization for Standardization
KPI: Key performance indicator
LED: Light emitting diode
LOPA: Layers of protection analysis
LVL: Limited variability language
MAC: Media access control
MOC: Management of change
MTBF: Mean time between failure
MTTFD: Mean time to failure dangerous
MTTFSP: Mean time to failure spurious
MTTRes: Mean time to restoration
NC: Normally closed
NFPA: National Fire Protection Association
NEC: National Electrical Code
NO: Normally open
NooM: N out of M
NRTL: Nationally recognized testing laboratory
OPC: Object linking and embedding for process control
OSI: Open systems interconnection
PAC: Programmable automation controller
PC: Personal computer
PD: Positive displacement
PE: Programmable electronic
PES: Programmable electronic systems
PFDavg: Probability of failure upon demand average
P&ID: Process and instrument diagram
PID: Proportional-integral-derivative
PLC: Programmable logic controllers
PSSR: Pre-startup safety review
PST: Partial stroke testing
PTB: Physikalisch-Technische Bundesanstalt
PV: Pressure valve
QRA: Quantitative risk analysis
RAGAGEP: Recognized and generally accepted good engineering practice
RC: Resistor-capacitor
RF: Radio frequency
RFI: Radio frequency interference
RRF: Risk reduction factor
RTD: Resistance temperature detectors
SAT: Site acceptance testing
SC: Systematic capability
SCADA: Supervisory control and data acquisition
SCAI: Safety controls, alarms, and interlocks
SCFH: Standard cubic feet per hour
SCFM: Standard cubic feet per minute
SCMH: Standard cubic meters per hour
SFF: Safe failure fraction
SIF: Safety instrumented function
SIL: Safety integrity level
SIS: Safety instrumented system
SIT: Site integration test
SLC: Single-loop controller
SRS: Safety requirements specification
STR: Spurious trip rate
T/C: Thermocouples
TDMA: Time-division multiple access
TSO: Tight shut off
TTL: Transistor-transistor logic
UPS: Uninterruptible power supply
VAC: Volts alternating current
VDC: Volts direct current
WDT: Watchdog timers
Abnormal Operation
Operation outside the normal operating limits necessitating corrective action by either a protective system or by trained personnel to achieve or maintain a safe state of the process.
Access Security
Core attribute of a protection layer, involving the use of administrative controls and physical means to reduce the probability for unintentional or unauthorized changes.
Administrative Controls
Procedural mechanism for controlling, monitoring, or auditing human performance, such as lock out/tagout procedures, bypass approval processes, car seals, and permit systems.
ALARP
As low as reasonably practicable; the concept that efforts to reduce risk should be continued until the incremental sacrifice (in terms of cost, time, effort, or other expenditure of resources) is grossly disproportionate to the incremental risk reduction achieved. The term as low as reasonably achievable (ALARA) is often used synonymously.
Analog
Relating to information represented by a continuously variable physical quantity such as spatial position, voltage, etc.
Analog Comparison Function
Function that uses comparison operators to produce a binary output signal from one or more analog input signals.
Analog Controller
Non-programmable control system that executes analog logic.
Analog Function/Analog Logic
Function that uses mathematical operators to produce an analog output signal based on one or more analog input signals.
Analog Signal
Signal that is continuous in both time and magnitude.
Architecture
Specific configuration of hardware and software components in a programmable electronic system.
As-Found
Initial state of the equipment prior to any corrective action or preventive maintenance activity.
As Good as New
Equipment is maintained in a manner that sustains its useful life.
As-Left
Final state of the equipment after corrective action or preventive maintenance activities have been completed.
Asset Integrity
See mechanical integrity.
Automation System
System composed of sensors (e.g., pressure, flow, temperature transmitters), logic solvers (e.g., programmable controllers, distributed control systems, discrete controllers), final elements (e.g., control valves, motor control circuits), and support systems (e.g., utilities, interfaces, and communications).
Availability (mean)
The fraction of time that the system is capable of performing its required functions. The fraction of time a system is fully operational.
Bad Actors
Instruments that have repeated failures at a frequency inconsistent with design assumptions or with operational needs.
Binary
Relating to, composed of, or involving two things.
Binary Function/Binary Logic
Function that uses logical operators to produce a binary output signal based on one or more binary input signals.
Binary Signal
Signal that may be continuous in time but that has only two possible values (e.g., 0 or 1); also referred to as digital signals, discrete signals, or Boolean signals.
Bypass
Action or facility to prevent all or parts of the automated system functionality from being executed. As an example for a control system this can be placing the part of the system in manual operation, or for a safety system this could include forcing points, overrides, defeats, inhibits, disabling, muting or physical bypasses.
Car Seal
A metal or plastic cable used to fix a valve in the open position (car sealed open) or closed position (car sealed closed). Proper authorization, controlled via administrative procedures, must be obtained before operating the valve. The physical seal should have suitable mechanical strength to prevent unauthorized valve operation.
Claim Limit
The maximum integrity level in which equipment can be used without additional hardware fault tolerance against dangerous failure. The limit occurs due to random and systematic failures.
Common Cause Failure
Concurrent failure of different devices, resulting from a single event, where these failures are not consequences of each other (IEC 61511).
Common Mode Failure
Concurrent failures of different devices characterized by the same failure mode (i.e., identical faults).
Compensating Measure
Temporary implementation of planned and documented methods for managing risks during any period of maintenance or process operation when it is known that the performance of the safety systems is degraded.
Competency
The ability of a person to do a job in accordance with recognized and generally accepted good engineering practice.
Component
One of the parts of a system, subsystem, or device performing a specific function.
Conduit (cybersecurity)
Logical grouping of communication channels, connecting two or more zones, that share common security requirements.
Conduit (instrumentation)
A tube made of metal, plastic, fiber, or fired clay used to protect and route electrical wiring.
Consequence
The undesirable result of a loss event, usually measured in health and safety effects, environmental impacts, loss of property, and business interruption costs.
Continuous Mode
A mode of operation of an IPL where a dangerous failure causes a hazardous event without further failure.
Control System
System that responds to input signals from the process and/or from an operator and generates output signals causing the process to operate in the desired manner.
Dangerous Failure
Failure which impedes or disables a given safety action.
Dangerous Failure Rate
The rate at which a device fails to an unsafe state. This is normally expressed in expected number of failures per year.
De-energize To Trip
Circuits where the final elements are energized under normal operation and the removal of the power source causes the final element to take its specified safe state.
Degraded Condition
A condition that results from a partial failure of the system. The degraded system remains functional though with a potentially lower integrity or reliability.
Delphi method
A polling of experts using the following procedure: Select a group of experts (usually 3 or more). Solicit, in isolation, their independent estimates of the value of a particular parameter and the reasons for the choice. Provide the initial results to all experts and collect any revisions to the initial estimates. Use the average of the final estimates as the best estimate of the parameter. Use the standard deviation of the estimates as a measure of uncertainty. The procedure is iterative, with feedback between rounds.
Demand Mode
A dormant or standby mode of operation where the system takes action only when a process demand occurs and is otherwise inactive. Low demand mode occurs when the process demand frequency is less than once per year. High demand mode occurs when the process demands happen more than once per year.
Demand Rate
The number of demands divided by the total elapsed operating time during which the demands occurred.
Demilitarized Zone
Common, limited network of servers joining two or more zones for the purposes of controlling data flow between zones.
Dependent Failure
Failure whose probability cannot be expressed as the simple product of the unconditional probabilities of the individual events that cause it.
Design Limit
The extreme value of a process variable that protects the mechanical integrity of the process equipment.
Detected
Relating to hardware and software failures or faults which are not hidden because they announce themselves or are discovered through normal operation or through dedicated detection methods.
Diagnostic Coverage
Fraction of dangerous failures detected by diagnostics. Diagnostic coverage does not include any faults detected by proof tests.
Diagnostics
A frequent (in relation to the process safety time) automatic test to reveal faults (IEC 61511).
Digital Signal (communications)
Signal that is discrete in time and quantized in magnitude.
Discrete Controller
Non-programmable control system that executes binary logic.
Diversity
Existence of different means of performing a required function.
Dormant
A state of inactivity until a specific parametric level is reached.
Energize to Trip
Circuits where the final elements require power to achieve or maintain a specified safe state.
Engineered System
A specific system designed to maintain a process within the safe operating limits, to safely shut it down in the event of a process upset, or to reduce human exposure to the effects of an upset.
Error
Discrepancy between a computed, observed or measured value or condition and the true, specified or theoretically correct value or condition.
Failure
Loss of ability to perform as required.
Failure Mode
Manner in which a failure is observed. A failure mode might be identified as loss of function; spurious operation (function without demand); an out-of-tolerance condition; or a simple physical characteristic such as a leak observed during inspection.
Fault
Inability to perform as required, due to an internal state.
Fault Tolerance
Ability to continue to perform a required function or operation in the presence of faults or errors.
Field Device
Process control or safety device connected directly to the process or located in close proximity to the process; e.g., sensors, final elements and manual switches.
Final Element
Process control or safety device that implements the physical action necessary to achieve or maintain a safe state; e.g., valves, switch gear, and motors, including their auxiliary elements (such as the solenoid valve used to operate a valve).
Fit For Purpose
Prior use evidence demonstrates satisfactory performance, and the assessment of the current condition of equipment determines that it is suitable for continued use in the application.
Frequency
Number of occurrences of an event per unit time (typically per year).
Function
A relationship or expression involving one or more variables.
Functionality
Core attribute of a protection layer, defining the intent of the protection layer and the approach taken within the overall risk reduction strategy.
Functional Safety
Part of the overall safety relating to the process and its control system which depends on the correct functioning of the SCAI and other protection layers.
Functional Separation
Achieved through elimination of the sources of common cause failure in the execution of the process control and SCAI functions, despite the possible presence of interconnected equipment.
Good Engineering Practice
Basis for engineering, operation, or maintenance activities; good engineering practices are themselves based on established codes, standards, published technical reports, recommended practices, or similar documents.
Ground Loop
Created when a voltage difference exists between the electrical ground wire used by the electrical system and earth ground.
Human Error
Intended or unintended human action or inaction that produces an inappropriate result.
Hybrid Control System
Control system that uses a combination of controller technologies, typically used to enable the execution of functions that may not be performed adequately by a single technology.
Independence
Core attribute of a protection layer in which the performance of the protection layer is not affected by the initiating cause of a loss event or by the failure of other protection layers.
Independent
Given events A and B, A is independent of B if, and only if, the probability of A is unchanged by the occurrence of B. If A is independent of B, B is likewise independent of A.
Independent Protection Layer
A device, system, or action that is capable of preventing a scenario from proceeding to the undesired consequence without being adversely affected by the initiating event or the action of any other protection layer associated with the scenario.
Inherently Safer Design
A way of thinking about the design of chemical processes and plants that focuses on the elimination or reduction of hazards, rather than on their management and control.
Inherently Safer Practices (for automation systems)
A way of thinking about the design of the automated system that focuses on the elimination or reduction of the failure mechanisms that result in system failure.
Inherently Safer Strategy (for automation systems)
The four inherently safer strategies are:
Minimize--reducing the use of automation features that tend to increase the failure mechanisms that result in system failure
Substitute--replacing an automation feature with an alternative that reduces or eliminates the frequency of dangerous failure
Moderate--using automation features to facilitate operating the facility under less hazardous conditions; using automation features which minimize or limit the impact of dangerous failure of the automation system on the process operation
Simplify--specifying automation features in a manner that eliminates unnecessary complexity and makes operating and maintenance errors less likely, and which is forgiving of errors.
Initiating Cause
In the context of hazard evaluation, the operational error, mechanical failure or external event or agency that is the first event in the loss event sequence and marks the transition from a normal situation to an abnormal situation.
Initiating Event
The minimum combination of failures or errors necessary to start the propagation of a loss event. It can be comprised of a single initiating cause, multiple causes, or initiating causes in the presence of enabling conditions.
Instrumented System
A system composed of interconnected devices, such as sensors, logic solvers, final elements, and support systems, that are designed and managed to achieve a specified functionality and performance. An instrumented system may implement one or more functions.
Instrument Reliability
Relies on a variety of maintenance activities to ensure that instrumentation and controls consistently do what they are supposed to do.
Integrity
Core attribute of a protection layer related to the risk reduction reasonably achievable given its design and management. Integrity is limited by the rigor of the management used to identify and correct equipment failures and systematic failures.
IPL Response Time
The time necessary for the independent protection layer (IPL) to detect the out-of-limit condition and to complete the actions necessary to stop the process from progressing away from the safe state.
Lagging Indicator
Outcome-oriented metrics, such as incident rates, downtime, quality defects, or other measures of past performance.
Layers of Protection
A concept whereby a device, system, or human action is provided to reduce the likelihood and/or severity of a specific loss event.
Leading Indicator
Process-oriented metrics, such as the degree of implementation of or conformance to policies and procedures, that support the functional safety management system and have the capability of predicting performance.
Lessons Learned
Applying knowledge gained from past incidents into current practices.
Likelihood
A measure of the expected probability or frequency of occurrence of an event. This may be expressed as an event frequency (e.g., events per year), a probability of occurrence during a time interval (e.g., annual probability), or a conditional probability (e.g., probability of occurrence, given that a precursor event has occurred).
Logic Function
Function which performs the transformations between input information (provided by one or more input functions) and output information (used by one or more output functions).
Logic Solver
Part of either the process control system or safety system that performs one or more logic functions.
Loss event
Point in time in an abnormal situation when an irreversible physical event occurs that has the potential for loss and harm impacts.
Management of Change
A management system whereby a formal process is used to review, document, and approve modifications to equipment, procedures, raw materials, process conditions, staffing, organization, etc., other than replacement in kind, prior to implementation.
Manufacturer
A person, group, or company that produces a product for users.
Maintainability
Ease with which equipment can be maintained in order to identify and correct faults, improve performance, sustain the core attributes, or adapt to a changed operating environment.
Mean Time Between Failure
For a stated period in the life of a device, the mean value of the length of time between consecutive failures under stated conditions.
Mean Time to Restoration (MTTRes)
Expected time to achieve restoration, including the time to detect the failure, the time spent before starting the repair, the effective time to repair, and the time before the equipment is returned to service.
Mechanical Integrity
The condition of an asset that is properly designed and installed in accordance with specifications and remains fit for purpose.
Metric
An observable measure that provides insights into a concept that is difficult to measure directly.
Mode of Operation (of a SCAI)
Way in which a SCAI operates, which may be low demand mode, high demand mode or continuous mode.
Low demand mode: where the SCAI is only performed on demand, in order to transfer the process into a specified safe state, and where the frequency of demands is no greater than once per year.
High demand mode: where the SCAI is only performed on demand, in order to transfer the process into a specified safe state, and where the frequency of demands is greater than once per year.
Continuous mode: where the SCAI retains the process in a safe state as part of normal operation.
MooN
A system, or part thereof, made up of N independent channels connected such that M channels are sufficient for successful operation.
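As an added illustration (not code from the Guidelines) of how a MooN arrangement, its fault tolerance and a degraded condition fit together in a de-energize-to-trip SCAI, the voter below takes M, the channel states and any diagnostically detected faults, and returns the trip decision together with the effective arrangement. The degradation policy (2oo3 to 1oo2 to 1oo1 as detected faults accumulate), the tag names and the sample states are assumptions.

```python
"""MooN voter for a de-energize-to-trip safety function.

Constructed example, not the Guidelines' own code.  A channel that is
energized is reporting 'healthy, no demand'; a de-energized channel is a
vote to trip.  A channel whose diagnostics have flagged a detected fault
is taken out of the vote (bypassed) and the arrangement degrades.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Channel:
    name: str              # assumed tag name, e.g. "PT-1"
    energized: bool        # True = healthy/no demand, False = votes to trip
    detected_fault: bool = False   # set by diagnostics (a detected failure)


def tolerance(m: int, n: int) -> Dict[str, int]:
    """Fault-tolerance figures for a MooN arrangement.

    dangerous: channels that may fail to function (fail to vote) before the
               trip is lost, N - M.
    spurious:  channels that may vote to trip on their own before a
               spurious trip results, M - 1.
    """
    if not 1 <= m <= n:
        raise ValueError("MooN requires 1 <= M <= N")
    return {"dangerous": n - m, "spurious": m - 1}


def degrade(m: int, n: int, faults: int) -> Tuple[int, int]:
    """Assumed degradation policy: each channel with a detected fault is
    removed from the vote and the required count drops with it
    (2oo3 -> 1oo2 -> 1oo1), never below 1ooN'.  With every channel lost the
    arrangement is (0, 0), which the voter treats as a trip: a
    de-energize-to-trip design fails to the safe state."""
    n_eff = n - faults
    if n_eff <= 0:
        return 0, 0
    m_eff = max(1, min(m - faults, n_eff))
    return m_eff, n_eff


def vote(m: int, channels: List[Channel]) -> Dict[str, object]:
    """Evaluate the voter.  The effective arrangement and the bypassed
    channels are returned so the degraded condition is visible to the
    operator rather than hidden inside the logic solver."""
    n = len(channels)
    faulty = [c.name for c in channels if c.detected_fault]
    healthy = [c for c in channels if not c.detected_fault]
    m_eff, n_eff = degrade(m, n, len(faulty))
    trip_votes = [c.name for c in healthy if not c.energized]
    return {
        "trip": len(trip_votes) >= m_eff,   # 0 >= 0 when all channels lost
        "arrangement": f"{m_eff}oo{n_eff}",
        "degraded": bool(faulty),
        "trip_votes": trip_votes,
        "bypassed": faulty,
    }


if __name__ == "__main__":
    # Constructed sample: three pressure transmitters voted 2oo3.  PT-3 has
    # a detected fault, and PT-1 is de-energized (demanding a trip).  With
    # PT-3 bypassed the arrangement is 1oo2, so PT-1 alone trips.
    sample = [
        Channel("PT-1", energized=False),
        Channel("PT-2", energized=True),
        Channel("PT-3", energized=True, detected_fault=True),
    ]
    print(tolerance(2, 3))   # {'dangerous': 1, 'spurious': 1}
    print(vote(2, sample))   # trip True, arrangement '1oo2', bypassed ['PT-3']
```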
Never Exceed Limit
The closest approach value to the design limit, allowing for operational and mechanical integrity uncertainties.
Operability
The degree to which equipment enables operations to perform various tasks and activities necessary to operate the process in accordance with operating procedures.
Operating Environment
Conditions inherent to the installation of a device that potentially affects its functionality and integrity, such as:
External environment, e.g., winterization needs, hazardous area classification;
Process operating conditions, e.g., extremes in temperature, pressure, vibration;
Process composition, e.g., solids, salts, or corrosives;
Process interfaces;
Integration within the overall plant maintenance and operating management systems;
Communication throughput, e.g., electromagnetic interference; and
Utility quality, e.g., electrical power, air, hydraulics.
Operating Plan
Document or set of documents defining the strategic goals, tactical objectives, and operating constraints for the process facility. Note: The documentation typically includes, but is not limited to: maximum and minimum targeted operating rates; target turnaround interval(s); process availability criteria; safe operating limits for critical process parameters; product quality limits; plant staffing limits; etc.
Operator Interface
Means by which information is communicated between a human operator and the control system (e.g., display interfaces, indicating lights, push-buttons, horn, alarms). When dedicated for safety information, it is referred to as the Safety Interface.
Performance Shaping Factor
Any inherent characteristic of an individual, such as personality, level of fatigue, skill, and knowledge, and of the work situation, such as task demands, plant policies, interface design, training and ergonomics.
Physical Separation
Achieved when the system implementing the process control functions potentially initiating loss events and the systems implementing the SCAI functions responding to these events do not share any equipment or data.
Prior Use
Documented assessment that a device is fit for purpose and can meet the required functional and safety integrity requirements, based on previous operating experience in similar operating environments.
Procedural Controls
See Administrative Controls
Process Control System
System that responds to input signals from the process and its associated equipment, other programmable systems, and/or from the operator and generates output signals causing the process and its associated equipment to operate in the desired manner.
Process Lag Time
Value, either calculated or estimated, that accounts for dynamic effects after the safety action (e.g., closure of a valve) has been completed.
Process Operating Mode
Any planned state of process operation, such as start-up after emergency shutdown; normal start-up, operation, and shutdown; temporary operations; transient operation; and emergency operation and shutdown.
Process Safety Time
Time period between a failure occurring in the process and the occurrence of the hazardous event if action is not taken.
Programmable Controller
Control system based on digital computing technology that executes a variety of function types (e.g., analog, binary, sequential); also referred to as programmable electronic systems (PES) or digital controllers.
Proof Test
Periodic test performed to detect dangerous hidden failures in a system so that, if necessary, a repair can restore the system to an “as good as new” condition, or as close as practical to this condition.
Quality
Totality of characteristics of an entity that bear on its ability to satisfy stated and implied needs.
Random Failure
Failure, occurring at a random time, which results from one or more of the possible degradation mechanisms in the hardware.
Redundancy
The existence of more than one means of performing a required function or for representing information.
Redundancy Scheme
See MooN
Reliability
Core attribute of a protection layer related to the probability that the equipment operates according to its specification for a stated period of time under all relevant conditions.
Reliability Parameters
The collection of mathematically defined properties (e.g., reliability, availability, dependability) used in reliability engineering to describe the behavior of systems and their elements.
Remote Access
Any access to a control system or safety system by any user of the system (human, software process, or device) communicating from outside the perimeter of the zone being accessed.
Risk
A measure of the human injury, environmental damage, or economic loss in terms of both the incident likelihood and the magnitude of the loss or injury.
Risk Assessment
The process by which the results of a risk analysis (i.e., risk estimates) are used to make decisions, either through relative ranking of risk reduction strategies or through comparison with risk targets.
Risk Management
The systematic application of management policies, procedures, and practices to the tasks of analyzing, assessing, and controlling risk in order to protect employees, the general public, the environment, and company assets.
Risk Reduction
Measure of the degree to which a layer or system lowers the potential for a loss event.
Safe Failure
Failure which favors a given safety action.
Safe Upper (or Lower) Operating Limit
The extreme values within which a process should be maintained during normal operation.
Safety Margin
Value, either calculated or estimated, that allows for operational and mechanical integrity uncertainties.
Safe State
State of the process when safety is achieved.
Safeguard
Any device, system, or action that either interrupts the chain of events following an initiating event or that mitigates the consequences. A safeguard can be an engineered system or an administrative control. Not all safeguards meet the requirements of an IPL.
Safety Controls, Alarms, and Interlocks
Process safety safeguards implemented with instrumentation and controls, used to achieve or maintain a safe state for a process, and required to provide risk reduction with respect to a specific scenario of concern (ANSI/ISA 84.91.01, 2012c).
Safety Function
Function to be implemented by one or more protection layers, which is intended to achieve or maintain a safe state for the process, with respect to a specific hazardous event.
Safety Instrumented System (SIS)
A separate and independent combination of sensors, logic solvers, final elements, and support systems that are designed and managed to achieve a specified safety integrity level. A SIS may implement one or more safety instrumented functions (SIFs).
Safety Integrity Level (SIL)
Discrete level (one out of four) allocated to the SIF for specifying the safety integrity requirements to be achieved by the SIS.
Safety Manual
Information that defines how a safety device, subsystem or system can be safely applied.
Safety System
Equipment and/or procedures designed to limit or terminate an incident sequence, thus avoiding a loss event or mitigating its consequence.
Sequential control function
Function that uses analog comparison logic, binary logic, or a combination thereof to determine when a process is permitted to transition from one process operating mode to another.
Security
A password, key, procedure, or other device, which has the ability to limit change in selected parameters. The existence and enforcement of techniques that restrict access to data, and the conditions under which data may be obtained.
Signal
Method used to transmit or receive information or instructions, typically by means of electrical impulse or radio wave.
Spurious Operation
Failure causing the equipment to take action on the process when not required. Spurious operation has an immediate impact on the process uptime and potentially on process safety.
Supervisory Control Function
Complex logic, typically executed outside of the local process controller, used for advanced control functions such as coordinating production management or performing process optimization.
Supervisory Controller
Control system, typically using advanced commercial computer technology, that performs supervisory control logic to coordinate the operation of one or more process controllers.
Support Systems
Human machine interfaces, communications, wiring, power supplies, and other utilities, which are required for the system to function.
Sustainability (of automation)
Ability or capacity of something to achieve the desired performance. If an activity is said to be sustainable, it should be able to continue forever.
Systematic Failure
Failure related to a pre-existing fault which consistently occurs under particular conditions, and which can only be eliminated by removing the fault by a modification of the design, manufacturing process, operating procedures, documentation or other relevant factors.
The way things are done
The risk management, design, operation, and maintenance strategies that are applied at the operating facility.
Trip
A process shutdown that may be due to a process demand or to a spurious action of a system.
Uncertainty
A measure, often quantitative, of the degree of doubt or lack of certainty associated with an estimate of the true value of a parameter.
User
A person, group, or company that owns or runs a process industrial facility.
User Approval
Management system used to determine and document that equipment and its associated documentation, procedures, and training are suitable for an intended purpose, classification, operating environment, and function complexity.
Validation
Confirmation by examination and provision of objective evidence that the particular requirements for a specific intended use are fulfilled. End-to-end testing is a critical part of validation for a new or modified system.
Verification (automation)
Confirmation by examination and provision of objective evidence that the requirements have been fulfilled.
Worst Credible Case
The most severe incident considered plausible and reasonably believable.
Zone (electrical)
Classification system for electrical and electronic equipment and wiring for all voltages in locations where fire or explosion hazards may exist.
Zone (security)
Grouping of logical or physical elements that share common security requirements.
The American Institute of Chemical Engineers (AIChE) and the Center for Chemical Process Safety (CCPS) express their appreciation and gratitude to the members of the Guidelines for Safe Automation of Chemical Processes 2nd Edition subcommittee of the CCPS Technical Steering Committee for providing input, reviews, technical guidance, and encouragement to the project team throughout the preparation of these Guidelines. CCPS expresses gratitude to the team member companies for their generous support of this effort. CCPS also expresses appreciation to the members of the Technical Steering Committee for their advice and support in the writing of these Guidelines.
Subcommittee Members for Guidelines for Safe Automation of Chemical Processes 2nd Edition. CCPS thanks the subcommittee for their significant efforts and their contributions to advancing the guidance provided to industry on the use of instrumentation and automation in process control and safety system applications. Subcommittee members included:
Wayne Garland, Chair
Eastman Chemical Company
Angela Summers, contract editor
SIS-TECH
Mohammed (Rehan) Baig
Bayer
Michael Boyd
Husky Energy
William Bridges
Process Improvement Institute (PII)
Mike Broadribb
Baker Risk
John Day
Air Products
Dave Deibert
Air Products
Richard Dunn
Dupont
Bill Fink
Sage Environmental
Wayne Garland
Eastman
Andrew Goddard
Arkema
Bill Hearn
SIS-TECH
Kevin Klein
Chevron
Len Laskowski
Emerson
John Martens
Exponent
Norm McLeod
Arkema (retired)
Bill Mostia
SIS-TECH
Russel Ogle
Exponent
Justin Ogleby
Solutia
Ken O’Malley
aeSolutions
Eloise Roche
SIS-TECH (formerly Dow)
Pete Stickles
IoMosaic
Greg Weidner
Huntsman
CCPS thanks Angela Summers and her project team at SIS-TECH who prepared the peer review manuscript on behalf of the subcommittee, resolved peer review comments, and created the final consensus version published herein. Bill Mostia made significant contributions to the appendices in these Guidelines and successfully bridged the technology gap between the 1993 publication and this one. The efforts of Sheila Vogtmann (SIS-TECH) in preparing the graphics, editing the text and formatting the document are also much appreciated.
The CCPS Staff Consultant was Dan Sliva, who coordinated meetings and facilitated subcommittee reviews and communications.
Peer Reviewers for Guidelines for Safe Automation of Chemical Processes 2nd Edition
Before publication, all CCPS books are subjected to a thorough peer review process. CCPS gratefully acknowledges the thoughtful comments and suggestions of the peer reviewers. Their work enhanced the accuracy and clarity of these Guidelines. Although the peer reviewers have provided many constructive comments and suggestions, they were not asked to endorse these Guidelines and were not shown the final draft before its release.
Rahul Bhojani
BP
Zachery Bluestein
Emerson
Randy Freeman
S&PP Consulting
Dirk Hablawetz
BASF
Greg Hall
Eastman
Jennifer Kline
Eastman
Thomas Lamp
Eastman
Keith Lapeyrouse
Process Reliability Solutions
Jennifer Leaf
Eastman
Vic Maggioli
Feltronics (retired)
Tim Murphy
Arkema
Jeff Phillips
Air Products
Richard Roberts
Suncor Energy
Bernd Shroers
Bayer Germany
Paden Standifer
Eastman
Randy Stein
Dow
Jimmy Sullivan
Eastman
Larry Suttinger
Savannah River Site
Hal Thomas
exida
Andy Walters
Air Products
Chemical processing is an industrial activity that involves using, storing, manufacturing, handling, or moving chemicals. Chemical processing may be accomplished in a single vessel or a group of interconnected vessels and process equipment. Process operation poses different types of risk dependent on the hazardous nature of the chemicals, the quantity of chemicals processed, and the process operating conditions.
The process equipment can be designed using inherently safer strategies to assure safe operation under foreseen process upsets, such as specifying design limits above the maximum and minimum operating parameters that exist under emergency conditions. An inherently safer process is designed to eliminate the potential for loss events with features that are inseparable from the process equipment. When process equipment is not designed to inherently withstand abnormal operation, process safety is achieved through functional safety management. Safeguards, including process control and safety systems, are specified to reduce the process risk to the risk criteria.
Consequently, safe operation of chemical processes is achieved through a process safety management program supported by the twin pillars of inherently safer design and functional safety management (Figure 1.1). Most process designs incorporate aspects of both inherently safer design and functional safety management. Fundamentally, it is the owner/operator’s responsibility to determine and document that the equipment is designed, maintained, inspected, tested, and operating in a safe manner, regardless of the means used to achieve this objective.
Figure 1.1. Process Safety Supported by Inherently Safer Design and Functional Safety Management
Inherently safer design involves making conscious choices to design and operate the process in a manner that avoids the hazard or minimizes the likelihood and consequence of the loss events. The word inherent means that the design feature is an essential constituent or characteristic of the process design; it becomes permanent and inseparable from the design. In contrast, functional safety management involves the addition of safeguards that act to achieve or maintain a safe state of the process when abnormal conditions occur. Safeguards can reduce the frequency and/or consequence of the loss event. Safeguards are specifically designed, maintained, inspected, tested, and operated to achieve the necessary risk reduction.
Process hazards can sometimes be reduced, or perhaps eliminated, during the design phase through inherently safer choices in process technology, equipment design, and operating parameters. When practicable, inherently safer design can minimize or eliminate the need for safeguards. Changes to the process design and operating plan should be considered as early as possible during the project life, since the relative cost of these changes typically escalates as the project progresses towards maturity (Figure 1.2). The particular means used to address risk is often influenced by the perceived effectiveness, availability, reliability, and sustainability of the protection relative to its lifecycle costs.
Figure 1.2. Relative Cost to Make Design Changes as a Function of Project Phase
Example: Designing a pipeline for maximum operating pressure
