Autopro Blog

Basic Process Control Systems – Value in Today’s Project Architecture

May 16, 2019


For as long as I can remember, there has always been debate about how much credit can be given to the Basic Process Control System (BPCS), be it a state-of-the-art Distributed Control System (DCS) or a Programmable Logic Controller (PLC). In the earlier days of IEC 61511, a general assumption was made that the more current versions of these systems are “widely available” and can accept an initiating event failure (i.e., control loop) and one Independent Protection Layer (IPL). Beyond this, not much thought was given to how to implement this or to other requirements.

This topic has evolved through the IEC and Center for Chemical Process Safety (CCPS) communities, and there are currently two general approaches. For the purposes of this blog, I am going to use the CCPS as the guideline (the IEC approach is similar). These are generally described as follows:

• CCPS Approach A – Separate BPCS, Shutdown System (SDS) and Safety Instrumented System (SIS) where the BPCS and SDS accept only one IPL per system per Layers of Protection Analysis (LOPA) scenario and of course the remaining gap is taken up with the SIS.
• CCPS Approach B (or Dual Credit) – Allow two IPLs OR one initiating event and one IPL into the BPCS or LOPA scenario with the remaining gap taken up with the SIS.

It must be noted that the requirement for the SIS depends on the application of all IPLs, including non-instrumented layers, relief devices, secondary containment, etc.

Center for Chemical Process Safety Approach A (Separate BPCS, SDS and SIS)

Approach A is fairly simple to understand but does have increased hardware costs associated with it. For this reason, many are now opting for the Dual Credit Approach because, on the surface, the costs are lower since fewer controllers are required. This is not necessarily the case, as you will see further in this blog.

Center for Chemical Process Safety Approach B (Dual Credit)

When considering the latter approach, there are some fundamentals that must be well understood. The correct application starts with the LOPA or even with the Hazard and Operability Study (HAZOP). In direct application, it can be applied as a general rule to an entire facility or by exception on an evaluated case-by-case basis.

One of the first things that must be ensured is that everyone involved in the LOPA understands the basis of the Approach B implementation (blanket or exception based). It is imperative that the facilitator applies the rules in a rigid and consistent manner or significant re-work could be encountered later on in the project.

Applying the Dual Credit Approach on an evaluated exception basis will require some criteria, such as non-fatality consequences or lower likelihood frequencies, as examples.

The second critical item is evaluating the BPCS components as a system to determine if there is enough reliability to facilitate two independent IPLs (or an initiating event and one IPL). Each IPL cannot provide a Risk Reduction Factor (RRF) greater than 10 (or a single credit), and since there are two, the BPCS must be capable of providing a minimum RRF of 100. The IPLs must follow all of the general rules as outlined by IEC and CCPS, including the requirement that all components shall have their I/O segregated. This is where things get complicated, depending on how Approach B is applied.

Dual Credit Approach Applied on Exception vs Entire Facility Basis

If the approach is applied on an exception basis, a facility may have 10-20 scenarios (or fewer), which can be identified in the LOPA as recommendations with close-outs. An important factor to keep in mind is that if a channel stops working, requiring the input to be relocated, it cannot be placed on the same I/O module as the corresponding initiating event or IPL within the same cause-consequence or LOPA scenario.

If the Dual Credit approach is applied to an entire facility, the same rules apply. If each application of the Dual Credit approach is not identified as a recommendation (there could be hundreds of scenarios on a large facility), the IPLs will need to be identified and evaluated within each scenario as a separate exercise after the LOPA report has been issued. As the number of scenarios increases, so does the effort required to collect, evaluate, segregate and maintain the I/O segregation.

As with most projects, parts of existing plants that are modified, along with HAZOP and LOPA revalidation studies, tag changes, deletions/additions and HAZOP/LOPA recommendation close-outs, will add to the complexity of ensuring that the final product is segregated correctly. The effort to complete this task can be quite significant, and any reductions in the cost of a second BPCS (to be used as an SDS) may not outweigh the effort described here.
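An added example, not from the original post: a sketch of the segregation audit this section describes, meant to be re-run whenever tags or I/O assignments change. The tag names, the (rack, slot) module identifier and the data layout are assumptions constructed for illustration.

```python
from itertools import combinations

MAX_RRF_PER_IPL = 10   # each BPCS IPL is limited to a single credit
MAX_BPCS_CREDITS = 2   # two IPLs, or one initiating event plus one IPL

# Constructed sample data (hypothetical tags): tag -> (rack, slot) of its I/O module.
IO_MAP = {
    "LT-101": ("R1", 3), "LV-101": ("R1", 7),
    "LSH-102": ("R1", 3), "XV-102": ("R2", 4),   # LSH-102 was relocated onto R1 slot 3
    "PT-201": ("R2", 1), "PV-201": ("R2", 6),
    "PSH-202": ("R3", 2), "XV-202": ("R3", 5),
}
# Each scenario lists only the credits taken in the BPCS (IE = initiating event).
SCENARIOS = [
    {"id": "LOPA-001", "credits": [
        {"name": "LIC-101 loop failure", "kind": "IE", "tags": ["LT-101", "LV-101"]},
        {"name": "LSH-102 trip", "kind": "IPL", "rrf": 10, "tags": ["LSH-102", "XV-102"]}]},
    {"id": "LOPA-002", "credits": [
        {"name": "PIC-201 loop failure", "kind": "IE", "tags": ["PT-201", "PV-201"]},
        {"name": "PSH-202 trip", "kind": "IPL", "rrf": 10, "tags": ["PSH-202", "XV-202"]}]},
    {"id": "LOPA-003", "credits": [
        {"name": "PSH-202 trip", "kind": "IPL", "rrf": 100, "tags": ["PSH-202", "XV-202"]},
        {"name": "FSL-301 trip", "kind": "IPL", "rrf": 10, "tags": ["FSL-301"]}]},
]

def audit(scenarios, io_map):
    """Return (scenario_id, finding) pairs for every rule violation."""
    findings = []
    for sc in scenarios:
        credits = sc["credits"]
        if len(credits) > MAX_BPCS_CREDITS:
            findings.append((sc["id"], f"{len(credits)} BPCS credits claimed, limit is {MAX_BPCS_CREDITS}"))
        modules = {}  # credit name -> set of I/O modules it depends on
        for c in credits:
            if c["kind"] == "IPL" and c.get("rrf", 0) > MAX_RRF_PER_IPL:
                findings.append((sc["id"], f"{c['name']}: RRF {c['rrf']} exceeds {MAX_RRF_PER_IPL}"))
            for t in c["tags"]:
                if t not in io_map:  # segregation cannot be shown for an unknown channel
                    findings.append((sc["id"], f"{c['name']}: tag {t} has no I/O assignment"))
            modules[c["name"]] = {io_map[t] for t in c["tags"] if t in io_map}
        for a, b in combinations(modules, 2):  # every pair of credits in the scenario
            for rack, slot in sorted(modules[a] & modules[b]):
                findings.append((sc["id"], f"{a} and {b} share module {rack}/slot {slot}"))
    return findings

if __name__ == "__main__":
    for sid, msg in audit(SCENARIOS, IO_MAP):
        print(f"{sid}: {msg}")
```

In the sample data, LOPA-001 fails because the relocated LSH-102 input sits on the same module as the LT-101 transmitter of its own initiating event; moving it to a different module clears the finding.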

Final Thoughts - CCPS Approach A (Separate BPCS, SDS and SIS) vs CCPS Approach B (Dual Credit)

The trend we saw in the 80s and 90s of using the DCS for regulatory control and a PLC for discrete functions still has some merit to it, and makes sense when we look at evaluating risk scenarios using today’s methods. The DCS has evolved to where it can handle discrete functions economically and industry has trended towards combining and simplifying. This has led us to these two approaches.

I have always advocated for implementing SIS only when absolutely necessary (and as a last resort). The size of the SIS should be as small as is practical and as simple as possible, and the functions within it should have a Safety Integrity Level (SIL) as low as possible. Implementing an SDS within the control system architecture gives tremendous flexibility while significantly reducing the size of (or eliminating) the SIS. Having been involved in all of the methods described above, I can say that Approach A is the simplest and easiest to execute from an engineering/cost perspective. The exception-based implementation of Approach B would be my second choice as long as the exception criteria are clear and concise.

Using the global application of the Dual Credit Approach is not recommended. Projects of a few hundred I/O can have dozens of instances of the Dual Credit Approach. The costs to execute on a project this size can easily be larger than configuring the entire BPCS and will inject complexity into the long-term maintenance and potential expansion of the facility.

Before undertaking any approach, take the time to evaluate each one and understand the potential impacts to your project and the long-term maintenance. Seek the advice of a functional safety expert and make sure that the cost savings on the hardware will not be consumed by engineering, implementing, and maintaining the Dual Credit application.