Implementing
The Challenge Behind the Solution
A major chemical manufacturing facility faced a significant challenge with its TDI (toluene diisocyanate) storage tanks and reactor systems. The nature of the process, the reactor design and its complexity placed the plant in a high risk-severity category, making a robust safety system essential. The dilemma was balancing stringent safety measures against the operational efficiency needed to meet production demands, a situation common to chemical companies running high-risk processes.
The Critical Issues
Production operations were hampered by four fundamental challenges:
- High Risk Severity: The reactors were assessed as having an unacceptable risk severity due to their design and process complexity
- Operational Constraints: Production demands created turbulent installation and commissioning windows, requiring adaptable testing and commissioning schedules
- Safety Compliance: Ensuring compliance with IEC 61511, the functional safety standard for the process industry sector
- Cybersecurity Risks: Protecting the Safety Instrumented System (SIS) from unauthorised access and other cybersecurity threats
A Smarter Approach to Control
Rather than applying piecemeal safety solutions, we focused on collaboration with the production team to design, configure, and commission a comprehensive Safety Instrumented System (SIS). This approach ensured that all safety requirements were met whilst maintaining operational efficiency.
Core Solution Elements:
- Installation of a new Safety Controller (Logic Solver) to carry out Safety Instrumented Functions
- Implementation of a separate SIS network architecture to mitigate cybersecurity risks
- Detailed validation and testing methodology to ensure system functionality
Key System Components
Control Panel:
- Enclosure: Rittal VX range, 1200 x 800 x 300 mm
- Power Distribution: Phoenix Contact switch-mode PSU, 100 to 240 VAC input, 24 VDC output
- UPS: Phoenix Contact 24 VDC UPS, 5 A
SIS Logic Solver:
- Model: Siemens SIMATIC ET 200SP CPU 1512SP F-1 PN fail-safe controller (SIL 2 / PL d)
- I/O Modules: ET 200SP 4-channel F-AI, F-DI and 8-channel F-DO (fail-safe), plus 8-channel DI and 8-channel DO (standard)
- Networking: two built-in Ethernet (PROFINET) ports
Actuators and Indicators:
- LED Indicator Lamps: Siemens SIRIUS ACT 22mm range
- Pushbuttons: Siemens SIRIUS ACT 22mm range
- Emergency Stop Pushbutton: Siemens SIRIUS ACT 22mm range
Pricing Information:
- Components purchased: £67,000
- Labour costs: £18,000
- Validation and testing: £15,000
How the System Functions
Installation Process: The SIS logic solver and its I/O base are mounted in the new control panel, designated SIS-CP. DC power is supplied by a Phoenix Contact switch-mode PSU rated at 240 W. Cable entry is top entry only, via removable gland plates, with all cables and protection glands installed to specification.
Safety Instrumented Functions (SIFs):
- TDI Tank High Level: Monitors high level in the TDI tank and activates safety measures when hazardous conditions occur
- TDI Tank High Oil Temperature: Stops the oil heater system on detection of high temperature to prevent thermal runaway
- TDI Tank High Pressure: Monitors pressure inside the TDI tank and activates emergency venting when critical thresholds are exceeded
Control Functions:
- Reactor Lid Proximity Switch: Monitors the status of reactor lids and activates safety measures if lids are opened during operations
Diagnostics and Reset Process: Diagnostics on the input and output signals are built into the trip logic, and any detected fault causes the trip to activate, so the system fails safe on a diagnostic failure as well as on a genuine demand. All SIFs are latched and must be manually reset. A reset is accepted only when every trip initiator is determined healthy; the reset key switches must then be held in position for a minimum of 2 seconds.
Key Technological Advantages
Enhanced Safety Compliance: The controller's safety-program signature (the F-signature) is verified against the approved project record, confirming that the program running on the logic solver is the validated one. Manual reset requires all trip initiators to be healthy before a trip can be cleared, preventing premature restart of a hazardous process.
Cybersecurity Protection: The SIS runs on its own network, with no connection to the existing facility networks, so vulnerabilities on the production network cannot be used to reach the safety controller. The segregation is only as strong as the procedures around it: the engineering laptop used for downloads, and any removable media, bridge the gap every time they are connected, so they need to be dedicated, controlled and scanned, and the interface to the BPCS must not become a route onto the SIS network.
Robust Validation Process: The system undergoes Factory Acceptance Testing (FAT) and Site Acceptance Testing (SAT) to demonstrate compliance with IEC 61511. This two-stage validation checks both design compliance and practical operation in the installed environment.
Frequently Asked Questions
How does the SIS protect against cybersecurity threats in today’s connected environment?
The SIS has its own network with no connection to the existing facility networks, an isolation that blocks the usual route for unauthorised access. IEC 61511-1 (2016 edition) requires a security risk assessment of the SIS and refers to IEC 62443 for the countermeasures; network segregation of this kind is the principal countermeasure applied here. The controller's two Ethernet ports are used on separate, isolated IP ranges, one for I/O communication and one for engineering and change control, so a fault or compromise on the I/O side does not expose the engineering interface. Any change to the safety program requires physical access to the controller, and the program's safety signature is checked afterwards so that unauthorised modifications are detected.
What validation and testing processes ensure the system meets safety requirements?
The system undergoes a two-stage validation process designed to meet IEC 61511. Factory Acceptance Testing (FAT) demonstrates, under controlled conditions, that the system meets every requirement in the Safety Requirements Specification (SRS), including all Safety Instrumented Functions, the manual reset procedure and the diagnostic behaviour. Site Acceptance Testing (SAT) then validates operation in the installed environment, confirming correct integration with the process equipment. The test methodology covers trip response times, fail-safe behaviour on loss of signal or power, and the interface signals exchanged with the Basic Process Control System (BPCS). All tests are witnessed and documented to provide an audit trail for regulatory compliance.
How does the manual reset system prevent unsafe restart conditions?
The manual reset system incorporates several checks to prevent a premature or unsafe restart. All Safety Instrumented Function (SIF) trips are latched, so they cannot clear automatically when the triggering condition goes away. Before a manual reset is accepted, the logic solver verifies that every trip initiator is healthy, meaning the triggering condition has cleared and no diagnostic fault is present on the loop. The reset key switches require deliberate action, held in position for a minimum of 2 seconds, so an accidental touch does not reset the system. Operators must therefore consciously confirm safe conditions before returning the process to operation, which reduces the risk of a repeat incident.
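The trip logic described in the Diagnostics and Reset Process section and in this answer can be modelled compactly. The following is an added illustration for this page, not the Siemens safety program that runs on the CPU 1512SP F-1 PN: it treats an out-of-range 4-20 mA reading as a diagnostic fault that trips (the NAMUR NE 43 bands, the signal ranges and the trip setpoints are all assumed values), latches every demand, and accepts a reset only when the key has been held for 2 seconds with every initiator healthy. The FAT-style step list at the end is constructed for the example.

```python
"""Model of the latched trip, diagnostic and manual-reset behaviour described above.

Added illustration for this page, not the Siemens safety program: signal ranges,
trip setpoints and the NE 43 fault bands are assumed values chosen for the example.
"""
from dataclasses import dataclass, field

# Assumed diagnostic thresholds for a 4-20 mA loop (NAMUR NE 43 fault bands):
# a reading outside them is taken as a transmitter or wiring fault.
FAULT_LOW_MA = 3.6
FAULT_HIGH_MA = 21.0
RESET_HOLD_S = 2.0  # reset key must be held for at least 2 s (from the page)


@dataclass
class AnalogInitiator:
    """4-20 mA transmitter scaled to engineering units; trips on a high value."""
    name: str
    range_lo: float    # engineering value at 4 mA (assumed)
    range_hi: float    # engineering value at 20 mA (assumed)
    trip_point: float  # trip setpoint in engineering units (assumed)

    def demand(self, ma: float) -> bool:
        """True when the SIF demands a trip: high value, or a loop diagnostic fault."""
        if ma < FAULT_LOW_MA or ma > FAULT_HIGH_MA:
            return True  # fail-safe: a faulty initiator cannot be trusted, so trip
        value = self.range_lo + (ma - 4.0) / 16.0 * (self.range_hi - self.range_lo)
        return value >= self.trip_point


@dataclass
class DiscreteInitiator:
    """Normally-closed contact such as the reactor lid proximity switch."""
    name: str

    def demand(self, closed: bool) -> bool:
        # Open contact = lid open or broken wire; both are treated as a demand.
        return not closed


@dataclass
class LogicSolver:
    """Latches every demand; only a held reset with all initiators healthy clears it."""
    initiators: dict
    latched: set = field(default_factory=set)
    reset_hold_s: float = 0.0

    def scan(self, signals: dict, reset_key: bool, dt_s: float) -> dict:
        """One logic-solver cycle of dt_s seconds. Output energised means run permitted."""
        demanding = {n for n, ini in self.initiators.items() if ini.demand(signals[n])}
        self.latched |= demanding  # a cleared process condition does not clear the trip

        # Manual reset: key held continuously for RESET_HOLD_S with no initiator demanding.
        self.reset_hold_s = self.reset_hold_s + dt_s if reset_key else 0.0
        if self.latched and self.reset_hold_s >= RESET_HOLD_S and not demanding:
            self.latched.clear()
            self.reset_hold_s = 0.0  # a second reset needs the key released and held again

        trip = bool(self.latched)
        return {"trip": trip, "latched": sorted(self.latched), "outputs_energised": not trip}


def build_solver() -> LogicSolver:
    """Initiators named after the page's SIFs; ranges and setpoints are assumed."""
    return LogicSolver({
        "TDI_TANK_LEVEL": AnalogInitiator("TDI tank level", 0.0, 100.0, 90.0),          # %
        "TDI_OIL_TEMP": AnalogInitiator("TDI tank oil temperature", 0.0, 200.0, 150.0),  # degC
        "TDI_TANK_PRESSURE": AnalogInitiator("TDI tank pressure", 0.0, 10.0, 8.0),       # bar
        "REACTOR_LID": DiscreteInitiator("Reactor lid proximity switch"),
    })


def fat_sequence() -> list:
    """Constructed FAT-style step list: (label, trip state after the scan)."""
    solver = build_solver()
    normal = {"TDI_TANK_LEVEL": 8.0, "TDI_OIL_TEMP": 12.0,
              "TDI_TANK_PRESSURE": 9.6, "REACTOR_LID": True}  # mA, mA, mA, contact closed
    steps = [
        ("normal operation", normal, False, 0.1),
        ("level 19 mA (93.75 %) exceeds 90 % trip point", {**normal, "TDI_TANK_LEVEL": 19.0}, False, 0.1),
        ("level back to normal, trip stays latched", normal, False, 0.1),
        ("reset key held only 1 s, refused", normal, True, 1.0),
        ("reset key held a further 1 s (2 s total), accepted", normal, True, 1.0),
        ("oil temperature loop reads 0 mA, diagnostic trip", {**normal, "TDI_OIL_TEMP": 0.0}, False, 0.1),
        ("reset held 2 s with fault present, refused", {**normal, "TDI_OIL_TEMP": 0.0}, True, 2.0),
    ]
    return [(label, solver.scan(sig, key, dt)["trip"]) for label, sig, key, dt in steps]


if __name__ == "__main__":
    for label, tripped in fat_sequence():
        print(f"{'TRIP   ' if tripped else 'healthy'}  {label}")
```

The sequence exercises the three behaviours a FAT witness looks for: the trip stays latched after the process value returns to normal, a reset shorter than the hold time is ignored, and a reset is refused outright while a loop diagnostic fault is present. Output readback diagnostics, which the real system also has, are not modelled.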
What ongoing maintenance and calibration does the SIS require?
The Safety Instrumented System requires periodic proof testing as defined in IEC 61511, at an interval derived from the PFDavg calculation for each SIF's target SIL (annually in many installations). Proof tests exercise the complete loop: input sensors, logic solver operation and final control elements. Diagnostic functions continuously monitor system health and alert operators to any degradation in safety performance. The Phoenix Contact UPS needs routine battery testing and battery replacement every 3 to 5 years. Trip response times are re-verified for every SIF during scheduled maintenance windows. The diagnostic logs support predictive maintenance and can justify adjusting proof-test intervals, provided the recalculated PFDavg stays within the required SIL band.
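The link between proof-test interval and safety integrity mentioned above is a calculation, not a fixed rule. The block below is an added example for this page, not a calculation from the project: it uses the IEC 61508 simplified equation for a single-channel (1oo1) loop, PFDavg ≈ λDU · TI / 2, with no MTTR, common-cause or diagnostic-coverage terms, and the dangerous-undetected failure rates for the transmitter, logic solver and valve are assumed illustrative values, not figures from the page.

```python
"""Proof-test interval sizing from a simplified PFDavg model.

Added example, not taken from the page: a single-channel (1oo1) loop with the
IEC 61508 simplified equation PFDavg ~= lambda_DU * TI / 2 (no MTTR, beta or
diagnostic-coverage terms). Failure rates below are assumed illustrative values.
"""
HOURS_PER_YEAR = 8760.0

# PFDavg bands for low-demand mode, IEC 61508-1 Table 2: [lower, upper) per SIL.
SIL_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}


def pfd_avg_1oo1(lambda_du_per_h: float, proof_test_interval_h: float) -> float:
    """Average probability of failure on demand for a 1oo1 loop (simplified)."""
    return lambda_du_per_h * proof_test_interval_h / 2.0


def sil_achieved(pfd_avg: float) -> int:
    """SIL whose band contains pfd_avg; 0 if worse than SIL 1, 4 if better than 1e-5."""
    for sil, (lower, upper) in SIL_BANDS.items():
        if lower <= pfd_avg < upper:
            return sil
    return 4 if pfd_avg < 1e-5 else 0


def max_proof_test_interval_years(lambda_du_per_h: float, target_sil: int,
                                  band_fraction: float = 1.0) -> float:
    """Longest TI (years) keeping PFDavg below band_fraction * the SIL upper limit.

    band_fraction < 1 leaves margin, e.g. so that sensor, logic solver and final
    element do not together consume the whole PFD budget of the SIL band.
    """
    upper = SIL_BANDS[target_sil][1] * band_fraction
    return 2.0 * upper / lambda_du_per_h / HOURS_PER_YEAR


def tdi_high_level_loop() -> dict:
    """Worked case with assumed dangerous-undetected failure rates (per hour)."""
    lambda_du = {"level transmitter": 3.0e-7, "logic solver": 1.0e-8, "shutdown valve": 6.9e-7}
    total = sum(lambda_du.values())  # 1.0e-6 per hour for the whole loop
    annual = pfd_avg_1oo1(total, HOURS_PER_YEAR)
    return {
        "lambda_du_total_per_h": total,
        "pfd_avg_annual_test": annual,                 # ~4.4e-3 with a yearly proof test
        "sil_with_annual_test": sil_achieved(annual),  # SIL 2
        "max_ti_years_for_sil2": max_proof_test_interval_years(total, 2),
        "max_ti_years_for_sil2_half_band": max_proof_test_interval_years(total, 2, 0.5),
    }


if __name__ == "__main__":
    for key, value in tdi_high_level_loop().items():
        print(f"{key:32s} {value:.4g}")
</ctrl61>```

With the assumed rates, an annual proof test gives PFDavg of about 4.4e-3, inside the SIL 2 band; the interval could stretch to roughly 2.3 years before the loop drops out of SIL 2, or about 1.1 years if half the band is reserved as margin. The calculation shows why a shorter interval cannot simply be traded for a longer one on the strength of diagnostic logs alone: the logs justify the λDU figures, and the interval follows from them.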
The Long-Term Impact
The implementation of this Safety Instrumented System shows how a carefully designed safety solution can address regulatory compliance and operational efficiency at the same time. By treating cybersecurity, functional safety and operational flexibility as interconnected aspects of one system, the solution delivers a level of protection that is difficult to achieve with isolated safety add-ons.
This project serves as a blueprint for how chemical manufacturing facilities can modernise their safety systems without sacrificing production efficiency, proving that with the right approach, safety and productivity goals can actually reinforce rather than compete with each other. The success of this implementation has established new operational standards for high-risk chemical processes and serves as a model for future safety system innovations in similar industrial applications.

