Providing Process Safety

Paul Gruhn analyzes some of the latest trends in safety instrumented system designs for the process industries.

Most safety instrumented systems (also known as emergency shutdown systems) prior to 1968 were implemented using relays. The advent of the PLC (programmable logic controller) changed all that. Hard-wired solid state systems – systems designed to replace relays without using software – were also popular for several decades. Software-based systems form the majority of safety instrumented systems installed today.

General purpose PLCs have a variety of weaknesses in safety applications that have been recognized for many years, primarily the lack of thorough diagnostics. Standards, users, vendors and integrators have understood these weaknesses, and some have engineered customized solutions to overcome many of the deficiencies.

Such a customized general purpose PLC engineered and configured for safety is referred to as a “safety configured PLC”, while specialized PLCs designed from the ground up specifically for critical safety applications are referred to as “safety PLCs” – which have been available since the early 1980s. Over time, more vendors have entered the market. Changes in technology have led to a variety of recent developments, such as those described below, and many vendors have released new systems which are a considerable departure from past systems.


Smaller, scalable, distributed

The first popular safety PLCs introduced in the mid-1980s were triplicated. These systems were naturally much more expensive than non-redundant general purpose PLCs. They were often considered too expensive to have multiple distributed systems scattered around a facility. The most economical implementation of such systems was often one large, centralized system: one large 1,000 I/O system was cheaper than 10 smaller 100 I/O systems scattered around a plant.

However, not all systems are 1,000 plus I/O. Some vendors therefore developed safety PLCs targeted for small I/O applications. However, using one system for small applications and a completely different system for large applications in the same facility is hardly an ideal solution (even though they may be from the same vendor). A number of vendors have recently released systems that can be small and standalone, as well as large and distributed, all using the same hardware.


Flexible redundancy

As mentioned, the first popular safety PLCs in the mid-1980s were triplicated. Like the early Ford Model T that came in any color you wanted – so long as it was black – you could get one of these systems in any configuration you wanted – so long as it was triplicated. These were also some of the first systems to be independently certified.

Dual-redundancy vendors then got their systems certified to the same level of safety in order to compete with the triplicated systems. The dual vendors also offered non-redundant configurations. When the triplicated vendors came out with new systems, they were still triplicated. When the single and dual vendors came up with new systems, they were still single and dual.

Three different vendors released new safety PLCs in 2008 that can be configured single, dual, or triple (one even offering quad). In one system, some modules can be single, others dual, and others triplicated. Flexible redundancy, all within one system, allows the system to more closely match the safety and reliability requirements for each loop in a cost effective manner.


Control plus safety

The traditional approach for control and safety systems has been to buy two separate platforms from two separate vendors. Control and safety systems do need to communicate with each other, and this can be done using either an industry standard protocol (e.g. Modbus, OPC), or using the same proprietary highway as the control system (often using some form of gateway).

While major control system companies usually offer safety systems, many systems were either acquired from different companies or supplied through some form of partnership with a different company (e.g., Invensys & Triconex, ABB & August, Rockwell & ICS Triplex).

This traditional approach has the advantage of allowing the user to purchase what they believe to be the best of both worlds, i.e., a control system from one company and a safety system from another. However, this means the user must deal with two different vendors, learn two different hardware and software platforms, send people to more training courses, experience the frustration of getting both systems to communicate together effectively, etc.

Eventually, however, control system vendors decided to develop their own safety systems, and the trend now is to have one vendor supply both systems. The control and safety systems often look very similar (although they are not interchangeable), people only have to attend one training class, the systems are usually programmed using the same software, communication between systems is effortless, and there is no more finger-pointing when there are problems. However, this approach also introduces more potential common cause problems (a single failure causing multiple items to fail) due to errors with hardware, software and personnel.


Safety fieldbus

Fieldbuses – digital networks for sensors and final elements – allow multiple field devices to be connected on a single pair of wires. Commonly cited features and benefits include reduced wiring, higher levels of internal diagnostics, and lower total costs. Fieldbuses have been available for general process control applications for a number of years, but their use in safety has been considered questionable by many.

This concern with safety has to do with whether a digital message has been corrupted, or whether the configuration and functionality have been changed in an unauthorized manner. Safety standards state that buses are acceptable only if they meet the integrity level requirements. No buses could meet such requirements when the standards were written, but this has been changing.

Profisafe is a safety protocol used along with Profibus and Profinet, and it has been certified for use in SIL (safety integrity level) 3 applications for a number of years. Its initial use was primarily in the machinery industry, but there have been recent releases of Profisafe devices for the process industry. At least one safety PLC is able to incorporate Profisafe devices.

Foundation Fieldbus is the only bus that allows control in the field (i.e. a master controller such as a PLC or DCS is not necessary). Although standard Foundation fieldbus is currently not suitable for safety applications, the Fieldbus Foundation has been working on Foundation fieldbus for safety (Foundation fieldbus SIF) for several years, with users, safety PLC and field device manufacturers as part of the consortium. Early field device products were demonstrated in the summer of 2008 and final products (both field devices and logic solvers) are expected to be released in 2010.

The primary benefit touted by safety fieldbus manufacturers and consortia is diagnostics: being able to better and earlier predict problems before they have an impact on the process, such as problems that might lead to a shutdown.

In fact, increased device diagnostics has nothing to do with the bus technology itself; it is simply additional capability built into the field devices themselves so they can detect a higher percentage of failures. Sensors certified for use in SIL 2 and 3 have been available for many years and they have nothing to do with bus technology. Valves that implement partial stroking have also been available for many years and they have nothing to do with bus technology.

But how can a sensor communicate extensive diagnostic information on a standard 4-20 mA signal? One such method is the use of Hart (highway addressable remote transducer), which combines additional information such as device diagnostics along with the standard 4-20 mA signal. Hart devices have been available for decades, but it has only been very recently that some safety PLCs have been able to incorporate Hart information directly.


Certification issues

Using a safety PLC certified for use in SIL 3 does not provide a system with SIL 3 performance. A chain is only as strong as the weakest link, and field devices are the typical weak link in most safety instrumented systems. Table 1 shows the overall system performance requirements to achieve the different integrity levels.

Fault tolerance tables in the safety standards clearly show the level of redundancy of field devices that will be required to meet SIL 2 and 3 applications (see Table 2). One-out-of-two or two-out-of-three sensor configurations and one-out-of-two final element configurations are generally required for SIL 2. The total installed cost of a SIL 2 sensor has been reported as high as US$10,000; redundant final elements are often even more expensive. This means implementing SIL 2 loops can be very expensive.

However, the standard does acknowledge cases where the fault tolerance numbers may be reduced by one, resulting in significantly lower costs. One such instance would be using field devices designed and analyzed according to the IEC 61508 standard. The first safety certified transmitter was released around 1998, the second a few years later.

Vendor interest in developing and certifying such devices was not strong initially. However, recent standards and end-user demands have prompted many vendors to develop new field devices that are certified for use in safety applications. There are now dozens of safety certified field devices on the market. The main difference with these devices is their much higher level of internal diagnostics.

Redundancy is not always the magic answer for safety; diagnostics is an important factor. Some sensors have achieved this with diverse, redundant electronics. The whole point of certified devices is simpler designs with less hardware and therefore lower total cost for users. Single devices with high levels of diagnostics usually offer similar safety performance to redundant standard devices, at a much lower cost.

Unfortunately, some of the recent device certifications have been “questionable”. Some valve manufacturers’ safety certification reports clearly indicate that their certification was based on cycling their valve for 10,000 cycles in a laboratory, and that failure rates were based on field returns. Most valves in the process industry are in dormant applications and many never move except when tested. Most valve problems beyond the warranty period are not reported back to the manufacturer. If a certification is based on unrealistic assumptions, it is of questionable value.


Redundancy levels

While the standards do not mandate redundancy levels, they do come close. They try to make it clear that a system consists of sensors, logic and final elements. For all those who think SIL 3 applications can be solved simply by implementing a SIL 3 certified logic box (as some have thought for a long time), nothing could be further from the truth. SIL 2 and higher applications typically require redundant field devices. This is shown in a simple and obvious manner with the fault tolerance tables listed in the standards. Table 2 is reproduced from ISA 84/IEC 61511.

A minimum hardware fault tolerance of N means that N+1 devices failing dangerously – i.e. will not function when called upon – will result in a loss of the safety function. A fault tolerance of 0 means if a single device fails the function will not work; this is a simplex or non-redundant configuration. A fault tolerance of 1 means if there are two simultaneous failures the function will not work. This is a one-out-of-two (1oo2) or a two-out-of-three (2oo3) configuration.

Partial stroking assures the valve is not stuck (just like running your backup generators weekly assures you they will start when needed). There are now over a dozen manufacturers that offer partial stroke solutions. The primary benefit of partial stroking safety valves is saving money, either from reduced manual testing or eliminating the need for redundant hardware.

If you had a loop that needed to meet SIL 2 performance, would you rather implement two valves in series (according to Table 2), or a single valve with partial stroking? The standards do allow the fault tolerance numbers in the table to be decreased by one under certain circumstances. (The standards also state how the numbers may need to be increased by one under other circumstances.) This means a single sensor and/or valve may be able to meet SIL 2 performance. The key is using devices with proven low failure rates or devices that incorporate extensive diagnostics.
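The fault tolerance figures above can be checked by brute force. The following is an added example, not code from the article: it evaluates MooN voting for every pattern of dangerous (stuck "no trip") and safe (spurious trip) channel failures, and then tests an arrangement against the minimum fault tolerance the article quotes for SIL 2 (HFT 1), with the SIL 1 value (0) and SIL 3 value (2) taken from the same IEC 61511 table; the "reduce by one" switch models the clause the article describes, not a vendor-specific rule.

```python
from itertools import combinations

# Added example (not from the article): brute-force check of what an MooN
# voting architecture tolerates, showing where the hardware fault tolerance
# (HFT) numbers in the standards' tables come from.


def moon_trips(m, n, channel_demands):
    """MooN voting: the safety function trips when at least M of N channels
    report a trip demand. channel_demands is a list of N booleans."""
    assert len(channel_demands) == n
    return sum(channel_demands) >= m


def hardware_fault_tolerance(m, n):
    """Largest number of channels that can fail dangerously (stuck at 'no trip')
    while a real demand still trips the function, for every failure pattern."""
    for faults in range(n + 1):
        for failed in combinations(range(n), faults):
            # a dangerously failed channel never reports the demand
            demands = [i not in failed for i in range(n)]
            if not moon_trips(m, n, demands):
                return faults - 1
    return n


def spurious_trip_tolerance(m, n):
    """Largest number of channels that can fail safe (spuriously demanding a
    trip) without the function tripping when there is no real demand."""
    for faults in range(n + 1):
        for failed in combinations(range(n), faults):
            demands = [i in failed for i in range(n)]
            if moon_trips(m, n, demands):
                return faults - 1
    return n


# Minimum HFT for sensors and final elements per IEC 61511 / ISA 84:
# SIL 1 -> 0, SIL 2 -> 1 (1oo2 or 2oo3, as the article states), SIL 3 -> 2.
MIN_HFT = {1: 0, 2: 1, 3: 2}


def meets_minimum_hft(m, n, sil, reduce_by_one=False):
    """True if an MooN field-device arrangement satisfies the minimum fault
    tolerance for the target SIL. reduce_by_one models the standard's clause
    that lets the tabled number drop by one for devices with proven low
    failure rates or extensive diagnostics (e.g. a partial-stroke tested valve)."""
    required = max(0, MIN_HFT[sil] - (1 if reduce_by_one else 0))
    return hardware_fault_tolerance(m, n) >= required


if __name__ == "__main__":
    for m, n in [(1, 1), (1, 2), (2, 2), (2, 3), (1, 3)]:
        print(f"{m}oo{n}: HFT={hardware_fault_tolerance(m, n)} "
              f"spurious-trip tolerance={spurious_trip_tolerance(m, n)} "
              f"SIL 2 ok={meets_minimum_hft(m, n, 2)} "
              f"SIL 2 ok with reduction={meets_minimum_hft(m, n, 2, True)}")
```

Note that 2oo3 tolerates one dangerous and one spurious failure, whereas 1oo2 tolerates one dangerous but no spurious failure, which is the availability trade-off behind the flexible redundancy discussed earlier.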


Human issues

Most safety PLCs are certified by independent third parties for use in critical safety applications according to international standards. Unfortunately, many systems do not work effectively because they were either specified, designed, installed, operated, or maintained incorrectly. Using a certified system does not automatically make a facility safe. People must implement them properly. The standards state that everyone involved must be “competent” to do their assigned tasks. But how does one evaluate competency?

Three different groups have tackled this issue over the last decade by issuing certifications/certificates to people based on either experience, coursework, examination, or a combination of all three. The first was the CFSE/CSFP (Certified Functional Safety Expert and Certified Functional Safety Professional) program in 2001; TÜV Rheinland set up their FSExp/FSEng (Functional Safety Expert and Functional Safety Engineer) program a few years later; and ISA (International Society of Automation) developed a three-part safety system certificate program in 2008. All are an attempt to verify and document someone’s “competency”.

Items to consider for personnel qualifications (from IEC 61511):

1. Engineering knowledge, training and experience appropriate to the process application.
2. Engineering knowledge, training and experience appropriate to the applicable technology used (for example, electrical, electronic or programmable electronic).
3. Engineering knowledge, training and experience appropriate to the sensors and final elements.
4. Safety engineering knowledge, e.g. process safety analysis.
5. Knowledge of the legal and safety regulatory requirements.
6. Adequate management and leadership skills appropriate to their role in safety lifecycle activities.
7. Understanding of the potential consequence of an event.
8. The safety integrity level of the safety instrumented functions.
9. The novelty and complexity of the application and the technology.


Fire & gas systems

Current standards covering fire and gas systems are prescriptive and focus on commercial applications such as buildings. Many end users in the process industry believe there is a need for a performance-based standard for fire & gas systems used in industrial applications.

Performance-based standards such as IEC 61508 and 61511 use the term safety integrity level (SIL) to describe system performance, and there are many devices used in safety instrumented systems in the process industries that are independently certified for use in certain integrity levels. However, there is also considerable debate whether fire & gas system hardware should have SIL ratings at all.

Vendors are naturally interested in promoting independently certified hardware in order to differentiate their products, and many fire & gas vendors are now promoting products certified against the IEC 61508 standard. However, considering the differences between safety instrumented systems and fire & gas systems, focusing on the SIL rating or performance of the actual fire & gas hardware alone is considered a questionable practice by some.

Unlike safety instrumented system hardware, claiming any integrity level for fire & gas hardware alone can be misleading. That information alone does not allow one to determine whether the overall system will meet the desired level of risk reduction. Detector coverage (i.e. are there enough sensors strategically placed to actually see the problem; and are sensors voted such that it takes more than one sensor to detect a problem, making it even less likely that enough sensors will detect it) and mitigation effectiveness (i.e. will the mitigation effectively reduce the hazard) have a dominating impact on fire & gas system performance and may prevent most systems from ever meeting SIL 1 performance levels.

For example, if the detector coverage is less than 90 percent (some studies have shown it to be significantly lower), and mitigation effectiveness is 90 percent (an estimate at this time as there seems to be little documented evidence to justify any particular number), then it does not matter what sort of electronic system goes in the middle, the overall system cannot even achieve SIL 1 performance (90 percent).
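The arithmetic behind that example, worked as an added illustration rather than code from the article: detector coverage, hardware availability and mitigation effectiveness are modelled as independent factors whose product is the fraction of events the fire & gas system actually mitigates (the independence assumption is mine, as is the helper that inverts it to find the coverage a target SIL would need). The SIL bands follow the IEC 61508 PFDavg ranges (SIL 1 starts at 90 percent, SIL 2 at 99 percent, and so on).

```python
# Added example (not from the article): a simplified model of overall fire & gas
# system effectiveness. Detector coverage, hardware availability and mitigation
# effectiveness are treated as independent factors (modelling assumption) whose
# product is the fraction of hazardous events the system actually mitigates.

# IEC 61508 bands: a SIL is claimed when PFDavg is below the listed bound.
SIL_PFD_UPPER = [(1, 1e-1), (2, 1e-2), (3, 1e-3), (4, 1e-4)]


def sil_from_risk_reduction(fraction_mitigated):
    """Map the achieved fraction of events mitigated (0.9 = 90 percent) to the
    SIL band it corresponds to; 0 means below SIL 1."""
    pfd = 1.0 - fraction_mitigated
    sil = 0
    for level, upper in SIL_PFD_UPPER:
        if pfd < upper:
            sil = level
    return sil


def fg_effectiveness(detector_coverage, hardware_pfd, mitigation_effectiveness):
    """Overall fraction of fire/gas events mitigated. hardware_pfd is the
    certified logic/detection hardware's average probability of failure on
    demand, so (1 - hardware_pfd) is its availability on demand."""
    return detector_coverage * (1.0 - hardware_pfd) * mitigation_effectiveness


def coverage_needed(target_sil, hardware_pfd, mitigation_effectiveness):
    """Detector coverage required to reach target_sil given the other two
    factors; returns None when even 100 percent coverage is not enough."""
    lower = 1.0 - dict(SIL_PFD_UPPER)[target_sil]   # e.g. SIL 1 -> 0.9
    needed = lower / ((1.0 - hardware_pfd) * mitigation_effectiveness)
    return needed if needed <= 1.0 else None


if __name__ == "__main__":
    # The article's case: 90 % coverage, 90 % mitigation, SIL 2 hardware in between.
    overall = fg_effectiveness(0.90, 0.001, 0.90)
    print(f"overall effectiveness {overall:.3f} -> SIL {sil_from_risk_reduction(overall)}")
    # Coverage that SIL 1 would need if mitigation effectiveness were 95 % (constructed value).
    print("coverage needed for SIL 1:", coverage_needed(1, 0.001, 0.95))
```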

Using hardware certified for use in SIL 2 simply means the hardware meets a certain level of performance (see Table 1); it does not mean the overall system will provide the level of risk reduction implied in the certification (simply due to factors beyond the hardware itself).

However, it is possible to apply performance-based concepts to fire and gas systems. It is possible to assign risk reduction targets for fire and gas systems and apply quantitative techniques in system verification.

Work is proceeding within the ISA 84 committee on ways to account for detector coverage, mitigation effectiveness and other factors, thus allowing a quantitative, performance-based approach to fire and gas system design. Once the detector coverage and mitigation effectiveness limitations are better understood and addressed, focusing on the SIL rating of the hardware will be more meaningful.

Paul Gruhn is a Certified Functional Safety Expert (CFSE) and Training Manager at ICS Triplex, a Rockwell Automation company.

The Logic of Single Loop Solvers

Michael Carolan explains how a new generation of safety-certified single loop logic solvers can provide a cost-effective solution within an SIS strategy.

The industrial process industry is experiencing dynamic growth in functional process safety applications. Much of this growth has been driven by increased awareness of the destruction of property, injuries and loss of life associated with tragic events that are widely publicized in the worldwide media. Companies, of course, have a moral and legal obligation to limit the risk posed by their operations. In addition to their social responsibilities, the costs of litigation, measured in billions of dollars, have caught the eye of risk management executives worldwide.

As a result, management recognizes the financial rewards of utilizing a properly designed process system that optimizes reliability and safety. That’s why companies are now actively taking steps to comply with various national and worldwide safety standards such as ANSI/ISA 84 and IEC 61508/61511. To accomplish this, safety practitioners look to a “new generation” of equipment specifically designed and approved for use in safety instrumented systems that utilize electrical and/or electronic and/or programmable electronic (E/E/PE) technologies.

Today, there are solutions for SIS strategies with hundreds of I/O and there are those for systems with just a handful of I/O – and everything in between. A new generation of safety-certified single loop logic solvers fits into this scenario nicely. They provide an extremely affordable option that delivers simple installation, easier validation and faster start-ups. Perpetual benefits that last for the life of the system include less maintenance, faster testing, easier documentation of the safety management reports and modular replacement strategies.

SIS & SIF

A safety instrumented system (SIS) is defined as an instrumented system used to implement one or more safety instrumented functions (SIF). A SIS is composed of any combination of sensors, logic solvers and final control elements for the purpose of taking a process to a safe state when predetermined conditions are violated.

A SIF is a function to be implemented by a SIS that is intended to achieve or maintain a safe state for the process with respect to a specific hazardous event. Examples of SIF applications include:

• Shutdown in a Hazardous Chemical Process Plant
• Open a Valve to Relieve Excess Pressure
• On/Off Control to Prevent Tank Overflow
• Shutdown Fuel Supply to a Furnace
• Add Coolant to Arrest Exothermic Runaway
• Automatic Shutdown When Operator Not Present
• Close a Feed Valve to Prevent Tank Overflow
• Initiate Release of a Fire Suppressant
• Initiate an Evacuation Alarm

To help companies implement a SIS, the International Electrotechnical Commission (IEC) developed IEC 61508, the standard for Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems.

The main objective of IEC 61508 is to provide a design standard for safety instrumented systems to reduce risk to a tolerable level by following the overall hardware and software safety life cycle procedures, and by maintaining the associated stringent documentation. IEC 61508 has become the benchmark used mainly by safety equipment suppliers to show that their equipment is suitable for use in safety integrity level (SIL) rated systems.

IEC 61508 requires a quantitative, as well as qualitative, assessment of risk. A Failure Modes, Effects and Diagnostic Analysis (FMEDA) provides a systematic way to assess the effects of all probable and known failure modes, including online monitoring and error checking, of a SIS component. It is a detailed circuit and performance evaluation that estimates failure rates, failure modes and diagnostic capability of a device. This data is provided to be used by a competent functional safety practitioner to determine a device’s applicability in a specific safety-related application. It is best if the FMEDA report is certified by a well-qualified third-party agency that specializes in functional safety approvals.


Logical logic solvers

Until recently, the thought of a safety system conjured up images of Triple Modular Redundant (TMR) systems that represent enormous capital expenditures. Today, however, manufacturers offer a wide gamut of safety-certified devices that can be integrated into very cost-effective solutions. One simple, economical, yet highly dependable option is using a safety trip alarm as a single loop logic solver.

The device monitors a temperature, pressure, level, flow, position or status variable. If the input exceeds a selected high or low trip point, one or multiple relay outputs warn of unwanted process conditions, provide emergency shutdown, or provide on/off control, such as in a level control application. As detailed below, the sophistication of alarm trips, and their applicability in SIS systems, has increased exponentially since their introduction.


Input/Instrument diagnostics

Specially-engineered safety trip alarms can check their own operation and configuration upon start-up, and then continuously monitor this information, as well as the input signal. If internally diagnosed faults or external faults, such as loss of sensor or a “bad quality input”, occur, a fault alarm will be tripped.


Satisfying SIL

By using the new generation of single loop logic solvers, users realize many of the same advantages of larger and more expensive safety-certified PLCs at a fraction of the cost. If a microprocessor-based solver has a safe failure fraction (SFF) greater than or equal to 90 percent, and its PFDavg (average probability of failure on demand) falls within the required range, it is suitable for use in SIL 2 applications using a 1oo1 (no voting or redundancy required) architecture. In a 1oo2 (redundant) architecture this same single loop logic solver could be suitable for use in a SIL 3 application, provided the software is assessed and found suitable for SIL 3 applications.
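The two criteria in that paragraph can be combined in a small calculation. The following is an added example, not code from the article or from any vendor: it evaluates a solver's PFDavg with the simplified ISA-TR84.00.02 equations (no common-cause or repair-time terms) and the IEC 61508 architectural constraint for Type B (microprocessor-based) subsystems, then claims the weaker of the two. The failure rate and proof test interval are constructed values, and the software systematic capability the article mentions for SIL 3 is not modelled.

```python
# Added example (not from the article): checking a single loop logic solver
# against both SIL criteria the article names, the PFDavg band and the
# architectural constraint from safe failure fraction (SFF) and hardware fault
# tolerance (HFT). Failure-rate figures used below are constructed, not vendor data.

# IEC 61508 architectural constraints for Type B (microprocessor-based)
# subsystems: maximum SIL indexed by [SFF band][HFT]; 0 means not allowed.
SFF_BANDS = [0.0, 0.60, 0.90, 0.99]                  # lower edge of each SFF band
TYPE_B_MAX_SIL = [[0, 1, 2], [1, 2, 3], [2, 3, 4], [3, 4, 4]]

# SIL bands: a SIL is claimed when PFDavg is below the listed bound.
SIL_PFD_UPPER = [(1, 1e-1), (2, 1e-2), (3, 1e-3), (4, 1e-4)]

HFT_OF = {"1oo1": 0, "1oo2": 1, "2oo2": 0, "2oo3": 1}


def architectural_sil(sff, hft):
    """Highest SIL the hardware architecture alone permits for a Type B device."""
    band = max(i for i, edge in enumerate(SFF_BANDS) if sff >= edge)
    return TYPE_B_MAX_SIL[band][min(hft, 2)]


def pfd_avg(architecture, lambda_du, proof_test_hours):
    """Simplified PFDavg (ISA-TR84.00.02 style, no common-cause term) for a
    dangerous undetected failure rate lambda_du (per hour) and proof test interval."""
    x = lambda_du * proof_test_hours
    return {"1oo1": x / 2, "1oo2": x ** 2 / 3, "2oo2": x, "2oo3": x ** 2}[architecture]


def sil_from_pfd(pfd):
    """SIL band for a PFDavg value; 0 means below SIL 1."""
    sil = 0
    for level, upper in SIL_PFD_UPPER:
        if pfd < upper:
            sil = level
    return sil


def achievable_sil(architecture, lambda_du, proof_test_hours, sff):
    """SIL the solver can claim: the weaker of the PFDavg band and the
    architectural constraint (software assessment is a separate requirement)."""
    return min(sil_from_pfd(pfd_avg(architecture, lambda_du, proof_test_hours)),
               architectural_sil(sff, HFT_OF[architecture]))


if __name__ == "__main__":
    LAMBDA_DU = 5e-7      # constructed: dangerous undetected failures per hour
    TEST_INTERVAL = 8760  # annual proof test, in hours
    SFF = 0.92            # constructed: meets the article's "90 percent or better"
    for arch in ("1oo1", "1oo2", "2oo3"):
        print(f"{arch}: PFDavg={pfd_avg(arch, LAMBDA_DU, TEST_INTERVAL):.2e} "
              f"-> achievable SIL {achievable_sil(arch, LAMBDA_DU, TEST_INTERVAL, SFF)}")
```

With these constructed figures the 1oo1 solver is capped at SIL 2 by the architectural constraint even though its PFDavg alone would sit in the SIL 2 band anyway, and the 1oo2 pair reaches SIL 3, matching the article's statement.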


Third-party certifications

Today, some single loop logic solvers (safety trip alarms) are designed “from the ground up” in accordance with IEC 61508. An essential requirement to verify their design is a third-party certification from TÜV, Exida or a similarly accredited approval body. This certification provides unbiased, verified evidence that the unit is appropriate for use in specific SIS strategies.

For example, the certification may verify that the device is appropriate for SIFs up to SIL 2 in a simplex or 1oo1 configuration. For increased process availability and/or higher SILs (such as SIL 3), the devices may be applied in 1oo2 or 2oo3 architectures. Hazardous area approvals, specifically Class 1, Division 2 for non-incendive (Type N) applications and Zone 2 applications, are a must.

Architecture examples

Typical examples of single loop logic controllers in safety instrumented systems include the so-called High Integrity architecture, which offers the highest trip integrity in a non-redundant application. Since all three relays are wired in series, any trip alarm or fault alarm will trip the final element or logic solver.

In the High Availability architecture, the safety trip alarm provides higher process or system availability. The fault alarm is wired separately to inform a safety system that there is a fault alarm and that this component is unable to carry out its portion of the safety instrumented function.

This configuration would be used in applications where it is desirable to keep the process running should a fault occur because of a bad input or instrument fault. The output process trip relays are connected in a 1oo2 scheme to trip, providing security against a single relay failure. However, should the fault relay become active, the fault should be removed before the safety trip alarm can provide proper safety coverage.

And thirdly, in the 1oo2 Redundant/Voting architecture, every component appears twice, and it may be applicable for use in SIS systems up to SIL 3. Advantages are improved reliability of trip action and reduced vulnerability to a single failure compared to a 1oo1 architecture. The logic in this configuration is an OR statement for the safety function: if either sensor input reaches a trip condition or a fault relay is activated, the loop or function will reach a tripped state.

Michael Carolan is General Manager, Moore Industries-Pacific.