Knowledge Center: Plant Safety

Integrating Control and Safety: Experion and Safety Manager

Honeywell (www.honeywell.com)

Honeywell delivers operational integration with critical system segregation. With secure integration at the control data and operator levels, Honeywell provides a common operational interface to the process and equipment for both control and safety.

A truly integrated system delivers:
• Integrated operational interface
• Integrated fire and gas system
• Integrated peer control
• Integrated power supplies
• Integrated diagnostics
• Integrated modifications
• Integrated postmortem analysis
• Integrated simulation and optimization

Safety Manager integrates with the Experion PKS process controller to unify Honeywell's safety controller with its Experion platform. This integration makes plant-wide Safety Manager point data, diagnostics and system information, alarms and events, operator displays and sequence-of-events information available on any Experion Station, and provides:
• Fast, bi-directional data exchange
• Direct communication, with no Experion server or other intermediate equipment required
• Use of the existing infrastructure, with no additional hardware
• Built-in physical and logical redundancy
• Flexibility: multiple C300 controllers can connect to multiple Safety Manager controllers
• Fault reaction configurable per point
• Safety Manager point data immediately available to C300 control functions

Integrating safety with control provides multiple benefits to end-users, including minimizing intervention and shutdowns and being able to recover more easily from process upsets; reduced hardware and installation cost; and easy configuration with preconfigured function block selections.

Honeywell’s approach to integration avoids adding extra equipment, such as serial interface hardware, which adds cost for serial interface licenses, Ethernet cabling, serial interface configuration software, cabinet square footage, power supplies, spare parts, racks, engineering hours to configure, switches, and engineering hours to maintain.

Safety Manager

Honeywell's Safety Manager is a robust, safe, high-availability controller for safety instrumented system (SIS) applications that delivers enhanced safety assurance for industrial plant operators. Safety Manager helps lower the cost of safety and improves plant performance by reducing the risk of safety incidents, maximizing production uptime, reducing the cost of compliance and providing productivity tools that help manage safety in the plant.

Using QMR (2oo4D) diagnostic-based technology, Safety Manager is a key component of a layered approach to plant safety, supporting applications such as emergency shutdown, process shutdown, fire and gas detection, burner management, compressor control, pipeline management and other critical safeguarding in the process industry. End-users can achieve 2oo4D voting (two-out-of-four with integrated diagnostics, with a claimed diagnostic coverage above 99.9%) even without the second CPU, giving a fully SIL 3 certified solution that allows production to continue.
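To make the "2oo4D" claim concrete, here is an added illustration of k-out-of-N voting with and without diagnostics. It is written for this page as a simplified model and is not Honeywell's voting algorithm; the degradation policy, channel names and scenarios are assumptions. The point it shows: without diagnostics a stuck channel votes like a healthy one, so it can cause a spurious trip or mask a dangerous fault; with diagnostics the faulty channel is removed from the vote, the voter degrades (2oo4 to 2oo3 to 2oo2), and it fails to the safe state once the fault tolerance is exceeded.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Channel:
    """One input/processing channel of a redundant safety controller."""
    name: str
    demand: bool   # True: this channel is calling for a trip
    healthy: bool  # True: the channel's self-diagnostics report no fault


def vote_koon(channels, k):
    """Plain k-out-of-N voter with no diagnostics: every channel votes,
    including one that is stuck or otherwise faulty."""
    return sum(1 for c in channels if c.demand) >= k


def vote_koond(channels, k, max_faulty):
    """k-out-of-N-with-Diagnostics voter (simplified model, assumed policy).

    Channels whose diagnostics report a fault are removed from the vote, so
    a 2oo4 voter degrades to 2oo3 and then 2oo2 instead of letting a faulty
    channel cast a vote. If more channels are faulty than the configured
    tolerance, the only safe answer is to trip. Returns (trip, explanation)."""
    healthy = [c for c in channels if c.healthy]
    faulty = [c.name for c in channels if not c.healthy]
    if len(faulty) > max_faulty:
        return True, f"fault tolerance exceeded (faulty={faulty}); fail-safe trip"
    n = len(healthy)
    k_eff = min(k, n)
    demands = sum(1 for c in healthy if c.demand)
    return demands >= k_eff, f"{k_eff}oo{n} vote, {demands} demand(s), faulty={faulty}"


def scenarios():
    """Constructed cases comparing a 2oo4 voter with and without diagnostics.
    Each value is (plain 2oo4 result, 2oo4D result)."""
    def ch(name, demand, healthy=True):
        return Channel(name, demand, healthy)

    quiet = [ch("A", False), ch("B", False), ch("C", False), ch("D", False)]
    real_demand = [ch("A", True), ch("B", True), ch("C", False), ch("D", False)]
    # A is stuck in the "trip" state and its diagnostics know it; B genuinely demands
    stuck_a = [ch("A", True, healthy=False), ch("B", True), ch("C", False), ch("D", False)]
    # three channels dead: a plain voter quietly keeps running on one channel
    three_faulty = [ch("A", False, False), ch("B", False, False),
                    ch("C", False, False), ch("D", False)]
    return {
        "quiet": (vote_koon(quiet, 2), vote_koond(quiet, 2, 2)[0]),
        "real_demand": (vote_koon(real_demand, 2), vote_koond(real_demand, 2, 2)[0]),
        "stuck_channel": (vote_koon(stuck_a, 2), vote_koond(stuck_a, 2, 2)[0]),
        "three_faulty": (vote_koon(three_faulty, 2), vote_koond(three_faulty, 2, 2)[0]),
    }


if __name__ == "__main__":
    for name, (plain, with_diag) in scenarios().items():
        print(f"{name:14s} 2oo4={plain!s:5s} 2oo4D={with_diag}")
```

The "stuck_channel" case is the one to look at: the plain voter trips on one real demand plus one stuck channel, while the diagnostic voter counts only the healthy 2oo3 vote and does not. In "three_faulty" the relation inverts: the plain voter sees no demand and keeps running, the diagnostic voter recognises that the redundancy is gone and trips.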

Safety Manager is a user-programmable, modular, microprocessor-based safety system which can perform a wide range of critical process control and safety instrumented functions, including:
• High-integrity process control
• Burner/boiler management systems
• Process safeguarding and emergency shutdown
• Turbine and compressor control and safeguarding
• Fire and gas detection systems
• Pipeline monitoring

Mitigate risk with a layered approach

Honeywell employs a layered approach to safety and security. Every Safety Manager includes an embedded, certified safety firewall that protects the critical SIS layer of protection from cyber attacks and disruption of service.

Safety and control systems must be integrated to allow for smooth and safe plant operation, while still maintaining a safe separation where appropriate. Dedicated safety-related functions such as the actual safety application (either the application during design or the application running on the dedicated safety hardware) must stay segregated and must be subject to high safety integrity.

• Secure Separated Databases Within Honeywell's solution, separate databases store the safety and control strategies, and separate software modules are available through dedicated tools such as Safety Builder and Control Builder. Maintaining separate tools with separate databases limits the scope of unauthorized changes or corruption, reduces safety risk and avoids common-cause failures.

• Database Integrity and Security All Safety Builder modules are protected against malware and tampering by a built-in integrity check that runs before installation, after installation and at run time. The integrity of all data accessed through Safety Builder, and of the application loaded into Safety Manager, is protected against unwanted changes so that the whole safety application is covered throughout its lifecycle.

• Managed and Protected Database Environment A secure login scheme protects Safety Manager from both off-process and on-process changes. The scheme uses a dedicated protection mechanism with several access levels covering engineering of the application, loading the application into the controller and forcing points in Safety Manager. A user expiration mechanism downgrades the access level after a user-defined period elapses, so that a Safety Builder station left unattended cannot be used for accidental or unauthorized changes.

• Dedicated Software and Hardware Using dedicated, purpose-built hardware and software developed according to the IEC 61508 safety standard reduces the risk of a common-cause failure. Using dedicated hardware and software for safety, separate from control, protects the safety system from any defects in the control-related operations. In addition, the safety and control strategies are developed by different groups using dedicated methods. Conversely, using the same hardware or software for both safety and control increases the possibility of systematic controller failures, including those that result from design errors. A clear separation also reduces the effort needed to design and test safety systems.

• Secure Environment As Ethernet networking and commercial off-the-shelf (COTS) software become more common, keeping safety and control separate becomes more important. COTS technologies are not subject to the dedicated protection methods prescribed by IEC 61508. Personal computers, servers, mobile phones and other equipment connected to the Internet are exposed to threats such as malware and denial-of-service attacks. Maintaining separate control and safety systems provides a secure environment with additional layers of protection. In addition, Safety Manager is protected from outside threats by an embedded hardware firewall, which isolates the running safety application from external devices. Together with the SIL 4 certified proprietary protocol, this embedded firewall protects the integrity of the data exchanged between control and safety. Note that the firewall covers the runtime communication path; changes made through the engineering path are governed by the integrity checks and the login scheme described above.
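The before-install, after-install and run-time integrity check described under "Database Integrity and Security" above, as an added example written for this page (it is not Honeywell's mechanism): a manifest of per-file SHA-256 digests, authenticated as a whole, that is verified at each stage. The manifest tag is an HMAC under an assumed publisher key standing in for a real code-signing signature, and the install tree, file names and contents are constructed for the demo.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Assumed stand-in for the publisher's signing key. A shipped product would
# verify a code-signing signature with a public key, not share a secret.
PUBLISHER_KEY = b"assumed-publisher-key"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Authenticate the manifest as a whole so it cannot be rewritten to match
    tampered files (canonical JSON so the tag is reproducible)."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_tree(root: Path, manifest: dict, tag: str, key: bytes):
    """Return (ok, problems). Meant to run before install, after install and
    periodically at run time; the same check serves all three stages."""
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return False, ["manifest tag mismatch: manifest itself is untrusted"]
    problems = []
    for rel, digest in manifest.items():
        p = root / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            problems.append(f"modified: {rel}")
    for p in root.rglob("*"):              # files the manifest never listed
        if p.is_file() and p.relative_to(root).as_posix() not in manifest:
            problems.append(f"unexpected: {p.relative_to(root).as_posix()}")
    return not problems, sorted(problems)


def demo():
    """Constructed install tree: verify clean, tamper, verify again, then try
    to cover the tampering with a rewritten (but unsigned) manifest."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "safety_builder.exe").write_bytes(b"MZ\x90\x00 pretend binary")
        (root / "app.cfg").write_text("sil=3\n")
        manifest = build_manifest(root)
        tag = sign_manifest(manifest, PUBLISHER_KEY)
        clean = verify_tree(root, manifest, tag, PUBLISHER_KEY)

        (root / "app.cfg").write_text("sil=1\n")           # tampered file
        (root / "bin" / "patch.dll").write_bytes(b"x")     # injected file
        tampered = verify_tree(root, manifest, tag, PUBLISHER_KEY)

        # attacker regenerates the manifest to match, but cannot re-sign it
        forged = verify_tree(root, build_manifest(root), tag, PUBLISHER_KEY)
        return clean, tampered, forged


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "forged manifest"), demo()):
        print(label, result)
```

The third case is the one that matters for an engineering tool: per-file hashes alone only detect accidental corruption, because whoever can change a file can usually change an unsigned hash list next to it. Authenticating the manifest under a key the station does not hold is what turns the check into a tamper defence.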
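The access-level and expiry scheme described under "Managed and Protected Database Environment" above, as an added example written for this page (it is not Safety Builder's login code): four assumed access levels, an idle timer that drops an unattended session to view-only, and an audit trail. The level names, the action-to-level mapping and the 600-second timeout are assumptions. The one design point worth copying is that the downgrade is sticky: activity at view level must not silently re-arm the higher privileges, only an explicit re-authentication does.

```python
from enum import IntEnum


class Level(IntEnum):
    """Access levels of an engineering station, lowest to highest (assumed)."""
    VIEW = 0       # monitor only
    ENGINEER = 1   # edit the safety application off-process
    LOAD = 2       # load an application into the controller (on-process change)
    FORCE = 3      # force points in the running controller


# Level each operation needs (assumed mapping for this example).
REQUIRED = {
    "view_logic": Level.VIEW,
    "edit_logic": Level.ENGINEER,
    "load_application": Level.LOAD,
    "force_point": Level.FORCE,
}


class Session:
    """Login session whose elevated level expires after idle_timeout seconds.

    Time is passed in explicitly so behaviour is deterministic; a real
    station would read a monotonic clock."""

    def __init__(self, user: str, granted: Level, idle_timeout: float, now: float):
        self.user = user
        self.granted = granted          # level established at login
        self.level = granted            # current effective level
        self.idle_timeout = idle_timeout
        self.last_activity = now
        self.audit = []                 # (time, user, event, level, outcome)

    def effective_level(self, now: float) -> Level:
        if self.level > Level.VIEW and now - self.last_activity > self.idle_timeout:
            self.level = Level.VIEW     # unattended station: sticky downgrade
            self.audit.append((now, self.user, "idle_expiry", "VIEW", "DOWNGRADE"))
        return self.level

    def request(self, action: str, now: float) -> bool:
        have = self.effective_level(now)
        ok = have >= REQUIRED[action]
        self.audit.append((now, self.user, action, have.name, "ALLOW" if ok else "DENY"))
        if ok:
            self.last_activity = now    # only successful use counts as activity
        return ok

    def reauthenticate(self, now: float) -> None:
        """Explicit re-login restores the granted level and restarts the timer."""
        self.level = self.granted
        self.last_activity = now
        self.audit.append((now, self.user, "reauth", self.level.name, "ALLOW"))


def demo():
    """Constructed timeline: 600 s idle timeout, engineer logged in at FORCE."""
    s = Session("eng1", Level.FORCE, idle_timeout=600, now=0)
    outcomes = [
        s.request("force_point", now=10),          # allowed: fresh login
        s.request("edit_logic", now=500),          # allowed: 490 s idle
        s.request("force_point", now=1200),        # denied: 700 s idle, dropped to VIEW
        s.request("view_logic", now=1200),         # allowed at VIEW ...
        s.request("load_application", now=1201),   # ... but that does not restore LOAD
    ]
    s.reauthenticate(now=1300)
    outcomes.append(s.request("load_application", now=1310))  # allowed again
    return outcomes, s.audit


if __name__ == "__main__":
    results, trail = demo()
    print(results)
    for entry in trail:
        print(*entry)
</test>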

Building the integration

Honeywell's integrated safety and control offerings hold to these separation principles. Since 1996, Honeywell has offered an integrated control and safety solution driven by the separation principle: hardware and software diversification combined with an integrated operator interface, integrated data processing, integrated analysis and integrated alarm management.

Operational integration allows plant personnel to have a seamless interface to the process that is under control, while maintaining safe separation. From an operational perspective, it makes no difference where the application is running. All required information is available to the operator. This allows for a wide range of applications running in Honeywell equipment to be monitored plant-wide from any operator console, from rotating equipment and compressor protective systems through emergency shutdown systems to large plant-wide fire and gas applications.

A complete overview of all information needed from the operator’s point of view is available on the operator stations through Experion Station. This communication architecture delivers a scalable solution, from a small control and safety network to large plant architectures with over 100,000 monitored I/O points through one integrated solution.

Peer-to-peer communication through the Peer Control Data Interface (PCDI) between Safety Manager and C300 controllers is easily established, giving fully redundant, robust, fast and cost-effective communication between process safety and process control without compromising IEC 61508 segregation requirements. PCDI runs over the existing redundant FTE network, so peer-to-peer communication between Safety Manager and C300 controllers needs no additional equipment. Point data from a Safety Manager can be used in any C300 controller on the same FTE community.

Sharing data between Safety Manager and C300 controllers supports the following scenarios:

• Safety Manager point data is immediately available at the process control level. Field sensor data originating in the safety layer can be reused in the process control layer, which Honeywell estimates reduces installed field sensor equipment by 30% and saves over US$750,000 on an average process unit. Fewer installed field devices also reduce maintenance costs.

• A Safety Manager-managed process upset allows a "soft landing" of the downstream process under the C300 Controller. This avoids an ESD demand on the downstream unit, manages its shutdown and makes restart after a process upset easier, increasing process uptime and reducing the consequences of a trip. This can reduce costs by US$100,000 a year for a process unit.

• An automatic process interlock from shutdown valve to control valves keeps the PID controller from winding up and the control valve from ramping wide open, preventing a surge when the shutdown valve is subsequently reopened.

• Automatically bypassing a low flow or pressure trip on a pump discharge based on the running status of the pump.

• Automatic suppression of alarms in either the C300 Controller or Safety Manager when some process units are out of service or a trip is in bypass. For example, when Safety Manager trips a pump, it suppresses the process control system's uncommanded-change alarms.

• Automatic opening and closing of shutdown valves during a compressor purge sequence.

Communication networking

Safety Manager networks provide the means to decentralize process safeguarding while keeping central process monitoring and control. In a network, multiple Safety Managers are interconnected through dedicated Ethernet (or serial) communication links. This communication is based on Honeywell's proprietary, TÜV-approved SIL 4 SafeNet communication protocol, which Honeywell describes as the only SIL 4 certified protocol available in the process industry today. SafeNet includes a high level of error detection and recovery and built-in redundancy, which makes it suitable for exchanging safety-related information while maintaining optimum availability.

Communication within Safety Manager networks is based on the peer-to-peer concept. With this concept, data communication with any connected Safety Manager in a SafeNet topology is possible.
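SafeNet itself is proprietary and the page gives no wire-level detail, so the following is an added, generic illustration written for this page (not SafeNet or Honeywell code) of the error-detection measures a safety-layer protocol typically stacks on top of an ordinary Ethernet link: a CRC against corruption, source and destination identifiers against insertion or misrouting, a sequence counter against repetition and loss, and a watchdog against delay. The frame layout, identifiers, watchdog value and sample messages are assumptions; the receiver drops any frame that fails a check and latches into its safe state when the watchdog expires.

```python
import struct
import zlib

# Assumed frame layout for this example (not SafeNet's):
#   src_id:u16  dst_id:u16  seq:u32  length:u16  payload  crc32:u32
HDR = struct.Struct(">HHIH")
CRC = struct.Struct(">I")


def encode(src: int, dst: int, seq: int, payload: bytes) -> bytes:
    body = HDR.pack(src, dst, seq, len(payload)) + payload
    return body + CRC.pack(zlib.crc32(body) & 0xFFFFFFFF)


class SafeReceiver:
    """Receiver side of a point-to-point safety channel.

    Detects corruption (CRC/length), insertion or misrouting (addressing),
    repetition and loss (sequence counter) and delay (watchdog). Faults are
    reported by class; a watchdog timeout latches the safe state."""

    def __init__(self, my_id: int, peer_id: int, watchdog_s: float, now: float):
        self.my_id, self.peer_id = my_id, peer_id
        self.watchdog = watchdog_s
        self.expected_seq = 0
        self.last_good = now
        self.safe_state = False

    def accept(self, frame: bytes, now: float):
        """Return (status, detail): status is 'OK' (detail = payload) or a fault class."""
        if len(frame) < HDR.size + CRC.size:
            return "CORRUPT", "short frame"
        body, crc = frame[:-CRC.size], CRC.unpack(frame[-CRC.size:])[0]
        if zlib.crc32(body) & 0xFFFFFFFF != crc:
            return "CORRUPT", "crc mismatch"
        src, dst, seq, length = HDR.unpack_from(body)
        payload = body[HDR.size:]
        if len(payload) != length:
            return "CORRUPT", "length field disagrees with frame"
        if src != self.peer_id or dst != self.my_id:
            return "INSERTION", f"unexpected addressing src={src} dst={dst}"
        if seq < self.expected_seq:
            return "REPETITION", f"seq {seq} already seen"
        if seq > self.expected_seq:
            missed = seq - self.expected_seq
            self.expected_seq = seq + 1          # resynchronise after reporting
            return "LOSS", f"{missed} frame(s) missing before seq {seq}"
        if now - self.last_good > self.watchdog:
            self.safe_state = True               # a late frame is not a good frame
            return "DELAY", f"{now - self.last_good:.1f}s since last good frame"
        self.expected_seq = seq + 1
        self.last_good = now
        return "OK", payload

    def check_watchdog(self, now: float) -> bool:
        """Called on a timer even when nothing arrives; True means safe state."""
        if now - self.last_good > self.watchdog:
            self.safe_state = True
        return self.safe_state


def demo():
    """Constructed exchange: one good frame, then each fault class in turn."""
    rx = SafeReceiver(my_id=2, peer_id=1, watchdog_s=1.0, now=0.0)
    f0 = encode(1, 2, 0, b"ESD_OK")
    f1 = encode(1, 2, 1, b"ESD_OK")
    f3 = encode(1, 2, 3, b"TRIP")                # seq 2 never sent: loss
    corrupted = bytearray(f1)
    corrupted[-5] ^= 0x01                        # flip a payload bit: CRC fails
    misrouted = encode(1, 9, 0, b"ESD_OK")       # addressed to another node
    results = [
        rx.accept(f0, 0.1)[0],                   # OK
        rx.accept(f0, 0.2)[0],                   # REPETITION (replayed frame)
        rx.accept(bytes(corrupted), 0.3)[0],     # CORRUPT
        rx.accept(misrouted, 0.4)[0],            # INSERTION
        rx.accept(f1, 0.5)[0],                   # OK
        rx.accept(f3, 0.6)[0],                   # LOSS
        rx.check_watchdog(0.9),                  # False: 0.4 s since last good
        rx.check_watchdog(2.0),                  # True: watchdog expired, safe state
    ]
    return results, rx.safe_state


if __name__ == "__main__":
    print(demo())
```

Two things to notice. The CRC and the addressing fields would also be present on a plain Ethernet link, but there they protect the link, not the application: a repeated or delayed frame passes Ethernet's checks perfectly well, which is why the sequence counter and watchdog live in the safety layer. And because the safe reaction to a watchdog timeout is a trip, this is also where the dedicated-medium recommendation below comes from: congestion on a shared network shows up as spurious safety trips, not just slow data.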

The SafeNet concept supports safety solutions aligned with the plant design, with every independent process unit safeguarded by a separate Safety Manager. This minimizes the risk of nuisance plant trips during unit maintenance. Although SafeNet can run on any medium, including FTE, Honeywell recommends a separate physical medium: a dedicated safety network provides the right level of architectural communications segregation. A dedicated network ensures continued availability because:
• All safety functions continue even if the process control network collapses completely
• Redundant safety functions remain available in case of communication problems on the FTE network (no nuisance alarms)
• Process control is completely segregated from process safety
• There are no common-cause network failures

Range of solutions

Honeywell offers products and services that map onto the entire IEC 61511 lifecycle, from a pre-assessment that provides a quick overview of the safety status of a facility through to decommissioning services. A full range of safety consultancy services helps customers manage their safety and risk management needs. Honeywell safety experts have the experience to guide and assist end users in implementing international safety standards such as IEC 61508 / IEC 61511 and ANSI/ISA S84.01, and can help customers to:
• Formulate and manage their safety lifecycle model
• Carry out hazard and risk analysis and define the safety functions
• Define safety requirements
• Provide expertise on failure rate assessments
• Perform safety and availability calculations
• Provide advice on optimal proof test intervals

Safety services

With Safety Manager, end-users can hire Honeywell, hire a third party or use their own in-house resources to implement the system. They can assemble an optimized project team that not only completes the original project correctly but also captures the lessons that make ongoing system maintenance efficient and affordable. Honeywell goes well beyond traditional project services by providing a set of technology services designed to help industrial professionals monitor the health and reliability of safety instrumented systems.

Safety instrumented systems are vital assets because they protect lives, processes and equipment. However, the systems themselves also need protection through performance monitoring. Many existing tools, however, are not capable of automatically monitoring the actual performance of an SIS. Honeywell’s SIS-Health Monitoring solution addresses that weakness by collecting necessary, meaningful data and giving engineers the tools they need to act on it.

By precisely monitoring system status, Honeywell’s SIS-Health Monitoring reduces unnecessary maintenance and engineering and minimizes failures that might lead to safety incidents and unexpected plant downtime. These services can be universally applied to any type or brand of safety instrumentation.

An SIS typically includes sensors, controllers and actuators that bring the process to a safe state when dangerous conditions develop. Reports suggest that more than 20 percent of plant incidents are caused by SIS maintenance and testing errors. Often, SIS maintenance and testing are performed too frequently because system status cannot be monitored accurately, which unnecessarily opens the door to human errors that can cause the system to fail. Likewise, the lack of reliability data has led to unnecessary SIS engineering, which can also lead to system failure.

Studies show that companies can save between $100,000 and $1 million per year if their SIS and the associated safety instrumented functions (SIFs) are properly engineered and maintained. Honeywell's SIS-Health Monitoring enables better work practices that can lead to 20-30 percent savings on installation and operating costs, and it can be customized to specific plant requirements, conditions and process demands.

The current release includes two modules, which can operate as standalone units or together as an integrated system. They can be universally applied to any type or brand of safety instrumentation:

• The SIS-Health Monitoring Local Reliability Database can be applied to any SIS and stores all inventory information about a site's safety instrumentation. From the observed failure behavior of that instrumentation, SIS-Health Monitoring helps determine reliability and safety performance characteristics such as trends, demand rates and time-dependent failure rates.

• The SIS-Health Monitoring Analysis Toolset enables operators to analyze, validate and optimize SIF reliability and the resulting Safety Integrity Level (SIL), a discrete level defined by the SIF's target probability of failure on demand.

For more information

Please visit the Honeywell website at www.honeywell.com/ps/sea