Knowledge Center: Plant Safety
Safety Instrumented Systems: Optimize Design Through Diagnostics
Bert Knegtering & Bob Lee, Safety Consulting Services, Honeywell Process Solutions
In today's fast-paced “global village”, most process engineers have had some project experience with, or have at least read up on, the international safety standards IEC 61508, IEC 61511 and ISA 84. However, when it comes to selecting the criteria for a safety instrumented system, there is often confusion about what is actually needed, and systems end up over-specified, with more redundancy than is required to comply with the safety integrity level (SIL). More engineers are therefore exploring options to optimize the cost of the safety design while continuing to ensure that plant safety and production are never compromised.
There are many types of safety instrumented systems on the market. Some rely on more redundant hardware (fault tolerance, for availability) and others on more diagnostic software to reach the safe failure fraction (SFF) that a given safety integrity level requires. What, then, is the level of fault tolerance actually necessary to achieve a particular integrity level?
And although many safety devices have proven to be substantially safe and reliable, the probability of a malfunction or failure can never be excluded. So how do we deal with this?
Fail in a safe way
A safety system is supposed to protect a process installation from out-of-control situations. This means that if the safety system itself fails, you want it to fail in a safe and manageable way. Safety standards such as IEC 61508 and IEC 61511 capture this in the safe failure fraction (SFF): the share of a device's total failure rate made up of failures that are either safe or dangerous but detected by diagnostics. To claim a high safety integrity level with little hardware redundancy, a high SFF is required.
Also, when a failure has occurred, you want to know about it immediately. This information is important for two reasons. Firstly, you want to repair the failed device or component promptly so that normal operation is restored. Secondly, you want to know how the safety instrumented system will react to such a failure.
For example, if the analog signal from a transmitter measuring a dynamic process temperature stays perfectly flat over time, we know that something has gone wrong with that transmitter, even though the process being protected may be under perfect control by the DCS.
The question is what to do then. Is it better to shut down the process, or should you continue operation, perform the repair within a few hours and accept a “risk” during those few hours?
The answer depends on two aspects: the level of risk being taken (in other words, the safety integrity level specified for that particular safety function), and whether redundancy is implemented such that the remaining, assumed healthy channel is still able to shut the process down in case of a demand.
Depending on diagnostics
For safety instrumented systems, “diagnostics” are built-in means of automatically detecting whether a failure in the system has occurred. Based on the information coming from diagnostics, the repair can begin quickly and, as mentioned, the system's reaction to the failure can be determined. Diagnostics also enter the definition of the SFF: dangerous failures that the diagnostics detect count towards the safe failure fraction, so high diagnostic coverage raises the SFF and allows a high safety integrity level to be achieved with less hardware fault tolerance.
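As an added worked example (not part of this article and not Honeywell software), the following Python script makes the SFF and the SIL/HFT trade-off concrete. It computes SFF = (λS + λDD)/(λS + λD) with λDD = DC·λD, looks the result up in the Route 1H tables of IEC 61508-2 (Tables 2 and 3, for Type A and Type B subsystems) and then asks the inverse question this article poses: how much diagnostic coverage a device needs to claim SIL 3 at hardware fault tolerance 0, 1 or 2. The failure rates used (400 FIT safe, 600 FIT dangerous) are constructed figures, not those of any real transmitter. The table is only the architectural constraint: the PFDavg target of the safety function must still be met, and IEC 61511 has its own minimum HFT rules.

```python
"""SFF and the IEC 61508-2 Route 1H architectural constraint.

Added worked example, not Honeywell code. Failure-rate figures are constructed
for illustration (FIT = failures per 1e9 hours), not taken from any real device.
"""

# IEC 61508-2 Tables 2 and 3 (Route 1H): maximum SIL claimable for a subsystem
# given its SFF band (rows) and hardware fault tolerance HFT 0, 1, 2 (columns).
# 0 means "not allowed". Type A = simple devices (e.g. a relay); Type B = complex
# devices with software or unknown failure modes (e.g. a smart transmitter, PLC).
SFF_BAND_LOWER = (0.00, 0.60, 0.90, 0.99)
MAX_SIL_TYPE_A = ((1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4))
MAX_SIL_TYPE_B = ((0, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4))


def sff(lambda_s: float, lambda_d: float, dc: float) -> float:
    """Safe failure fraction = (lambda_S + lambda_DD) / (lambda_S + lambda_D),
    where lambda_DD = DC * lambda_D is the dangerous failure rate that the
    diagnostics detect. Raising DC moves dangerous failures into the numerator."""
    if not 0.0 <= dc <= 1.0:
        raise ValueError("diagnostic coverage must be in [0, 1]")
    total = lambda_s + lambda_d
    if total <= 0:
        raise ValueError("total failure rate must be positive")
    return (lambda_s + dc * lambda_d) / total


def sff_band(value: float) -> int:
    """Index of the SFF band: <60 %, 60-90 %, 90-99 %, >=99 %."""
    band = 0
    for i, lower in enumerate(SFF_BAND_LOWER):
        if value >= lower:
            band = i
    return band


def hft_of(m: int, n: int) -> int:
    """Hardware fault tolerance of MooN voting: N - M faults can be tolerated
    before the safety function is lost (1oo2 -> 1, 2oo3 -> 1, 1oo3 -> 2)."""
    if not 1 <= m <= n:
        raise ValueError("need 1 <= M <= N")
    return n - m


def max_sil(value: float, hft: int, type_b: bool = True) -> int:
    """Maximum SIL permitted by Route 1H for this SFF and HFT (0 = not allowed).
    Architectural constraint only: the PFDavg target must still be met."""
    table = MAX_SIL_TYPE_B if type_b else MAX_SIL_TYPE_A
    return table[sff_band(value)][min(hft, 2)]


def min_dc_for_sil(target_sil: int, hft: int, lambda_s: float, lambda_d: float,
                   type_b: bool = True):
    """Smallest diagnostic coverage that lets a device with the given split of
    safe/dangerous failure rates claim target_sil at the given HFT, or None if
    no amount of diagnostics gets there (more redundancy is the only option)."""
    table = MAX_SIL_TYPE_B if type_b else MAX_SIL_TYPE_A
    for lower, row in zip(SFF_BAND_LOWER, table):
        if row[min(hft, 2)] >= target_sil:
            required_sff = lower
            break
    else:
        return None
    if lambda_d == 0:
        return 0.0
    dc = (required_sff * (lambda_s + lambda_d) - lambda_s) / lambda_d
    if dc > 1.0:
        return None
    return max(0.0, dc)


if __name__ == "__main__":
    # Constructed Type B transmitter: 400 FIT safe, 600 FIT dangerous.
    ls, ld = 400.0, 600.0
    for dc in (0.0, 0.6, 0.9, 0.99):
        s = sff(ls, ld, dc)
        print(f"DC={dc:.2f}  SFF={s:.3f}  max SIL at HFT 0/1/2:",
              [max_sil(s, h) for h in range(3)])
    # Diagnostics versus redundancy for a SIL 3 function.
    for m, n in ((1, 1), (1, 2), (2, 3), (1, 3)):
        need = min_dc_for_sil(3, hft_of(m, n), ls, ld)
        text = "not reachable" if need is None else f"DC >= {need:.3f}"
        print(f"{m}oo{n} (HFT {hft_of(m, n)}): {text} for SIL 3")
```

With the constructed figures, a single Type B transmitter (HFT 0) needs about 98 % diagnostic coverage to be claimable at SIL 3, a 1oo2 or 2oo3 arrangement about 83 %, and 1oo3 only about 33 %: every fault the diagnostics catch is one fewer redundant channel to buy, wire and maintain.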
In the process industry, safety instrumented systems are usually characterized by a chain of sensing devices such as transmitters and switches, logic solvers such as relays or safety PLCs, and final elements such as valves, pumps and motors.
While sensing and actuating devices are mainly characterized by a low level of diagnostic coverage, safety PLCs have higher levels of diagnostics.
For instance, safety PLCs can achieve SIL 3. Some safety PLC systems with high diagnostic coverage (DC) are approved for use with single I/O channels. Other safety PLC systems are based on fault tolerance and use triplicated I/O channels, often with 2oo3 voting. In the central processing part of both types of system, the concepts of diagnostics and fault tolerance are combined in the design.
To achieve a relatively high SIL from field devices, good engineering practice is to duplicate or triplicate the field devices and apply 1oo2, 2oo3 or even 1oo3 voting. This has an interesting effect on the overall design of a safety function, because the number of I/O channels multiplies in line with the number of field devices.
For safety PLC systems with SIL 3 approval for single I/O channels, refer to Figure 1: with 2oo3 voted transmitters, the three channels are configured as a 2oo3 vote in the functional logic diagrams, which results in additional fault tolerance for both safety integrity and process availability. For safety PLC systems based on standard triplicated I/O channels, refer to Figure 2: each of these channels is triplicated again in the functional logic diagrams. This means that for a particular safety function where, for example, SIL 3 is required and the transmitters are 2oo3 voted, the number of input channels (IC) used rises to nine.
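The following Python script is an added example (not code from the article or from Honeywell) that ties the frozen-transmitter case above to degraded voting in the logic solver: a stuck-signal diagnostic flags a channel whose last 20 samples do not move, the voting logic excludes flagged channels from the MooN vote, and the input-channel count of Figures 1 and 2 is computed for the two PLC architectures. The degradation rule (2oo3 to 1oo2 to 1oo1, trip when no healthy channel remains) and the sample temperature data are this example's own assumptions; real safety PLCs configure the degradation policy per project.

```python
"""Degraded MooN trip voting driven by channel diagnostics.

Added worked example, not Honeywell code. The stuck-signal check, the
degradation rule and the sample transmitter data are this example's own
assumptions; real safety PLCs configure such behaviour per project.
"""
from typing import FrozenSet, Sequence, Tuple


def stuck_signal(samples: Sequence[float], window: int = 20,
                 tolerance: float = 0.0) -> bool:
    """Diagnostic for a frozen analog input: a live process value always shows
    some movement, so a run of `window` samples whose spread is within
    `tolerance` points at a failed transmitter rather than a steady process."""
    if len(samples) < window:
        return False  # not enough history to judge
    recent = samples[-window:]
    return max(recent) - min(recent) <= tolerance


def vote(readings: Sequence[float], trip_limit: float, m: int, n: int,
         failed: FrozenSet[int] = frozenset(),
         trip_when_all_failed: bool = True) -> Tuple[bool, str]:
    """MooN trip voting over one reading per channel, excluding channels that
    diagnostics have flagged in `failed`.

    Degradation rule (this example's assumption): each flagged channel lowers
    the number of healthy channels that must demand a trip by one, never
    below one, so 2oo3 degrades to 1oo2 and then to 1oo1. The remaining
    healthy channel can therefore still shut the process down on a demand.
    With no healthy channel left the function trips (fail-safe) unless the
    project has chosen to keep running on diagnosed-failed inputs.
    Returns (trip, effective voting such as "1oo2")."""
    if len(readings) != n or not 1 <= m <= n:
        raise ValueError("need one reading per channel and 1 <= M <= N")
    healthy = [i for i in range(n) if i not in failed]
    if not healthy:
        return trip_when_all_failed, "0oo0"
    required = min(max(1, m - len(failed)), len(healthy))
    demands = sum(1 for i in healthy if readings[i] >= trip_limit)
    return demands >= required, f"{required}oo{len(healthy)}"


def evaluate_sif(histories: Sequence[Sequence[float]], trip_limit: float,
                 m: int, n: int, window: int = 20) -> dict:
    """One logic-solver scan: run the stuck-signal diagnostic on every channel's
    history, then vote on the latest readings with failed channels excluded."""
    failed = frozenset(i for i, h in enumerate(histories)
                       if stuck_signal(h, window))
    latest = [h[-1] for h in histories]
    trip, effective = vote(latest, trip_limit, m, n, failed)
    return {"failed": sorted(failed), "effective_vote": effective, "trip": trip}


def input_channels(field_devices: int, triplicated_io: bool) -> int:
    """Safety-PLC input channels consumed by one safety function: one per field
    device on a single-channel, diagnostics-based I/O design (Figure 1), three
    per device when the I/O itself is triplicated (Figure 2)."""
    return field_devices * (3 if triplicated_io else 1)


# Constructed sample data: three 2oo3-voted temperature transmitters, trip at
# 200 degC. Channels 0 and 1 carry a small sawtooth of process noise; channel 2
# has frozen at 149.7 although the real temperature is still moving.
LIVE = [150.0 + 0.1 * ((i % 5) - 2) for i in range(30)]
FROZEN = [149.7] * 30
TRIP_LIMIT = 200.0

if __name__ == "__main__":
    print("normal operation  :", evaluate_sif([LIVE, LIVE, FROZEN], TRIP_LIMIT, 2, 3))
    # A rising temperature reaches one of the two healthy transmitters first:
    # the degraded 1oo2 vote trips, whereas an undegraded 2oo3 that still
    # counted the frozen channel would not.
    demand = [LIVE + [205.0], LIVE + [150.0], FROZEN + [149.7]]
    print("demand, degraded  :", evaluate_sif(demand, TRIP_LIMIT, 2, 3))
    print("demand, undegraded:", vote([205.0, 150.0, 149.7], TRIP_LIMIT, 2, 3))
    print("input channels for 3 transmitters: single I/O =",
          input_channels(3, False), " triplicated I/O =", input_channels(3, True))
```

The point of the demand case is the one raised earlier: once diagnostics have flagged the frozen channel, the assumed healthy channels must still be able to trip, which is what the degraded 1oo2 vote guarantees. Whether the logic solver instead shuts down immediately on the diagnosed failure, or keeps running degraded while the repair takes place, is the SIL-dependent decision discussed above.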
CapEx & OpEx Advantages
From a safety integrity perspective, both diagnostics and fault tolerance result in a more reliable and safer design. From an engineering perspective, however, diagnostics also has obvious advantages. Diagnostics-based safety systems use only about half the number of I/O channels, and therefore about half the number of cabinets, compared to triplicated systems. A smaller footprint (floor space), less hardware, fewer spare parts and lower energy consumption and maintenance also lead to a drastic drop in OpEx.
In conclusion, diagnostics not only make a higher SIL achievable with less redundancy, but also reduce both CapEx and OpEx. Today's installed base of field devices has not invested much in diagnostics. Given the enormous potential for cost savings, implementing diagnostics in safety systems is a win-win situation for our industry.
For more information
Please visit the Honeywell website at www.honeywell.com/ps/sea