5.8 Programmable Safety Systems
ASISH GHOSH (2005)
Partial List of Programmable Safety System Suppliers for Process Industries:
ABB (Elsag-Bailey Controls) (www.ABB.com)
G.E. Fanuc Automation (www.GEIndustrial.com)
HIMA-Americas Inc. (www.hima-americas.com)
Honeywell ACS Service (honeywell.com/acs)
ICS Triplex (www.icstriplex.com)
Rockwell Automation (www.rockwellautomation.com)
Siemens (www.sea.siemens.com)
Yokogawa Corp. of America (www.yca.com)
Triconex/Invensys (www.Triconex.com)
Partial List of PLC Suppliers:
ABB (Elsag-Bailey Controls) (www.ABB.com)
Allen-Bradley/Rockwell Automation (www.AB.com)
Automation Direct (www.Automationdirect.com)
Danaher (Eagle Signal Controls) (www.Dancon.com)
Eaton (Cutler-Hammer) (www.EatonElectrical.com)
Emerson (Westinghouse) (www.EmersonProcess.com)
Fuji Electric Corp. (www.FujiElectric.com)
G.E. Fanuc Automation (www.GEIndustrial.com)
Giddings & Lewis (www.GLControls.com)
Idec Corp. (www.Idec.com)
International Parallel Machines Inc. (www.ipmiplc.com)
Mitsubishi Electric (www.meau.com)
Modicon/Schneider Electric (www.Modicon.com)
Moeller Corp. (www.Moeller.net)
Omega Engineering (www.Omega.com)
Omron Electronics Inc. (www.Omron.com)
Reliance Electric Co./Rockwell Automation (www.Reliance.com)
Siemens (www.sea.siemens.com)
Toshiba Inc. (www.Toshiba.com)
Triconex/Invensys (www.Triconex.com)
Uticor Technology Inc. (www.Uticor.com)
INTRODUCTION
Since the publication of the IEC 61508 safety standard [1] and more recently the IEC 61511 standard [2] for process safety, the interest in rigorous safety analysis and in certified safety instrumented systems (SISs) has increased considerably among the users. As users are becoming more knowledgeable about safety issues, they are increasingly focusing on the goal of overall safety. Users want their safety systems to be cost-effective and to provide closer integration of the safety and control systems. They are looking for flexible architecture with more scalability. They are also looking for increased functionality for modifying alarm limits based on process conditions and on orderly shutdown procedures in case of an emergency. The major trends in safety systems are
• Increased focus on overall safety
• Closer integration with control systems
• Increased flexibility and scalability
• Increased function block capabilities

Both IEC 61508 and 61511 standards are performance-based; as such, they do not mandate any specific safety system architecture or risk assessment procedures. However, they do provide guidance on the analysis of safety life cycle, hazards, and risks, and on methods for determining safety requirements.
© 2006 by Béla Lipták
TABLE 5.8a Factors that Increase Risk
• Operating plant and machinery closer to their limits
• Transient operation states
• Use of hazardous raw materials
• Manufacture of hazardous intermediates
• Presence of untrained personnel
• Absence of safety culture
Transient operations include startup, shutdown, shift change, and workforce transitions.
Safety system certifications should objectively assess the reliability and availability of critical control and safety shutdown systems and related equipment. Technical Inspection Associations (in German, Technischer Überwachungs-Verein, or TÜVs) in Germany have been at the forefront of inspection and certification of safety-related systems worldwide. In choosing a safety system, users should take into account not only all the features of that system but also the specified restrictions, which are spelled out by the certification authority. This information is often found in the product safety manual. In choosing a system supplier, users should take into account the supplier's knowledge and experience in safety analysis, their application knowledge, and local support.

Risk Reduction
Risk is usually defined as a combination of the severity and probability of an unplanned event. Risk depends on how often that event can happen and how bad it will be when it does. In manufacturing operations, the type of events and their associated risks include loss of life or limb, environmental impact, loss of capital equipment, and loss of production. For many manufacturers, loss of company image can also be a significant risk factor. With increased environmental awareness, regulatory concerns, and threat of litigation, risk reduction is becoming more and more important to most manufacturers (Table 5.8a). The best way to reduce risk in a manufacturing plant is to design inherently safe processes. However, inherent safety is rarely achievable in today's manufacturing environments. Risks prevail wherever there are hazardous or toxic materials stored, processed, or handled (Figure 5.8b). Because it is impossible to eliminate all risks, a manufacturer must agree on a level of risk that is considered to be acceptable. After identifying the hazards, a study should therefore be performed to evaluate each risk situation by considering likelihood and severity. Site-specific conditions, such as population density, in-plant traffic patterns, and meteorological conditions, should also be taken into consideration during risk evaluation. The risk levels that are determined by the safety studies can be used to decide if the risks are within acceptable levels. Basic process control systems, including process alarms and the means of manual intervention, provide the first level of risk reduction in a manufacturing facility. Additional protection measures are needed where a basic control system does not reduce the risk to an acceptable level. They include safety-instrumented systems along with hardware interlocks, relief valves, and containment dikes. To be effective, each protection subsystem should act independently of the others (Table 5.8c).

TABLE 5.8c Driving Forces for Lowering Risks
• Higher environmental awareness
• Increased regulatory considerations
• Emergence of safety standards
• Maintaining company image

FIG. 5.8b Reducing risk. (Figure: a risk scale running from "Risk without protective measures" through "Risk with process control system" and "Risk with safety protections" down to "Tolerable risk"; the "Necessary minimum risk reduction" is compared with the "Actual risk reduction", which is the risk reduction achieved by all control and safety-related systems and external risk reduction facilities.)

History
In the early days of process control, commonly used alarming and safety interlocking devices included pressure, flow, level,
and temperature switches. These switches were simple mechanical or electromechanical devices that, upon detection of hazardous conditions, activated valves, motors, and other plant equipment to bring a process to a safe state. Other mechanical devices, which are also still used today, include such physical devices as electrical fuses, safety valves, and rupture disks. While the electromechanical and solid-state relays could be used to design more sophisticated safety systems, they were difficult to program or to interface with digital computers. Hence, programmable safety systems were developed in the early 1970s. Programmable safety systems provide scalability, flexibility, and ease of configuration (Table 5.8d).

TABLE 5.8d Typical Applications of Safety Systems
• Emergency shutdown (ESD)
• Fire and gas monitoring and protection
• Critical process control
• Turbine and compressor control
• Unmanned installations
• Burner management and control

Duplex and Triplex Designs
In the late 1970s, August Systems pioneered the development of the programmable safety system, which was followed by systems from Triconex and Triplex. These three suppliers developed the triple modular redundant (TMR) systems, in which three independent, parallel processors with extensive diagnostics are integrated into a single system (2oo3). At each decision point within the system, a two-out-of-three vote is taken to determine failures and guarantee correct operations. Other suppliers of TMR systems for process industries include GE Fanuc and Yokogawa (Figure 5.8e).

FIG. 5.8e Typical TMR system. (Figure: input legs A, B, and C feed processors A, B, and C; output legs A, B, and C pass through a voter to the output.)

A dual redundant system with extensive diagnostics (duplex) is another common safety system design. Here, two identical processors are configured as a married pair to check the health of the system (1oo2D). In this arrangement, two identical processors operate in parallel. They use the same inputs, while only one processor controls the output modules at any given time. The outputs of both processors are always compared to ensure that they are synchronized and identical. If they disagree, a diagnostic evaluation is initiated to determine which of the two is still reliable, so that the one retained will continue the process in a safe state or shut it down. At the same time, messages are issued so that the failed processor can be repaired (Figure 5.8f). Major suppliers of duplex systems include ABB, Honeywell, Siemens, and Yokogawa.

FIG. 5.8f Typical duplex system. (Figure: input circuit, two processors, diagnostic circuit, and output circuit.)

Quadruple Redundant Systems
Another safety system design is the quadruple modular redundant (quad) system. The quad architecture provides four processors — two per channel (2oo4) — which may be viewed as a pair of duplex systems with diagnostics. Both pairs of active processors operate synchronously with the same user program. A hardware comparator and a separate fail-safe watchdog monitor the operation of each pair of processors to diagnose and resolve anomalies (Figure 5.8g). At present HIMA and Honeywell are the two major suppliers of quad systems.

FIG. 5.8g Typical quad system. (Figure labels: I/O bus 1, I/O bus 2, µP1, µP2, DPR, Diagnostic, CM 1, CM 2, 1oo2, 1oo2D, 2oo4, Actuator.)

The safety and availability of quad, TMR, and duplex systems are comparable. It is the quality of diagnostics and the system implementation that determines their relative performance. In recent years, the increased awareness of safety, the impact of various regulatory agencies, and the publication of safety standards have led to the rapid growth in demand for safety systems. Many DCS- and PLC-based control system suppliers are competing for a share of this market.

SAFETY STANDARDS
The IEC 61508 safety standard published by the International Electrotechnical Commission (IEC) is applicable to a wide range of industries and applications. The standard is intended both as the basis for the preparation of more specific standards and for standalone use. A more specific international safety standard for process industries (IEC 61511) has also been published. Since the publication of the IEC 61508 and IEC 61511 standards, interest in rigorous safety analysis and in applying certified safety instrumented systems has increased. These standards give guidance on good practice and offer recommendations, but do not absolve their users of responsibility for safety. The standards not only deal with technical issues but also include planning, documentation, and assessment of all activities. Thus, the standards deal with the management of safety throughout the entire life of a system.

IEC 61508: General Safety Standard
The IEC 61508 standard is in seven parts:
• Part 1: General requirements
• Part 2: Requirements for safety-related systems
• Part 3: Software requirements
• Part 4: Definitions and abbreviations
• Part 5: Examples of methods for the determination of safety integrity levels (SILs)
• Part 6: Guidelines on the applications
• Part 7: Overview of techniques and measures

The standard is generic and can be used directly by industry, as a standalone standard, and by international standards organizations as a basis for the development of industry-specific standards, such as for the machinery sector, the process sector, or the nuclear sector. The IEC 61511 standard is more specific to the process industries.
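The 2oo3 vote and the 1oo2D compare-then-diagnose arbitration described under Duplex and Triplex Designs above, as an added software model that is not part of the handbook or of any supplier's product. The names vote_2oo3, select_1oo2d and proc_t are hypothetical, and the rule that an undiagnosed disagreement trips while a diagnosed fault hands control to the healthy processor is an assumed simplification of what the text describes.

```c
/* Added example, not from the handbook: a model of the 2oo3 (TMR) vote and the
 * 1oo2D (duplex with diagnostics) arbitration described above. Output convention:
 * true = energize (run), false = de-energize (trip). Rules are simplified. */
#include <stdbool.h>
#include <stdio.h>

/* 2oo3: the majority of the three legs wins, so one faulty leg is masked; the
 * dissenting leg (if any) is reported so it can be alarmed and repaired. */
bool vote_2oo3(const bool leg[3], int *dissenter)
{
    int energized = (int)leg[0] + (int)leg[1] + (int)leg[2];
    bool result = energized >= 2;
    *dissenter = -1;
    for (int i = 0; i < 3; i++) if (leg[i] != result) *dissenter = i;
    return result;
}

/* One processor of a duplex pair: its output and its diagnostic verdict. */
typedef struct { bool out; bool healthy; } proc_t;
/* 1oo2D: both processors see the same inputs and their outputs are compared.
 * Agreement between two healthy processors passes through. On disagreement the
 * diagnostics arbitrate: if exactly one processor is flagged faulty the other
 * keeps control; if neither is flagged (undiagnosed fault) or both are, trip.
 * *in_control reports which processor was used (0 = A, 1 = B, -1 = tripped). */
bool select_1oo2d(proc_t a, proc_t b, int *in_control)
{
    if (a.healthy && b.healthy) {
        if (a.out == b.out) { *in_control = 0; return a.out; }
        *in_control = -1;                /* undiagnosed disagreement: fail safe */
        return false;
    }
    if (a.healthy) { *in_control = 0; return a.out; }   /* B diagnosed faulty */
    if (b.healthy) { *in_control = 1; return b.out; }   /* A diagnosed faulty */
    *in_control = -1;                                    /* both faulty: trip */
    return false;
}

/* Fault-injection demonstration on constructed channel states. */
int main(void)
{
    int who;
    bool legs[3] = { true, false, true };             /* leg B stuck at trip */
    bool r = vote_2oo3(legs, &who);
    printf("2oo3 -> %d (dissenting leg %d)\n", r, who);
    proc_t a = { true, true }, b = { false, true };   /* disagree, neither flagged */
    r = select_1oo2d(a, b, &who);
    printf("1oo2D -> %d (processor %d in control)\n", r, who);
    return 0;
}
```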
IEC 61511: Safety Standard for Process Industries
While IEC 61508 has seven parts, the IEC 61511 standard has only three parts:
• Part 1: Framework, definitions, system, hardware, and software requirements
• Part 2: Guidelines on the application
• Part 3: Guidance for the determination of the required safety integrity levels
IEC 61511 Part 1 is primarily normative, while Parts 2 and 3 are informative. Part 1 is structured to adhere to a safety life cycle model similar to that in the IEC 61508 standard. The hazard and risk analysis utilizes the notion of protection layers and specifies the safety integrity level concept developed by the IEC 61508 standard. It also lists key issues that need to be addressed when developing a safety requirement specification. Issues like separation, common cause, response to fault detection, hardware reliability, and proven-in-use are also addressed in this part (Table 5.8h).

TABLE 5.8h Main Differences Between IEC 61508 and IEC 61511 Standards
IEC 61508 | IEC 61511
Generic safety standard for broad range of applications | Sector-specific safety standard for the process industries
Applies to all safety-related systems and external risk reduction facilities | Applies only to safety-instrumented systems
Primarily for manufacturers and suppliers of safety systems and devices | Primarily for system designers, integrators, and users of safety systems

In this part of the standard, software safety requirement specifications are included, addressing such items as
architecture, relationship to hardware, safety instrument functions, safety integrity level, software validation planning, support tools, testing, integration, and modification. In addition, a section is dedicated to factory acceptance testing requirements, and another section lists the installation and commissioning requirements. Part 2 of the standard provides "how to" guidance on the specification, design, installation, operation, and maintenance of safety instrumented functions and the related safety instrumented system as defined in Part 1 of the standard. Part 3 of the standard provides guidance for the development of process hazard and risk analysis. It provides information on:
• The underlying concepts of risk and the relationship of risk to safety integrity
• The determination of tolerable risk
• A number of different methods that enable the safety integrity levels for the safety instrumented functions to be determined
It also illustrates methods from different countries that have been proven-in-use. It further illustrates good engineering practices across cultural and technological differences, providing the end user with effective methods from which to select.
ANSI/ISA-84.01 Standard
The original ANSI/ISA-84.01 standard was published in 1966; as such, it predates the IEC 61508 safety standard. However, it is being abandoned in favor of the IEC 61511 international standard. A new ISA standard was released in 2004, which was nearly identical to the IEC 61511 safety standard. There is, however, a grandfather clause in the new version that allows the continued use of safety systems following the original version of the standard. The safety standards give guidance on good practice and offer recommendations, but do not absolve their users of responsibility for safety. The standard recognizes that safety cannot be based on retrospective proof, but must be demonstrated in advance, and that there cannot be a perfectly safe system. Therefore, the standards not only deal with technical issues, but also include planning, documentation, and assessment of all activities. Thus, the standard deals with the management of safety throughout the entire life of a system. The standards bring safety management to system management and safety engineering to software engineering.

Safety Integrity Levels
Safety integrity is defined as the likelihood of a safety instrumented system satisfactorily performing the required safety functions under all stated conditions, within a stated period. A safety integrity level (SIL) is defined as a discrete level for specifying the safety integrity requirements of safety functions. Whereas a safety integrity level is derived from an assessment of risk, it is not a measure of risk. It is a
TABLE 5.8i Safety Integrity Levels (SIL)
Safety Integrity Level (SIL) | Probability of Failure on Demand | Mode of Operation
1
≥10 to 10 to 10 to