5.8
Programmable Safety Systems
ASISH GHOSH
(2005)
Partial List of Programmable
Safety System Suppliers
for Process Industries:
ABB (Elsag-Bailey Controls) (www.ABB.com)
G.E. Fanuc Automation (www.GEIndustrial.com)
HIMA-Americas Inc. (www.hima-americas.com)
Honeywell ACS Service (honeywell.com/acs)
ICS Triplex (www.icstriplex.com)
Rockwell Automation (www.rockwellautomation.com)
Siemens (www.sea.siemens.com)
Yokogawa Corp. of America (www.yca.com)
Triconex/Invensys (www.Triconex.com)
Partial List of PLC Suppliers:
ABB (Elsag-Bailey Controls) (www.ABB.com)
Allen-Bradley/Rockwell Automation (www.AB.com)
Automation Direct (www.Automationdirect.com)
Danaher (Eagle Signal Controls) (www.Dancon.com)
Eaton (Cutler-Hammer) (www.EatonElectrical.com)
Emerson (Westinghouse) (www.EmersonProcess.com)
Fuji Electric Corp. (www.FujiElectric.com)
G.E. Fanuc Automation (www.GEIndustrial.com)
Giddings & Lewis (www.GLControls.com)
Idec Corp. (www.Idec.com)
International Parallel Machines Inc. (www.ipmiplc.com)
Mitsubishi Electric (www.meau.com)
Modicon/Schneider Electric (www.Modicon.com)
Moeller Corp. (www.Moeller.net)
Omega Engineering (www.Omega.com)
Omron Electronics Inc. (www.Omron.com)
Reliance Electric Co./Rockwell Automation (www.Reliance.com)
Siemens (www.sea.siemens.com)
Toshiba Inc. (www.Toshiba.com)
Triconex/Invensys (www.Triconex.com)
Uticor Technology Inc. (www.Uticor.com)
INTRODUCTION

Since the publication of the IEC 61508 safety standard[1] and more recently the IEC 61511 standard for process safety,[2] the interest in rigorous safety analysis and in certified safety instrumented systems (SISs) has increased considerably among the users. As users are becoming more knowledgeable about safety issues, they are increasingly focusing on the goal of overall safety.

Users want their safety systems to be cost-effective and to provide closer integration of the safety and control systems. They are looking for flexible architecture with more scalability. They are also looking for increased functionality for modifying alarm limits based on process conditions and on orderly shutdown procedures in case of an emergency.

The major trends in safety systems are

• Increased focus on overall safety
• Closer integration with control systems
• Increased flexibility and scalability
• Increased function block capabilities

Both IEC 61508 and 61511 standards are performance-based; as such, they do not mandate any specific safety system architecture or risk assessment procedures. However, they do provide guidance on the analysis of safety life cycle, hazards, and risks, and on methods for determining safety requirements.
© 2006 by Béla Lipták
PLCs and Other Logic Devices
TABLE 5.8a
Factors that Increase Risk
• Operating plant and machinery closer to their limits
• Transient operation states
• Use of hazardous raw materials
• Manufacture of hazardous intermediates
• Presence of untrained personnel
• Absence of safety culture
Transient operations include startup, shutdown,
shift change, and workforce transitions
Safety system certifications should objectively assess the reliability and availability of critical control and safety shutdown systems and related equipment. Technical Inspection Associations (in German, Technischer Überwachungs-Verein, or TÜVs) in Germany have been in the forefront of inspection and certification of safety-related systems worldwide.
In choosing a safety system, users should take into account
not only all the features of that system but also the specified
restrictions, which are spelled out by the certification authority.
This information is often found in the product safety manual.
In choosing a system supplier, users should take into account
the supplier’s knowledge and experience in safety analysis,
their application knowledge, and local support.
Risk Reduction
Risk is usually defined as a combination of the severity and probability of an unplanned event. Risk depends on how often that event can happen and how bad it will be when it does. In manufacturing operations, the types of events and their associated risks include loss of life or limb, environmental impact, loss of capital equipment, and loss of production. For many manufacturers, loss of company image can also be a significant risk factor. With increased environmental awareness, regulatory concerns, and threat of litigation, risk reduction is becoming more and more important to most manufacturers (Table 5.8a).
The best way to reduce risk in a manufacturing plant is
to design inherently safe processes. However, inherent safety
is rarely achievable in today’s manufacturing environments.
Risks prevail wherever there are hazardous or toxic materials
stored, processed, or handled (Figure 5.8b).
Because it is impossible to eliminate all risks, a manufacturer
must agree on a level of risk that is considered to be acceptable.
After identifying the hazards, a study should therefore be performed to evaluate each risk situation by considering likelihood
and severity. Site-specific conditions, such as population density,
in-plant traffic patterns, and meteorological conditions, should
also be taken into consideration during risk evaluation.
The risk levels that are determined by the safety studies
can be used to decide if the risks are within acceptable levels.
Basic process control systems, including process alarms and
the means of manual intervention, provide the first level of
risk reduction in a manufacturing facility. Additional protection measures are needed where a basic control system does not reduce the risk to an acceptable level. They include safety-instrumented systems along with hardware interlocks, relief valves, and containment dikes. To be effective, each protection subsystem should act independently of the others (Table 5.8c).
FIG. 5.8b
Reducing risk. (Figure: a risk scale running from "risk without protective measures", through "risk with process control system" and "risk with safety protections", down to "tolerable risk". The distance from the unprotected risk to the tolerable risk is the necessary minimum risk reduction; the actual risk reduction achieved by all control and safety-related systems and external risk reduction facilities must be at least as large.)

TABLE 5.8c
Driving Forces for Lowering Risks
• Higher environmental awareness
• Increased regulatory considerations
• Emergence of safety standards
• Maintaining company image

History

In the early days of process control, commonly used alarming and safety interlocking devices included pressure, flow, level, and temperature switches. These switches were simple mechanical or electromechanical devices that, upon detection of hazardous conditions, activated valves, motors, and other plant equipment to bring a process to a safe state. Other mechanical devices, which are also still used today, include such physical devices as electrical fuses, safety valves, and rupture disks.
While the electromechanical and solid-state relays could
be used to design more sophisticated safety systems, they were
difficult to program or to interface with digital computers.
Hence, programmable safety systems were developed in the
early 1970s. Programmable safety systems provide scalability,
flexibility, and ease of configuration (Table 5.8d).
TABLE 5.8d
Typical Applications of Safety Systems
• Emergency shutdown (ESD)
• Fire and gas monitoring and protection
• Critical process control
• Turbine and compressor control
• Unmanned installations
• Burner management and control

Duplex and Triplex Designs In the late 1970s, August Systems pioneered the development of the programmable safety system, which was followed by systems from Triconex and Triplex. These three suppliers developed the triple modular redundant (TMR) systems, in which three independent, parallel processors with extensive diagnostics are integrated into a single system (2oo3). At each decision point within the system, a two-out-of-three vote is taken to determine failures and guarantee correct operations. Other suppliers of TMR systems for process industries include GE Fanuc and Yokogawa (Figure 5.8e).

FIG. 5.8e
Typical TMR system. (Figure: input legs A, B, and C feed processors A, B, and C; their output legs A, B, and C are combined by a voter into a single output.)

A dual redundant system with extensive diagnostics (duplex) is another common safety system design. Here, two identical processors are configured as a married pair to check the health of the system (1oo2D). In this arrangement, two identical processors operate in parallel. They use the same inputs, while only one processor controls the output modules at any given time. The outputs of both processors are always compared to ensure that they are synchronized and identical. If they disagree, a diagnostic evaluation is initiated to determine which of the two is still reliable, so that the one used will continue the process in a safe state or shut it down. At the same time, messages are generated so that the failed processor can be repaired (Figure 5.8f). Major suppliers of duplex systems include ABB, Honeywell, Siemens, and Yokogawa.

FIG. 5.8f
Typical duplex system. (Figure: two processors, each with its own input circuit and diagnostic circuit, driving a common output circuit.)
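The 2oo3 and 1oo2D arrangements just described, as an added illustration in Python; this is not code from the original section or from any of the suppliers it names. The output encoding (True = demand the safe state, False = run), the decision to treat a disagreement that the diagnostics cannot resolve as a trip, and the scenario values are assumptions made for the example.

```python
"""Voting logic of a 2oo3 (triple modular redundant) and a 1oo2D (duplex with
diagnostics) safety processor. Added illustration; not code from the original
section or from any supplier named in it. Output encoding is an assumption:
True = demand the safe state (trip), False = let the process run.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TRIP, RUN = True, False


def vote_2oo3(a: bool, b: bool, c: bool) -> Tuple[bool, Optional[str]]:
    """Two-out-of-three majority vote over three independent legs.

    Returns the voted output plus the name of the leg that disagreed with the
    majority, if any. One failed leg is outvoted (masked) and at the same time
    detected, which is what the text means by "determine failures and
    guarantee correct operations".
    """
    legs = {"A": a, "B": b, "C": c}
    voted = sum(legs.values()) >= 2
    outliers = [name for name, value in legs.items() if value != voted]
    return voted, (outliers[0] if outliers else None)


@dataclass
class Processor:
    output: bool   # the output this processor wants to drive
    diag_ok: bool  # verdict of its own diagnostic circuit, True = healthy


def vote_1oo2d(p1: Processor, p2: Processor) -> Tuple[bool, str]:
    """1oo2D: a married pair whose outputs are compared on every cycle.

    Agreement with both processors healthy drives the common output. On any
    anomaly the diagnostics decide which processor is still reliable and only
    its output is used. If the diagnostics cannot single out a healthy
    processor, the pair falls back to the safe state (assumption: trip).
    """
    healthy = [p for p in (p1, p2) if p.diag_ok]
    if p1.output == p2.output and len(healthy) == 2:
        return p1.output, "normal: outputs identical, both processors healthy"
    if len(healthy) == 1:
        return healthy[0].output, "degraded: one processor failed diagnostics, running on the other"
    if len(healthy) == 2:
        # Outputs disagree and neither diagnostic has caught a fault yet:
        # there is no evidence which processor is wrong, so fail safe.
        return TRIP, "disagreement not resolved by diagnostics: safe state"
    return TRIP, "both processors failed diagnostics: safe state"


def scenarios() -> Dict[str, bool]:
    """Constructed cases (not from the text) contrasting the two architectures."""
    return {
        # TMR: leg C stuck at RUN while the process genuinely demands a trip.
        "2oo3 stuck leg still trips": vote_2oo3(TRIP, TRIP, RUN)[0],
        # TMR: a spurious trip on one leg does not cause a nuisance shutdown.
        "2oo3 spurious leg trips": vote_2oo3(TRIP, RUN, RUN)[0],
        # Duplex: P2 fails its diagnostics and drives the wrong output; P1 carries on.
        "1oo2D degraded trips": vote_1oo2d(Processor(RUN, True), Processor(TRIP, False))[0],
        # Duplex: disagreement with no diagnostic evidence -> safe state.
        "1oo2D unresolved trips": vote_1oo2d(Processor(RUN, True), Processor(TRIP, True))[0],
    }


if __name__ == "__main__":
    for name, tripped in scenarios().items():
        print(f"{name}: {tripped}")
```

The contrast worth noticing is in the last two scenarios: the 2oo3 voter masks a single wrong leg without needing any diagnostic verdict, whereas the 1oo2D pair can only stay running through a fault if its diagnostics have already identified the faulty processor; otherwise its sole safe option is to trip. That is the practical meaning of the text's later remark that the quality of the diagnostics determines the relative performance of these architectures.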
Quadruple Redundant Systems Another safety system
design is the quadruple modular redundant (quad) system.
The quad architecture provides four processors — two per
channel (2oo4) — which may be viewed as a pair of duplex
systems with diagnostics. Both pairs of active processors operate synchronously with the same user program. A hardware comparator and a separate fail-safe watchdog monitor the operation of each pair of processors to diagnose and resolve anomalies (Figure 5.8g).

FIG. 5.8g
Typical quad system. (Figure: two central modules, CM 1 and CM 2, each containing microprocessors µP1 and µP2 in a 1oo2 arrangement with a shared DPR and diagnostic block; the two modules are coupled 1oo2D over I/O bus 1 and I/O bus 2, giving 2oo4 overall, and each module drives its own actuator.)

At present HIMA and Honeywell are the two major suppliers of quad systems. The safety and availability of quad, TMR, and duplex systems are comparable. It is the quality of diagnostics and the system implementation that determines their relative performance.

In recent years, the increased awareness of safety, the impact of various regulatory agencies, and the publication of safety standards have led to the rapid growth in demand for safety systems. Many DCS- and PLC-based control system suppliers are competing for a share of this market.

SAFETY STANDARDS

The IEC 61508 safety standard published by the International Electrotechnical Commission (IEC) is applicable to a wide range of industries and applications. The standard is intended both as the basis for the preparation of more specific standards and for standalone use. A more specific international safety standard for process industries (IEC 61511) has also been published.

Since the publication of IEC 61508 and IEC 61511 standards, interest in rigorous safety analysis and in applying certified safety instrumented systems has increased. These standards give guidance on good practice and offer recommendations, but do not absolve their users of responsibility for safety. The standards not only deal with technical issues but also include planning, documentation, and assessment of all activities. Thus, the standards deal with the management of safety throughout the entire life of a system.

IEC 61508: General Safety Standard

The IEC 61508 standard is in seven parts:

• Part 1: General requirements
• Part 2: Requirements for safety-related systems
• Part 3: Software requirements
• Part 4: Definitions and abbreviations
• Part 5: Examples of methods for the determination of safety integrity levels (SILs)
• Part 6: Guidelines on the applications
• Part 7: Overview of techniques and measures

The standard is generic and can be used directly by industry, as a standalone standard, and by international standards organizations as a basis for the development of industry-specific standards, such as for the machinery sector, the process sector, or the nuclear sector. The IEC 61511 standard is more specific to the process industries.

IEC 61511: Safety Standard for Process Industries
While IEC 61508 has seven parts, the IEC 61511 standard has only three parts:

• Part 1: Framework, definitions, system, hardware, and software requirements
• Part 2: Guidelines on the application
• Part 3: Guidance for the determination of the required safety integrity levels
IEC 61511 Part 1 is primarily normative, while Parts 2
and 3 are informative. Part 1 is structured to adhere to a safety
life cycle model similar to that in the IEC 61508 standard.
The hazard and risk analysis utilizes the notion of protection
layers and specifies the safety integrity level concept developed by the IEC 61508 standard. It also lists key issues that
need to be addressed when developing a safety requirement
specification. Issues like separation, common cause, response
to fault detection, hardware reliability, and proven-in-use are
also addressed in this part (Table 5.8h).
TABLE 5.8h
Main Differences Between IEC 61508 and IEC 61511 Standards

IEC 61508: Generic safety standard for a broad range of applications
IEC 61511: Sector-specific safety standard for the process industries

IEC 61508: Applies to all safety-related systems and external risk reduction facilities
IEC 61511: Applies only to safety-instrumented systems

IEC 61508: Primarily for manufacturers and suppliers of safety systems and devices
IEC 61511: Primarily for system designers, integrators, and users of safety systems

In this part of the standard, software safety requirement specifications are included, addressing such items as architecture, relationship to hardware, safety instrumented functions, safety integrity level, software validation planning, support tools, testing, integration, and modification.
In addition, a section is dedicated to factory acceptance
testing requirements, and another section lists the installation and commissioning requirements.
Part 2 of the standard provides “how to” guidance on the
specification, design, installation, operation, and maintenance
of safety instrumented functions and related safety instrumented system as defined in Part 1 of the standard.
Part 3 of the standard provides guidance for development of process hazard and risk analysis. It provides information on:

• The underlying concepts of risk and the relationship of risk to safety integrity
• The determination of tolerable risk
• A number of different methods that enable the safety integrity levels for the safety instrumented functions to be determined
It also illustrates methods from different countries that
have been proven-in-use. It further illustrates good engineering practices across cultural and technological differences,
providing the end user with effective methods from which to
select.
ANSI/ISA-84.01 Standard

The original ANSI/ISA-84.01 standard was published in 1996; as such, it predates the IEC 61508 safety standard. However, it is being abandoned in favor of the IEC 61511 international standard. A new ISA standard was released in 2004, which is nearly identical to the IEC 61511 safety standard. There is, however, a grandfather clause in the new version that allows the continued use of safety systems following the original version of the standard.

The safety standards give guidance on good practice and offer recommendations, but do not absolve their users of responsibility for safety. The standards recognize that safety cannot be based on retrospective proof, but must be demonstrated in advance, and that there cannot be a perfectly safe system. Therefore, the standards not only deal with technical issues, but also include planning, documentation, and assessment of all activities. Thus, the standards deal with the management of safety throughout the entire life of a system. The standards bring safety management to system management and safety engineering to software engineering.
Safety Integrity Levels Safety integrity is defined as the likelihood of a safety instrumented system satisfactorily performing the required safety functions under all stated conditions, within a stated period. A safety integrity level (SIL) is defined as a discrete level for specifying the safety integrity requirements of safety functions. Whereas a safety integrity level is derived from an assessment of risk, it is not a measure of risk. It is a measure of the intended reliability of a system or function (Table 5.8i).

TABLE 5.8i
Safety Integrity Levels (SIL)

SIL   Probability of failure on demand    Probability of dangerous failure per hour
      (demand mode of operation)          (continuous mode of operation)
1     ≥10^-2 to <10^-1                    ≥10^-6 to <10^-5
2     ≥10^-3 to <10^-2                    ≥10^-7 to <10^-6
3     ≥10^-4 to <10^-3                    ≥10^-8 to <10^-7
4     ≥10^-5 to <10^-4                    ≥10^-9 to <10^-8

Notes:
1. Demand mode: where actions are taken in response to process or other conditions (no more than once per year)
2. Continuous mode: functions which implement continuous control to maintain functional safety
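Table 5.8i only tells the designer which band a probability of failure falls in; in practice the number to be placed in that band comes from a risk target. The following Python is an added example, not part of the original section, that carries the chain through: a tolerable event frequency and the existing independent protection layers (Table 5.8c, and the semi-quantitative procedure outlined later under Hazard and Risk Analysis) give the probability of failure on demand (PFD) a new safety instrumented function must achieve, that PFD is placed in a Table 5.8i band, and a candidate design is then checked against it. Assumptions not stated on this page: the layer arithmetic multiplies the initiating-event frequency by each independent layer's PFD, the 1oo1 PFDavg is approximated as λ_DU × T / 2, and every number in demo() is constructed.

```python
"""From a tolerable event frequency to a required SIL, and back to a design check.

Added example, not part of the original section. Assumptions: the layer
arithmetic (initiating-event frequency multiplied by the PFD of every
independent protection layer) is the standard semi-quantitative method the
text only outlines; the SIL bands are those of Table 5.8i; the 1oo1 PFDavg
formula lambda_DU * T / 2 is the usual low-demand approximation and is not
given in the text. Every number in demo() is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Band = Tuple[float, float]  # [lower bound inclusive, upper bound exclusive)

# Table 5.8i, demand mode: average probability of failure on demand (PFD)
SIL_PFD: Dict[int, Band] = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}
# Table 5.8i, continuous mode: probability of dangerous failure per hour (PFH)
SIL_PFH: Dict[int, Band] = {1: (1e-6, 1e-5), 2: (1e-7, 1e-6), 3: (1e-8, 1e-7), 4: (1e-9, 1e-8)}
HOURS_PER_YEAR = 8760


def sil_for(value: float, bands: Dict[int, Band] = SIL_PFD) -> Optional[int]:
    """SIL whose band contains value; None when above SIL 1 or below SIL 4."""
    for sil, (lo, hi) in bands.items():
        if lo <= value < hi:
            return sil
    return None


def mitigated_frequency(initiating_freq: float, layer_pfds: List[float]) -> float:
    """Hazardous-event frequency (per year) remaining after each protection layer.

    Multiplying PFDs is only valid when the layers are independent of each
    other and of the initiating cause (the text's "each protection subsystem
    should act independently"); a shared sensor, valve or power supply would
    make this product optimistic.
    """
    freq = initiating_freq
    for pfd in layer_pfds:
        if not 0.0 < pfd <= 1.0:
            raise ValueError(f"PFD must lie in (0, 1], got {pfd}")
        freq *= pfd
    return freq


@dataclass
class SifRequirement:
    required_pfd: float   # PFD the new safety instrumented function (SIF) must reach
    sil: Optional[int]    # SIL band containing that PFD, or None
    verdict: str


def required_sif(initiating_freq: float, existing_layer_pfds: List[float],
                 tolerable_freq: float) -> SifRequirement:
    """Size the SIF needed to bring the event frequency down to the target."""
    remaining = mitigated_frequency(initiating_freq, existing_layer_pfds)
    if remaining <= tolerable_freq:
        return SifRequirement(1.0, None, "existing layers already meet the target")
    req = tolerable_freq / remaining
    if req >= SIL_PFD[1][1]:  # risk reduction factor below 10
        return SifRequirement(req, None, "below SIL 1: cover with non-SIS measures")
    sil = sil_for(req)
    if sil is None:  # req < 1e-5: beyond what Table 5.8i rates for one function
        return SifRequirement(req, None, "beyond SIL 4: one SIF is not sufficient, "
                                         "add an independent layer or change the process")
    return SifRequirement(req, sil, f"SIL {sil} SIF required")


def pfd_avg_1oo1(lambda_du_per_hour: float, proof_test_interval_hours: float) -> float:
    """Average PFD of a single (1oo1) channel with dangerous undetected failure
    rate lambda_DU that is proof-tested every T hours: lambda_DU * T / 2.
    Valid while lambda_DU * T << 1; it ignores repair time and common cause."""
    return lambda_du_per_hour * proof_test_interval_hours / 2.0


def demo() -> Dict[str, object]:
    """Constructed case: control-system failure every 5 years (0.2/yr); an
    operator alarm response (PFD 0.1) and a relief valve (PFD 0.05) already in
    place; tolerable release frequency 3e-6/yr. Candidate SIF: lambda_DU = 5e-7/h."""
    need = required_sif(0.2, [0.1, 0.05], tolerable_freq=3e-6)
    yearly = pfd_avg_1oo1(5e-7, 1 * HOURS_PER_YEAR)
    three_yearly = pfd_avg_1oo1(5e-7, 3 * HOURS_PER_YEAR)
    return {
        "required_pfd": need.required_pfd,                          # about 3e-3
        "required_sil": need.sil,                                   # 2
        "yearly_test_ok": yearly <= need.required_pfd,              # True
        "three_yearly_test_ok": three_yearly <= need.required_pfd,  # False
        "three_yearly_sil_band": sil_for(three_yearly),             # still 2
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The last two results of demo() are the point: with a three-yearly proof test the candidate function still sits inside the SIL 2 band, yet its PFDavg (about 6.6 × 10^-3) misses the required 3 × 10^-3. The band is a classification, not the acceptance criterion; the required PFD derived from the risk target is, and the proof-test interval is one of the few levers that moves it.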
Safety Life Cycle Safety life cycle is a method or procedure
that provides the way to specify, design, implement, and
maintain safety systems in order to achieve overall safety in
a documented and verified way. All major safety standards,
such as ANSI/ISA-84.01-1996, IEC 61508, and IEC 61511,
have specified safety life cycles, which show considerable
similarities, differing only in the details. The safety life cycle
specified by the IEC 61511 standard shows a systematic
approach to safety starting from hazard and risk analysis to
implementation of safety system and finally to its decommissioning (Figure 5.8j).
Perform Hazard and Risk Analysis: Determine hazards
and hazardous events, the sequence of events leading to hazardous condition, the associated process risks, the requirements of risk reduction, and the safety functions required.
Allocate Safety Functions to Protection Layers: Allocate
safety functions to protection layers and safety systems.
Specify Requirements for Safety System: Specify the requirements for each safety system and their safety integrity levels.
Design and Engineer Safety System: Design system to
meet the safety requirements.
Design and Develop Other Means of Risk Reduction:
Means of protection other than programmable safety systems
include mechanical systems, process control systems, and
manual systems. They are not specified in any detail in the
standard (Figure 5.8k).
Install, Commission, and Validate the Safety Protections:
Install and validate that the safety system meets all the safety
requirements of the safety integrity levels.
Operate and Maintain: Ensure that the safety system
functions are maintained during operation and maintenance.
Modify and Update: Make corrections, enhancements,
and adaptations to the safety system to ensure that the safety
requirements are maintained.
FIG. 5.8j
The safety life cycle. (Figure: the phases run from "perform hazard and risk analysis" and "allocate safety functions to protection layers" to "specify requirements for safety system", then in parallel "design and engineer safety system" and "design and develop other means of risk reduction", followed by "install, commission and validate the safety protections", "operate and maintain", "modify and update", and "perform decommissioning of safety system". Three activities span all phases and are drawn as vertical boxes: "verify safety system", "plan and structure safety life cycle", and "manage functional safety, safety assessment, and safety audit".)
Perform Decommissioning of Safety System: Conduct
review and obtain required authorization before decommissioning of a safety system. Ensure that the required safety
functions remain operational during decommissioning.
Manage Functional Safety, Safety Assessment, and Safety
Audit: Identify the management activities that are required
to ensure the functional safety objectives are met.
Plan and Structure Safety Life Cycle: Define safety life
cycle in terms of inputs, outputs, and verification activities.
Verify Safety System: Demonstrate by review, analysis,
or testing that the required outputs satisfy the defined requirements for each phase of the safety life cycle.
Like all models, the safety life cycle is also an approximation. While the life cycle phases are listed sequentially, in
reality, there are significant iterations between these phases.
Requirements of some of the functions, such as hazard and risk analysis, allocation of safety functions to protection layers, and designing and developing other means of risk reduction, are not specified in any detail in the standard. Certain functions, such as managing functional safety, planning and structuring safety life cycle, and verifying safety requirements at each phase, are carried out continuously during the whole life cycle and are shown as vertical boxes in the figure.

FIG. 5.8k
The protection layers. (Figure: concentric layers around the process, from the innermost outward: control and monitoring (basic process control system, monitoring system, operator supervision); prevention (mechanical protection system, safety system); mitigation (mechanical mitigation system, safety system for mitigation); plant emergency response (evacuation procedures); community emergency response (emergency broadcasting, medical alert).)
MANAGEMENT CONSIDERATIONS
The standards should be recognized as defining requirements
for safety management rather than merely for system development. Not all safety life cycle phases will be relevant to
every application, and it is the responsibility of management
to define what requirements are applicable in each case. The
standards do not prescribe exactly what should be done in
any particular case, but only offer advice and guidance to the
management. Therefore, management is still responsible for
taking appropriate actions and for justifying them.
Management responsibilities include rigorous safety planning, which includes the choice of safety life cycle phases to
be used and the activities to be carried out within those phases.
However, the users should realize that safety systems by themselves do not achieve safety. People working within a strong
safety culture achieve greater safety, and it is management’s
responsibility to foster and maintain such a culture (Table 5.8l).
HAZARD AND RISK ANALYSIS
The standard requires that safety requirements should be determined by analyzing the risks posed by the totality of a manufacturing system and its control system. The analysis consists
of three stages: hazard identification, hazard analysis, and risk
assessment.
A hazard is defined as a potential source of harm. A
manufacturing system and its control system may pose many
hazards, each carrying its own risk. In determining the necessary overall risk reduction, the risk posed by each hazard
must be considered. The importance of hazard identification
cannot be overemphasized, because the risks associated with
unidentified hazards cannot be reduced.
Hazard identification is unlikely to be effective if carried
out by an individual; therefore, it is preferable to have a team
whose members are chosen to bring complementary viewpoints to the process. A well-managed team with defined
objectives is more effective in performing hazard analysis
than a single individual.
TABLE 5.8l
Management Responsibilities
• Put in place an organization structure with the necessary authority
• Define applicable requirements
• Provide documentation infrastructure
• Foster safety culture
IEC 61508 and 61511 are performance-based standards;
as such, they do not mandate any specific safety system architecture or risk assessment procedures. However, they provide
guidance in the areas of risk assessment and risk reduction.
Following are some of the risk assessment and SIL determination concepts as outlined in the IEC 61511 standard Part 3.
Detailed descriptions of these techniques are beyond the scope
of this section. Readers are advised to refer to the IEC 61511
standard or the textbooks listed in the References section.
As Low as Reasonably Practicable (ALARP)
The ALARP principle may be applied during the determination of tolerable risk and safety integrity levels. However, it
is not in itself a method for determining safety integrity
levels. Tolerable risk implies that it is not possible to achieve
absolute safety. A level of risk may be considered tolerable,
in the light of the benefit gained in taking the risk, provided
it is as low as reasonably practicable.
The ALARP triangle is divided into three regions with
the width at any point indicating the magnitude of the risk
(Figure 5.8m). Risk class I represents risks that cannot be justified except in extraordinary circumstances. Risk class III represents risk that is so low as to be negligible and is thus acceptable without any further risk avoidance measures. Risk class II in the middle represents risk that can only be tolerated if measures have been taken to reduce it to as low as reasonably practicable; that is, further reduction is required unless its cost would be grossly disproportionate to the benefit gained.
The concept of ALARP can be used when qualitative or
quantitative risk targets are adopted. In order to apply the
ALARP principle, it is necessary to define the three regions in
terms of the probability and consequence of an incident. This
definition would take place by discussion and agreement
between the interested parties, such as those producing the risks,
those exposed to the risks, and safety regulatory authorities.
Table 5.8n is an example of the three risk classes for a
number of consequences and frequencies. After determining
the tolerable risk target, it is then possible to determine the
safety integrity levels of safety-instrumented functions.
Required Safety Integrity Level

The IEC 61511 standard Part 3 specifies a number of ways of establishing the required safety integrity levels for a specific application. The method selected for a specific application depends on many factors, such as:

• Application complexity
• Guidelines from regulatory authorities
• Nature of the risk and the risk reduction requirements
• Experience and skills of the persons available to undertake the work
• Information available on the parameters relevant to the risk
FIG. 5.8m
Tolerable risk and ALARP. (Figure: the ALARP triangle, widest at the top, divided into three regions.)
Unacceptable region, risk class I: risk cannot be justified except in extraordinary circumstances.
Tolerable region, risk class II: risk is tolerable only if further risk reduction is impracticable or its cost is grossly disproportionate to the improvements gained, and society desires the benefit of the activity given the associated risk.
Broadly acceptable region, risk class III: level of residual risk regarded as negligible; further measures to reduce it are not usually required.
Note: There is no relationship between risk class and SIL.
More than one method may be used in an application. A qualitative method may be used first, followed by a more rigorous quantitative method, if needed. Qualitative methods outlined in the standard include:

• Safety reviews
• Checklists
• What-if analysis
• Hazard and operability (HAZOP)
• Failure mode and effects analysis
• Cause-consequence analysis

Hazard and operability analysis is one of the more widely used techniques. It identifies and evaluates hazards in process plants and nonhazardous operability problems that compromise its ability to achieve design productivity. Table 5.8o is an example of the results of a HAZOP analysis.
TABLE 5.8n
Example of Risk Classification of Incidents

Probability    Catastrophic   Critical   Marginal   Negligible
Frequent       I              I          I          II
Probable       I              I          II         II
Occasional     I              II         II         II
Remote         II             II         II         III
Improbable     II             III        III        III
Incredible     II             III        III        III

The probabilities of occurrence are defined as:
Frequent: Many times in the system's lifetime
Probable: Several times in the system's lifetime
Occasional: Once in the system's lifetime
Remote: Unlikely during the system's lifetime
Improbable: Very unlikely
Incredible: Absolutely improbable

The consequences are defined as:
Catastrophic: Multiple loss of life
Critical: Loss of a single life
Marginal: Major injuries to one or more persons
Negligible: Minor injuries

Note: The risk classes are application dependent
TABLE 5.8o
Example of a HAZOP Report

Item: Reactor

Deviation: High level
  Cause: Failure of control system
  Consequence: High pressure
  Safeguards: Operator

Deviation: High pressure
  Cause: High level; external fire
  Consequence: Release to environment
  Safeguards: Alarm, protection layer; fire deluge system
  Recommendations: Evaluate conditions for release to environment

Deviation: Low flow
  Cause: Failure of control system
  Consequence: Excess pressure
  Safeguards: Operator
  Recommendations: Open pressure release valve manually
Semi-Quantitative Risk Analysis Techniques
SAFETY SYSTEM CERTIFICATION
An estimate of the process risk can be made by a semiquantitative risk analysis procedure that identifies and quantifies the risks associated with potential process accidents or
hazardous events. The results can be used to identify necessary safety functions and their associated SIL in order to
reduce the process risk to an accepted level. Following are
the main steps of this technique, where the first four steps
can be performed during the HAZOP study:
Safety system certifications objectively assess the reliability
and availability of critical control and safety shutdown systems
and related products. Following are some of its advantages:
•
•
•
•
•
•
•
Identify process hazards
Identify safety layer composition
Identify initiating events
Develop hazardous event scenarios for every initiating
event
Ascertain the frequency of occurrence of the initiating
events and the reliability of existing safety systems
Quantify the frequency of occurrence of significant
hazardous events
Integrate the results for risks associated with each
hazardous event
The above exercise leads to a better understanding of
hazards and risks associated with a process and leads to the
identification of safety functions needed to reduce risks to
acceptable levels.
Risk Graphs
The use of a risk graph is a method for evaluating safety
integrity levels, which is illustrated in Figure 5.8p.
This method focuses on the evaluation of risk from the
point of view of a person being exposed to the incident impact
zone. In a risk graph there are four parameters to characterize
a potential hazardous event: consequence, frequency of exposure, possibility of escape, and likelihood of events. In assessing the consequence severity, the following are considered:
•
•
•
Potential for injury or fatality
Possibility of the exposed person recovering and
returning to normal activities
The effects of injury: acute or chronic
The resulting safety integrity levels are shown in vertical
columns.
© 2006 by Béla Lipták
•
•
•
•
•
Allows making informed decisions when choosing a
product for a specific application
Allows products and systems certified against standards
Allows installing certified products and achieves recognized levels of process safety
Gives the manufacturers of safety systems the opportunity to improve their products
Gives suppliers of safety systems competitive advantage
through documented product quality and reliability
Safety regulations came after the start of industrialization
when steam engines and boiler explosions caused many deaths.
For over 127 years, TUVs have been in the forefront of inspection and certification of safety related systems in Germany.
The TUV certification process is very exhaustive and covers everything from the formulation and documentation of the
original design concepts to the manufactured product and its
suitability for a defined application. TUV is not a single entity,
but consists of a number of independent regional organizations. Among them, TUV Rheinland, TUV Product Services
(a part of TUV Suddeutschland), and TUVIT (part of
RWTUV) are most active in certifying safety-related systems.
A research project started in the early 1980s by the TUVs
on computer-based safety systems resulted in a document
that led to the German safety standard DIN/VDE 0801. Until
recently, the TUVs certified systems were based on the DIN
standard (AK Class 1 to 7). They are now certifying systems
based on IEC 61508 standards.
Every supplier that pursues this market has systems certified by one of the TUVs. This condition has been viewed
favorably by both users and suppliers of safety systems, where
users wanted reassurance of having a system certified by a
qualified agency, and suppliers were willing to pay the necessary fees in order to differentiate themselves from competitors.
It should be emphasized, however, that some of the certified equipment has extensive restrictions. These restrictions
effectively represent requirements not met by the manufacturer. When this happens, the user must compensate by adding externally wired equipment or user-programmed logic.
1002
PLCs and Other Logic Devices
Risk graph of Figure 5.8p, reconstructed as a table from the extracted
figure: the path C, F, P through the graph selects a row, and the
probability class W selects the column.

Event path      W3   W2   W1
C1              a    a    a
C2  F1  P1      1    a    a
C2  F1  P2      1    1    a
C2  F2  P1      2    1    1
C2  F2  P2      3    2    1
C3  F1          3    3    2
C3  F2          4    3    3
C4              b    b    b

a = No special safety requirement
b = A single safety system is not sufficient
1, 2, 3, 4 = Safety integrity level
Consequence of event:
C1 = Minor injury
C2 = Serious permanent injury to one or more persons, death of one person
C3 = Death of several people
C4 = Very many people killed
Frequency of exposure:
F1 = Rare to more often exposure in the hazardous zone
F2 = Frequent to permanent exposure
Possibility of escape:
P1 = Possible under certain conditions
P2 = Almost impossible
Probability of occurrence (pa = per annum):
W1 = Slight probability (less than 0.3 pa)
W2 = Medium probability (greater than 0.3 pa but below 3 pa)
W3 = High probability (3 pa or above)
FIG. 5.8p
Example of a risk graph.
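The walk through the risk graph of Figure 5.8p can be made mechanical, which is useful when many hazardous events from a HAZOP have to be classified consistently. The following is an added worked example, not code from the handbook or from any supplier: it encodes the rows of the figure as a lookup table, maps a demand rate to the W class of the legend, and refuses to classify a combination the graph does not define instead of silently defaulting. The class and function names are assumptions made for this illustration.

```python
"""Risk-graph SIL determination (added example based on Figure 5.8p).

Outcomes follow the figure's legend: 'a' = no special safety requirement,
'b' = a single safety system is not sufficient, 1..4 = required SIL.
"""
from dataclasses import dataclass
from typing import Optional, Union

Outcome = Union[int, str]

# One entry per row of the graph: (C, F, P) -> outcomes for (W3, W2, W1).
# None marks a parameter the graph does not ask on that branch (F and P
# for C1 and C4, P for C3), exactly as the figure draws it.
RISK_GRAPH = {
    ("C1", None, None): ("a", "a", "a"),
    ("C2", "F1", "P1"): (1, "a", "a"),
    ("C2", "F1", "P2"): (1, 1, "a"),
    ("C2", "F2", "P1"): (2, 1, 1),
    ("C2", "F2", "P2"): (3, 2, 1),
    ("C3", "F1", None): (3, 3, 2),
    ("C3", "F2", None): (4, 3, 3),
    ("C4", None, None): ("b", "b", "b"),
}
W_COLUMN = {"W3": 0, "W2": 1, "W1": 2}


def classify_w(events_per_year: float) -> str:
    """Map the unprotected demand rate (per annum) to the legend's W class."""
    if events_per_year < 0.3:
        return "W1"
    if events_per_year < 3:
        return "W2"
    return "W3"


@dataclass
class HazardousEvent:
    consequence: str              # C1..C4
    exposure: Optional[str]       # F1/F2; not asked for C1 and C4
    escape: Optional[str]         # P1/P2; only asked for C2
    events_per_year: float        # demand rate without the SIS, selects W


def required_sil(ev: HazardousEvent) -> Outcome:
    """Walk the graph. Parameters the branch does not ask are dropped so
    that a filled-in but irrelevant F or P cannot change the result."""
    f = ev.exposure if ev.consequence in ("C2", "C3") else None
    p = ev.escape if ev.consequence == "C2" else None
    key = (ev.consequence, f, p)
    if key not in RISK_GRAPH:
        raise ValueError(f"risk graph defines no path for {key}")
    return RISK_GRAPH[key][W_COLUMN[classify_w(ev.events_per_year)]]


def needs_sis(outcome: Outcome) -> bool:
    """'a' needs no SIS; 1..4 need one; 'b' needs more than one layer."""
    return outcome != "a"


if __name__ == "__main__":
    # Constructed sample: one fatality possible, frequent exposure,
    # escape almost impossible, about one demand per year.
    ev = HazardousEvent("C2", "F2", "P2", events_per_year=1.0)
    print(classify_w(ev.events_per_year), required_sil(ev), needs_sis(required_sil(ev)))
```

Note that the W class is the demand rate without the safety function under study; crediting other protection layers before entering the graph is a separate step that this example deliberately does not hide.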
This extra work and extra expense should be estimated before
selecting the equipment.
Other organizations involved in safety system certification include INERIS, Factory Mutual, UL, BASEEFA, and
many other national organizations. INERIS is a French
research organization with close links with French Ministries
of the Environment and Industry. It has been involved in
safety system certification since its inception in 1992.
INERIS has little presence outside France, and its clients are
predominantly French manufacturers.
Factory Mutual, whose headquarters are in Norwood,
MA, has a long history in product testing and approval. The
company services its clients through offices around the globe
and interlaboratory agreements with testing facilities in North
America, Europe, Asia, Australia, and Latin America.
In late 1997, Factory Mutual and TUV Product Services
signed a collaborative agreement enabling safety system
manufacturers to obtain global certification of their products
at either laboratory. The two labs are also working together
to develop common interpretation and certification procedures for the IEC 61508 standard.
As the two organizations have name recognition in the
different regions of the world, safety certification from either
organization will be more widely accepted than before. The
two organizations will be able to work in parallel, when
required, to reduce the time required for the certification
process and time to market. Users with manufacturing facilities around the world will be able to install safety systems
in more countries without recertification.
It is essential that users consider only those systems that
have been certified by a TUV or a similar organization for
safety applications. To get full details of specific restrictions
a user should demand a copy of the safety certification report
and safety manual from its prospective supplier.
MAJOR TRENDS
As users are getting more knowledgeable about safety issues,
they are performing more thorough safety analysis to determine their needs for each application more accurately. They
are looking for reduction of risks by increasing their focus on
overall safety. They would like their safety systems to satisfy
their needs in a more cost-effective way by closer integration
of safety with control systems. They are looking for a flexible
architecture with more scalability; increased functionality
for modifying alarm limits based on process conditions; and
orderly shutdown procedures in case of emergency.
Overall Safety
The main cause of an SIS failure is not the failure of logic,
but the failure of field devices. There has been a significant
advance in the development of the architecture of logic solvers with voting circuits and advanced diagnostics. However,
they do not address over 90% of the causes for failure, which
are due to the failure of field devices. What is needed is an
integrated safety approach, where field devices are well integrated with the programmable safety systems.
Today, a protective system should be able to check the health
of the process inputs and outputs (I/O). In fact, it needs to incorporate the I/O components in its overall design. They include:
• Sensor validation
• Environmental condition monitoring, such as temperature and humidity, which can cause sensor degradation
• Impulse line blockage monitoring
Failures of electronic components are frequently due to
environmental conditions. Many electronic device failures
are due to elevated humidity and temperature, which need to
be monitored closely. Sensor calibration is also becoming an
integral part of a safety system. Use of protocols, such as
HART, Profibus, and Foundation Fieldbus, allows for remote
monitoring, diagnostics, and validation.
Intelligent valves and digital valve positioners can also contribute to improved safety. With valves, the most frequent safety
problem is that the valve does not respond to the trip demand,
often because of stem seizure or packing failure. Newer valve
designs, such as TUV-certified valves, have reduced the probability
of these failures and are available on the market. The SIS-oriented
valve design includes a feature for testing limited valve movement
(partial stroke testing) during normal operation.
Separation from the Control System
It has long been the practice of many users to keep controllers
used for safety completely independent of those used for
control and optimization. In the past, controllers used for
safety came from specialized manufacturers that added extensive diagnostics and received TUV safety certification. There
was no choice but to use completely different systems for
control and safety. Some users even mandated the purchase
of control and safety systems from different manufacturers.
There are many other reasons to place the safety and
control functions in different control systems. They include
• Independent failures: minimizing the risk of simultaneous failure of a control system along with the SIS
• Security: changes in a control system not causing any change or corruption in the associated SIS
• Special requirements for safety controllers: special features, like diagnostics, certified fail-safe response, special software error checking, protected data storage, and fault tolerance
The IEC 61508 safety standard is somewhat ambiguous
on this issue; it generally recommends separation but does
not mandate it. In contrast, the IEC 61513 standard for the
nuclear industries mandates physical separation of control
and safety functions.
Today, a number of users in the process industries find
logical reasons for using the same type of system for control and
safety functions, because that reduces the integration problems caused by different programming procedures, languages, installation requirements, and maintenance. There is
always a risk of communication problems when different software
languages and procedures are integrated. Users prefer to have the same service and
support requirements for both the control and safety functions.
Control system and SIS suppliers now offer similar systems for both functions, including their HMI, configuration
procedures, programming languages, and maintenance procedures. The systems may be physically separate but are similar
and are provided with a common operator interface. They may
communicate with each other, but are provided with adequate
protection from corruption of one by the other (Table 5.8q).
Flexibility and Scalability
The installed base of systems for critical control or safety
shutdown is largely either TMR (2oo3) or duplex (1oo2D)
systems. However, other architectures, such as quad (2oo4D),
hybrid 2oo4/1oo2, and other combinations, are also available.
Increasingly, suppliers are offering configuration flexibility,
where the user has the choice of combining two or more safety
controllers to reduce failure rate and increase availability.
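The voting architectures named above, and the sensor validation called for under Overall Safety, come down to a few lines of logic-solver behaviour that are worth seeing explicitly. The following is an added example, not code from the handbook or from any logic-solver supplier: a 1oo2D voter and a 2oo3 (TMR) voter that take each channel's diagnostic verdict into account, plus a deviation check that flags a drifting transmitter before it can corrupt the vote. The tags, the trip limit and the degradation policy (2oo3 degrades to 1oo2 on the first diagnosed fault and trips on the second) are assumptions for illustration; real systems make that policy a configuration choice.

```python
"""Logic-solver voting with channel diagnostics (added example).

Each input channel carries a process value and a diagnostic flag (from the
transmitter's self-test, HART status or line monitoring). The safe state is
TRIP (de-energize-to-trip), so every case the voter cannot decide trips.
"""
from dataclasses import dataclass
from statistics import median
from typing import List

TRIP = True    # output de-energized: final element goes to its safe position
RUN = False


@dataclass
class Channel:
    tag: str
    value: float
    healthy: bool          # diagnostic verdict for this channel


def has_demand(ch: Channel, trip_limit: float) -> bool:
    """High trip: the channel demands a trip at or above the limit."""
    return ch.value >= trip_limit


def vote_1oo2d(a: Channel, b: Channel, trip_limit: float) -> bool:
    """1oo2D: either healthy channel can trip; a channel diagnosed faulty is
    taken out of the vote; with no healthy channel left the solver fails safe."""
    healthy = [c for c in (a, b) if c.healthy]
    if not healthy:
        return TRIP
    return any(has_demand(c, trip_limit) for c in healthy)


def vote_2oo3(channels: List[Channel], trip_limit: float) -> bool:
    """2oo3 (TMR) majority vote over the healthy channels. One noisy or failed
    transmitter can neither trip the plant nor mask a genuine demand."""
    if len(channels) != 3:
        raise ValueError("2oo3 voter needs exactly three channels")
    healthy = [c for c in channels if c.healthy]
    demands = sum(has_demand(c, trip_limit) for c in healthy)
    if len(healthy) == 3:
        return demands >= 2
    if len(healthy) == 2:          # degraded: 1oo2 on the remaining pair
        return demands >= 1
    return TRIP                    # fewer than two trusted channels: fail safe


def deviation_check(channels: List[Channel], max_dev: float) -> List[str]:
    """Sensor validation: tags of healthy channels whose value deviates from
    the median of the healthy channels by more than max_dev. A flagged
    channel should be marked unhealthy and handed to maintenance."""
    healthy = [c for c in channels if c.healthy]
    if len(healthy) < 3:
        return []                  # no majority to compare against
    mid = median([c.value for c in healthy])
    return [c.tag for c in healthy if abs(c.value - mid) > max_dev]


if __name__ == "__main__":
    # Constructed sample: three pressure transmitters, one reading high.
    trio = [Channel("PT-101A", 9.0, True),
            Channel("PT-101B", 10.5, True),
            Channel("PT-101C", 8.9, True)]
    print("2oo3 trips:", vote_2oo3(trio, trip_limit=10.0))
    print("deviating:", deviation_check(trio, max_dev=1.0))
```

The point of the deviation check is that a vote only protects against failures it can see: a transmitter that drifts slowly stays "healthy" to its own self-test, and only comparison with its neighbours reveals it.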
TABLE 5.8q
Advantages of Closer Integration with Control Systems
• Common data mapping
• Increased security
• Similar engineering tools
• Significant reduction in integration efforts
Safety controllers are also becoming more scalable. They
are getting smaller, where one controller handles a limited
number of I/O, but a number of these controllers working
together can handle a much larger application. This is a saving
for the users, as they no longer have to purchase large and
expensive systems for their smaller applications.
TABLE 5.8s
Supplier Selection Criteria
• Knowledge & Experience in HAZOP Analysis
• Knowledge of Regulatory Requirements
• Industry Application Expertise
• Local Support
Function Blocks
A state-of-the-art safety system provides facilities for simple
sequencing (usually without looping) to allow orderly shutdown of a process on detection of a failure condition.
Although orderly shutdown in case of some alarm conditions
is often controlled by the basic control system, also incorporating it in the safety system reduces the risks.
Rich function blocks make it easier to configure functions, such as trip levels, deviation percentage, pretrip alarm,
and degradation behavior. They make it easier to bypass
specified alarms during start-up. Traditionally, cause-and-effect matrices (CEMs) are implemented in ladder logic. Rich
function blocks make their application easier and support
more intuitive presentation at run time.
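What a cause-and-effect matrix block actually does per scan is simple enough to write out, and writing it out makes the safety-relevant details visible: the pretrip band, the start-up bypass, and what happens when an input is missing. The following is an added example, not code from the handbook or from any vendor's function-block library. The tags, limits, the matrix contents and the rule that only causes explicitly marked bypassable may be overridden are assumptions for illustration.

```python
"""Cause-and-effect matrix (CEM) scan with pretrip alarms and start-up
bypass (added example).

A missing or None input is treated as a trip demand, not as "no excursion":
an unanswered transmitter must fail safe, not silent.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Mapping, Optional, Set


@dataclass
class Cause:
    tag: str
    trip_level: float
    pretrip_band: float          # pre-alarm this far (engineering units) before the trip level
    high_trip: bool = True       # True: trip at or above; False: trip at or below
    bypassable: bool = False     # may this cause be bypassed during start-up?

    def tripped(self, value: float) -> bool:
        return value >= self.trip_level if self.high_trip else value <= self.trip_level

    def pretrip(self, value: float) -> bool:
        if self.high_trip:
            return self.trip_level - self.pretrip_band <= value < self.trip_level
        return self.trip_level < value <= self.trip_level + self.pretrip_band


@dataclass
class Evaluation:
    effects: List[str]           # final elements to drive to their safe state
    tripped: List[str]           # causes that produced those effects
    pretrip: List[str]           # causes to pre-alarm
    bypassed_active: List[str]   # causes in excursion but suppressed by a bypass


@dataclass
class CEM:
    causes: Dict[str, Cause]
    matrix: Dict[str, Set[str]]  # cause tag -> effect tags (the X's in the matrix)
    bypassed: Set[str] = field(default_factory=set)

    def bypass(self, tag: str) -> None:
        """Start-up bypass; refused for causes not engineered as bypassable."""
        if not self.causes[tag].bypassable:
            raise PermissionError(f"{tag} is not a bypassable cause")
        self.bypassed.add(tag)

    def clear_bypass(self, tag: str) -> None:
        self.bypassed.discard(tag)

    def evaluate(self, values: Mapping[str, Optional[float]]) -> Evaluation:
        """One scan of the matrix over the current input values."""
        result = Evaluation([], [], [], [])
        effects: Set[str] = set()
        for tag, cause in self.causes.items():
            value = values.get(tag)
            excursion = value is None or cause.tripped(value)
            if excursion and tag in self.bypassed:
                result.bypassed_active.append(tag)   # still shown to the operator
            elif excursion:
                result.tripped.append(tag)
                effects |= self.matrix.get(tag, set())
            elif cause.pretrip(value):
                result.pretrip.append(tag)
        result.effects = sorted(effects)
        return result


def example_cem() -> CEM:
    """Constructed sample: a separator with pressure, level and temperature trips."""
    causes = {
        "PT-101": Cause("PT-101", trip_level=10.0, pretrip_band=0.5),
        "LT-201": Cause("LT-201", trip_level=20.0, pretrip_band=2.0,
                        high_trip=False, bypassable=True),
        "TT-301": Cause("TT-301", trip_level=150.0, pretrip_band=5.0),
    }
    matrix = {
        "PT-101": {"XV-101", "XV-102"},
        "LT-201": {"P-201"},
        "TT-301": {"XV-101"},
    }
    return CEM(causes, matrix)


if __name__ == "__main__":
    cem = example_cem()
    print(cem.evaluate({"PT-101": 9.6, "LT-201": 18.0, "TT-301": 151.0}))
```

Two choices here are deliberate. A bypassed cause in excursion is reported separately rather than dropped, so the operator display can show that a trip is being held off by a bypass. And bypassing is a method that checks an engineered attribute of the cause, which is the place to attach access control and logging in a real system.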
SAFETY SYSTEM SELECTION
Before embarking on the selection procedure, a user should
do a study to determine the safety protection requirements
for the application. The requirements should conform to
safety standards and meet the guidelines of regulatory agencies such as OSHA and EPA. Outside help from a third-party
consultant or an established safety system supplier is strongly
recommended if the necessary experience in safety study and
risk reduction procedures does not exist in-house.
Conventional control systems provide the first line of
defense against hazardous conditions. Incorporating alarming
and effective shutdown procedures in the basic control systems
can considerably reduce the risks. Further reduction or elimination of a number of risks is possible by adding protection
measures such as hardware interlocks, relief valves, and
improved operator access for manual intervention. In many
situations, containment systems such as dikes and firewalls
can considerably reduce the effects of an accident. Programmable safety systems are needed if these actions do not reduce
the risks to an acceptable level.
Once the need for a programmable safety system is established, the user should also take into account the requirements
of the certifying organization. These requirements specify the
allowable operating conditions and requirements for redundant
I/O and for initiating shutdowns in case of a processor failure.
TABLE 5.8r
System Selection Criteria
• TUV Certification and Restrictions
• Required Speed of Response
• Product Maturity and Installed Base
• Ease of Integration to Your Control System
Speed of response can also be an important consideration
for some applications, and it must be considered along with
the response time of all the field instruments (Table 5.8r).
In making a safety system evaluation, the user should
take into account its installed base and product maturity. The
ease of integration of the safety system with the control
system is also an important consideration. Providing the same
interface and the same configuration software for the two
systems is also recommended, because it will help reduce the
learning efforts of engineers and operators. The control system should be able to monitor the status of the safety system
and to monitor real-time data in order for the two systems to
work in a unified fashion.
When selecting suppliers, their knowledge and experience
in safety analysis and regulatory requirements should be considered, including experience in applying safety systems to similar applications. Finally, one should also consider the availability of local support and of spare parts (Table 5.8s).
ACKNOWLEDGMENTS
The help and suggestions made by Dr. William M. Goble of
Exida are acknowledged.
ACRONYMS
ALARP  As Low As Reasonably Practicable
ANSI   American National Standards Institute
CEM    Cause-and-Effect Matrix
DCS    Distributed Control System
DIN    Deutsches Institut für Normung (German Standards Institute)
EPA    Environmental Protection Agency
HAZOP  Hazard and Operability
IEC    International Electrotechnical Commission
I/O    Input/Output
ISA    Instrumentation, Systems, and Automation Society
OSHA   Occupational Safety and Health Administration
SIL    Safety Integrity Level
SIS    Safety Instrumented System
TMR    Triple Modular Redundant
TUV    Technischer Überwachungsverein (Technical Inspection Association)
References
1. IEC 61508 Parts 1 to 7, "International Standard, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems," Geneva, Switzerland: International Electrotechnical Commission, 2000.
2. IEC 61511 Parts 1, 2, and 3, "International Standard, Functional Safety: Safety Instrumented Systems for the Process Industry Sector," Geneva, Switzerland: International Electrotechnical Commission, 2003.
3. ANSI/ISA-84.00.01-2004, "Standard, Functional Safety: Safety Instrumented Systems for the Process Industry Sector," Research Triangle Park, NC: ISA, 2004.
Bibliography
ARC Report, Critical Control and Safety Shutdown System Strategies, Dedham, MA: ARC Advisory Group, 1999.
Goble, W. M., Control System Safety Evaluation and Reliability, Research Triangle Park, NC: ISA, 1998.
Gruhn, P. and Cheddie, H. L., Safety Shutdown Systems: Design, Analysis, and Justification, Research Triangle Park, NC: ISA, 1998.
Marszal, E. M. and Scharpf, E. W., Safety Integrity Level Selection, Research Triangle Park, NC: ISA, 2002.