The Whole-Loop Safety Difference

Article for the Emerson Norway Systems website

Introduction

This article describes the latest best practices for implementing functional safety and how Emerson products and services can contribute to them.

The origins of Functional Safety

The topic of “Functional Safety”, and the abbreviation “SIL” so often used in this context, lead us back to an accident that happened in 1976 in Seveso, Italy. In this incident the highly toxic substance dioxin was released as a result of an uncontrolled overheating reaction. The lack of a warning system or an automated cooling system resulted in a large-scale evacuation, over 200 people suffering serious health problems, large-scale animal slaughter and enormous clean-up costs. As a consequence of this accident it was decided to tighten legislation and ordinances aimed at protecting humans, living organisms and the environment.

What is a SIS?

A safety instrumented system (SIS) is defined as “a set of components, such as sensors, logic solvers and final control elements, arranged for the purpose of taking the process to a safe state when predetermined conditions are violated”. An SIS consists of every component of the loop, including the software required to make it function.

An SIS is different from a control system and must be kept separate from it. The safety community refers to a control system as a basic process control system, or BPCS. Safety systems have different and more stringent requirements for user management, change control and testing.

There are many ways to influence safety, and an important technical advance is functional safety. One of the most important methods today is risk reduction.

SEVESO and IEC61511

In the EU and Norway, most facilities where hazardous products are processed or stored have to comply with the SEVESO directive. One of the significant requirements placed on the user is the need to develop and maintain a safety report. The directive expects the plant operator to plan and manage all aspects of process safety, and it requires that a complete risk assessment is carried out to identify the extent of the threat to people and the environment.

The IEC has developed a range of standards to help with compliance with SEVESO. IEC 61511 is the standard specific to the process industry and the use of instrumented safety. The requirements of the SEVESO safety report link closely to the major activities defined in IEC 61511; therefore IEC 61511 is regarded as industry best practice and the way for chemical and O&G operators to meet the legal obligations of SEVESO.

It was major disasters in the oil & gas, chemical and petrochemical industries (e.g. Piper Alpha, Bhopal, Flixborough) and research like this that prompted several new standards for functional safety. IEC 61508 and IEC 61511 are the two that will be referred to in this document. In 2004 the S84 committee of ISA formally adopted the IEC 61511 standard for use in the USA. The two standards are identical except for a grandfather clause that the S84 committee added to the American version. The SIS user community has formally collected best practices in safety applications aligned with IEC 61508; the result of this work is the new IEC 61511 standard.

IEC 61511 is the Globally Accepted Standard for Best Practices. End users follow IEC 61511 (a subset of IEC 61508 for the process industries) to ensure that they have a plant that is designed to be tolerably safe throughout its lifetime. The standard addresses all elements of the life of the SIS. It is a performance-based standard: the end user is responsible for designing and implementing a safety system that ensures a tolerable level of risk throughout the lifetime of the plant.

The above diagram shows the relationship of the various activities for the complete life cycle of a safety system.

Emerson can provide pressure transmitters, valve controllers and logic solvers certified to meet IEC 61508; services according to IEC 61511; software that simplifies adherence to IEC 61511 for regulatory compliance; and IEC 61508-type failure data on non-certified devices to help process manufacturers build prior-use cases.

Lower cost through a risk-based versus a prescriptive approach

The other driving force behind the adoption of IEC 61511 is shown in the pie chart, based on Shell data. Shell compared the cost of implementing its normal prescriptive standards with the cost of using IEC 61511, and also assessed how much risk reduction had been achieved. In 49% of cases the risk had been reduced more than necessary, which meant the investment was higher than the risk assessment actually required. In 4% of the loops the risk was still insufficiently reduced.

IEC 61511 is designed to give the right level of safety at the lowest cost through the life of the plant.

SIL Ratings

A safety instrumented function (SIF) is a safety loop consisting of sensor(s) and final control element(s), with dedicated functionality that protects against a specific hazard (e.g. rupture of a reactor, by releasing pressure). The required risk reduction associated with the hazard determines the safety integrity level (SIL) of the SIF. SILs are rated from 1 to 4, with 4 being the most hazardous; it is very unusual to see a SIL 4 application in the process industry, and a programmable SIS cannot be used to implement a SIL 4 SIF. A high SIL rating means the application is very dangerous and requires a high degree of risk reduction; a failure would result in several deaths and widespread physical and environmental damage. A low SIL rating (e.g. SIL 1) is about a hundred times less risky, but failure might still result in injuries and physical loss.

SIL rating   Proportion of all safety loops   Cost to implement the SIF
1            Most                             Low to medium
2            Some                             Medium to high
3            Very few                         Very high
4            None in programmable systems     Highest

Risk reduction

IEC 61511 helps users to define how much risk reduction is needed for each safety function. If the risk associated with a process hazard is greater than the level of risk that the plant operator can tolerate, then the risk must be reduced. In the process hazard analysis phase of a safety project, the engineers decide how much risk reduction is needed for each hazard. Each SIF is assigned a required risk reduction factor (RRF). The required risk reduction is split into broad levels, known as safety integrity levels (SILs), as shown in the next table of risk reduction factors and safety integrity levels.

Safety Integrity Level (SIL)   Target Risk Reduction Factor (RRF)   Target Average Probability of Failure on Demand (PFDavg)
4                              > 10,000 to ≤ 100,000                < 1/10,000 to 1/100,000
3                              > 1,000 to ≤ 10,000                  < 1/1,000 to 1/10,000
2                              > 100 to ≤ 1,000                     < 1/100 to 1/1,000
1                              > 10 to ≤ 100                        < 1/10 to 1/100

IEC 61511 focuses on the concept of the safety lifecycle. This is the method used to break down the life of a hazardous facility and its safety system into identifiable phases and activities. This allows the standard to identify measures for each activity which together create a structured and auditable progression from process design to commissioning. Quantifying risk and deciding on safety targets should only be undertaken by the plant operator and its process designer, as they alone fully understand the process and how it will be managed. From then on the focus turns to the solutions. This is where the supplier should have the skills to provide the solution which is best for the end user. Combining these two distinct requirements in one party would compromise the commercial integrity of the specifier/supplier relationship and eliminate the important independence that these tasks require to ensure a safe outcome.

The Emerson solution is to offer our customers totally integrated services. Throughout a project, Emerson project management will ensure that all activities are coordinated. Emerson will cooperate with any nominated third party engaged to assist with the analysis phase.
The Emerson SIS Consultancy is an independent group dedicated to supporting SIS projects with IEC 61511-specific services. It comprises dedicated personnel with the appropriate competencies to ensure that the process needs result in a compliant and auditable solution.
The Emerson execution centre and SureService will build, install, commission and maintain the system under the same project management structure. The SIS consultants, project execution centres and SureService all implement the TÜV-certified, IEC 61511-compliant Safety Management System, its services and procedures.

The Whole-Loop Safety Difference

The Health and Safety Executive in the UK studied the root causes of failures in control and safety systems. They discovered that over 85% of all failures were engineering related. As a consequence, it is not sufficient just to have safety-certified hardware; the complete lifecycle of the safety system has to be considered.

Analyses of the Offshore Reliability Database (OREDA) show that 92% of hardware failures happen in the field and only 8% happen in the logic solver. Given that less than 15% of all failures are hardware-related, this means that no more than 15% × 8% = 1.2% of all failures are caused by the logic solver.

The industry is therefore asking for an SIS that can detect and react to problems in the field: an SIS that monitors the health of the process connection.

When thinking about your approach to process safety, it is important to consider the entire safety loop, since the majority of failures occur outside the logic solver. More than 90% of safety instrumented function failures occur in the sensors and final control elements. That is why DeltaV SIS, part of the Emerson smart SIS, takes a different approach to safety. It diagnoses the complete safety function, including the DeltaV SIS logic solver, the sensor and the final control element. This whole-loop, smart SIS approach uses digital intelligence and diagnostics to enable more automated safety loop testing and other features, to increase system availability while reducing lifecycle cost and easing regulatory compliance. For example, automated partial-stroke testing of safety valves can improve the safety level, reduce the number of risky personnel trips into the field and increase the mandatory proof-test interval. Most safety valves are normally open and have a tendency to stick or develop other malfunctions, as they remain inactive for the whole period between proof tests. With partial-stroke testing you get increased confidence that the valve will perform on demand; the diagnostic coverage reaches up to 70% of the valve assembly.
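As an added worked example (not code from the article or from DeltaV SIS), the following Python builds a whole-loop PFDavg budget for a 1oo1 SIF, classifies it against the SIL table above and shows what the 70% partial-stroke coverage just quoted does to the valve's contribution and to the affordable proof-test interval. It assumes the simplified IEC 61508-6 approximation PFDavg ≈ λDU × TI / 2 for a periodically tested channel, models a partial-stroke test (PST) as revealing a fraction of dangerous valve failures at the PST interval, and uses constructed failure rates rather than vendor data.

```python
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0
# Upper PFDavg bound (exclusive) of each SIL band, from the article's table.
SIL_MAX_PFD = ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1))

@dataclass
class Element:
    """One element of a 1oo1 safety loop (sensor, logic solver or final element)."""
    name: str
    lambda_du: float            # dangerous undetected failure rate per hour (constructed)
    proof_test_years: float     # full proof-test interval TI
    pst_coverage: float = 0.0   # fraction of lambda_du a partial-stroke test reveals
    pst_years: float = 0.0      # partial-stroke test interval

    def pfd_avg(self) -> float:
        # Assumed IEC 61508-6 style simplification PFDavg ~= lambda * T / 2, applied per test
        # regime: PST-revealed failures wait at most one PST interval, the rest a full TI.
        hidden = self.lambda_du * (1.0 - self.pst_coverage) * self.proof_test_years
        revealed = self.lambda_du * self.pst_coverage * self.pst_years
        return (hidden + revealed) * HOURS_PER_YEAR / 2.0

def sil_for_pfd(pfd: float) -> int:
    """Highest SIL whose PFDavg target the value meets; 0 if worse than SIL 1."""
    for sil, max_pfd in SIL_MAX_PFD:
        if pfd < max_pfd:
            return sil
    return 0

def loop_budget(elements):
    """Series loop: the SIF's PFDavg is the sum of its elements' PFDavg."""
    pfds = {e.name: e.pfd_avg() for e in elements}
    total = sum(pfds.values())
    return {"total": total, "sil": sil_for_pfd(total),
            "shares": {n: p / total for n, p in pfds.items()}}

def baseline():  # yearly proof test on every element, no partial-stroke testing
    return loop_budget([Element("sensor", 5e-7, 1.0), Element("logic_solver", 2e-8, 1.0),
                        Element("valve", 2e-6, 1.0)])

def with_pst(valve_proof_test_years: float):
    # Same loop; the valve is now partial-stroke tested monthly with the article's 70% coverage.
    return loop_budget([Element("sensor", 5e-7, 1.0), Element("logic_solver", 2e-8, 1.0),
                        Element("valve", 2e-6, valve_proof_test_years, 0.7, 1.0 / 12.0)])

if __name__ == "__main__":
    for label, b in (("baseline", baseline()), ("PST, TI 1 y", with_pst(1.0)), ("PST, TI 3 y", with_pst(3.0))):
        print(f"{label}: PFDavg {b['total']:.2e} -> SIL {b['sil']}, logic solver share {b['shares']['logic_solver']:.1%}")
```

With these sample rates the logic solver is under 1% of the loop's PFDavg, monthly PST lifts the loop from SIL 1 to SIL 2 at the same proof-test interval, and with PST the valve's proof-test interval can be stretched to three years while the loop's PFDavg stays below the baseline.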

Traditional safety system architecture

Regardless of the technology architecture (1oo2D, 2oo3 etc.), in the traditional architecture the safety system is still a bottleneck: if the safety PLC fails, all the safety loops fail. Techniques like dual and triple redundancy have been designed over the years to mitigate this risk. In this solution the processor capability has an important impact on the execution time of the safety loop; in the past one was forced to accept the response time and often had to invest in very fast-closing shutdown valves to get an acceptable reaction time. The response time of the safety PLC is often the result of the size of the application and the capacity of the central CPU. Emerson has designed a safety system which fundamentally addresses this bottleneck by building the safety system from multiple logic solvers, each containing its own safety instrumented functions (SIFs). Losing one logic solver has a limited effect on the complete safety system, as only one SIF will be non-functional.

The DeltaV SIS logic solver contains both the input and output channels and the CPUs performing the safety logic.

For larger applications it is possible to have multiple logic solvers performing the logic.

DeltaV SIS response time
Typically the terminal-to-terminal response time for a given SIF completely allocated to a single SLS (or set of SLSs) will be between 125 and 175 ms. In DeltaV SIS the scan rate of each SLS can be set individually, from 50 ms to 200 ms.
In DeltaV SIS the maximum response time is little influenced by the number of installed I/O or by the configuration, as each logic solver has its own processors.

SLS 1508 logic solver

Key capabilities of the DeltaV SIS logic solver include:

  • 16 channels per logic solver in any combination of HART AI, HART two-state output, DI, DO
  • Line fault detection on all I/O
  • Separate I/O processor and redundant CPUs
  • 50 ms execution
  • Downloadable on-line
  • Flexible architecture
  • -40 °C to 70 °C temperature rating
  • ISA G3 (corrosive environment rating)
  • NAMUR NE21 electromagnetic compatibility rating

Intuitive software and powerful function blocks

A full palette of TÜV-certified smart function blocks designed specifically for DeltaV SIS functions is available. Special blocks, for example for bypass management, reduce what used to be pages of ladder logic to engineer, test and commission into a simple drag-and-drop specification action.

Other capabilities making the DeltaV SIS software intuitive include:

  • Built-in sequence of events handler with automatic first-out trapping
  • Built-in bypass management
  • Built-in override management
  • Off-line simulation
  • Built-in state engine per EEMUA 191 standard
  • Operator interface

Integrated yet Separate

The DeltaV SIS system has a completely separate hardware and operating system design from the DeltaV controller and I/O subsystem and is not in any way dependent on the standard DeltaV controller to perform its safety function. The design provides the separation described in the IEC 61508 international safety standard.

The engineering and operating environments are fully integrated to reduce training cost, simplify installation, provide faster and more reliable communications, reduce overall project integration time, provide better handling of status information and improve fault handling. This integrated yet separate approach helps you achieve IEC 61511 safety compliance more easily.

All operations, engineering and maintenance functions for the two systems are integrated, including:
  • Alarm handling
  • Configuration
  • Time synchronization
  • User security
  • Device health monitoring

This integrated approach eliminates the time-consuming and difficult-to-maintain data mapping and handshaking logic that is common in existing solutions. Operators have one common operating environment for both the DeltaV BPCS and DeltaV SIS.

Flexible architecture for any size

Unlike other approaches, the modular logic solver hardware scales in steps of 16 configurable I/O. This means you automatically add memory and CPU with each step, so running out of memory or CPU power is no longer a concern. The architecture of DeltaV SIS allows you to concentrate on the design of each SIF: each logic solver is a container for a small number of SIFs, and there can be no unplanned interaction between them.

Given this scalability, DeltaV SIS is ideally suited for all safety applications up to SIL 3, from small burner management applications to large ESD and fire-and-gas applications.

Other important advantages of DeltaV SIS

  • Certification for use in SIL 1, 2, and 3 applications
  • Non-intrusive simulation for comprehensive testing of safety logic before deployment
  • Automated partial stroke test
  • Standard library meeting SIL 3, with advanced TÜV-approved function blocks
  • Flexible, modular architecture for any size
  • Easy regulatory compliance
  • Certified for use in marine and offshore applications
  • Advanced Cyber Security solution
  • Advanced access management
  • Installation in hazardous area Zone II is allowed
  • Easy integration with existing BPCS
  • Complete service offering: consultancy, implementation, after sales support

For more information please contact Knut Glenna (9284 5429) or Ben van Rijn (9047 5612).