Programmable electronic emergency shutdown and fire and gas protection systems are widely used to reduce the risks of adverse events to acceptable levels. The debate about the integrity of different system architectures has been going on since they were first introduced in the 1970s. The current debate about the trend towards integration of safety and control functionality is just as passionate!
Some will find cause to argue against integration on the grounds that the high levels of integrity demanded by the industry are not met. This author argues that, by using competent/certified development engineers responding to input from experienced/certified systems architects, the new embedded ‘safety and control’ architecture can outperform traditional safety technologies.
The existing international standard covering programmable electronic safety systems, IEC 61508, is based on the findings of an IEC committee that was set up in 1995 to produce a truly international standard. This aimed to bring together the DIN standards that were gaining recognition in Europe, the Middle East and Asia with the newly emerging SP84 standard in the USA.
The committee recognised the strength of both the existing DIN and ISA standards in addressing the integrity of the programmable system and set about bringing them together into a single consistent guidance document. The intention was to extend the scope to cover the complete safety loop, including field devices, and to cover the full life cycle from design concepts through operations and maintenance to final decommissioning. IEC 61508 was fully approved in 2000.
IEC 61508-2 recognises that safety and non-safety functions can reside in the same system where ‘functional separation’ is maintained. This requires it to be shown that the implementations of the safety and non-safety applications are independent, so that any action - including failure - of a non-safety-related function cannot cause a dangerous failure of any safety-related function.
Physical separation into different systems from different suppliers, with different communications and different programming tools is no longer necessary to meet the requirements of the standards. Modern development techniques, involving the use of high integrity computation and firewalls, allow higher levels of integrity to be designed in from the outset. If the new design builds on experience from the previous generations, high confidence levels can be achieved.
It is often asked whether new standards mean safer products. The answer has to be yes! The new standard, in addition to explicitly defining the way reliability figures are calculated and used, defines the procedures under which high integrity software is structured, coded, tested, compiled and processed.
The Functional Management procedure, under which a modern system is developed, provides greater confidence to the user that the design is sound and totally auditable. If anything does go wrong it can be traced and corrected with the upgrade being fully tested against the Safety Requirement specification and implemented according to the standard. The standard not only relates to the product being developed, but also defines the processes under which a safety system is designed in the first place plus the way the specific application is implemented.
A system developed from the outset under an IEC61508 certificate will attract greater confidence in the market than one that pre-dates the standard. The IEC61508 standard not only defines the integrity characteristics of the complete safety function (end-to-end) but also how it should be implemented, operated, maintained and tested for the full life cycle of the system (design through to decommissioning). A process application implemented on a fully compliant system by competent engineers using compliant procedures must ensure that risks are reduced to an absolute minimum.
Getting to this point has been a process of continual evolution. Programmable electronic systems have been used for control and monitoring applications in the process industries since the 1970s, and today the use of computers, PLCs and DCS to control and protect processes is commonplace. Initially the use of programmable systems was confined to control and monitoring functions, with solid-state, pneumatic, relay or hardwired electronic safety backup providing any protection considered necessary.
As confidence in the new programmable technology grew and the tremendous advantages and flexibility became clear, the industry started to look to the regulators for some guidance on how these systems should be used, especially for safety applications. The regulations have developed from that point to the present day, where IEC 61508 extends the standard requirements beyond programmable electronic systems to include the complete control loop.
High Integrity Control requires two main characteristics – High Availability (reliability) and Fail Safe Action (deterministic failure action). These two requirements remain core components of today’s systems.
Availability is a measure of reliability (how long will it run before going wrong) and can be assessed from the reliability data produced for each component part or from statistical field returns data. Fail Safe Action is a system’s ability to shut down in a pre-determined way under any failure mode. True Fail Safe action was quite easy to achieve in relays and even hardwired electronics, but became more difficult when software-based programmable systems were introduced.
Early dual redundant and TMR (triplicated) systems used duplication and triplication of the electronics to enhance both Availability (by adding fault tolerance) and Fail Safe action (by adding voting). The architectures were often presented as fulfilling both requirements, but unfortunately, they are mutually exclusive. A redundant system that uses its duplication for voting is not fault tolerant and likewise if duplication is used to achieve fault tolerance it does not enhance the determinism of the system.
Today’s generation of integrated safety and control system separates these two features by addressing Fail Safe action by rigorous ‘failure modes and effects’ analysis during the design stages and electronic design that is effectively covered 100% by diagnostics. Availability (which is inherently extremely high in modern electronics) can then be increased by conventional fault tolerant structures.
Process systems are now selected on their ability to ‘manage assets’ in an efficient and cost-effective way. Asset management and optimisation requires the collection, management, storage and analysis of vast amounts of data collected from sources such as direct measurement, fieldbus links to field devices plus vibration and health monitoring devices. This data is then used to make decisions that will improve process efficiency, reduce waste, minimise maintenance time, reduce carbon emissions or whatever happens to be the primary issue at the time.
On-line Functional Safety Management (FSM) tools, which form part of the Asset Management suite, analyse and document data collected on all aspects of every safety function. They can store the detail of the SIL (Safety Integrity Level) assessment for future review, recalculate test cycles against changing duty and update the database with new, more accurate reliability data as it becomes available. Analysis of actual trip and alarm data enables the safety requirements and performance of each safety function to be used in the optimisation calculation. More importantly, the results are recorded, documented and presented in a way that references the clauses of the standard, making compliance easy for the regulator to audit. An automated FSM system enables you to sleep easy.
Experience is important. It is essential that we continue to build on what we already know and develop better methods, understanding and higher levels of professionalism. We cannot afford mistakes that are costly in terms of human lives and property.
- Roger Prew is a safety consultant at ABB