Edward R. Sederlund, process automation product manager at Dow Chemical Company, thinks the new specs promote better safety systems. “We believe the ISA and IEC specs ensure greater consistency in how safety systems are designed, installed, and maintained to ensure adequate fault tolerance and that common cause failures will not deactivate the protective features.” Furthermore, he says combining the technical specifications provided by ISA and IEC with the more consistent risk assessment methodology known as Layers of Protection Analysis (LOPA) provides a greater level of consistency in ensuring that more layers of protection are in place.
Janiec says the new IEC specs will, in general, help to make systems better, more reliable, easier to handle, and safer. But, he says, safety starts with using certified equipment and designing the loop so that it meets the required SIL. All the components in the loop must be considered in the SIL calculation. This includes sensors, actuators, pipes, and vessels. When the new IEC spec is used by everyone involved in the safety area, the result should be a better-designed safety loop.
Just how and where you combine or separate is open to discussion. Says Andrew Dennant, Delta V SIS development manager at Emerson Process Control, “61511 requires complete separation between the control system and the safety system. It talks about the functional separation of control and safety.” While you can have control and safety in the same chassis, they can’t be sharing sensors or shutdown valves, or writing into the safety system from the control system. According to Dennant, one of the things that 61508 did was to stop focusing on just the safety PLC or the logic solver, and start looking at the whole loop.
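The point made in the two paragraphs above, that the SIL is a property of the whole loop and not of the logic solver alone, is easy to see with numbers. The following is an added example written for this article, not code from any vendor or standard body: it sums the average probability of failure on demand (PFDavg) of each subsystem in a low-demand loop and reads the resulting SIL from the IEC 61508 low-demand band table. The failure rates, proof-test interval and subsystem names are constructed for illustration, and each subsystem is modelled with the simplified single-channel (1oo1) approximation λDU × TI / 2.

```python
"""Loop-level SIL check (added example, not from the article).

A low-demand safety instrumented function is only as good as the sum of its
parts: PFDavg(loop) = PFDavg(sensor) + PFDavg(logic solver) + PFDavg(final
element). The SIL is then read from the IEC 61508 low-demand bands.
"""
from dataclasses import dataclass
from typing import Dict, List

# IEC 61508 low-demand mode: SIL -> (lower PFDavg bound, upper PFDavg bound)
SIL_BANDS = {
    4: (1e-5, 1e-4),
    3: (1e-4, 1e-3),
    2: (1e-3, 1e-2),
    1: (1e-2, 1e-1),
}


@dataclass(frozen=True)
class Subsystem:
    name: str
    lambda_du: float      # undetected dangerous failure rate, failures per hour
    proof_test_h: float   # proof-test interval TI, in hours

    def pfd_avg(self) -> float:
        # Simplified 1oo1 approximation from IEC 61508-6: PFDavg ~= lambda_DU * TI / 2
        return self.lambda_du * self.proof_test_h / 2


def loop_pfd(subsystems: List[Subsystem]) -> float:
    """PFDavg of the complete loop is the sum over every subsystem in it."""
    return sum(s.pfd_avg() for s in subsystems)


def sil_for_pfd(pfd: float) -> int:
    """Map a PFDavg to its SIL band; 0 means no SIL credit at all."""
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= pfd < hi:
            return sil
    return 0


def example_loop() -> List[Subsystem]:
    """Constructed loop: one transmitter, one logic solver, one shutdown valve,
    all proof-tested once a year (8760 h). Rates are illustrative only."""
    return [
        Subsystem("pressure transmitter", lambda_du=2e-7, proof_test_h=8760),
        Subsystem("certified logic solver", lambda_du=1e-8, proof_test_h=8760),
        Subsystem("shutdown valve", lambda_du=5e-7, proof_test_h=8760),
    ]


def classify(subsystems: List[Subsystem]) -> Dict[str, object]:
    """Report each subsystem's own SIL band next to the SIL of the whole loop."""
    per_part = {s.name: sil_for_pfd(s.pfd_avg()) for s in subsystems}
    total = loop_pfd(subsystems)
    return {"per_subsystem_sil": per_part, "loop_pfd": total, "loop_sil": sil_for_pfd(total)}


if __name__ == "__main__":
    report = classify(example_loop())
    for name, sil in report["per_subsystem_sil"].items():
        print(f"{name:25s} on its own would sit in SIL {sil}")
    print(f"loop PFDavg = {report['loop_pfd']:.3e}  ->  loop SIL {report['loop_sil']}")
```

With these constructed numbers the logic solver by itself lands in the SIL 4 band, but the valve dominates the sum and the loop as a whole is only SIL 2, which is exactly why Janiec and Dennant insist on counting every component rather than just the safety PLC.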
New Specs Breed New Products
The interpretation of the new specs has created a corresponding wave of new safety products from control vendors. In most cases, users can take advantage of the integration that these products offer or use them separately as SIS and BPCS. Integration levels vary from supplier to supplier but include, at the minimum, read-only communications from SIS to BPCS; housing for two separate processors, each with its own power supply in the same rack or chassis with a communications path; and the same processor actually running SIS and BPCS.
In any of the three architectures, it’s extremely important that communications do not interfere with the SIS. With the new Yokogawa system, the safety system is independent hardware, but there is a common communications bus. This design has been very thoroughly scrutinized and tested to make sure that communications faults cannot affect the safety function.
Emerson took the approach of using a different OS in the SIS than in the standard Delta V products so there would be no common cause of failure. Another advantage to this approach is that engineers can upgrade the control system without having to touch the SIS.
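The least-coupled of the three integration levels listed above, read-only communications from SIS to BPCS, can be enforced at the interface itself. The following is an added example, not code from Yokogawa, Emerson or any other vendor mentioned in the article: a small gateway that answers read requests for safety-system status tags, refuses anything that would write into the safety side, and survives malformed traffic without touching safety state. The tag names, request format and audit record are constructed for illustration.

```python
"""Read-only SIS -> BPCS gateway (added example, not a vendor product).

The control side may read safety status; it can never write to, command or
otherwise alter the safety system through this path, and a bad request must
not disturb the safety side either.
"""
from typing import Any, Dict, List

# Constructed safety-system status tags that the BPCS is allowed to read.
SAFETY_TAGS: Dict[str, Any] = {
    "ESD_TRIP": False,      # emergency shutdown output state
    "PT101_HH": False,      # high-high pressure trip flag
    "SIS_HEALTH": "OK",     # overall diagnostic status
}


class ReadOnlyGateway:
    def __init__(self, sis_tags: Dict[str, Any]) -> None:
        self._sis = sis_tags          # the safety side; the gateway only reads it
        self.audit: List[str] = []    # rejected requests, for the BPCS event log

    def handle(self, request: Any) -> Dict[str, Any]:
        # Anything that is not a well-formed read of a known tag is rejected
        # before it can reach the safety side. No exception escapes to the caller.
        if not isinstance(request, dict):
            return self._reject("malformed request")
        op, tag = request.get("op"), request.get("tag")
        if op != "read":
            return self._reject(f"{op!r} not permitted on SIS from BPCS")
        if tag not in self._sis:
            return self._reject(f"unknown tag {tag!r}")
        return {"ok": True, "tag": tag, "value": self._sis[tag]}

    def _reject(self, reason: str) -> Dict[str, Any]:
        self.audit.append(reason)
        return {"ok": False, "error": reason}


def demo() -> Dict[str, Any]:
    """Exercise the gateway and prove the safety state is unchanged afterwards."""
    before = dict(SAFETY_TAGS)
    gw = ReadOnlyGateway(SAFETY_TAGS)
    results = {
        "read": gw.handle({"op": "read", "tag": "ESD_TRIP"}),
        "write": gw.handle({"op": "write", "tag": "ESD_TRIP", "value": True}),
        "reset": gw.handle({"op": "reset_trip"}),
        "garbage": gw.handle(b"\x00\xff\x13garbage"),
    }
    results["sis_state_unchanged"] = SAFETY_TAGS == before
    results["rejections"] = len(gw.audit)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:20s} {value}")
```

The invariant worth checking in any such interface is the last one in the demo: after a mix of legitimate reads, write attempts and junk, the safety-side tags are byte-for-byte what they were before, and every refused request leaves a record the control side can alarm on.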
Engineers may want to put both physical processors in the same box, but Siemens’ Fialkowski says that if they do this, they should be willing to settle for a slightly lower protection rating than could be achieved with two separate boxes. Siemens currently offers dedicated safety and control processors, but, according to Fialkowski, some customers are telling him that because the SIS has some control functionality, they are opting to buy one safety box to do control and another safety box to do safety. This helps them cut back on spare parts.
Different Design Philosophies
SISs and BPCSs have opposite design philosophies. Foxboro’s Steinitz notes that, by nature, the safety system is designed to shut the plant down, so if you’re looking for control to maximize uptime, putting that control in the safety system is not the right thing to do. The safety system will not maximize uptime; it will maximize safety. According to Steinitz, safety vendors get around uptime by using 2-out-of-3 redundancy, providing availability and diagnostics. But to fine-tune a DCS for safety would require tradeoffs and probably a redesign.
Indeed, according to Connie Chick, GE Fanuc Automation’s controller and I/O business manager, “We see many more specs for TÜV, SIL3 related to applications that do not involve loss of life or environmental hazards—they’re spec’d to maximize the uptime. If you go to a SIL3 system, the plant is going to have higher uptime.” In general, when specialized systems are applied for the purpose of safety, the goal is not always protecting the bottom line. Instead, the goal is achieving the delicate balance between safety and productivity. Chick warns, “How user representatives evaluate and rank hazards and risk can result in either an over-protected process that shuts down too ‘easily,’ or an under-protected process that shuts down too late, or perhaps never.”
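Steinitz's remark that 2-out-of-3 redundancy buys both availability and diagnostics, and Chick's warning about processes that trip too easily or too late, describe the same trade-off from two sides. The following added example, not code from the article or any vendor, makes that trade-off concrete by putting 1oo1, 1oo2, 2oo2 and 2oo3 voters through the two single-fault cases that matter: a channel failing safe with no demand present (does the plant trip spuriously?) and a channel failing dangerous while a real demand exists (is the trip missed?). The channel layout and fault cases are constructed for illustration.

```python
"""Voting architectures under a single channel fault (added example).

Each channel reports True when it sees a trip condition. Channel 0 is the
faulty one in every case; the remaining channels see the true process state.
"""
from typing import Callable, Dict, List, Tuple

Voter = Callable[[List[bool]], bool]


def vote_1oo1(ch: List[bool]) -> bool:
    return ch[0]                     # single channel: whatever it says goes


def vote_1oo2(ch: List[bool]) -> bool:
    return any(ch[:2])               # either channel can trip the plant


def vote_2oo2(ch: List[bool]) -> bool:
    return all(ch[:2])               # both channels must agree to trip


def vote_2oo3(ch: List[bool]) -> bool:
    return sum(ch) >= 2              # majority of three trips the plant


def discrepancy_2oo3(ch: List[bool]) -> bool:
    """Diagnostic available only with three channels: any disagreement means at
    least one channel is wrong, so maintenance can be flagged before a second
    fault accumulates, while the vote itself is still correct."""
    return 0 < sum(ch) < 3


ARCHITECTURES: Dict[str, Tuple[Voter, int]] = {
    "1oo1": (vote_1oo1, 1),
    "1oo2": (vote_1oo2, 2),
    "2oo2": (vote_2oo2, 2),
    "2oo3": (vote_2oo3, 3),
}


def single_fault_behaviour(voter: Voter, n_channels: int) -> Dict[str, bool]:
    # Case A: no demand; channel 0 has failed safe (stuck reporting a trip).
    # A trip here is a spurious trip: lost production with no hazard present.
    spurious = voter([True] + [False] * (n_channels - 1))
    # Case B: genuine demand; channel 0 has failed dangerous (stuck reporting normal).
    # No trip here is a missed trip: the hazard is not acted on.
    missed = not voter([False] + [True] * (n_channels - 1))
    return {"spurious_trip": spurious, "missed_trip": missed}


def compare_architectures() -> Dict[str, Dict[str, bool]]:
    return {name: single_fault_behaviour(v, n) for name, (v, n) in ARCHITECTURES.items()}


if __name__ == "__main__":
    for name, outcome in compare_architectures().items():
        print(f"{name}: spurious trip={outcome['spurious_trip']}, "
              f"missed trip={outcome['missed_trip']}")
    print("2oo3 discrepancy flagged:", discrepancy_2oo3([True, False, False]))
```

1oo2 is the "shuts down too easily" end of Chick's scale and 2oo2 the "too late" end; 2oo3 is the only arrangement in the table that tolerates one fault in either direction, and it is also the only one that can tell the operator a channel has gone wrong, which is the availability-plus-diagnostics combination Steinitz describes.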
Generation Gap?
According to Fialkowski, some younger engineers are deciding to combine control and safety into one box, but none of the old school will have it. These younger engineers are not entrenched in the architecture wars of years ago where everyone was told that SISs must be totally separate and disconnected from the BPCS. For many years, several controls vendors including Siemens, Yokogawa, Invensys, and Honeywell have seen the benefits of operationally-integrated systems and have been engineering systems that satisfy the integration needs of their customers, providing common engineering tools and HMIs.
ABB already has a safety-certified product that also allows the safety processor to do control tasks. Tanner says that while the regular applications do not interfere with the safety application, the system does use separate I/O. Users do have the ability to separate the tasks when necessary.
Dow Chemical Company, an ABB customer, found that its philosophy matched ABB’s, and ABB had the product. Says Edward R. Sederlund, “Dow has extensive experience implementing combined process automation and safety (logical separation) on the same physical hardware platform with our legacy MOD 5 proprietary system that is certified SIL 3. Dow worked with ABB to provide a similar capability that we practiced in our MOD 5 in ABB’s recent SIL 2 system. The ABB offering can be implemented as a separate safety system (physical separation) or a combined process automation and safety system (logical separation).”