By Andrew Bond, Editor, Industrial Automation Insider
If you thought that the comparative silence over the past few months meant that the arguments over integrated Safety Instrumented Systems (SISs) were over and that the more traditional safety system vendors were now going to meekly roll up their tents and steal away, think again. The TMR (Triple Modular Redundant) faction, led by Invensys’ Triconex business unit, may have shifted its ground, but it certainly doesn’t believe it’s beaten yet; indeed, if anything, it reckons the tide is running back in its favor.
As evidence, Invensys points to the results of a survey it recently conducted among chemical, oil and gas process plant operating companies which found that 78% of more than 200 respondents adhered to strict separation of safety and control for safety protection, 74% indicated that Independent Protection Layers (IPLs) were critical, and 66% cited common cause as a major concern. On the other hand only 8% were not concerned about ‘diversity,’ while 89% said that their ability to choose best in class for both safety and control was important.
That formed the basis of the message delivered by Premier Consulting Services (PCS) senior safety consultant Robin McCrea-Steele when he briefed journalists in a series of one-on-one meetings as he passed through London last month on his way back from running a TÜV course in Mumbai, India.
PCS likes to present itself as an independent, no-axe-to-grind consultancy. How valid that claim is only its clients can judge. Suffice it to say, however, that it is part of Invensys and, while its consultants’ business cards make no mention of the Triconex connection, it shares the same 15345 Barranca Parkway address in Irvine, Calif., as the TMR system vendor.
McCrea-Steele’s original intention had been to give UK journalists a preview of the paper he had planned to present at the TÜV Symposium scheduled to take place in Galveston, Texas, in the last week of April. Unfortunately, however, TÜV seems to have lost its nerve when registrations had reached only 40% of the planned level by the end of March and, perhaps failing to appreciate that US events typically receive a significant proportion of their bookings in the last two weeks, pulled the plug on the event.
“TÜV cancelled way too early,” said McCrea-Steele, who was quick to reject our suggestion that the lack of bookings might reflect a lack of interest in process safety issues in the US. “Quite to the contrary, there is a growing awareness and interest in all these safety topics,” he said.
Meanwhile, what had he planned to say? When his colleague Bob Adamski led the first counter attack against Emerson’s, ABB’s and Yokogawa’s then recently announced integrated SIS offerings back in 2005, the principal focus of the attack had been their 1oo2D architecture, which Adamski described as “old technology” which would, he suggested, “lead to more nuisance trips.” This time around McCrea-Steele’s argument seems rather more subtle and takes as its prime target the use of a common hardware platform which, he suggests, undermines the whole concept of defense in depth and of independent protection layers (IPLs), which requires that control and safety should be completely independent. If the basic process control system (BPCS), as the DCS is referred to in safety jargon, and the SIS are based on the same hardware platform; were designed by the same team; and use the same HMI and configuration tools, then, he argues, it is impossible to prove that they cannot give rise to common cause or systematic failures. “The problem is in the interpretation of the standards,” said McCrea-Steele. “IEC 61511-1 clause 9.5 doesn’t say that you need physical separation or diversity but other clauses imply otherwise.”
So how come TÜV feels able to certify these systems? Because, says McCrea-Steele, “TÜV certifies the safety system in isolation. The certification will validate the non-interference of failures in the DCS affecting the SIS safety functions, but if the SIS is embedded in the control system, that eliminates the credit that could have been taken for a DCS as an IPL.”
To back up his argument, he cites the Spectral Design 2006 report for Suncor Energy on Emerson’s DeltaV SIS, specifically quoting the paragraphs which, while acknowledging that “the BPCS and SIS are in fact two separate systems, even when installed on the same carrier,” went on to argue that “In order to gain any credit for independence in this case, it must be demonstrated that a failure of a BPCS or common component will not induce a failure on any SIS component. This requirement could not adequately be satisfied at this time due to the fact that common communication traces are used by both the BPCS and SIS equipment, on the same carrier.”
What McCrea-Steele didn’t say to us and neglects to mention in his paper, however, is that Spectral Design nevertheless felt able to say at the end of its report that “The general conclusion of this study is that the DeltaV SIS is suitable for use in Suncor’s operating, maintenance and business environments,” while the Executive Summary states that “The DeltaV SIS will adequately perform safety functions and should be considered for use by Suncor.”
In essence what McCrea-Steele is arguing is that if you’re using a BPCS and an SIS based on the same hardware platform, as would be the case if ABB’s System 800xA HI, Yokogawa’s ProSafe RS and, arguably to a lesser extent, DeltaV SIS were used with their respective DCSs, then you shouldn’t be able to count them as separate IPLs, since the layer of protection analysis (LOPA) assumes that the role of the BPCS is to reduce the number of demands on the SIS. That in turn implies that an unsafe condition can only occur if the BPCS and the SIS fail separately and simultaneously.
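To show what that loss of IPL credit means in practice, here is a small LOPA calculation added as an illustration (it is not from the article, PCS or any vendor): it computes the PFD, and hence the SIL band, the SIS must achieve, once with a separate logic solver and once with the BPCS dropped from the credit because it shares the SIS platform. The initiating-event frequency, target frequency, PFD values and platform names are constructed assumptions; the cap on BPCS credit (risk reduction factor no more than 10, i.e. PFD no lower than 0.1) follows the usual reading of IEC 61511 and is treated here as an assumption.

```python
from dataclasses import dataclass

@dataclass
class IPL:
    name: str
    pfd: float       # probability of failure on demand claimed for the layer
    platform: str    # hardware platform the layer is implemented on

# Assumption of this example: BPCS credit is capped at RRF 10 (PFD >= 0.1),
# the usual reading of IEC 61511 for a BPCS used as a protection layer.
BPCS_MAX_CREDIT_PFD = 0.1

# Constructed scenario: one initiating event and two candidate non-SIS IPLs.
INITIATING_FREQ = 0.5     # demands per year (e.g. loss of cooling)
TARGET_FREQ = 1e-5        # tolerable frequency of the hazardous event, per year
LAYERS = [
    IPL("BPCS", 0.05, "DCS"),                  # claimed PFD is below the cap
    IPL("relief valve", 0.01, "mechanical"),
]

def creditable(layers, sis_platform):
    """Drop layers sharing the SIS platform (no independence, no credit); clamp BPCS."""
    out = []
    for layer in layers:
        if layer.platform == sis_platform:
            continue          # common-cause exposure: the article's core objection
        pfd = max(layer.pfd, BPCS_MAX_CREDIT_PFD) if layer.name == "BPCS" else layer.pfd
        out.append(IPL(layer.name, pfd, layer.platform))
    return out

def required_sis_pfd(layers):
    """PFD the SIS needs so that IEF x product(IPL PFDs) x PFD_SIS <= target."""
    product = 1.0
    for layer in layers:
        product *= layer.pfd
    return TARGET_FREQ / (INITIATING_FREQ * product)

def sil_for_pfd(pfd):
    """Low-demand SIL band (IEC 61508) the required PFD falls into; 0 = no SIL."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0

def assess(sis_platform):
    """Return (credited layer names, required SIS PFD, required SIL)."""
    layers = creditable(LAYERS, sis_platform)
    pfd = required_sis_pfd(layers)
    return [layer.name for layer in layers], pfd, sil_for_pfd(pfd)

if __name__ == "__main__":
    print(assess("TMR"), assess("DCS"))   # separate logic solver vs shared DCS platform
```

With a separate logic solver the BPCS (clamped to PFD 0.1) and the relief valve both count, and the SIS needs PFD 0.02 (SIL 1); with the SIS on the DCS platform the BPCS credit disappears and the same target demands PFD 0.002 (SIL 2).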