It's not easy to keep process applications safe, but it can be even harder to find help to do it right. In this environment, safety depends on asking the right questions.
In his "SIL 201" presentation on July 17 at the 2007 North American Foxboro User Group conference in Boston, Luis Duran described many of the hidden costs and side effects associated with safety instrumented systems (SISs), especially those embedded with distributed control systems (DCSs). Duran is product marketing director for Triconex.
"Beware skipping over the fine print and use restrictions, or you could be in for some nasty and costly surprises come implementation, start-up and commissioning time." Invensys' Luis Duran warned users to carefully evaluate a safety instrumented system's TÜV report before signing on the dotted line.
Duran covered some of the safety-related questions that he says users need to ask their DCS vendors, even though many suppliers don't want to answer them. "When vendors hear these questions, many of them start to dance around a lot," he said.
How do you justify one month of lab-testing as good enough?
To put it another way, if a safety system is good enough for the lab, does that mean it's good enough for your plant? "The truth is, what most vendors call 'good enough' might not be," said Duran. "Ask your vendor exactly where, under what circumstances, and for how long they prove their systems 'in use.' For many vendors, 'proven' means they tested their system on a test bed, under ideal lab conditions, for one month at best, which are conditions that hardly represent the harsh real-automation-world."
What does the fine print in your TÜV report really say?
There are hidden costs in the fine print. "It's extremely important to assess your SIS's entire TÜV report before you sign the PO," adds Duran. "You may find your vendor's numerous 'use restrictions.'" For example, one TÜV statement says: "Both controllers of a redundant pair must succeed in de-energizing outputs when a demand to trip occurs. A dangerous undetected failure results in a system failure for the pair whether the dangerous undetected failure occurs in one or both controllers." Duran stated that the translation of this should be, "Beware skipping over the fine print and use restrictions, or you could be in for some nasty and costly surprises come implementation, start-up and commissioning time."
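To make the quoted use restriction concrete, the following added example (not code from the article or from any vendor) models a redundant pair in which both controllers must succeed in de-energizing outputs on a demand to trip, so a dangerous undetected (DU) failure in either controller fails the pair. It assumes independent channels with an identical, constructed per-controller probability of failure on demand (PFD), and contrasts the pair's PFD with an architecture where either controller alone can de-energize the outputs.

```python
from itertools import product

# Constructed model of the quoted TUV use restriction: a redundant pair of
# safety controllers where BOTH must succeed in de-energizing outputs on a
# demand to trip.  A DU failure in either controller therefore fails the pair.
# Added illustration with assumed, constructed numbers; not vendor code.

def pair_trips_on_demand(ctrl_a_ok: bool, ctrl_b_ok: bool) -> bool:
    """Under 'both must succeed', the pair de-energizes its outputs only
    if neither controller carries a dangerous undetected failure."""
    return ctrl_a_ok and ctrl_b_ok

def pair_pfd_both_must_succeed(pfd_single: float) -> float:
    """PFD of the pair when each controller fails dangerously with
    probability pfd_single, independently: the pair fails if either fails."""
    return 1.0 - (1.0 - pfd_single) ** 2

def pair_pfd_either_suffices(pfd_single: float) -> float:
    """Comparison architecture: either controller alone can de-energize the
    outputs, so both must fail dangerously for the pair to fail on demand."""
    return pfd_single ** 2

def failure_table():
    """Enumerate the four controller-health combinations and whether the
    pair trips under the 'both must succeed' restriction."""
    return [(a_ok, b_ok, pair_trips_on_demand(a_ok, b_ok))
            for a_ok, b_ok in product([True, False], repeat=2)]

if __name__ == "__main__":
    for a_ok, b_ok, trips in failure_table():
        print(f"A ok={a_ok!s:5} B ok={b_ok!s:5} -> pair trips: {trips}")
    p = 1e-3  # constructed per-controller PFD, not a vendor or TUV figure
    print(f"both-must-succeed pair PFD: {pair_pfd_both_must_succeed(p):.6f}")
    print(f"either-suffices pair PFD:   {pair_pfd_either_suffices(p):.6f}")
```

With the constructed PFD the "both must succeed" pair is roughly twice as likely to fail on demand as a single controller, which is the practical meaning of the fine print: the redundancy here protects availability of the outputs, not the ability to trip.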
Does your TÜV certification actually mean I'll hit my production targets?
Not necessarily. "TÜV certification alone doesn't mean you'll hit your uptime and productivity goals," said Duran. "TÜV certification says nothing about how vulnerable a system is to spurious trips. Those 'use restrictions' in your vendor's TÜV report tell you that their systems, even if certified to SIL 3, are built on an architecture that's prone to spurious trips. These trips can negatively impact your uptime and ability to hit production targets, while also increasing risk. All of which costs you."
What's the downside to an embedded one-size-fits-all solution?
Users must ask what costs truly come with a DCS-embedded system. The argument in favor of buying a combined safety and control system from one vendor is that it's a perfectly safe way to save money. However, using an embedded SIS/BPCS architecture actually eliminates a layer of protection because the SIS and DCS are literally embedded together, unprotected, and catching what the other has got, explained Duran. "This means your DCS-embedded system greatly increases your risk, which requires more documentation, more field instrument redundancy, more testing, and more maintenance. All of this adds up to more costs," he says.
Why do hackers love DCS-embedded safety systems so much?
The industry is greatly concerned about cyber attacks, and your SIS vendor should be too. In a recent column, Control magazine reported that: "Three cyber security researchers from the U.S. Department of Energy's Idaho National Laboratory demonstrated how to use a laptop via the Internet to hack through two firewalls, get onto a process control network, read the internals of a device controller, and turn on a pump, all without being detected." Duran adds this scenario is especially scary if a vendor's SIS system comes embedded with its DCS. "Without those independent layers of protection, DCS-embedded systems are easy prey for hackers," added Duran. "As a result, vendors such as Triconex have received the Achilles Certification, which is a series of cyber security tests performed by Wurldtech Securities Inc. This certification is a testament of the robustness and security of the Tricon Safety System platform against cyber attacks."
What makes your instrumentation so intelligent and supposedly safer?
What vendors call "intelligent" field instrumentation is really just added instrumentation, so users need to beware of the claim that "diagnostics on the instrumentation will make the plant safer," according to Duran. "Field-device diagnostics are great for asset management. However, they do not increase safety," he said. "Instrument diagnostics alone are insufficient to ensure safety. In order to write a diagnostic routine, you must anticipate the failure you're testing for. By definition then, diagnostics can't detect unforeseen modes of failure."
Do you allow risk-free, cost-free, easy-to-use online modifications?
This may seem like a minor question, but your vendor's answer can lead to major added costs. Many SIS vendors don't allow you to make system modifications online. Many require multiple manual steps that take longer and increase the opportunity for costly and risky human error. "If your vendor claims to provide online modifications, be sure to ask exactly how that process works," added Duran. "Is it risk-free and hassle-free? Does it affect the process control?"
If your system is so simple, why do I need to hire your maintenance guys?
If an SIS is so easy to use, why does its vendor want to lock you into an expensive maintenance contract? Is it because the vendor designed a proprietary system that no one but its specialized, expensive maintenance personnel can maintain? And, every time you call for maintenance, will there be an added cost to your installation?
You say you do critical applications; why should I believe you?
Users may prefer to rely on one single source for all applications, not just safety instrumented systems but critical control applications as well. DCS vendors relatively new to SIS don't have the experience to handle various critical applications, or a platform capable of performing them. "Don't trust your safety and critical control needs to people without the experience to back it up," concluded Duran. "Few companies have the experience to be a true single source for all your safety and critical control applications."