When, back in January 2005, ABB launched its new integrated SIS (Safety Instrumented System), much fun was had at the expense of Emerson, whose DeltaV SIS, which had been launched almost exactly a year before, was still awaiting the TÜV certificate, which eventually arrived the following August. At the same time, Yokogawa’s new ProSafe RS, also launched that month, was equally certificateless, although its certificate did arrive in a matter of weeks. In contrast, ABB principal safety consultant Roger Prew was able to say at the U.K. launch of System 800xA HI (for High Integrity) in February 2005 that “It’s certified, and we can supply it today” (INSIDER, March 2005). And if some of those present had the temerity to point out that the certification was only to SIL 2, whereas both Emerson and Yokogawa were going straight for SIL 3, then they were assured that that would be little more than a formality. “It’s the next thing on the list,” said Prew, which made it all the more surprising that, by the time of ABB’s Automation World user conference in Florida in March 2007, the SIL 3 version was still not available.
Had the project been abandoned? Not at all, Mark Taft, Process Automation Global Control System group vice president, assured us in March 2007. A team in Sweden was at that very moment putting the final touches to the SIL 3 solution and, while he didn’t actually say so, we were given the very strong impression that an announcement would be made within 12 months.
Perhaps it’s not surprising, therefore, that four years after the original launch, the long-awaited SIL 3 version has arrived, heralded not with fanfares and separate North American and European press launches at prestige locations, but by a two-page press release announcing that “its controller received its SIL 3 certification from TÜV in November 2008,” which dropped silently into the mail box in late January 2009.
Common Hardware Platform
Like Yokogawa’s solution, but in contrast to Emerson’s, System 800xA HI is based on the same AC800M controller used in the System 800xA DCS or, in safety jargon, Basic Process Control System (BPCS). However, unlike the Yokogawa solution, it incorporates a second “diverse co-processor,” which was the key to its achieving the original SIL 2 rating. At the time of the original launch back in 2005, ABB was claiming that, because TÜV had been involved from the outset, not just in the development of the SIS, but of the BPCS as well, they were confident of an easy and rapid progression from SIL 2 to SIL 3. That confidence had been further enhanced by the fact that, because the original I/O used in System 800xA had not enjoyed that input from TÜV, new I/O had been developed from scratch for the SIS, and this was already rated SIL 3 and certified as such by TÜV at the time of the original launch.
The use of a common hardware platform and the implied possibility of common-mode failures between the SIS and the BPCS was one of the major criticisms from the more traditional end of the safety community of both the ABB and Yokogawa offerings. If anything even more controversial, however, was implementing common engineering tools, HMI, historian, audit trail, and asset and device management applications across both the SIS and BPCS, all aimed at reducing both operational and engineering overhead while maintaining overall integrity and availability.
Much of the thinking underlying both the original development of System 800xA and of the SIS was based on Dow Chemical’s experience with its own proprietary systems prior to its signing a 10-year supply agreement with ABB in 2001. Dow had pioneered the concept of combining process control and safety on a common platform and made it a key plank of the agreement with ABB, the most fundamental requirement of which had been that the control system should never be the cause of a plant shutdown. System 800xA HI continued that approach, providing the flexibility to host safety and control applications in the same controller while maintaining logical separation between the two.
ABB is claiming the highest hardware commonality on the market for the latest release, although it might have to argue the point with Yokogawa. New to the latest version are the use of embedded hardware and software diversity in the logic solver and I/O subsystem and diverse execution paths to detect any potential random failures. Additional SIL 3 libraries are provided for shut-down applications, as are combined non-SIL, SIL 2 and SIL 3 applications offering increased safety protection and process efficiency. ABB plans to offer a variety of possible configurations: in addition to embedded safety and control, these include stand-alone operation and functional integration with physical separation of the control and safety functions. “This next generation safety system offering is a continuation of our ongoing commitment to help our customers operate more safely and efficiently, to protect their vital assets while they improve their productivity and maximize uptime,” Kristian Olsson, who manages ABB’s Safety Centre of Excellence, was quoted as saying. “The latest version … provides the highest level of safety and process integration available in the marketplace; it harnesses the benefits of the 800xA environment to ensure significant savings across all stages of the system lifecycle. It complements ABB’s robust portfolio of leading-edge safety solutions, products and services.”
Shifting the Balance
Despite its low-key announcement, this latest version of System 800xA HI significantly shifts the balance in the ongoing debate between advocates and opponents of the new generation of integrated safety systems. While the ABB solution remained restricted to SIL 2, it could be safely dismissed as offering no threat to traditional TMR (Triple Modular Redundant) offerings, a view which was further encouraged by ABB having its own TMR solution. Now, however, with Emerson, Yokogawa and ABB all offering a fully integrated solution up to SIL 3, there are signs of the strict-separation advocates beginning to waver.
Honeywell, already firmly on the integrated side of the argument with the latest release of Safety Manager, is understood to be contemplating the eventual development of a common platform solution based on Experion’s C300 controller, while Rockwell recently revealed plans for closer integration of ICS Triplex systems, including the recently announced AADvance, into PlantPAx. Such developments can only increase the pressure on Invensys Process Systems (IPS) to resolve the dilemma posed by Triconex. Having staunchly held the separated flag aloft and robustly attacked successive integrated offerings ever since Emerson’s original announcement of DeltaV SIS five years ago, IPS could soon find itself the only mainstream DCS vendor without a fully integrated SIS offering.
So why did it take quite so long for ABB to introduce the SIL 3 version of System 800xA HI? Not, so Roger Prew told INSIDER in a telephone conversation shortly after the announcement, because of any particular difficulties with the development. On the contrary, “It wasn’t an enormous development challenge. In fact, it was relatively simple, but ABB has been extraordinarily cautious, and that has been rather frustrating for some of us.” Of course, there were other priorities, not least of which was System 800xA version 5. SIL 3 has been released as part of a service pack for version 5 and will be included in the next major release of 800xA, allowing Prew to claim, somewhat tongue in cheek, that “It really was the next thing on the list!”
Is It Worth It?
Underlying the caution, he says, has been the ongoing debate about whether there should be any SIL 3 loops at all in the process industries, with the Scandinavian and European elements within ABB being particularly sceptical. In the event, however, the fact that the competition was offering SIL 3 solutions and that users were installing them proved compelling. At the same time, the company had wanted to make sure that it had got the SIL 2 product absolutely right.
That reassurance came from, at the last count, some 600 systems installed, a figure which is probably now approaching 1000 and, by way of comparison, is an order of magnitude greater than the number of conventional ABB safety systems installed over the same period. “That’s because it’s brought in the general automation world, whereas the previous generation systems are largely confined to oil & gas,” says Prew.
As had been predicted back in 2005, the changes required to achieve SIL 3 were remarkably few, Prew adds. “The processor is exactly the same,” although minor changes to the safety manager module were required. Nevertheless, “the numbers are extremely good,” he says, quoting an MTBF of some 300 years and overall performance which more than meets the requirements of SIL 3 and, for some criteria, extends to SIL 4.
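A headline MTBF does not by itself fix a SIL: under IEC 61508 the low-demand-mode band is set by the average probability of failure on demand (PFDavg), which depends on the dangerous-undetected share of the failure rate and on how often the loop is proof-tested. The following is an added illustration, not INSIDER’s, ABB’s or TÜV’s data or code: the 300-year MTBF is the figure quoted above, while the dangerous-undetected fraction and the proof-test interval are constructed assumptions, and the 1oo1 formula is the usual simplified approximation from IEC 61508-6.

```python
"""Map a claimed MTBF to an IEC 61508 SIL band (low-demand mode).

Added illustration. The 300-year MTBF comes from the article; the
dangerous-undetected fraction and proof-test interval below are
constructed assumptions, not vendor or certifier data.
"""

HOURS_PER_YEAR = 8760.0

# IEC 61508-1 Table 2: PFDavg bands for low-demand-mode safety functions,
# as (SIL, lower bound inclusive, upper bound exclusive).
SIL_BANDS = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]


def failure_rate_per_hour(mtbf_years):
    """Convert an MTBF in years to a constant failure rate (per hour)."""
    if mtbf_years <= 0:
        raise ValueError("MTBF must be positive")
    return 1.0 / (mtbf_years * HOURS_PER_YEAR)


def pfd_avg_1oo1(lambda_total, du_fraction, proof_test_years):
    """Simplified 1oo1 PFDavg = lambda_DU * T_proof / 2.

    lambda_total: total failure rate per hour.
    du_fraction:  share of failures that are dangerous and undetected
                  (an assumption here; in practice it comes from FMEDA).
    proof_test_years: proof-test interval T_proof in years.
    """
    if not 0.0 <= du_fraction <= 1.0:
        raise ValueError("du_fraction must be within [0, 1]")
    lambda_du = lambda_total * du_fraction
    t_hours = proof_test_years * HOURS_PER_YEAR
    return lambda_du * t_hours / 2.0


def sil_band(pfd_avg):
    """Return the SIL whose PFDavg band contains pfd_avg, or 0 if none."""
    for sil, low, high in SIL_BANDS:
        if low <= pfd_avg < high:
            return sil
    return 0


def sil_for_mtbf(mtbf_years, du_fraction, proof_test_years):
    """Convenience wrapper: (PFDavg, SIL) for one set of assumptions."""
    pfd = pfd_avg_1oo1(failure_rate_per_hour(mtbf_years), du_fraction,
                       proof_test_years)
    return pfd, sil_band(pfd)


if __name__ == "__main__":
    # Same 300-year MTBF, three assumed dangerous-undetected fractions,
    # annual proof test: the SIL band moves from 2 through 3 to 4.
    for du in (1.0, 0.1, 0.01):
        pfd, sil = sil_for_mtbf(300, du, 1.0)
        print(f"DU fraction {du:>5}: PFDavg = {pfd:.2e} -> SIL {sil}")
```

With an annual proof test, the same 300-year MTBF lands in SIL 2 if every failure is assumed dangerous and undetected, in SIL 3 if a tenth are, and in SIL 4 if a hundredth are, which is why a reviewer asks for the FMEDA split and the proof-test interval behind a figure rather than the MTBF alone.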
As to the broader argument over the wisdom of integration and commonality, Prew believes that the key lies in the procedures. “If you comply fully with 61508, then the problems over commonality go away.” Moreover, he adds, “the common mode argument is a red herring. The last generation of TMR systems uses three common processors and, in any case, was designed before 61508, so has difficulty in complying with it. Even the nuclear industry is now moving towards acceptance of 61508.” All of which leads him to conclude that the drift is definitely towards greater integration, “and we’re seeing value from that. Maintenance and life-cycle costs are much lower.”