Safety critical
20 Apr 2004
According to one of those well-honed sayings from control suppliers, if basic process control is about making product, then advanced process control is about making profit - by allowing the process to operate closer to its design limits and produce more product.
But there is a third aspect to control, without which many plants would not be allowed to operate at all: the safety instrumented system (SIS), also known as the emergency shutdown system (ESD). Irrespective of profit, these systems simply have to work when the process drifts into a dangerous state, or when the basic process control system fails to keep it out of one.
Not all plants require safety systems, but such systems nevertheless account for $1.75bn of a total global process automation market worth $22.2bn. And, at 7% compound annual growth over the next five years, demand is growing at nearly twice the rate of basic process control systems, according to figures from Emerson Process Management.
Not surprisingly, the main markets for safety systems are oil and gas (35%), refining (35%) and chemicals (17%). In terms of types of safety systems, again not surprisingly, emergency shutdown systems dominate demand at 65%, with burner management (18%) and fire and gas systems (12%) making up the bulk of other systems.

Apart from having to work when called upon, safety systems are characterised by an increasingly high level of regulation designed to offer the necessary guarantees that they will do just that. Both suppliers, through IEC 61508, and end-users, through IEC 61511, have to ensure that their safety systems comply with internationally recognised standards. As Duncan Schleiss, Emerson's v-p for marketing for process systems, puts it: 'There's no excuse not to do safety by the book anymore'.
Schleiss was speaking in London at the recent world launch of Emerson's PlantWeb Smart SIS architecture, which extends the PlantWeb concept - at the hub of the company's hugely successful DeltaV process automation system - into the safety arena. Not that Emerson is exactly new to the safety market. As Schleiss explains, many of the group's valves, transmitters and sensors are often to be found in safety systems engineered and supplied by specialist safety companies such as Triconex. And the traffic is not at all one way - Emerson has its own engineers certified to integrate Triconex systems into its own projects when required.
Part of Invensys Systems, Triconex has just been voted, for the seventh successive year, the best manufacturer of safety and emergency shutdown systems by the readers of Control magazine in the US. Winning the poll by a margin of three to one, Triconex has established its reputation on the success of the TMR (triple modular redundancy) architecture used in safety controllers such as its Tricon and Trident fault-tolerant control systems, in addition to the company's '20 years of safety system engineering expertise, and a relentless focus on solving user problems related to safety and critical control,' according to v-p and general manager Tracey Sledge.
With more than 5000 installations, Triconex claims to be the 'largest TMR supplier in the world', although Honeywell claims it is the leading provider of 'process safety management solutions', also with over 5000 systems installed worldwide. Exactly who has market leadership has been something of a bone of contention between the two companies for some time now, but Honeywell says it received over $70million in safety-related orders last year, with demand growing among its traditional base in the oil and gas, petrochemical, power, chemical and oil refining sectors.
Its latest safety offering is Safety Manager PKS, a safety system that can be embedded within Honeywell's Experion PKS (Process Knowledge System) process management system. According to ARC industry analyst Asish Ghosh, 'Safety Manager PKS is based on Honeywell's field-proven Quadruple Modular Redundant (QMR), diagnostic-based technology with a 2oo4d [two out of four with diagnostics] architecture. It provides tight integration with Experion PKS to offer a unified safety system architecture, allowing improvements in both safety and availability of a process.'
At the launch of Emerson's Smart SIS, Duncan Schleiss rhetorically asked which was more important, safety or availability? The answer, of course, is both. 'The key', he said, 'is to meet safety requirements while maintaining maximum plant availability.' Yes, the plant should shut down if danger threatens, but not unnecessarily because of some failing in the safety system itself. That thinking is what lies behind conventional safety system architectures, where the level of redundancy employed effectively dictates the number of options available to the system's control logic to ignore or act on an apparent failure within the system.
Of course, if the safety system's controller itself fails then all bets are off. This, says Emerson's systems business development manager Raoul Mercer, is why so much emphasis has been given to the logic solver part of a safety system. But, according to figures from OREDA (the offshore reliability database), only around 8% of SIS loop failures can be attributed to failings in logic solvers. More significant by far are failings in the final element of the safety loop, the shutdown valve itself (making up half of all SIS failures), and the transmitter (42% of failures).
A common question asked of safety vendors, says Mercer, is: 'what type of architecture is this? TMR (2oo3 - two out of three voter)? 1oo2?' Emerson can answer for its new Smart SIS logic solver that, technically, it's 2oo4d, with 1oo2d for the I/O. But that answer is in very small print in the publicity material because, argues Mercer, 'this [emphasis on the logic solver] is traditional thinking, and does not apply to the whole safety loop where all components must be continuously monitored and tested. We've been concentrating on the logic solver so much that we've been missing the game. We need to consider the whole system'. Which is what Emerson says it has done with the PlantWeb Smart SIS safety management architecture.
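The trade-off Schleiss and Mercer describe, between tripping on a genuine demand and staying on line through a fault in the safety system itself, is decided by the voting logic. The following is an added illustration, not Emerson, Triconex or Honeywell code: an M-out-of-N voter run once as a plain MooN vote and once as MooNd, where channels flagged by self-diagnostics are taken out of the vote. The degradation rule (drop the flagged channels, lower the threshold to whatever is still healthy, trip fail-safe when none are left) and the scenarios are simplified assumptions; real logic solvers use vendor-specific rules.

```python
# Added illustration (not Emerson, Triconex or Honeywell code): an M-out-of-N
# voter with and without diagnostic degradation. The degradation rule below is
# a simplified assumption; real logic solvers use vendor-specific rules.
from dataclasses import dataclass
from typing import Dict, Sequence, Tuple


@dataclass(frozen=True)
class Channel:
    """One redundant channel (sensor input or logic-solver leg)."""
    demand: bool          # the channel is asserting a trip demand
    healthy: bool = True  # self-diagnostics consider the channel trustworthy


def vote(channels: Sequence[Channel], m: int, diagnostics: bool = False) -> Tuple[bool, str]:
    """MooN vote. Returns (trip, explanation).

    Plain MooN: trip when at least m of the n channels demand it. Diagnostics
    are ignored, so a channel that fails high simply counts as a demand.

    MooNd (assumed rule): channels flagged unhealthy are excluded and the
    threshold is lowered to min(m, healthy channels) so the survivors can still
    trip on a real demand. With no healthy channel left the voter trips
    fail-safe, because it can no longer tell danger from its own fault.
    """
    n = len(channels)
    if not 1 <= m <= n:
        raise ValueError("m must be between 1 and n")
    if not diagnostics:
        demands = sum(c.demand for c in channels)
        return demands >= m, f"{m}oo{n}: {demands} of {n} channels demand a trip"

    voting = [c for c in channels if c.healthy]
    if not voting:
        return True, f"{m}oo{n}d: no healthy channel left, tripping fail-safe"
    m_eff = min(m, len(voting))
    demands = sum(c.demand for c in voting)
    return (
        demands >= m_eff,
        f"{m}oo{n}d degraded to {m_eff}oo{len(voting)}: {demands} healthy channels demand a trip",
    )


def compare_architectures() -> Dict[str, bool]:
    """Constructed scenarios: does the architecture act on, or ignore, an apparent failure?"""
    stuck_high = Channel(demand=True, healthy=False)  # transmitter failed high, caught by diagnostics
    quiet = Channel(demand=False)
    demanding = Channel(demand=True)
    return {
        # 1oo2 without diagnostics: one failed-high channel is enough to trip (spurious trip).
        "1oo2, one channel failed high": vote([stuck_high, quiet], m=1)[0],
        # 1oo2d: the same fault is flagged and excluded, the vote degrades to 1oo1, the plant stays up.
        "1oo2d, same fault flagged": vote([stuck_high, quiet], m=1, diagnostics=True)[0],
        # 1oo2d still trips when the surviving channel sees a genuine demand.
        "1oo2d, real demand on surviving channel": vote([stuck_high, demanding], m=1, diagnostics=True)[0],
        # 2oo3 (TMR): a single stuck channel is outvoted by the two healthy ones.
        "2oo3, one stuck channel": vote([stuck_high, quiet, quiet], m=2)[0],
        # 2oo4d: two channels out for repair, a real demand on the other two still trips.
        "2oo4d, two faulted, two demanding": vote([stuck_high, stuck_high, demanding, demanding], m=2, diagnostics=True)[0],
        # 2oo4d with every channel diagnosed faulty: fail-safe trip.
        "2oo4d, all faulted": vote([stuck_high] * 4, m=2, diagnostics=True)[0],
    }


if __name__ == "__main__":
    for scenario, trip in compare_architectures().items():
        print(f"{scenario:45s} -> {'TRIP' if trip else 'keep running'}")
```

The first two scenarios are the whole availability argument in miniature: the same failed-high transmitter shuts the plant down under plain 1oo2 and is quietly set aside under 1oo2d, while a genuine demand on the remaining channel still trips. Note that diagnostics help only for faults they can detect; an undetected failure still counts as a demand, which is why Mercer's point about monitoring every element of the loop matters.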
At its heart is a new DeltaV Safety System that integrates intelligent safety-certified sensors and final control elements with modular logic solvers to provide a safety control system that is completely separate from the basic process control system - one of the prime requirements of IEC 61508. According to Schleiss, 'the DeltaV Safety System provides easy implementation with a palette of certified function blocks... all of the advances [of DeltaV] like plug-and-play hardware, drag-and-drop and explorer-based software are available in the safety system software.'
Although the DeltaV SIS can communicate with a DeltaV basic process control system (BPCS) over the latter's Ethernet, this is essentially on a 'read-only' basis. The safety system's power supplies, communication channels (between components of the safety system), hardware and operating systems remain architecturally independent. That said, however, the integration of non-safety-critical functions between the SIS and BPCS in this way means that both systems can be configured and operated with common software. For non-DeltaV users, DeltaV SIS connects with other BPCSs via OPC.
Within the safety system itself, communication between the field sensors, logic solver and final control elements is via the HART protocol. Although the internationally recognised certifying body TÜV has just approved Foundation Fieldbus for safety system applications, Emerson has opted for HART because, as Duncan Schleiss says, 'safety people are not risk takers - they still prefer HART to fieldbus.'
The new logic solver module, the DeltaV SLS 1508, handles 16 I/O channels and has a redundant 24 V DC power supply. It also has an internal redundant CPU and line-fault detection on all I/O. By linking modules together over a redundant fibre-optic SISnet network, which can span several kilometres, the Smart SIS can be expanded from a simple 16 I/O application up to 16,000 I/O.
While each module is rated for use in all safety applications up to SIL 3 (Safety Integrity Level 3), more cautious customers can increase availability by opting for a dedicated redundancy link between logic solver pairs. Mercer emphasises that this level of redundancy is not needed for safety purposes, but merely for availability in the event of a failure of a single logic solver.
The DeltaV SLS 1508 is currently in the final stages of TÜV testing for certification to IEC 61508, with approval expected - 'with a very high degree of confidence' on Emerson's part, says Schleiss - before the end of the year.
No such reservations affect the other parts of the Smart SIS, however. At the sensor level, Emerson has already gained IEC 61508 certification for the Rosemount 3144P temperature and 3051S pressure transmitter ranges. Existing users of either can now simply convert them for use in a SIL 2 or SIL 3 safety system by replacing the standard electronics with a safety-certified assembly. Emerson says that by using the same transmitters in both basic process control and safety systems, users can eliminate duplicate training, maintenance and inventory costs.
Similarly, the final control element - the emergency shutdown valve itself, responsible for half of all failures in safety systems, remember - now benefits from the Fisher Fieldvue DVC6000 digital valve controller, TÜV-certified for SIL 1, 2 and 3.
In traditional safety systems, these valves - which can remain static for long periods and then fail to move when actually needed - have to be regularly tested. This can involve bypass valves, or annual plant shutdowns to enable full stroking of the valves. All these procedures are labour-intensive and costly. They increase the risk to the personnel involved and depend on manual actions to interrupt and then restore the safety loops to operation. What the DVC6000 offers, though, is the ability to automate testing and eliminate manual intervention.
Using Emerson's AMS Device Manager with ValveLink software, the Smart SIS system can schedule partial stroke testing of the valve, collecting diagnostic data for predictive maintenance and generating alerts if the valve does not perform as expected. Dubbed the SIL-PAC ESD solution, this end of the safety system comprises the DVC6000 and any of Emerson's Bettis, Hytork or El-O-Matic actuators, combined with any manufacturer's valve to provide an integrated and tested unit.
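What a scheduled partial stroke test actually has to decide is whether the valve moved when asked, moved quickly enough, did not move so far that the test itself disturbed the process, and came back to its normal position. The following is an added illustration, not ValveLink or AMS code: a small evaluator that takes the travel feedback a positioner would log during a test and turns it into a pass or a set of alerts. The test limits (a 10% stroke, 1% tolerance, 20% maximum travel, 5 s timeout) and the four feedback traces are constructed assumptions, and the tuple layout of the samples is this example's own convention.

```python
# Added illustration, not Emerson ValveLink/AMS code: evaluating one automated
# partial stroke test from a valve's travel feedback. Limits and sample traces
# are constructed assumptions for the example.
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Tuple


@dataclass(frozen=True)
class PstLimits:
    target_travel: float  # % of full stroke the test commands, e.g. 10 %
    tolerance: float      # acceptable shortfall at the target and residual on return, in % travel
    max_travel: float     # travel beyond which the test itself starts to disturb the process
    timeout_s: float      # the target must be reached within this many seconds


@dataclass(frozen=True)
class PstResult:
    passed: bool
    peak_travel: float
    time_to_target_s: Optional[float]
    alerts: Tuple[str, ...]


def evaluate_partial_stroke(samples: Sequence[Tuple[float, float]], limits: PstLimits) -> PstResult:
    """samples are (seconds since test start, % travel away from the normal position),
    as a positioner would log them. The valve passes only if it reached the commanded
    travel in time, did not overshoot past max_travel, and returned to its normal
    position; anything else produces an alert, as the article says the system does."""
    if not samples:
        return PstResult(False, 0.0, None, ("no feedback samples recorded",))
    alerts = []
    peak = max(travel for _, travel in samples)
    reach = limits.target_travel - limits.tolerance
    time_to_target = next((t for t, travel in samples if travel >= reach), None)
    if time_to_target is None:
        alerts.append(f"valve reached only {peak:.1f}% of the {limits.target_travel:.0f}% target (stuck or sluggish)")
    elif time_to_target > limits.timeout_s:
        alerts.append(f"target reached after {time_to_target:.1f}s, limit {limits.timeout_s:.1f}s (slow stroke)")
    if peak > limits.max_travel:
        alerts.append(f"overshoot to {peak:.1f}%, above the {limits.max_travel:.0f}% process limit")
    final = samples[-1][1]
    if final > limits.tolerance:
        alerts.append(f"valve stayed {final:.1f}% off its normal position after the test")
    return PstResult(not alerts, peak, time_to_target, tuple(alerts))


LIMITS = PstLimits(target_travel=10.0, tolerance=1.0, max_travel=20.0, timeout_s=5.0)

# Constructed feedback traces (seconds, % travel) for four hypothetical valves.
TRACES = {
    "healthy":   [(0.0, 0.0), (1.0, 3.0), (2.0, 7.0), (3.0, 10.2), (4.0, 10.1), (5.0, 6.0), (6.0, 2.0), (7.0, 0.3)],
    "stuck":     [(0.0, 0.0), (2.0, 0.2), (4.0, 0.4), (6.0, 0.5), (8.0, 0.5)],
    "overshoot": [(0.0, 0.0), (1.0, 8.0), (2.0, 25.0), (3.0, 10.0), (4.0, 1.0), (5.0, 0.0)],
    "slow":      [(0.0, 0.0), (2.0, 2.0), (4.0, 5.0), (6.0, 9.5), (8.0, 10.0), (10.0, 4.0), (12.0, 0.5)],
}


def run_scheduled_tests(traces=TRACES, limits=LIMITS) -> Dict[str, PstResult]:
    """Evaluate every trace, as a scheduler would after each test run."""
    return {name: evaluate_partial_stroke(trace, limits) for name, trace in traces.items()}


if __name__ == "__main__":
    for name, result in run_scheduled_tests().items():
        status = "PASS" if result.passed else "ALERT"
        print(f"{name:10s} {status:5s} peak {result.peak_travel:5.1f}%  {'; '.join(result.alerts)}")
```

The overshoot check is the one a practitioner should not leave out: a partial stroke test that is allowed to run to full travel has simply tripped the process, which is the outcome the test exists to avoid. Peak travel and time-to-target are also the values worth trending from run to run, since a slowly lengthening stroke time is the early warning that predictive maintenance is meant to catch.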
So, Emerson has clearly shifted its focus away from the logic solver and on to the safety system as a whole. As the company's Koen Leekens concluded the launch: 'we own the loop. Previously people would focus on just one element, but with AMS we can look at the whole thing.'