SAFE CONTROL of critical systems
15 Jan 2000
The UK COMAH (Control of Major Accident Hazards) Regulations will require all on-shore hazardous plant operators to produce a 'safety report' for their operation starting on 3 February 1999 (see News Analysis, page 12). Based upon the European Seveso II directive, COMAH will more clearly reflect the recent emphasis on safety management systems for assuring that high safety integrity is achieved on hazardous plants. A two-year grace period will allow progressive implementation of this regulation, but the pressure will be on from the beginning of next year.
But just what is a safety report? In very broad terms, it is the documented justification that all measures have been taken to reduce risk to an absolute minimum. This is not simply a paper exercise. It will require significant effort, and in some cases, significant changes to be implemented.
Whilst the existing CIMAH (Control of Industrial Major Accident Hazards) Regulations place a duty upon the site to take all necessary steps to ensure that accidents do not occur, this will be the first time that all potentially hazardous sites will be audited. The process of auditing a plant and its control systems in this way is familiar to engineers and plant operators offshore, since this technique has been mandatory for offshore installations for many years. However, for land-based installations it represents a marked change.
The HSE (Health and Safety Executive) has recognised the significant extra work involved and is already recruiting and training additional inspectors. The fact that the Directive applies equally to the protection of people and the environment means there will have to be co-ordination between the HSE, the Environment Agency and the Scottish Environment Protection Agency.
Control systems safety will play a large part in this process, since most hazardous plant is automated to some degree. This raises the issue of how to assess control systems safety performance, and for this the HSE is likely to turn to IEC61508, Functional Safety of Programmable Electronic Systems, which is still in draft.
The latest draft of IEC61508 classifies systems according to a scale of Safety Integrity Levels (SILs) ranging from 0 to 4, in which level 0 indicates low hazard and level 4 is applied to the most hazardous processes. For a rating of SIL 1 or above, some form of independent safety control system will be required in addition to the regular real-time process control system to comply with the provisions of COMAH. As a first approximation, any significant risk to people or the environment will trigger a rating of SIL 1 or higher. I think it is safe to say that we are going to see a lot more independent safety systems on-shore than at present, and that means extra costs. A way to reduce those costs would be very welcome - the following is one approach.
Consider traditional safety systems architecture: it is totally different from regular control systems. For many years hard-wired relays were used for their predictable fault modes. However, although inherently fail-safe, the fault-tolerance of relay-based systems can leave a lot to be desired, generating many false trips with the possibility of attendant costly plant downtime and spoiled batches of product.
The reliability of regular programmable electronic systems such as PLCs and DCS is vastly better, but their predictability is not so good, resulting in the paradox that, although far fewer failures occur, the number of 'fail dangerous' conditions is potentially higher. This has led to the design of specialist safety architectures for programmable electronic safety systems, most notably Triple Modular Redundancy (TMR). There is no doubt that TMR is relatively safe, but it is an architecture that is far too costly and cumbersome for regular control applications. Specialist architecture has led to specialist suppliers, and that has led inexorably to a situation where integrating a regular control system with a safety system involves custom communications protocols between devices from different suppliers.
There are extremely few systems available which use the same native communications. Normally, communication is accomplished using a recognised industrial protocol, typically Modbus. Data transfer rates are normally limited to 9600 bits per second on an RS232C or RS422/485 physical layer, meaning that it is often not deterministic enough for real time control uses. Where there is a requirement to build a custom communications protocol this adds to the complexity, and can lead to further elements of human error being introduced into the system. It is also then difficult to guarantee that the data paths are secure, and that critical data will not be corrupted in any way.
This is the situation the systems integrator, and eventually the end user, faces when trying to integrate a control system from one vendor and a safety system from another. Costs are incurred in understanding the communications protocols of both systems, creating drivers, specific message code and almost always extra hardware to cope with two systems that use totally different communications technologies. The terms 'bridge' or 'gateway' are often used here. For 'bridge' read money.
Moore Process Automation Solutions, however, has gone about things in a different way to most. In short, Moore's Quadlog - 'the safety PLC' - is based on addition of high diagnostics and fail-safe capability to the company's APACS+ process automation system. In an integrated system, control and safety functions are separated out into APACS+ nodes and Quadlog controller nodes respectively.
Of course, it is unsafe for the safety system to use information derived from the regular control system for safety purposes, but the reverse is perfectly acceptable provided that suitable data security is in place. In Quadlog this is achieved by means of communications 'firewalls' where specific areas of data can be fully protected against being overwritten. Information monitored for safety purposes can be shared cost-effectively with the control system for real-time control purposes. Similarly, configuration tools are shared. No great capital cost saving, but speed and efficiency of configuration and documentation is greatly improved by employing one tool instead of two. Quadlog controllers run the exact code that was implemented graphically by the user. This code is not compiled in any way, giving the assurance that the latest configuration is always present in the controller (including all code comments), something which will be key to proving software integrity under the new COMAH directive.
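The one-way sharing rule above (control may read safety data but never write it; safety logic must never consume control-derived data) can be modelled as an ownership check on a shared real-time database. This is an added illustration, not Quadlog or APACS+ code; the node names, tag names and values are constructed for the example.

```python
"""Model of the one-way data-sharing rule described above.

Constructed illustration, not Quadlog or APACS+ code: node names, tag
names and values are made up for the example.
"""
from dataclasses import dataclass, field

SAFETY, CONTROL = "safety", "control"

@dataclass
class SharedDatabase:
    """One real-time database shared by a safety node and a control node.
    Any node may read any tag, but only the owning node may write it, so
    control-side logic can never overwrite a safety value (the 'firewall')."""
    owner: dict                                   # tag -> owning node
    values: dict = field(default_factory=dict)
    rejected: list = field(default_factory=list)  # audit trail of blocked writes

    def write(self, node, tag, value):
        if self.owner.get(tag) != node:
            self.rejected.append((node, tag))
            return False
        self.values[tag] = value
        return True

    def read(self, tag):
        return self.values.get(tag)

def safety_inputs_ok(db, tags):
    """A safety function may only be bound to safety-owned tags: a trip
    decision must never depend on data derived from the control system."""
    return all(db.owner.get(t) == SAFETY for t in tags)

def demo():
    db = SharedDatabase(owner={"PT101": SAFETY, "TT102": SAFETY, "FC201": CONTROL})
    db.write(SAFETY, "PT101", 8.2)              # safety node publishes a pressure
    db.write(CONTROL, "FC201", 45.0)            # control node publishes a flow setpoint
    blocked = db.write(CONTROL, "PT101", 0.0)   # control tries to overwrite: rejected
    shared = db.read("PT101")                   # control may still read it for regulation
    good = safety_inputs_ok(db, ["PT101", "TT102"])  # safety logic bound to safety data
    bad = safety_inputs_ok(db, ["PT101", "FC201"])   # would consume control data: rejected
    return blocked, shared, good, bad, db.rejected
```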
How does this resolve the communications problem? Because the Quadlog and APACS+ systems share the same underlying protocol and physical medium, communications between them are inherent. The addressing systems are the same, the protocols are the same, and most importantly, they use identical real-time databases. For safety reasons, the physical controller and I/O modules used in Quadlog are very different from APACS+. Quadlog modules have superior diagnostics for the reasons mentioned previously, and output cards include features for fail-safe action and wiring checks.
However, many parts that are not configurable or do not present any potential for common cause failure are identical. Examples of these include racks, power supplies, communications cables and field termination assemblies. Not only is this an economic advantage, but it significantly reduces the training required for maintenance personnel.
This is where significant business benefits start to emerge. Configuration efficiency is important because, as the prices of control hardware continues to fall, and the cost of good, experienced configuration engineering continues to rise, configuration is rapidly emerging as the single most costly element in implementing an automation scheme.
The same applies to maintenance. Firstly, if control and safety systems use the same tools, that makes for efficiency here as for initial configuration. However, at the maintenance level, plant downtime starts to enter into the equation. Faster maintenance means less downtime, especially relevant to the fine chemical and pharmaceutical industries where costs are high and product values are large. There is also a capital cost and availability issue. If the two systems share many parts, spares holdings are reduced and the likelihood of having the right spare is increased.
Another benefit arises from a common look and feel to the operator interface. Operator training need is reduced, but perhaps more importantly, the day that the safety system has something very important and urgent to say to the operator, the message can be delivered through the day to day, familiar interface, not via a separate HMI that is only used in emergency situations. In short, safer operation.
Safety and availability of 1oo2D (one-out-of-two with diagnostics) architecture for safety systems is essentially the same as for TMR. This is well illustrated by TÜV granting AK6 certification (the highest achieved by any programmable system) to the Quadlog 1oo2D system. The 1oo2D architecture for safety systems is more cost effective than TMR for an equivalent installation, and sharing information with a control system makes it even more so. The capital saving is desirable, but bigger advantages still derive from the commonality of the underlying architecture of a control system and a safety system with the same pedigree. Reduced configuration time, lower maintenance costs and higher availability can all be achieved if the two systems dovetail together in an orderly manner.
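To make the 1oo2D versus TMR comparison concrete, the following added example (not vendor code) votes constructed fault scenarios through a simplified 1oo2D scheme and a 2oo3 majority vote. It assumes each channel reports a trip demand and a self-diagnostic result, and it shows where 1oo2D availability depends on diagnostic coverage.

```python
"""Constructed comparison of 1oo2D and TMR (2oo3) trip voting.

Added illustration, not vendor code. Each channel reports whether it sees
a trip demand and whether its own diagnostics pass; the fault scenarios
below are made up for the example.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Channel:
    demand: bool    # channel's own view: is a trip required?
    diag_ok: bool   # did the channel's self-diagnostics pass?

def vote_1oo2d(a, b):
    """One-out-of-two with diagnostics: a channel whose diagnostics fail
    is switched out and the system degrades to 1oo1 on the other; if both
    fail diagnostics the outputs de-energise (fail-safe trip)."""
    healthy = [c for c in (a, b) if c.diag_ok]
    if not healthy:
        return True
    return any(c.demand for c in healthy)

def vote_2oo3(a, b, c):
    """Triple modular redundancy: simple majority of three channels.
    Diagnostics are not consulted in this simplified model."""
    return sum(ch.demand for ch in (a, b, c)) >= 2

GOOD = Channel(demand=False, diag_ok=True)        # healthy, no demand
TRIP = Channel(demand=True, diag_ok=True)         # healthy, real demand
STUCK_DETECTED = Channel(False, diag_ok=False)    # stuck 'no demand', caught by diagnostics
SPURIOUS_DETECTED = Channel(True, diag_ok=False)  # false demand, caught by diagnostics
SPURIOUS_HIDDEN = Channel(True, diag_ok=True)     # false demand, not caught

def scenarios():
    """Returns (1oo2D trips?, 2oo3 trips?) for each constructed fault case."""
    return {
        # real demand while one channel is stuck and flagged: both architectures trip
        "demand_one_detected_fault": (vote_1oo2d(TRIP, STUCK_DETECTED),
                                      vote_2oo3(TRIP, TRIP, STUCK_DETECTED)),
        # detected spurious channel: 1oo2D switches it out, so no false trip
        "spurious_detected": (vote_1oo2d(SPURIOUS_DETECTED, GOOD),
                              vote_2oo3(SPURIOUS_DETECTED, GOOD, GOOD)),
        # undetected spurious channel: 1oo2D false-trips while TMR outvotes it,
        # which is why 1oo2D availability rests on high diagnostic coverage
        "spurious_hidden": (vote_1oo2d(SPURIOUS_HIDDEN, GOOD),
                            vote_2oo3(SPURIOUS_HIDDEN, GOOD, GOOD)),
        # both 1oo2D channels lose diagnostics: fail-safe trip (no TMR equivalent)
        "all_diagnostics_failed": (vote_1oo2d(STUCK_DETECTED, STUCK_DETECTED), None),
    }
```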