Safety standards
15 May 2002
Up until this year, the guidance given by the Health & Safety Executive on the design of safety related systems was based on the PES (programmable electronic systems) standard, parts 1 and 2.
This has now been replaced by the international standard IEC 61508, 'Functional safety of electrical/ electronic/programmable electronic safety-related systems', although the HSE has yet to amend its guidelines.
Nevertheless, according to safety specialist MTL (Measurement Technology Ltd), the broad acceptance of the new standard is giving safety equipment suppliers and users a common framework in which to design products and systems for safety-related applications. Suppliers such as MTL are now providing products certified to IEC 61508 for use in functional safety systems. The data provided with these products allows the user to integrate them into safety systems to the standard, and then state with confidence that the system meets the safety requirements.
MTL has now gone a stage further and published a comprehensive 16-page Application Note 'AN9025 - An introduction to functional safety and IEC 61508', which gives a good introduction to the standard, with practical illustrations (see panel overleaf) of how it can be applied.
Another attempt at making the standard more understandable came at a recent seminar held at the IChemE in Rugby by process engineering consultants Rowan House. According to technical director Clive de Salis, the earlier PES standard was incomplete in two areas: the guidelines did not cover the maintenance of the safety control system after installation and commissioning, and there was only limited detail as to how an application required a safety system.
'IEC 61508 goes further than PES 1&2,' explained de Salis, 'and gives guidance on both maintenance and testing after installation and gives specific and clear methods for deciding if a control loop has a safety requirement.' The most important change over PES 1&2, in his view, is that IEC 61508 gives specific methods for determining the Safety Integrity Level (SIL) required for each safety loop.
Within the standard, the SIL rating is a number from 0 to 4. A SIL rating of 0 means a control loop has no special safety requirement and standard control components can be used. But, as de Salis pointed out, to determine whether a loop has a safety requirement, all control loops will need to be assessed by one of the recognised methods. If this analysis shows that some loops have a SIL rating of between 1 and 4, then the designer and supplier of the control system are required to use equipment certified for that rating or better for those loops.
'A good rule of thumb,' he said, 'is that if failure of the control loop might put personnel or the environment at risk, the loop will have a SIL rating between 1 and 4.' However, because the actual assessment methods take into account factors such as the user's established experience of the process as well as the likelihood of personnel being present, a loop might still be SIL 0 even though there is an identifiable risk.
'The SIL rating assessment also takes into account the structure and complexity of the control loop,' explained de Salis. 'At the design stage of a new process control system it will be this aspect that will most often cause an individual control loop to be reassessed. This is because each time the structure and content of a loop is changed - either by a process modification or by a supplier's request - the loop should be reassessed to determine if the same SIL rating still applies.
'The SIL rating applies to the whole of the safety loop, not just the PLC or process controller. It applies from the input devices (transmitters, switches and so on) to the output device (control valve, pump or whatever). The requirement for PLCs and process controllers is commonly misunderstood. The PLC or controller in a SIL-rated safety loop needs to be certified as a complete unit. The SIL rating does not just apply to their input and output cards but rather to the whole controller. This is understandable since the modification of software in the controller has the potential to affect the performance of the control loop.'
As mentioned earlier, IEC 61508 doesn't stop at the installation and commissioning of a safety loop. Its requirements of maintaining, testing and proving the operation and availability of the safety loop continue throughout its working life. And here, according to de Salis, 'lies a little potential trap for the end user who has to maintain the loop.'
This revolves around the fact that a manufacturer of a control component is free to tell the test house - certifying the component to the new standard - the recommended frequency of maintenance and testing for that component. So some components might end up having a requirement to test them several times a year in order to meet the SIL rating.
Because of this, de Salis suggested that 'it will always pay for you [the end user] to specify to the designer and supplier of the safety loop the minimum allowable retest period.' If not, you may find that 'you've been supplied with a low-cost component that has a high frequency of testing and maintenance.'
Most of the testing authorities can provide information about certified products, and 'since the HSE in the UK puts the onus on the end user to be satisfied that the installation is right, then it pays to check the latest available information', he advised.
Standard application
Many delegates at the seminar expressed concern as to exactly how the HSE is applying IEC 61508. As one put it: 'it is neither a regulation nor a code of best practice. Some inspectors seem to be using it as a de facto regulation and some seem to be applying it retrospectively on installations where they have already given safe use, on relay systems in particular. Can anyone give an indication of how the HSE will be approaching it?'
Picking up that particular gauntlet, Felix Redmill of Newcastle University, who has closely followed the development of IEC 61508 and runs training courses on the standard, commented: 'The HSE does not demand use of this standard, nor does it give particular credit if you say you use it. The HSE has a duty to look for best practice and adequacy in reducing risks 'as far as is reasonably practicable'. [But] if you use this standard it may be persuasive in suggesting to them that you value best practice, since the standard's principles are best practice.'
Sidebar: Combining the requirements of IEC 61508 with Hazop studies
At its seminar at the IChemE, Rowan House introduced the latest version of its hazard and operability (Hazop) management software package, HAZ 1508. As its name suggests, the package now allows the existing Hazop safety studies - required of all chemical, oil and gas, pharmaceutical and other processes - to be undertaken simultaneously with a safety loop assessment under IEC 61508.
Developed jointly by Rowan House and Swedish software house MCH Konsulting, the software enables the end user to calibrate the risk analysis and computations to determine automatically the initial Safety Integrity Level (SIL) factors during a Hazop study meeting. This should lead to 'major time savings', says Rowan House, by homing in on the safety critical loops and encouraging process designers to include additional safety measures.
Available as both a desktop package and on a central server using standard Ethernet, this latest multilingual version of HAZ 1508 has been tested on systems from all the main PC and server suppliers. Server compatibility has been checked with a wide variety of operating systems and the server version can run up to six Hazop studies simultaneously.
Sidebar 2: A practical standard
As part of its introduction to IEC 61508, MTL Instruments provides a worked example of how the standard may be applied in a practical case. In this case, the installation is a pressure vessel, used in a batch process on a weekly cycle.
The vessel is brought to the prescribed pressure in a controlled manner - the perceived hazard being that the control system might fail, subjecting the vessel to overpressure. Although the final safeguard is a bursting disc that discharges to atmosphere, its operation would not be desirable on environmental and public relations grounds.
In the event of over-pressurisation, therefore, the proposed safety function dumps the contents of the vessel into another storage vessel for disposal.
A smart pressure transmitter with a 4-20mA signal senses the pressure and transfers the 4-20mA signal to two MTL 4403 trip amplifiers. These amplifiers are configured 1oo2 (one out of two), so that the safety function is achieved - the dump valve is opened - if either one is tripped. The valve actuator is then driven through an MTL 4024-SR isolator.
The case study explains how the 'tolerable risk' and the 'Equipment Under Control (EUC) risk' are defined within the context of IEC 61508, from which the required 'average probability of failure on demand (PFDavg)' can be calculated. This is then used to derive the Safety Integrity Levels (SIL) of the safety-related protection system.
The pressure transmitter, for example, is shown to have at least a SIL 2 requirement. In practice, the design of the safety function is usually iterative - a solution is proposed and then analysed to see whether it meets (or exceeds) the requirements; if not, it is modified accordingly.
Although the MTL 4403 trip amplifiers used in this application do not currently have IEC 61508 certification, MTL believes their use is justified from the available failure rate data, and by the 1oo2 (one out of two) configuration, which greatly increases the reliability. A full proof test, to ensure that the relays of each MTL 4403 trip at the correct current, would probably have to be performed offline. MTL therefore says a one-year proof test interval would be appropriate here.
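The PFDavg and SIL derivation that the case study describes, carried through as an added example (this is not MTL's calculation and uses none of the application note's figures): the dangerous-undetected failure rates are constructed placeholders, the 1oo1 and 1oo2 formulas are the usual first-order approximations that ignore common-cause failure, diagnostics and repair time, and the SIL bands are the low-demand bands from IEC 61508 part 1. The last function also answers the proof-test question raised earlier in the article, by working out the longest retest period that keeps a subsystem inside its target SIL band.

```python
# Added example: simplified low-demand PFDavg and SIL band arithmetic for the
# pressure-vessel loop described above. Not MTL's calculation; all failure
# rates below are constructed placeholders, and the formulas are the usual
# first-order approximations (no common-cause factor, no diagnostics, no
# repair time) rather than the full IEC 61508-6 expressions.

HOURS_PER_YEAR = 8760.0

# Low-demand SIL bands from IEC 61508-1: (SIL, lower bound, upper bound) on PFDavg.
SIL_BANDS = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]


def pfd_avg_1oo1(lambda_du, proof_test_years):
    """Single channel: PFDavg ~ lambda_DU * T / 2 (lambda_DU per hour, T in hours)."""
    t_hours = proof_test_years * HOURS_PER_YEAR
    return lambda_du * t_hours / 2.0


def pfd_avg_1oo2(lambda_du, proof_test_years):
    """Two independent channels, trip on either: PFDavg ~ (lambda_DU * T)^2 / 3."""
    t_hours = proof_test_years * HOURS_PER_YEAR
    return (lambda_du * t_hours) ** 2 / 3.0


def sil_from_pfd(pfd):
    """Map a PFDavg to its low-demand SIL band; 0 means worse than SIL 1.
    A PFDavg below 1e-5 has no band in the standard; it is reported as 4 here."""
    if pfd < 1e-5:
        return 4
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 0


def max_proof_test_years(lambda_du, target_sil, architecture):
    """Longest proof-test interval (years) keeping PFDavg inside the target SIL band.
    This is the figure the article suggests the end user should specify up front."""
    upper = {sil: hi for sil, _, hi in SIL_BANDS}[target_sil]
    if architecture == "1oo1":
        t_hours = 2.0 * upper / lambda_du          # from lambda*T/2 < upper
    elif architecture == "1oo2":
        t_hours = (3.0 * upper) ** 0.5 / lambda_du  # from (lambda*T)^2/3 < upper
    else:
        raise ValueError("unsupported architecture: " + architecture)
    return t_hours / HOURS_PER_YEAR


def assess_vessel_loop(proof_test_years=1.0):
    """Sum the subsystem PFDavgs of the loop (sensor + logic + final element)
    and return each part's PFDavg together with the loop's SIL band."""
    # Constructed placeholder dangerous-undetected failure rates, per hour.
    transmitter_du = 5e-7    # smart pressure transmitter, single channel
    trip_amp_du = 2e-7       # each MTL 4403 trip amplifier, voted 1oo2
    final_element_du = 1e-7  # MTL 4024-SR isolator plus dump valve, single channel

    parts = {
        "transmitter": pfd_avg_1oo1(transmitter_du, proof_test_years),
        "trip_amps_1oo2": pfd_avg_1oo2(trip_amp_du, proof_test_years),
        "final_element": pfd_avg_1oo1(final_element_du, proof_test_years),
    }
    loop_pfd = sum(parts.values())
    return {"parts": parts, "loop_pfd": loop_pfd, "loop_sil": sil_from_pfd(loop_pfd)}


if __name__ == "__main__":
    result = assess_vessel_loop()
    for name, pfd in result["parts"].items():
        print(f"{name:15s} PFDavg = {pfd:.2e}  (SIL {sil_from_pfd(pfd)} band)")
    print(f"loop PFDavg = {result['loop_pfd']:.2e} -> SIL {result['loop_sil']}")
    print("longest proof-test interval keeping the 1oo2 trip amps in the SIL 3 band:",
          f"{max_proof_test_years(2e-7, 3, '1oo2'):.1f} years")
```

With these placeholder rates the single-channel transmitter dominates the loop PFDavg and lands in the SIL 2 band, while the 1oo2 trip amplifiers contribute almost nothing, which is the point the case study makes about the voting configuration. Changing `proof_test_years` shows how a longer retest period pushes each subsystem towards the next worse band, which is why the article recommends fixing the minimum allowable retest period in the specification.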
MTL products that do now have third-party certification to IEC 61508 are key modules from the company's MTL 4000 and MTL 5000 series intrinsically safe isolator ranges and its MTL 4840 Hart multiplexers.
The Hart product is seen by MTL as being of particular importance to end-users. A common method of using Hart is to multiplex the digital signals from field devices on to the primary analogue field wiring, then demultiplex the signals and present them to a maintenance software package for monitoring and diagnostics.
However, when calculating the SIL for such systems, an uncertified multiplexer is seen as an intrusion into the loop, which adversely affects the SIL rating. But by using the new certified MTL 4840 users can still exploit the benefits of Hart without compromising the SIL ratings of the loops involved.
Sidebar: Taking safety to a higher level
Dr Richard Piggin of Pilz Automation Technology describes how an offshore safety-critical system was designed, installed and approved in under two weeks, with due conformity to IEC 61508.
The complexity of large safety systems necessitates lengthy lead times from design to operational capability, and the same problem can occur when upgrades are required. This is particularly so where high integrity systems are concerned - such as those conforming to the requirements of IEC 61508 (SIL 3 rating).
Potential process improvements could be delayed, simply because of the time required to implement large-scale system alterations where high integrity control is involved. Such improvements therefore generally need to be implemented during a planned maintenance shutdown. But there is an alternative, faster solution, providing almost immediate process enhancements at lower cost and exceedingly rapid payback.
Separating the high integrity functions of systems such as HIPPS (high integrity pressure protection systems) or ESD (emergency shutdown systems) from the existing safety system allows functional changes or process improvements to be made without the need to make more complex alterations to the existing safety system. The resulting high integrity system is less complex, enabling shorter implementation and approval timescales.
A less obvious benefit of separating the higher SIL functions (or loops) from the existing safety system is the different safety study requirement and associated activities necessary to meet IEC 61508 (or the more specific process-related IEC 61511 when this standard is completed) across the entire safety system.
The approach taken by Performance Automation for a particular HIPPS operator offshore was to remove the SIL 3 safety-related functions from the existing large system and to place them within a Pilz PSS (programmable safety system) safety controller. This had the effect of reducing the anticipated lead-time from months to a matter of days.
In this project, the time constraint was the length of the shutdown period. Remarkably, the system design, installation, commissioning and approval were all achieved within 14 days.
The PSS safety controllers are divided into two sections, failsafe and standard. The failsafe section processes all the safety-related functions and has a three-channel diverse structure, with inputs and outputs being separately processed by each channel. Failsafe inputs and outputs can be local to the processor or serial via SafetyBUS p (an open bus for the serial transfer of safety-related data) - and they are only valid if all three channels reach the same result.
The standard section of the controller can read data from the failsafe section, but cannot write to it. This prevents standard section program errors from affecting the failsafe section.