Experience is vital
29 Jan 2007
In 2005 an explosion at the Texas City oil refinery killed 15 people on site and injured 100 more. This tragedy happened despite the oil and gas industries being highly regulated, with modern safety controls in place and with competent professionals employed.
Lessons learned from this sort of tragic experience are enormously costly. Industry, therefore, needs high levels of competence based on sound experience to develop new technologies that improve the safety of hazardous processes.
Today there is passionate debate about the integration of safety & control functionality. Some argue against integration on the grounds that the high levels of integrity demanded by the industry are not met. But with certified development engineers responding to input from certified systems architects based on over 20 years' company experience, the new embedded "safety & control" architecture can outperform traditional safety technologies.
The existing international standard covering programmable electronic safety systems, IEC 61508, is based on the findings of an IEC committee. This was set up in 1995 to bring together the DIN standards that were gaining recognition in Europe, Middle East and Asia with the newly emerging SP84 standard in the US.
The committee aimed to extend the scope to cover the complete safety loop, including field devices, and to cover the full life cycle from design concepts through operations and maintenance to decommissioning. IEC 61508 was fully approved in 2000.
IEC 61508-2 recognises that safety and non-safety functions can reside in the same system where "functional separation" is maintained, that is, if the implementation of the safety application is independent of the non-safety application. Physical separation into different systems from different suppliers, with different communications and different programming tools, is no longer necessary to meet the standards.
Modern development techniques, involving high integrity computation and firewalls, allow higher levels of integrity to be designed in from the outset. If the new design builds on experience from the previous generations, high confidence levels can be achieved.
But do new standards mean safer products? The answer has to be yes. The new standard, in addition to an explicit definition of the way reliability figures are calculated and used, defines the procedures under which high integrity software is structured, coded, tested, compiled and processed.
The Functional Management procedure under which a modern system is developed provides greater confidence to the user that the design is sound and totally auditable. If anything does go wrong it can be traced and corrected, with the upgrade being fully tested against the Safety Requirement specification and implemented according to the standard. The standard also defines the processes under which a safety system is designed in the first place, plus the way the specific application is implemented.
A system developed from the outset under an IEC 61508 certificate will attract greater market confidence than one that pre-dates the standard. Systems that have been designed to comply with the safety standards add extra integrity to the control & safety system operation, counteracting any possible downside due to common mode issues.
IEC 61508 defines the integrity characteristics of the complete safety function as well as how it should be implemented, operated, maintained and tested for the life cycle of the system. A process application implemented on a fully compliant system by competent engineers using compliant procedures must cut risk to an absolute minimum.
Getting to this point has required continual evolution. Programmable electronic systems have been used in process applications for decades and today the use of computers, PLCs and DCS to control and protect processes is commonplace.
As confidence in the new programmable technology grew and the advantages and flexibility became clear, industry looked to the regulators for guidance on how these systems should be used, especially for safety applications.
Regulations have now developed to where IEC 61508 extends the standard requirements beyond programmable electronic systems to include the complete control loop. It includes field equipment and establishes fundamental requirements for the processes and competencies needed to design, implement, support and maintain such systems during their complete lifecycle.
High Integrity Control requires two main characteristics, High Availability (reliability) and Fail Safe Action (deterministic failure action), and both remain core components of today's systems.
Availability is a measure of reliability and can be assessed from the reliability data produced for each component part or from statistical field returns data. Fail Safe Action is a system's ability to shut down in a pre-determined way under any failure mode. True Fail Safe Action was quite easy to achieve in relays and even hardwired electronics, but became more difficult when software-based programmable systems were introduced.
Early dual redundant and TMR systems used duplication and triplication of the electronics to enhance both Availability (by adding fault tolerance) and Fail Safe action (by adding voting). The architectures were often presented as fulfilling both requirements, but, unfortunately, they are mutually exclusive. A redundant system that uses its duplication for voting is NOT fault tolerant. Likewise, if duplication is used to achieve fault tolerance it does not enhance the determinism of the system.
Today's integrated safety and control systems separate these two features: Fail Safe action is addressed through rigorous "failure modes and effects" analysis during the design stages and through electronic design that is effectively covered 100% by diagnostics. Availability can then be increased by conventional fault tolerant structures.
Process systems are now selected on their ability to "manage assets" efficiently and cost-effectively. Asset management and optimisation requires the collection, management, storage and analysis of vast amounts of data from sources such as direct measurement, fieldbus links to field devices, plus vibration and health monitoring devices. This data is then used to make decisions that, for example, improve process efficiency, reduce waste, minimise maintenance time or reduce emissions.
Asset management
The latest systems can integrate information from many different sources and in many formats. Organising that data in different ways, depending on the most relevant factors, puts the systems at the leading edge of asset management technology.
Safety is just another asset that needs management. It is equally valid to monitor a shut-down valve to determine its servicing requirements as it is to collect trip and alarm data to ensure compliance with safety standards.
On-line Functional Safety Management (FSM) tools, which are part of the Asset Management suite, analyse and document data on all aspects of every safety function. They can store the detail of the SIL assessment for future review, recalculate test cycles against changing duty and update the database with more accurate reliability data as it becomes available. Analysis of actual trip and alarm data enables the safety requirements and performance of each safety function to be used in the optimisation calculation. More importantly, these results are recorded and documented in a way that references the clauses of the standard, making compliance easy to audit.
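As an added illustration (not from the article, and not any vendor's FSM tool) of two points made above, the voting-versus-fault-tolerance trade-off in the redundancy paragraph and the proof-test recalculation the FSM paragraph describes, the following Python uses the textbook simplified low-demand PFDavg approximations associated with IEC 61508-6 (no common-cause, repair-time or partial-stroke terms) with constructed failure rates:

```python
"""Simplified low-demand SIS arithmetic (added example; all rates are constructed).

Approximations are the usual simplified forms (no common-cause or repair terms
in the PFD expressions), so absolute numbers are illustrative; the ordering
between architectures is the point.
"""
from typing import Dict

# Low-demand SIL bands as [lower, upper) PFDavg, per IEC 61508-1.
SIL_BANDS: Dict[int, tuple] = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3),
                               2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}

# Coefficient k and exponent n in PFDavg ~= k * (lam_du * T) ** n.
_PFD_FORM = {"1oo1": (0.5, 1), "1oo2": (1 / 3, 2), "2oo2": (1.0, 1), "2oo3": (1.0, 2)}


def pfd_avg(arch: str, lam_du: float, t_proof_h: float) -> float:
    """PFDavg of a voted group: lam_du is the dangerous undetected failure
    rate per channel (per hour), t_proof_h the proof-test interval (hours)."""
    k, n = _PFD_FORM[arch]
    return k * (lam_du * t_proof_h) ** n


def spurious_trip_rate(arch: str, lam_s: float, mttr_h: float) -> float:
    """Approximate rate (per hour) of a safe, i.e. nuisance, trip of the group."""
    return {"1oo1": lam_s,                      # any safe failure trips the output
            "1oo2": 2 * lam_s,                  # voting for safety: either channel trips
            "2oo2": 2 * lam_s ** 2 * mttr_h,    # fault tolerant: both must fail within one repair
            "2oo3": 6 * lam_s ** 2 * mttr_h}[arch]


def sil_for(pfd: float) -> int:
    """SIL band the PFDavg falls in; 0 if it does not reach SIL 1."""
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= pfd < hi:
            return sil
    return 0


def max_proof_interval_h(arch: str, lam_du: float, target_sil: int) -> float:
    """Longest proof-test interval (hours) at which PFDavg meets the target
    SIL's upper bound: the recalculation an FSM tool repeats whenever a better
    lam_du estimate arrives from field returns data."""
    k, n = _PFD_FORM[arch]
    upper = SIL_BANDS[target_sil][1]
    return (upper / k) ** (1 / n) / lam_du
```

With the constructed rates, 1oo2 gives the lowest PFDavg but the highest nuisance-trip rate, while 2oo2 does the reverse, which is the "mutually exclusive" point of the redundancy paragraph in numbers.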
Experience is important. It is essential that we continue to build on what we already know and develop better methods and understanding and increase professionalism. We cannot afford mistakes like Texas City.