Safety, cost and principles
16 May 2007
Patrick Raleigh reports on a vendor dust-up that is clouding the issues behind the integration of plant safety and control systems
Process safety has traditionally been based on independent layers of protection. If a control system fails or a process becomes unstable, alarms alert the operator to bring the process back within safe limits. If that layer fails, the automatic safety instrumented system (SIS) takes the process to a safe state, so two layers have to fail before a hazard can occur.
Safety systems have usually been an 'add-on' to distributed control systems (DCS). For many years the main automation vendors sourced their SIS systems from independent suppliers, including Triconex — now part of Invensys. More recently, though, vendors have moved to supplying their own SIS technology, which they have integrated to varying degrees with their control systems.
But Robin McCrea-Steele, senior safety consultant at Invensys' Premier Consulting Services unit, believes this integration of safety and control could undermine the safety of many process facilities. Some operators are being sleepwalked into adopting "DCS embedded SIS" technology, he further warned in a 26 March interview in London.
Previously, DCS vendors such as ABB, Emerson and Yokogawa have been outside the safety arena, but are now "trying to get on this bandwagon," claimed McCrea-Steele. This, he said, is part of a more general push to sell more of their DCS products into the marketplace under a single-source supplier approach.
The Invensys man noted the many advantages of tight integration and seamless functionality between the safety system and the control system. But, he said, this can be achieved by integrating them at the information, configuration, HMI and asset management levels rather than by putting them all onto one hardware platform.
"This is where the line needs to be drawn as far as you can co-mingle safety and control," said McCrea-Steele. "Using the control system as a safety system involves mixing two layers in such a way that you can have common cause and systematic errors, which means they can fail simultaneously."
Scott Hillman, manager of marketing for Honeywell Process Solutions (HPS) Safety Systems, takes issue with McCrea-Steele's use of the term 'embedded SIS' in the context of this debate.
"People in the industry are talking about 'integrated'. Nobody is using the word 'embedded'. If that's from Invensys it's interesting, because that's twisting what other people are saying," Hillman commented, in a 19 April telephone interview.
Moreover, Hillman believes that only one vendor — ABB, with its 800xA HI — is actually using common hardware for the safety controller and process controller.
For its part, ABB stoutly defends the 800xA HI and points out that it meets IEC industry standards. "The inherent integrity design caters for common mode issues," said Roger Prew, safety consultant at ABB, in a written statement. "Essentially all fault conditions are analysed and understood and the effects determined and catered for in a safe way."
Prew went on to quote Dow Chemical Co. as saying that "the DCS can be used as part of the risk reduction strategy and a DCS implemented in 800xA HI carries more credit than a conventional one."
The ABB man added: "Dow believes that the increased integrity of using high integrity hardware for DCS outweighs any possible disadvantage of common mode faults … Common mode is an argument that was relevant to the last generation of safety systems, but not the latest."
At HPS, Hillman concurs with McCrea-Steele's point on common cause failures and the need to have a specific level of separation. But, he said, "the Invensys guys are really focused on selling their particular layers of protection but the SIS is only one of many layers of protection that are part of the overall protection system."
Honeywell's position is that you need a system that provides both an independent layer of protection and integration.
"It's about how much integration, where you apply it and how to do it from the customer's perspective … You need a degree of integration so that operators can operate their plant and both the operators and the control systems react [to process upsets] accordingly. Any more than that and it is too much integration probably," commented Hillman.
The new generation of safety systems that are integrated with the DCS architecture facilitate more effective alarm management, according to Martin Ward, managing director of Yokogawa UK. This, he stated, means "seamless monitoring and prediction of critical conditions, opening the path back to normal conditions while securing safety-loop integrity … Operators are advised in advance of critical conditions via a common HMI, allowing effective decisions to be made to avoid or minimise the effects of an emergency."
Integrated safety systems do meet the key IEC 61508 and IEC 61511 safety standards and carry the appropriate SIL (safety integrity level) ratings for industrial applications. However, these standards remain open to interpretation about the need for physical separation between safety and control.
TÜV, for example, certifies the hardware and the software in isolation and verifies that the communications between the safety system and the control system do not affect SIS functionality. However, it also says that an assessment should be done to consider the potential for common cause failure between protection layers.
"Some engineers may take a phrase out of context and believe that you do not need a physical independence … It is down to the user to analyse this for their application," said McCrea-Steele. If an operator takes credit for the control and safety systems as independent when in fact they are not, "then he is making a big mistake."
Without true separation, you need certification to a higher SIL rating, which means more cost: more redundancy in the field, and more complex management of change and maintenance, McCrea-Steele continued.
As Hillman of HPS explains it, the SIL rating basically covers system reliability and the test interval. "A lot of the hidden cost there is your test interval. People shy away from solutions like general purpose PLCs that can do SIL 2 or SIL 3 because they have to do proof-testing every six months."
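To make the cost argument concrete, here is an added worked example; it is not from the article or from any of the vendors quoted, and the failure rate, test intervals and common-cause fractions in it are assumed illustrative figures. It uses the simplified IEC 61508 low-demand formulas, PFDavg ≈ λ_DU·TI/2 for a single channel and the beta-factor model for two layers that share a fraction β of their dangerous undetected failures, with repair time ignored. It shows both points made above: shortening the proof-test interval is what buys a higher SIL from the same hardware, and a common-cause fraction of only 10% between two nominally independent layers costs roughly an order of magnitude of risk reduction.

```python
# Added illustration of SIL, proof-test interval and common-cause arithmetic.
# Assumptions (not from the article): single-channel (1oo1) PFDavg = lambda_DU * TI / 2,
# IEC 61508 beta-factor model for two layers with shared failures, MTTR ignored.
# All failure rates and intervals below are constructed example values.

HOURS_PER_YEAR = 8760.0

# IEC 61508 low-demand SIL bands: (SIL, PFDavg lower bound inclusive, upper bound exclusive)
SIL_BANDS = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]


def sil_for_pfd(pfd: float) -> int:
    """Return the SIL a given PFDavg achieves, or 0 if it does not reach SIL 1."""
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 0


def pfd_1oo1(lambda_du_per_hour: float, test_interval_years: float) -> float:
    """Simplified PFDavg for a single channel: lambda_DU * TI / 2."""
    ti_hours = test_interval_years * HOURS_PER_YEAR
    return lambda_du_per_hour * ti_hours / 2.0


def max_test_interval_years(lambda_du_per_hour: float, target_sil: int) -> float:
    """Longest proof-test interval (years) at which a 1oo1 channel still achieves target_sil.

    Derived from PFDavg < upper bound of the band, i.e. TI < 2 * bound / lambda_DU.
    """
    upper = {sil: hi for sil, _lo, hi in SIL_BANDS}[target_sil]
    return (2.0 * upper / lambda_du_per_hour) / HOURS_PER_YEAR


def pfd_two_layers(lambda_du_per_hour: float, test_interval_years: float, beta: float) -> float:
    """PFDavg of two protection layers treated as 1oo2 with common-cause fraction beta.

    Beta-factor model (simplified, MTTR ignored):
      independent part: ((1 - beta) * lambda_DU * TI)^2 / 3
      common-cause part: beta * lambda_DU * TI / 2
    With beta = 0 this is the 'truly independent layers' case; beta > 0 models the
    shared hardware/software failure modes the consultants above argue about.
    """
    ti = test_interval_years * HOURS_PER_YEAR
    lam = lambda_du_per_hour
    independent = ((1.0 - beta) * lam * ti) ** 2 / 3.0
    common = beta * lam * ti / 2.0
    return independent + common


if __name__ == "__main__":
    lam = 1e-6  # assumed dangerous undetected failure rate, per hour

    print("Proof-test interval vs achieved SIL (single channel):")
    for years in (2.0, 1.0, 0.5, 0.1):
        pfd = pfd_1oo1(lam, years)
        print(f"  TI = {years:4.1f} y  PFDavg = {pfd:.2e}  SIL {sil_for_pfd(pfd)}")
    for sil in (2, 3):
        print(f"  SIL {sil} needs TI < {max_test_interval_years(lam, sil):.2f} years")

    print("Two layers, 1 year test interval, varying common-cause fraction:")
    for beta in (0.0, 0.02, 0.1):
        pfd = pfd_two_layers(lam, 1.0, beta)
        print(f"  beta = {beta:4.2f}  PFDavg = {pfd:.2e}  SIL {sil_for_pfd(pfd)}")
```

Running the script shows the hidden cost Hillman refers to: with the assumed failure rate, a yearly proof test gives SIL 2, while SIL 3 requires testing roughly every eleven weeks. It also shows why the common-cause assessment TÜV asks for matters: with β = 0 the two layers together sit in the SIL 4 band, but a 10% shared-failure fraction alone pushes the combined PFDavg up by a factor of about 18.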
According to McCrea-Steele, the one selling point for co-mingling safety and control is that it is less expensive.
But, insisted the Invensys consultant, DCS embedded SIS "is really not proven. It's a lot of marketing hype." He went on to draw an analogy with Hurricane Katrina, where, he said, engineers put cost savings ahead of safety on the levees 30 years ago, only for a disaster to happen decades later.
For Hillman at HPS: "This is a conservative market and people have the right to be concerned about that type of integration and what is the appropriate amount. A lot of the major customers are looking at it and saying we are not ready for that yet."
All the vendors, including Invensys, offer some level of integration or interfacing to the host DCS, Hillman concluded. The issue is "how much cost is associated with one or the other, or both?"