Safety first: regulatory challenge
14 Oct 2015
A tangle of new regulations is causing headaches for those in charge of process safety, writes Louisa Hearn.
A kaleidoscope of ever-changing rules and regulations is complicating the task of keeping process plant personnel and equipment safe.
But the ‘duty of care’ still sits with those charged with managing complex and often hazardous equipment in the process industries.
Pilz Automation Technology’s David Collier
“It is very difficult for end users to stay up to date with changes to regulations and standards,” says David Collier, a machinery safety expert for Pilz Automation Technology.
“Many wear different hats and they can’t be expected to know it all. They are trying to keep their processes running, and spinning multiple plates including productivity, quality, environment and safety. They have limited time for keeping up with industry standards.”
With most of its UK business in the machine sector, Pilz is seeing an increasing amount of business from process environments, says Collier.
“Here a key concern is functional safety, which is mainly concerned with protecting processes from going dangerously out of control.”
Another shift in the industry that has added complexity to their task is the increasing use of software within safety control systems.
“If you go back ten years or more, most safety control systems on machines were hardwired into safety relays,” says Collier.
When machine or process safety depended purely on a hardwired system, how reliable and safe the system would be could simply be calculated numerically.
“Now there is a move towards using safety controllers and safety PLCs so safety-related control is being implemented through safety-related application software as well as hardwiring.”
Potential safety issues can arise with safety related application software because human error in the design phase can be difficult to identify, he says.
“We are seeing clients wanting to use software in safety applications with limited know-how and experience for developing application code. This means faults can quite easily be designed into the code.”
According to Collier, the numerical calculation of safety for hardware (the result being a probability of failure on demand relating to a target Safety Integrity Level or SIL) is called ‘verification’.
“Although the market is hung up on how you verify that the hardware in safety related controls meets a particular SIL, not enough is said about how to validate the safety-related application software – and we believe this is a topic worth broaching.”
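As an added illustration of the hardware ‘verification’ step described above (not code from the article or from Pilz), the block below carries the numerical calculation through: it estimates the average probability of failure on demand (PFDavg) for a single-channel (1oo1) and a redundant (1oo2) architecture using the simplified low-demand formulas from IEC 61508, then maps the result onto the SIL bands. The failure rate, proof-test interval and common-cause factor are constructed sample values, not data from the page.

```python
"""PFDavg estimate and SIL-band check (added example; constructed inputs).

Simplified IEC 61508 low-demand formulas, without diagnostic-coverage or
repair-time terms:
  1oo1: PFDavg ~= lambda_DU * T / 2
  1oo2: PFDavg ~= (lambda_DU * T)**2 / 3 + beta * lambda_DU * T / 2
where lambda_DU is the dangerous undetected failure rate (per hour),
T the proof-test interval (hours) and beta the common-cause factor.
"""

HOURS_PER_YEAR = 8760.0

# IEC 61508 low-demand PFDavg bands, highest SIL first:
# SIL -> upper bound (exclusive). SIL 4 starts at 1e-5, SIL 1 ends at 1e-1.
SIL_UPPER_BOUNDS = [(4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)]


def pfd_avg_1oo1(lambda_du_per_hour, proof_test_interval_years):
    """Single channel: the average unavailability over one proof-test interval."""
    t_hours = proof_test_interval_years * HOURS_PER_YEAR
    return lambda_du_per_hour * t_hours / 2


def pfd_avg_1oo2(lambda_du_per_hour, proof_test_interval_years, beta):
    """Two channels, either can trip: independent term plus common-cause term."""
    t_hours = proof_test_interval_years * HOURS_PER_YEAR
    lt = lambda_du_per_hour * t_hours
    return lt ** 2 / 3 + beta * lt / 2


def sil_from_pfd(pfd):
    """Highest SIL whose PFDavg band the value satisfies; 0 if it fits none."""
    for sil, upper in SIL_UPPER_BOUNDS:
        if pfd < upper:
            return sil
    return 0


def meets_target(target_sil, pfd):
    """True when the calculated PFDavg is good enough for the target SIL."""
    return sil_from_pfd(pfd) >= target_sil


if __name__ == "__main__":
    # Constructed sample values: lambda_DU = 1e-6 /h, beta = 5 %.
    lam, beta = 1e-6, 0.05
    for years in (1, 3):
        p1 = pfd_avg_1oo1(lam, years)
        p2 = pfd_avg_1oo2(lam, years, beta)
        print(f"T={years}y  1oo1 PFDavg={p1:.2e} -> SIL {sil_from_pfd(p1)}"
              f"   1oo2 PFDavg={p2:.2e} -> SIL {sil_from_pfd(p2)}")
```

Two things the numbers make visible: lengthening the proof-test interval from one year to three drops the single-channel loop a whole SIL band, and in the redundant architecture the common-cause term dominates the independent term, so the beta factor, not the second channel, decides the result. The PFDavg figure is only the probabilistic part of a SIL claim; the architectural constraints and the systematic capability of the application software (the validation topic Collier raises next) must be met separately.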
He says the way to avoid problems is to follow a systematic design process, described in standards such as IEC 61508 as the V-model, that involves various stages with a very clearly defined path of what you want the system and the related piece of software to do.
“We modularise it as much as we can so we can test it separately. We call this factory acceptance testing to identify dangerous mistakes that could have been made at the desk,” he says.
This allows them to drive out all unrevealed errors before a system is installed, commissioned and tested.
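The following is an added example of the modularise-and-test approach described above; it is not Pilz code, and the interlock logic, signal names and the deliberately mistaken variant are all constructed for illustration. A small safety-related application module (a guard-door interlock with emergency stop, a two-channel guard switch and a manual reset) is written as a unit that can be tested on its own, and the test walks every combination of inputs and latch state checking three properties: an unhealthy input never yields a run permit, a tripped module does not restart without a reset, and a healthy running module is not tripped spuriously. The same test is then run against a variant containing a desk-level coding mistake (the two guard channels combined with OR instead of AND) to show that the mistake is found before the equipment is installed.

```python
"""Modular safety-function logic with an exhaustive desk test (added example).

Signal convention (constructed): True means healthy / permitted.
  estop_ok        emergency-stop circuit intact
  guard_closed_a  guard-door switch, channel A
  guard_closed_b  guard-door switch, channel B (redundant channel)
  reset_pulse     manual reset button pressed
Output: run_permit, True only while the machine may run.
"""
from itertools import product


class GuardInterlock:
    """Correct module: any unhealthy input trips and latches; restart needs reset."""

    def __init__(self):
        self.latched_trip = True  # safe state at power-up until a reset is seen

    def guard_ok(self, a, b):
        return a and b  # both channels must agree that the guard is closed

    def evaluate(self, estop_ok, guard_closed_a, guard_closed_b, reset_pulse):
        if not estop_ok or not self.guard_ok(guard_closed_a, guard_closed_b):
            self.latched_trip = True       # trip and stay tripped
        elif reset_pulse:
            self.latched_trip = False      # explicit manual reset re-arms
        return not self.latched_trip


class GuardInterlockMistaken(GuardInterlock):
    """Constructed desk-level mistake: one closed channel is enough."""

    def guard_ok(self, a, b):
        return a or b


def safety_properties_hold(module_class):
    """Exhaustively check the module over all inputs and both latch states."""
    for prior_trip, estop_ok, a, b, reset in product([True, False], repeat=5):
        module = module_class()
        module.latched_trip = prior_trip
        permit = module.evaluate(estop_ok, a, b, reset)
        healthy = estop_ok and a and b
        if not healthy and permit:
            return False   # unsafe input must never produce a run permit
        if healthy and prior_trip and not reset and permit:
            return False   # tripped module must not restart automatically
        if healthy and not prior_trip and not permit:
            return False   # healthy running module must not trip spuriously
    return True


def guard_open_scenario(module_class=GuardInterlock):
    """Sequence test: start, guard opened mid-run, closed again, reset."""
    module = module_class()
    return [
        module.evaluate(True, True, True, True),    # reset -> run permit
        module.evaluate(True, True, True, False),   # running normally
        module.evaluate(True, False, False, False), # guard opened -> trip
        module.evaluate(True, True, True, False),   # closed, no reset -> still tripped
        module.evaluate(True, True, True, True),    # reset -> run permit again
    ]


if __name__ == "__main__":
    print("correct module passes:", safety_properties_hold(GuardInterlock))
    print("mistaken module passes:", safety_properties_hold(GuardInterlockMistaken))
    print("scenario:", guard_open_scenario())
```

Exhaustive enumeration is practical here only because the module is small, which is the point of modularising: a function with four inputs and one latch has 32 states to check, while the same logic buried in one monolithic program cannot be covered that way. Keeping the test separate from the code under test also means the test itself can be reviewed as a document of what the function is required to do.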
“The degree of rigor to drive out systematic errors varies from one industry to another, and increases as the target SIL rises,” he says.
“Sometimes if we are developing safety related application code where a high target SIL 3 is required, we might involve a third party to do a functional safety assessment of our safety activities.”
When process personnel decide to appoint a supplier of safety-related components such as software-driven safety controllers or PLCs, he recommends caution.
“Always look at a supplier not based on cost of components but how they can support you in the design and validation part of the process, particularly with software driven components. Assess your partner carefully. You need them to be with you throughout the lifecycle of use of the equipment and not just at the point of sale.”
Radio silence
Another industry trend causing headaches in the process sector is the addition of wireless functionality to all manner of process industry devices. Phil Evans, the business line manager for telecoms at TÜV SÜD says he has seen an increase in the number of noncompliant products in their labs, which previously wouldn’t have had a problem.
“The cause is the rising trend for manufacturers to add wireless modules into everything from domestic fridges to industrial machinery,” he says.
The issue, says Evans, is that while these wireless modules are being sold to manufacturers as compliant, once they are integrated into a final product the regulatory requirements change, and the product must now also comply with the R&TTE Directive for radio equipment, as well as any other applicable EU Directives.
The most common wireless technologies currently being integrated into devices are Bluetooth and WiFi.
“This is because over the past five years or so the price of a Bluetooth wireless module has fallen from around £20 per unit to just a few pounds.
All a manufacturer has to do is put power into it and add an antenna, and data connection and wireless communication is achievable,” says Evans.
Even big manufacturers already following safety and machinery regulations are forgetting that they have to follow the R&TTE directive if there is a wireless module added to their products, he adds.
The reason for this is that the R&TTE directive looks at the radio transmitter to ensure it is stable on the frequency it is meant to work on, and make sure output power isn’t higher than it should be, plus many more requirements to prevent the transmitter from interrupting any devices close by.
Another wireless standard with potential safety ramifications for the industry has been harmonised by the European Telecommunications Standards Institute (ETSI) this year.
The EN300328 V1.8.1 standard includes an amendment to the existing rules for all devices using the publicly available radio band that includes WiFi and Bluetooth.
Wireless communication technologies are now prevalent around many industrial installations.
Gambica, the trade body that serves the instrumentation, control and automation sectors, warned last year that the standard, which requires wireless devices to wait for periods before transmitting, could create a blackout for industrial continuous monitoring devices.
“Unfortunately, this has thrown the wireless community into something of a turmoil, not because of more onerous testing procedures, but principally because of the way the draft standard specifies that wireless devices should operate,” says Tony Ingham of Sensor Technology.
“There is a legitimate fear that this change in operation could lead to wireless failures in industrial installations.” In practice, any cross-plant wireless communication systems, wireless sensor monitoring systems and wireless LAN installations will all come under the scope of the new harmonised standard, says Ingham.
Fortunately, there are still a number of devices that employ RF technology which do not fall within the scope of the standard.
It does not apply to any equipment with an EIRP (effective isotropically radiated power) output of less than 10mW, or to equipment that operates in a non-adaptive mode.
“However, users of wireless devices will have to look very carefully at the devices they employ and the standard they adhere to in order to ensure compliance,” he says.