Safety in the Process Industry: Yesterday, Today, Tomorrow
Proceedings, 's-Hertogenbosch, September 24, 1996

Citation for published version (APA):
Technische Universiteit Eindhoven (TUE), Dispuut dQ (1996). Safety in the process industry: yesterday, today,
tomorrow: proceedings, 's-Hertogenbosch, September 24, 1996. Eindhoven: Technische Universiteit
Eindhoven.



Safety in the Process Industry
Yesterday, Today, Tomorrow

PROCEEDINGS

This book gathers the lectures from the symposium "Safety in the Process
Industry", held on 24 September 1996 in 's-Hertogenbosch.
The symposium was organised by the study association 'dispuut dQ' and members of the
group 'Reliability of Mechanical Equipment' of the faculty of Mechanical Engineering at
the Eindhoven University of Technology.
Preface

In today's complex society risk prevention is a must. In preventing risk a number of measures
can be taken. The lowest level of prevention is locally in the plants. Of course this is important,
and this is the theme of this symposium. Other preventive actions can be taken on a higher
level, for example in spatial planning, where the distance between production and customer can
be reduced, thus preventing transportation risks. Also, the search for and development of new,
less dangerous products or processes can play an important role in risk reduction.
In the Dutch province of Noord-Brabant, the largest industrial production region in the
Netherlands, a more integrated way of risk management is encouraged.

Mr. F.J.M. Houben
Queen's Commissioner of the province of Noord-Brabant
's-Hertogenbosch, The Netherlands
The symposium committee would like to thank the following companies
for making the symposium possible:

GTI Industrial Automation BV, Apeldoorn
Factory Mutual Research Corp., Boston
AEA Technology Netherlands BV, Den Haag
Tebodin BV, Den Haag
Shell International BV, Den Haag
DuPont de Nemours (Nederland) BV, Dordrecht
ICI Holland BV, Rozenburg
Lever Vlaardingen BV, Vlaardingen
Kema NV, Arnhem
Holec Holland NV, Hengelo
Stork NV, Naarden
Gastec NV, Apeldoorn
Dow Benelux NV, Terneuzen
Stork Limburg, Geleen
Gasunie, Groningen
Honeywell BV, Amsterdam
Honeywell Safety Management Systems BV, Den Bosch
Econosto, Rotterdam
Siemens AG, Nürnberg
DSM, Heerlen
Contents

Preface, Mr. F.J.M. Houben ... 1
Sponsors ... 3
Symposium committee 1996 ... 7

Proceedings

Introduction, Prof.Dr.Ir. A.C. Brombacher ... 9
Aspects of TÜV type certification and safety-related application of programmable electronic systems, Dipl.-Ing. R.I. Faller ... 17
PLC's in safety related applications, Ir. K. Kemps ... 39
The importance of field instrumentation in safety instrument systems, Ing. L. Korteweg ... 59
Reliability for safety and plant life management, Ir. C.M. Pietersen ... 127
Commissioning of a type approved PLC, Dipl.-Phys. E. Pofahl ... 137
Improving management of technological risk: reliability certification of safety systems, P. Stavrianidis MSc ... 159
Eliminating the unexpected: the dedicated safety processor, Ing. R.J. Tiezema ... 179
A corporate perspective of industrial safety, Ir. F. van Woerden ... 203
The Seveso-II directive: a brief overview of contents and consequences for major hazards plants, Drs. G.C.M. Lommers ... 217
The study association "dispuut dQ" ... 241
"Reliability of Mechanical Equipment" ... 243
Symposium committee 1996

J.C. Barel, sponsors & visitors
R.P.A. den Boer, symposium chairman
Prof.Dr.Ir. A.C. Brombacher, technical chairman
S.A.E. Ebben, public relations
Ir. M.J.M. Houtermans, speakers
Ir. M.E.P.L. Kuylaars, facilities
Ir. M.P.M.A. Limpens, treasurer
Ir. A.T. van der Meulen (†), secretary
Prof.Ir. J.K. Nieuwenhuizen, advisor
Ir. J.L. Rouvroye, workshop & speakers
Ing. J.M.W.M. Schoonen, facilities

(†) Unexpectedly, Tido van der Meulen passed away on August 26, 1996. After all his contributions to the
symposium and the pleasant cooperation with us, we are sad and bewildered.
Introduction

by

Prof.Dr.Ir. A.C. Brombacher

Reliability of Mechanical Equipment
Eindhoven University of Technology
Prof.Dr.Ir. A.C. Brombacher

Function:
• Professor in "Engineering Reliability of Mechanical Equipment" at EUT
• Senior Scientist, Philips Research Development Support reliability group (section CFT)

Experience:
Aarnout Brombacher has experience in industrial reliability analysis projects and the
development of reliability analysis software, has authored and co-authored several papers
on these subjects and has written a book with the title "Reliability by Design". Since July
1st 1993 he has been professor in "Engineering Reliability of Mechanical
Equipment" at Eindhoven University of Technology. The main task of his job at Philips is
research on, as well as application of, new methods and techniques for reliability
engineering and reliability automation, especially for the early phases of the development
process.

Organisations:
• Member of the NVvB (Dutch association of reliability engineers)
• Member of the American Society of Mechanical Engineers
• Member of NAP (Dutch association of companies in the process and process
equipment industry)
• Voting member of the ISA-SP84 working group for writing a national US Safety
Instrumented Standard
Introduction

(Petro-)chemical processes and oil & gas production sites can harm people and the
environment when running out of control. Protection and fire & gas systems are
expensive, both in initial investment and in maintenance. The 'safety quality', the essential system
size and the validation techniques of the instrumented protection systems in particular are today
the subject of discussion and investigation.
• In the first place, the social communities do not accept risks to life and environment
from industrial activities. They know there will always be a certain risk, but it has to be
as low as possible. The latter is the source of a lot of problems and uncertainty,
because what will be an acceptable risk, and who will make that decision?
• In the second place, the industries do not like to invest heavily in protection systems,
because they consider the costs non-productive and a disturbance of the competitive balance
when not all the industrial players have to meet the same plant safety
requirements.
The last couple of years have shown an increasing interest in the area of safety in the process
industry. Reasons for this increased interest are, for example, accidents like Chernobyl,
Seveso and Bhopal, where failures of industrial processes have affected the health (and
lives) of large groups of people.
These accidents have resulted in strong demands from public opinion to analyse the
potential risks of certain processes before a plant is built. Potential hazards in process
equipment can have enormous consequences for safety and investments, and different
analysis techniques point to totally different solutions. On the other hand, the owners of
plants have to maintain a balance between investments and the pay-off of these investments in
terms of safety.

The purpose of this symposium is:
• to present an overview of the different aspects of safety of industrial process systems
• to compare different methods (qualitative and quantitative) for the assessment of safety
of industrial process systems
• to discuss what methods (and related tools) to use in what situations
• to give guidelines for assessment and certification procedures
The papers presented in this symposium represent viewpoints from government,
academia, certifying bodies, suppliers to the process industry and the process
industry itself.

Prof.Dr.Ir. A.C. Brombacher
(Symposium Chairman)
Reliability of Mechanical Equipment
Eindhoven University of Technology
Aspects of TÜV type certification
and safety-related application of
programmable electronic systems

by

Dipl.-Ing. R.I. Faller

TÜV Product Service GmbH
Department Elektrotechnik, Maschinen, Automatisierung - IQSE
Dipl.-Ing. R.I. Faller

Function:
Manager of the Department 'Elektrotechnik, Maschinen, Automatisierung - IQSE', TÜV
Product Service GmbH

Experience:
• Development engineer at MAN, division "New Technology". Main field of activity:
development of an electronic tracking system for buses in public transport.
• Expert and later general manager at the Institute for Quality and Safety in Electronics of TÜV
Bayern e.V.
• Project leader for safety approvals, e.g. of PLCs and protection systems in the
(petro)chemical industry as well as of electronic control systems in medical, traffic and
conveyor technology.

Organisations:
• Chairman of the committee GK 914 "Computers in safety related systems" of DKE
(German Electrotechnical Commission)
• Collaboration in international standardisation groups such as CEN TC 58 WG 6 and IEC
TC 72 WG 8
TÜV PRODUCT SERVICE

Aspects of TÜV Type Certification
and Safety-Related Application of
Programmable Electronic Systems

Rainer Faller
TÜV Product Service GmbH
Department Elektrotechnik, Maschinen, Automatisierung - IQSE
Internet: www.tuvps.com and Faller@tuvps.com

August 24, 1996

Revision 0.4

Table of contents ... Page

1 Certification of Safety-Related Programmable Electronic Systems ... 22
2 Type certification following IEC 1508 versus type certification following German standards ... 22
2.1 Other important requirements for safety-related Programmable Electronic Systems ... 23
2.2 Impact of IEC 1508 on TÜV type testing and certification ... 25
2.3 Deterministic and Probabilistic Fault Investigations ... 28
2.4 Impact of IEC 1508 and similar standards on the market of safety-related systems and field instruments ... 31
3 Pre-tested building blocks ... 33
4 ISO 9001 and Product Type Certification ... 35
5 Conclusion and Outlook ... 37

TÜV PRODUCT SERVICE GMBH, Electrotechnology, Machinery, Automation - IQSE Department
Ridlerstraße 31, D-80339 München
Phone: +49/89/5791-1801; Fax: -1396
Presentation Eindhoven, Rainer Faller, September 03, 1996
1 Certification of Safety-Related Programmable Electronic Systems

Flexibility and ease of use of software-based systems in the process control field have led
to increased use of these systems not only for non-critical process control but also for
safety-critical applications. The general trend towards more complex automation and
towards controlling processes close to operational limits requires fast and complex reactions
to potentially hazardous situations. These demands can often not be met by the operator in
a timely and reliable way, making automated or semi-automated demand sequences controlled
by a programmable system necessary. On the other hand, current regulatory requirements,
liability risks and general public opinion force operating companies to decrease
the risk potential to much lower limits than in the past.
The burden put on a programmable electronic system (PES) in critical safety functions
makes it necessary to evaluate the appropriateness of a system to safely and reliably execute
its function on demand. The instrumentation and control design is accomplished by
application engineers whose primary function is the overall application design. The evaluation
of the level of safety performance a specific device can provide poses a major or even
unsolvable problem for many plant designers. Recent developments carry this problem
even further: smart field instruments, field buses and networked PESs make it even more
difficult to select suitable system components and configurations for a given project.
The certification of PESs by a knowledgeable independent third party provides one step
in this evaluation process. Using both national and international standards ensures a set of
safety requirements that is generic, generally agreed upon and mainly unambiguous. The
involvement of a third party protects against vendor, user or regulatory bias. The third party
must be open to demonstrate its qualification to end-users and must be interested in
improving its certification program through close interaction with the end-users.
2 Type certification following IEC 1508 versus type certification following German standards

IEC 1508 is the first international standard that specifies a complete and consistent set of
requirements to cover functional safety. It covers the whole safety-related system, not only
parts of it. It specifies high-level procedural requirements on quality management and thus
completes the ISO 9000 series. It also specifies in-depth technical requirements for hardware
and software design and development and quality engineering. And it does not stop at
development but addresses maintenance and product care too. IEC 1508 is more
complete than the German set of standards on functional safety.
IEC 1508 is the first international standard that clearly describes that all parties involved
need to contribute to the safe functionality of an application. It defines possible interfaces
between PES vendors and end-users such as engineering companies and operating
companies.
The life cycle given by IEC 1508 will help to complete and improve ISO 9001 and ISO 9000-3
activities effectively. ISO 9001 gives the framework and IEC 1508 defines the content.
To be meaningfully applied to the safety industry, ISO 9001 and ISO 9000-3 need this level of
detail. It is the first time a standard defines what quality engineering measures are appropriate
for what level of required safety.
IEC 1508 also specifies that the persons responsibly involved in a safety project need to
have demonstrable experience. This is of extreme importance as safety-related applications
will become more complex. Our lives are sometimes in the hands of the operating
companies, the engineering companies, the vendors and the inspection bodies. And it is
getting harder for them as competition often puts money and availability first and safety
later. Thus we need very experienced operators and engineers who can efficiently address
both demands.

2.1 Other important requirements for safety-related Programmable Electronic Systems

Beyond the complexity of functional safety one shall not forget that functional safety is only
one part of the complete safety building. Safety certification must cover all generic safety
aspects of the certified product. Thus a certification incorporating functional safety will well
exceed other test procedures in completeness. TÜV addresses the following verification &
validation segments for safety-related electronics:
1 Functional safety, including
1.1 Safety of the hardware and software
1.2 Safety indications in the user manuals
2 Basic safety, including
2.1 Electrical shock and fire hazard
2.2 Susceptibility to environmental stress
3 Electromagnetic compatibility
(susceptibility and noise emission)
4 Quality engineering in production, field observation and revision handling
(particularly important for software-based systems)
5 Resistance against aggressive media
This test will only be executed if applicable, i.e. mainly for field instruments.
Figure 1 (Important Standards for Safety Related Programmable Electronic Systems)
summarises the most important standards to be fulfilled for a safety certification.

[Figure 1: Important Standards for Safety Related Programmable Electronic Systems. The diagram groups the standards as follows.]
Regulatory frame:
- EU Directives: Machines, Gas / Fuel, Medical, Seveso, EMC, Low Voltage
- German Laws: Gerätesicherheit, Immissionsschutz, Wasserhaushalt
- USA Acts: CFR §29 OSHA 1910, Clean Water Act, FDA GMP, (NEC)
Functional safety: IEC 1508 part 1; IEC 1508 parts 2 and 3; DIN V 19250; DIN V 19251; DIN V VDE 0801 + amendment A1; UL 1998 (the figure marks part of this group as end-user responsibility)
EMC (EMC Directive): EN 50082-2; EN 50081-2; IEC 801-x; EN 55011; NE21
Basic safety (Low Voltage Directive): IEC 1010 or IEC 1131-2 or EN 60204; IEC 68-2-x
Application standards: prEN 954; ISA S84-1; NFPA 85C; NFPA 8502; EN 298; prEN 50158; prEN 50128; prEN 50129


The room for interpretation left by IEC 1508 will still require more harmonisation. Otherwise
the depth of consideration will be as diverse as today. The English FRESCO initiative is an
important first step. The certification and test bodies will have to be accredited for all the
relevant safety standards, which is already the case with TÜV Product Service IQSE.
To address all these requirements, TÜV Product Service IQSE has established a development-concurrent
test procedure that guarantees close interaction with the development
team and the quality engineering persons involved in the PE development. Given the
development costs, it is unacceptably risky for a manufacturer to complete the development
of a PES and only then to submit it for type certification: a single deficiency in the specification
would result in extremely expensive modifications after development.
The development-concurrent procedure relies heavily on the world-wide accepted V-model,
shown in Figure 2 (Development-Concurrent Testing and Certification). It provides the
developer and QE specialists with an easy-to-grasp process flow with a strong interaction
between the development process and the verification & validation. So it supplies a simple
proof of traceability.
[Figure 2: Development-Concurrent Testing and Certification. V-model with the following development stages and their verification counterparts: hazard analysis; safety requirements definition; project and V&V plan; system safety specification; allocation of safety functions with definition of verification procedures; static + dynamic S/W analysis (OOA, SDL, RT-SA) with S/W dynamic test definition measures; circuit diagrams + FMEA with H/W test specification.]
Figure 2: Development-Concurrent Testing and Certification

2.2 Impact of IEC 1508 on TÜV type testing and certification

IEC 1508 has not yet been released as a standard but already has considerable influence on
our type evaluation activities. Many companies specify IEC 1508 as the target to be met for
their future products. Neither the unfinished status nor the status as a generic standard stops
safety experts from considering IEC 1508 as the future safety standard for programmable
electronic systems. This is probably not what the intention of IEC 1508 was, but one could
have foreseen that movement after the success of the German generic standard on
functional safety of programmable electronic systems, DIN V VDE 0801. Considering the
experience with DIN V VDE 0801, one can also foresee that IEC 1508 will enter all fields of
safety-critical applications long before the application standards are modified to include
clear normative references to IEC 1508.
However, the learning curve for new manufacturers and new test houses will be steep. As
the matter of functional safety of PES is rather new and complex, the German standard
DIN V VDE 0801 was written partly as a standard and partly as guidance. That was to make the
learning curve smoother and to give newcomers "prescriptions" for safe designs. IEC 1508,
however, has been written as a pure safety standard. Even the informative annexes do not
help very much if one needs to decide on the set of techniques appropriate for one's
development. Thus manufacturers who are new in the field of safety-related PE(S) will
need more training, or will decide not to enter the safety field. To a certain extent
this has already been initiated by DIN V VDE 0801. The market will convert to more
specialised companies completely committed to safety.
Type evaluation and certification according to IEC 1508 will be different from the German
approach following DIN V 19250 and DIN V VDE 0801. Today's TÜV type certification
approach stems from the German procedure for plant assessment, as shown in Figure 3
(Inspection of safety-critical plant installations in Germany).

[Figure 3: Inspection of safety-critical plant installations in Germany. Legible elements of the diagram: training, TÜV type certification, pre-tested (building blocks), requirements.]

In Germany, plants that bear a high consequence of potential hazards are inspected by
independent application experts from the "Gewerbeaufsichtsamt" (an organisation similar to OSHA
in the USA or the HSE in Great Britain) and TÜV. That covers plants that fall under the German
"Störfallverordnung" (the German transposition of the European Seveso Directive) and large
furnaces and steam production facilities. They assess the process, the mechanics and the
safety instrumented loops. Thus the TÜV type certification could be limited to PES-related
system considerations such as:
• Safety-related input and output configurations
• Safety-related and non-safety-related communication
• Safety procedures for the design and programming of a safety-related application
program
• Special modes of operation such as maintenance override and on-line modification of the
application program
The gap that might have occurred through this clear allocation of tasks has been bridged by
regular training for the application experts and by the TÜV type testing divisions supporting
the application experts in the assessment of difficult safety instrumented loop configurations.
IEC 1508 will force TÜV type certification to consider the system aspect much more.
The consequences are manifold:
• The whole safety instrumented loop will have to be considered, including possible and
recommendable configurations of field instruments
• The required quality and safety management of the engineering companies will have to
be described more thoroughly
• The vendor will have to describe what to consider for his PES during each phase of the
life cycle of the complete installation. This has already been a strong recommendation
for the vendor's safety manual, but now it is a requirement
These are significant improvements for applications where the German or Dutch plant
assessment procedure cannot be assumed.
The emphasis of IEC 1508 on procedural aspects of quality engineering might help to
increase the quality of existing ISO 9001 certified quality management systems. Most often
the development departments were not audited with sufficient knowledge about the
requirements and procedures in the development of safety-related products. Also, the
required competence both in the development team and in the quality engineering team
might help the manufacturer in the end to build up high expertise in their teams. However, it
will require comparable technical competence in the quality engineering team as in the
development team. This might give problems to small companies.
There is also a considerable likelihood that IEC 1508 opens the door for some less positive
or even negative changes. The hardware requirements for SIL1 are less than the present
German requirements. We consider it a significant reduction in safety.
IEC 1508 initiates a procedural change of type testing and certification. The involvement
of the test house in Germany is presently much more intensive than it seems to be in
other parts of the world. Following IEC 1508, the analysis and test work necessary for the
safety demonstration will no longer be executed by the test house but by the manufacturer.
The test house will concentrate on assessment. Today TÜV advises such an
assessment strategy only to experienced manufacturers, as it might have controversial
results. On the positive side, more detailed planning in advance of each development and V&V
(verification & validation) step and clearer specifications of all work packages will take place
at the manufacturer. Also, the detailed safety knowledge developed by the development
team will be more thorough. Today the test house helps considerably in the interpretation
of standards and in the detailed definition of test specifications. On the negative side, the
quality of the type certification might decrease. As assessment can never enter the
development in very much technical detail, the safety of the product relies more on the
competence of the manufacturer than with the German emphasis on deep technical analyses.
Our experience with standards such as ISO 9001 that rely heavily on assessment and audit
is not favourable. Missing expertise at the manufacturers and strong competition between
inexperienced test houses reduce the depth of the audit to the lowest possible common
sense and create a "gold rush mentality". Who will control the quality of the assessment
and certification?
Due to the assessment strategy, IEC 1508 asks for much more documentation. In my
opinion much more documentation will improve the traceability for the assessment but not
the product. With today's need for a shorter time to market, the effort for much more
documentation will take away resources from the design verification.

2.3 Deterministic and Probabilistic Fault Investigations


German safety investigation methods are strongly determined by a deterministic fault
philosophy that requires that:
1. No single fault may lead to a safety critical situation
and, for higher safety requirements,
2. No combination of two or even three faults which do not result in a safety critical
situation by themselves may lead to a safety critical situation.
On the other hand, multi-national operating companies and manufacturers mainly use
probabilistic evaluations. Beyond historical reasons, probabilistic results have the advantage
that they can be directly related to the financial effect of a fault in case of production and
equipment loss.
After lengthy discussion it is now understood by experts from the leading countries in
safety-related automation that each approach has significant shortcomings of its own that
make it impossible to accept either one independently. Results from probabilistic
evaluations may vary dramatically, depending on the method of calculation and the basic
failure rates, whereas the deterministic fault investigation has its foundation in probabilistic
reasoning. IEC 1508 clearly specifies that only a graduated combination of deterministic
and probabilistic procedures will provide the safety integrity required.
IEC 1508 defines requirements for the Probability of Failure-on-Demand.
Table 1: IEC 1508 "Target Failure Measures"

Safety Integrity Level (SIL)   corresponding German Requirements Class (AK)   Probability of Failure-on-Demand
1                              2-3                                            >=10^-2 to <10^-1
2                              4                                              >=10^-3 to <10^-2
3                              5-6                                            >=10^-4 to <10^-3
4                              7                                              >=10^-5 to <10^-4

Since 1992, TÜV Product Service IQSE has stood for the combination of both
approaches. The procedure is shown in Figure 4: Combination of deterministic and
statistical procedures.

Figure 4: Combination of deterministic and statistical procedures
[Figure not reproduced; legible labels: Combination of qualitative and quantitative
evaluations of PES; Quantitative evaluation of instrumented protective loop; hardware FMEA;
system structure; self-test software; self-test interval; no dangerous single fault of PES;
Initiator; Actuator; Part count method; Fault tree analysis (FTA); Markov models;
Probability of Failure on Demand of PES; Revealed Failure rate of PES; Probability of Failure
on Demand; Revealed Failure rate; inputs: repair time, life time, manual test interval, test
duration; structure of instrumented protective loop, coverage rate]

Many people forget that IEC 1508 specifies both "fault count" and probabilistic
requirements. TÜV IQSE developed a procedure for their combination to make the merge of
both views as smooth and cost effective as possible. The procedure is shown in the figure
"Combination of qualitative and quantitative evaluations developed by TÜV PS IQSE".
Using FMEA (Failure Mode and Effects Analysis), FTA (Fault Tree Analysis) and Markov
models, a considerably more accurate model of system reliability is achieved than by the
usual reliability calculations. The method provides justifiable numerical values for the test
coverage due to the thorough knowledge of the automatic checking and the fault reactions
derived from FMEA and software analysis. Also the influence of application-related time
constraints such as Process-Safety-Time and the interval and duration of manual and
automatic checks will be included. Thus it can be used to demonstrate the safety
improvement by automatic checks and to give guidance on how frequently manual tests
shall be executed. This procedure has already been extended together with SHELL for
their internal evaluation of instrumented protective loops.
The structure of a Markov model will be demonstrated with Figure 5: Simplified Markov
model of a 2oo2 system. Human errors in operation and maintenance / repair are not
modeled. The Markov model shown assumes that the operator immediately initiates a repair
action after a revealed failure and that the automatic diagnostics or manual tests of the
channels do not take a significant amount of time, i.e. test duration = 0.

Figure 5: Simplified Markov model of a 2oo2 system
[State diagram not reproduced; abbreviations as given on the page]

Abbreviations

States:
ok   (both) channels are ok
r    revealed failure of one channel
d    detectable failure of one channel
u    unrevealed failure of one channel

State transitions:
μ    (repair time)^-1
     (test interval)^-1 (symbol illegible in the original)
     (life time of the system)^-1 (symbol illegible in the original)
λ    failure rate
λ    rate of unrevealed failures (subscript illegible in the original)
λ    rate of self-annunciating failures (subscript illegible in the original)
c    coverage rate of the automatic diagnostics or manual testing

The Markov model can be transformed to a set of first order differential equations
(footnote 1). Using numeric matrix calculation one can calculate the probability to be in a
particular state. The sum of the probabilities of all states within the area of "(yet)
unrevealed critical failures" represents the Probability of Failure-on-Demand (PFD). The
probability of the state within the area of "revealed failures" represents the Probability of
Nuisance Trips.

Footnote 1: Usually the mathematical evaluation of Markov models requires constant
failure rates. However, numerical evaluation methods are described that allow for failure
rates that change over time [L2].
By its definition of probabilistic target values, IEC 1508 goes considerably farther than the
German risk classification standard DIN V 19250. The definition of periodic maintenance
actions and intervals will be determined by probabilistic evaluations. This will result in more
precise and cost effective procedures.
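As an added example (not code from the TÜV presentation, nor its actual procedure), the following Python script carries the Markov evaluation described in Section 2.3 through numerically for a simplified single-channel model built from the states and transitions named with Figure 5: ok, r (revealed failure, under repair) and u (unrevealed failure, waiting for the manual test), with the rates split by the coverage rate c into a self-annunciating part c*λ and an unrevealed part (1 - c)*λ, μ = 1/repair time and 1/test interval. Instead of integrating the differential equations it evaluates p(t) = p0 · exp(Qt) with a small matrix exponential, takes the time-averaged probability of state u as the PFD, and maps that PFD to a SIL with the bands of Table 1. The three-state model itself, the omission of the d state and the life-time transition, the sample failure rate, coverage, repair time and test interval, and the averaging over one test interval starting from the ok state are all assumptions made for this example, not values taken from the page.

```python
"""Added example: numeric evaluation of a simplified Markov model of one
safety channel and mapping of the resulting PFD to an IEC 1508 SIL.
Not code from the TUV presentation; model and sample values are assumptions."""
import math

# States (names as in the text's Figure 5): ok, r = revealed failure
# (repair in progress), u = unrevealed failure (waits for the manual test).
# The d state and the life-time transition of Figure 5 are left out here.
OK, R, U = 0, 1, 2


def generator(lam, c, repair_time, test_interval):
    """Generator matrix Q (all rates per hour) of the assumed 3-state model:
    ok -> r  at lambda_s = c*lambda       (diagnosed, self-annunciating failures)
    ok -> u  at lambda_u = (1-c)*lambda   (failures that pass the diagnostics)
    r  -> ok at mu = 1/repair_time        (repair starts immediately)
    u  -> ok at 1/test_interval           (manual test reveals it; test duration = 0)."""
    lam_s, lam_u = c * lam, (1.0 - c) * lam
    mu, nu = 1.0 / repair_time, 1.0 / test_interval
    return [[-(lam_s + lam_u), lam_s, lam_u],
            [mu, -mu, 0.0],
            [nu, 0.0, -nu]]


def mat_mul(a, b):
    n = len(a)
    return [[sum(a[i][k] * b[k][j] for k in range(n)) for j in range(n)]
            for i in range(n)]


def mat_exp(m):
    """exp(M) for a small matrix: scale by 2^s, 20 Taylor terms, square s times."""
    n = len(m)
    norm = max(sum(abs(x) for x in row) for row in m)
    s = max(0, int(math.ceil(math.log2(norm))) + 1) if norm > 0 else 0
    a = [[x / 2.0 ** s for x in row] for row in m]
    result = [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    term = [row[:] for row in result]
    for k in range(1, 20):
        term = [[x / k for x in row] for row in mat_mul(term, a)]   # a^k / k!
        result = [[result[i][j] + term[i][j] for j in range(n)] for i in range(n)]
    for _ in range(s):
        result = mat_mul(result, result)
    return result


def transient(q, t, p0=(1.0, 0.0, 0.0)):
    """State probabilities at time t: p(t) = p0 * exp(Q t). This stands in for
    the numerical solution of the first-order equations dp/dt = p Q."""
    e = mat_exp([[x * t for x in row] for row in q])
    n = len(q)
    return [sum(p0[i] * e[i][j] for i in range(n)) for j in range(n)]


def two_state_closed_form(rate_in, rate_out, t):
    """Analytic probability of the failed state for ok <-> failed with the given
    rates, starting in ok at t = 0; used to check the numerical solver."""
    return rate_in / (rate_in + rate_out) * (1.0 - math.exp(-(rate_in + rate_out) * t))


def average_pfd(q, test_interval, steps=200):
    """Time-averaged probability of the unrevealed state over one test interval,
    starting from ok right after a test (trapezoidal rule). The text's PFD is
    the probability mass in the '(yet) unrevealed critical failures' area."""
    total = 0.0
    for k in range(steps + 1):
        p_u = transient(q, test_interval * k / steps)[U]
        total += p_u if 0 < k < steps else p_u / 2.0
    return total / steps


# IEC 1508 target failure measures from Table 1 of the text (PFD bands).
SIL_TABLE = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def sil_from_pfd(pfd):
    """SIL whose band contains the PFD; None outside all bands."""
    for sil, lo, hi in SIL_TABLE:
        if lo <= pfd < hi:
            return sil
    return None


def evaluate(coverage, lam=1e-5, repair_time=8.0, test_interval=8760.0):
    """Sample evaluation with constructed values (lambda = 1e-5/h, 8 h repair,
    yearly manual test). Returns (average PFD, probability of being in the
    revealed state at the end of the interval, SIL)."""
    q = generator(lam, coverage, repair_time, test_interval)
    pfd = average_pfd(q, test_interval)
    p_revealed = transient(q, test_interval)[R]
    return pfd, p_revealed, sil_from_pfd(pfd)


if __name__ == "__main__":
    for c in (0.0, 0.9, 0.99):
        pfd, p_revealed, sil = evaluate(c)
        print(f"coverage {c:4.2f}: PFD_avg={pfd:.2e}  P(revealed)={p_revealed:.2e}  -> SIL {sil}")
```

With the constructed sample values, raising the coverage from 0 to 0.9 and 0.99 moves the channel from the SIL 1 band to SIL 2 and SIL 3, which is the "safety improvement by automatic checks" the text says the method can demonstrate; the closed form for c = 0 (only ok and u are reachable) checks the matrix-exponential solver against the analytic solution.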

2.4 Impact of IEC 1508 and similar standards on the market of safety-related
systems and field instruments
The publication of the German standards DIN V 19250 and DIN V VDE 0801 did change
the way end-users buy and use systems in safety-related applications. Formerly one often
saw combinations of dedicated electronics or relay logic with conventional control systems.
These combinations were trimmed to give safety to a particular application. This has pretty
much gone. End-users buy more and more off-the-shelf safety devices such as safety
PLC's with a large range of possible applications. In the mid '80s multi-national petro-
chemical companies started to investigate programmable protective systems intensively.
In their invitations for bids they ask today for programmable systems certified by TÜV
against the currently available functional safety standards. Also the standardisation
committee of the German chemical industry NAMUR published in 1993 a guideline for the
application of process control systems (NE 31 "Prozeßleittechnik"). Therein programmable
systems are required to have TÜV certification. Even the German nuclear industry now
considers and uses safety PLC's, designed for the process industry, at medium criticality
levels.
Considerable commercial benefits drive the trend towards off-the-shelf safety devices. The
operating companies save investment and engineering costs by general purpose PES
designs and functional safety certification. The development and certification costs will be
split into many applications. The vendors can develop, sell and install many devices with
identical specification. The evolution over the past years triggered by the German standard
DIN V VDE 0801 has shown that even the device costs for complex, safety-related
computer systems dropped dramatically because of this standardization effect. Also the
safety level and the safety-related specification of programmable electronic systems
became comparable. Thus the vendors and engineering companies can concentrate more
on their particular safety and availability requirements of each of the individual applications.
The discussion whether off-the-shelf programmable electronics or home-made solutions will
be used has been decided in favor of off-the-shelf safety-systems - either solid state
systems or safety-PLC's. The decision is simple today, as the market offers a very
complete set of solutions. However the system approach of IEC 1508, DIN V 19251 and
ISA S84.01 emphasizes that also (smart) field instrumentation must comply with the safety
requirements. To increase the plant safety and availability, while reducing manpower,
better and more automated testing shall be provided by the field instrumentation by means
of:
• a high level of self-diagnostics
and
• a high level of measurement diagnostics
and
• transmitting diagnostics results to the Safety Instrumented System
The operating companies argue for single field-element configuration in SIL 1 and SIL 2.
The process hazard analyses of multi-national and German operating companies show that
a large share of safety instrumented loops are SIL 2. SIL 3 will not often be required for
safety loops, and the end-users prefer to configure a SIL 3 loop by using field instruments of
SIL 2 level in a 1oo2, 1oo2D (footnote 2) or 2oo3 configuration. For SIL 2, additional fault
detection means might be needed in the safety-related logic solver or by measurement
diagnostics in the process control system. The vendors and TÜV will have to show that two
SIL 2 compliant field instruments using field-proven measurement technology fulfill the
SIL 3 requirements.
For field instruments the fault analysis must cover much more than electronics. The most
critical failure modes of field instruments are not within the electronics but at the process
interface, such as clogging of the sense lines and corrosion or physical damage.
After intensive discussions with operating companies, TÜV Product Service IQSE went from
a single testing and certification scheme for intelligent field instruments to two schemes that
complement each other. The simpler scheme considers only the sensing and processing
electronics including the safety of the (fieldbus) communication. As none of the present
fieldbus protocols includes all safety provisions required, additional safety shells around the
protocols are needed today. The safety of the mechanics and the process connection is
subject to the measurement diagnostics and to the field-proven design of the initiator.
Measurement diagnostics are provided by different software packages of field instrument
and DCS vendors. Measurement diagnostics can also be achieved by application-oriented
functional diversity (e.g., diverse measurement of temperature and pressure or of flow and
level).
The more comprehensive scheme covers the fault possibilities of the mechanics and of the
process connection. For this it is necessary to compile the appropriate failure modes for
each individual design. TÜV uses the procedure defined by DIN 25448. This procedure
breaks down the complete device / system into sub-units. Then one determines by physical
reasoning and by data books such as the Reliability Analysis Center (RAC) book "Non
Electric Parts Reliability Data" the possible failure modes of each sub-unit. These lists are
then tailored to each individual design. The determination and classification of the
mechanical failure modes follows the product life cycle:
• Systematic errors in design
e.g. Inadequate specification of chemical and physical operating conditions;
Insufficient protection or detection against faulty installation or operating conditions
• Incorrect information given by the user manual
e.g. Incorrect specification of chemical and physical operating conditions;
Incomplete guidance against faulty installation or operating conditions
• Faults in manufacturing
e.g. Defective basic material; Incorrect processing of the material; Incorrect molding
and welding; Incorrect spacing / length / diameter of critical parts
• Faults in engineering and installation
e.g. Inadequate chemical medium; Inadequate physical operating conditions; Incorrect
model chosen; Inadequate installation / position / angle; Sensor and evaluation unit do
not match; Incorrect electrical connection; Incorrect setting / calibration
• Faults during operation
e.g. Aging / wear and tear; Clotting of the sense line; Ice formation; Even / uneven
corrosion / deposition of material; Random breakdown; External noise signal
• Faults introduced by inspection / maintenance
e.g. Incorrect setting / calibration; Inadequate installation; Mechanical damage;
Incorrect electrical connection

Footnote 2: 1oo2D means 1oo2 for discrepancies caused by undetected faults and 2oo2 for
detectable faults. The 1oo2D voting can be realised in the safety-related logic solver.

For SIL 2 compliant field instruments an easy migration to a SIL 3 compliant safety
instrumented loop seems justified.

SIL  AK   Transduction (preparation of the physical or chemical quantity)      Software, communication, electronics
1    2-3  Field-proven measurement technology AND Preventive maintenance        SIL 1 compliant
2    4    Field-proven measurement technology AND Preventive maintenance,       SIL 2 compliant
          OR SIL 2 compliant AND Field-proven measurement technology
3    5-6  Field-proven measurement technology AND Redundancy (1oo2 or 2oo3)     SIL 2 compliant electronics and
          at the safety instrumented loop                                       SIL 3 compliant communication

This new type of field device is designed such that electronic fault possibilities, or mechani-
cal and electronic fault possibilities, are detected by the safety-related PE of the field instru-
ment. The advantages of these field instruments are manifold:
• the field instruments are fail-safe, thus the homogeneous redundancy of field
elements at the process level and the necessary handling by the application
program can be reduced
• preventive manual testing can be reduced as most of the failure modes detected by
periodic inspection will be detected by the integrated PE. That results in additional
benefits such as fewer human errors and lower lifetime costs.
• Appropriate safety-related smart instruments could also lead to de-centralized safety
instrumented functions simpler to understand than centralized layouts. This needs
increased awareness for the safety aspect of future field bus communication.

3 Pre-tested building blocks


The market of safety-related systems is a very conservative business. The development
and inspection teams usually had enough time to do a careful design and safety verification
& validation. Also, as there are no hardware subsystems and software components
available that were designed with safety in mind, each development team has to develop a
safety-related PES from scratch. With the larger market being expected for safety systems,
the time to market at an equivalent quality and safety level will become a more important
issue. To reduce the development time and to cope with the increasing complexity, the
design teams look out for hardware subsystems and software components that can be
integrated into their designs. The time of building blocks is about to arrive!
To reduce the development time significantly, however, the building blocks from third parties
must be designed with safety as a major objective and they must be pre-tested. Safety-
related and pre-tested building blocks can standardize the development of safety applica-
tions for the engineering companies and can ease the development of safety-related soft-
ware for PES in many ways:
1 Application development
1.1 Function libraries to build applications such as burner controls, emergency stop func-
tions or ISO 10418 (footnote 3) safety functions
1.2 Application program development systems for the IEC 1131-3 PLC languages
2 System software development
2.1 Operating systems
2.2 Libraries to implement communication protocols and graphical user interfaces
2.3 Certified high level languages.
The concept of building blocks is an important step in the layered approach of TÜV PS
IQSE to safety-related software. The layered software safety philosophy is shown in Figure
6: Layered Software Safety Philosophy. The software building blocks as listed above can
help considerably in layer 3 "Operating Systems; Libraries", in layer 4 "Embedded Appli-
cation Software; User Interface" and in layer 5 "User Supplied Application Software".

Figure 6: Layered Software Safety Philosophy
[Figure not reproduced; legible labels: Graphical Application Programming using certified
development tools; Certified third-party RT-OS incl. API and protection layers;
SIFT = Software Implemented Fault Tolerance; HIFT = Hardware Implemented Fault
Tolerance; Pre-tested software building blocks (Graphics Libraries and Communication
Protocols); Safety-related User API]

Footnote 3: ISO 10418; Petroleum and natural gas industries; Offshore production
platforms; Analysis, design, installation and testing of basic surface safety systems.

In the hardware domain few activities have been encountered yet. Development teams in
the medical industry have tried to collaborate with hardware subsystem vendors without
much success.

4 ISO 9001 and Product Type Certification


Why Type-Certification, if a Manufacturer already is ISO 9001 certified?
The ISO 9000-range norms have led to the dissemination of the general, planned-in-advance
"quality assurance thinking" (quality management). Earlier, quality assurance was
understood as testing of quality characteristics. Today quality management involves the
design, definition and testing (verification & validation) of clear, quality-creating design and
manufacturing measures that enable a continuous quality improvement during the whole
project (quality engineering), with substantial assistance from the development team. The
designer's objective is foremost to create quality. Quality engineering is supposed to
support him and produce consistent proofs.
The idea of quality management and quality engineering fully corresponds to the proce-
dures in complex software systems stipulated in the chapter above. During the design
process, the validation has to be supplemented by development-concurrent verification. It
is laudable that the different development teams have already accepted the advantages of
systematic procedures and even wish to invest heavily in their improvement.
In the wake of the potentially positive effects, many if not most of the published international
norms and draft standards require the application of ISO 9001-comparable quality assur-
ance procedures for safety-related development at medium to high risk levels. So the user
is quick to believe that by using ISO 9001 certification he will get a high product quality.
Many manufacturers and users also tend to believe that they can reduce the existing type
certification to the auditing of the development cycle and the associated quality engineering.
Yet development teams such as ourselves had to accept the fact that the ISO 9001 certifica-
tion does not make any statements either as to the completeness and adequacy of the
product requirements and design procedures or as to the correctness of the methods of
quality engineering being used. Nevertheless, an ISO 9001 audit guarantees that the end
product was created according to a consistent definition, development and test process.
After all the euphoria and disenchantment, a smart and cost-reducing symbiosis of quality
management system and type testing was born. Following it, one will not only pay close
attention to a certified QM system but also to a product-oriented and consistent procedure
of design and quality engineering.
At the beginning of the project the required product characteristics and its application area
will be defined in detail. After that follows an exact definition of the verification & validation
procedures and methods (V&V) to be applied to the development phases. Besides, as
shown in Figure 2: Development-Concurrent Testing and Certification, we take the V-Model
as the basis for discussion in order to ensure the traceability and the suitability of the
measures. In case the development and quality engineering are competent enough to
apply these procedures and measures, IQSE will first try to prove the safety design and
the necessary V&V means by a development-concurrent, in-depth product audit.

Figure 7: Development-Assistant Product Evaluation and Quality Management (the complete
picture)
[Figure not reproduced; legible labels: Prototype; Standards; Requirements spec.;
Directives, standards; 4.7 Design verification; Requirements; User needs; Order;
Evaluation and ISO 9001 and ISO 9000-3; products; 14. Preventive action; Product]

Unfortunately, some ISO 9001 certification bodies must stand the accusation of trying to
make a quick buck with ignorant customers. Even for manufacturers with clearly safety-
relevant products, e.g., products referenced by EC Directives, ISO 9000 audits had the
only purpose of getting information about formal and consistent quality management proce-
dures on a high level. The propriety of the procedures and measures in the development of
safety-related products and the fulfilment of the "Essential Requirements" were totally
omitted. Exceptions to the rule are audits according to module H of the modular approach
of the EC or according to the respective EC Directive by a Notified Body.
Certifications by ISO 9000-3 "Software", TickIT or ITQS seem to fare better. Besides the
formal consideration of the QA procedures there is an additional consideration of proce-
dures in development, configuration management and field observation of the software
products. Yet there are only spot-checks as to the propriety of the product. As for the
success rate of the models for the continuous improvement of quality management and
quality engineering required by the US Department of Defense (DoD) (Bootstrapping or the
SEI model), there is no sufficient evidence yet that would allow one to pass judgement on a
whole project.
The weak spots of the ISO 9001 certification are simply predestined for those companies
that are developing and dealing in manifold products. Consulting and certification can cover
only a few areas in detail, for cost reasons alone. The other areas must be viewed by
analogy. Thus the development of a PC is lumped together with the development of the
operating system for a safety-related automation system.
There is no intention here whatsoever to criticise the ISO 9001 certification in general. It is
only a call to improve the procedures in the safety-related area and to carefully check the
influences of an ISO 9001 certification upon the relation between the customer and manu-
facturer.

5 Conclusion and Outlook


The international success of the TÜV certification program was mainly achieved by the
benefits resulting from an independently defined interface between users and PES vendors.
Despite the lack of regulatory pressure, the industry voluntarily accepted the certification as
a tool for user / vendor communication. The benefits are mutual to both parties:
• The vendor does not have to provide evaluation samples to the user for each project or
major customer he is bidding on.
• The user can rely on an impartial evaluation of a device and does not have to commit
resources to evaluate a device (or multiple devices from various vendors).
TÜV as an independent, internationally recognized testing agency has been well accepted
to certify devices impartially and objectively.
The introduction of programmable technology into almost every part of the plant widens the
scope of the current certification of PESs (screw-terminal to screw-terminal) and makes it
necessary to include programmable field elements and networked applications. TÜV
established a certification program to offer a broader field of evaluation services such as
smart field instruments, field busses and (application) software components.

Leaf-cutter ants (South and Central America) have their own highways. The males move
along efficiently, like accomplished hauliers, and drag pieces of leaf home. There the
females take charge, under the motto: Together it works better. They cut the pieces into
even smaller snippets, chew them and grow on the leaf mass a dense cover of minuscule
mushrooms: their underground food supply.

We at Gasunie laid more than 11,000 kilometres of transport pipeline invisibly
underground. We manage that road network efficiently and carefully. We keep a constant
eye on it, also from the air. At regular intervals we carry out inspection flights, by
helicopter.
Like a leaf-cutter ant, we also cherish the stock of natural gas, which, by the way, after
more than 30 years of comfortable use is larger than when we started and which will remain
sufficient for many years to come. In doing so, we like to work together, with very many
others.

Together it works better. Gasunie
PLC's in safety related applications

by

Ir. K. Kemps
Honeywell Safety Management Systems BV

Ir. K. Kemps

Function:
Director Sales & Marketing of Honeywell Safety Management Systems BV

Experience:
Kees Kemps has 22 years of experience in the safety business as the active interface between
the users/market and manufacturer/technical realisation: full involvement in requirement
analysis for product development as well as communicating the safety solution to the
market. Various technologies have been developed and supported by HSMS, varying from
relay-based technology and triplicated PLC-based solutions to the latest dedicated
FSC technology.
SAFETY IN THE PROCESS INDUSTRY Honeywell SMS

Safety is mandatory!!

What about the AVAILABILITY of Safety??

• what, why, when and by whom?


• how safe is safe enough?
• who determines the level of safety?
• how can these requirements be met?



SAFETY PERCEPTION

• Who has heard about the VDE V 0801??

• Who has the VDE V 0801 standard in house??

• Who has read the VDE V 0801??

• Who understands the VDE V 0801??

• Who "acts" acc. the VDE V 0801??

STANDARDS
List of applicable (safety) standards over the last 15 years (number of pages).

• TÜV-booklet 180
• DIN V 19250/19251 25/18
• DIN V VDE 0801 180
• IEC 801 240
• DIN VDE 0180 120
• DIN VDE 0110 80
• DIN VDE 0116 110
• SP 84.01 (draft) USA 340
• PES guidelines 150
• etc...
TOTAL NUMBER OF PAGES: 2000

Who validates your safety case?


GERMAN SOCIETY

"SOCIETY"

Manufacturers

BUYING PROCESS

MANUFACTURERS USERS

USERS

PRODUCTION PROBLEMS EXPERIENCED

DISPUTES

CLAIMS AND DISCUSSIONS BETWEEN TWO "PARTNERS"

COMMUNICATION

ONGOING DISPUTE BETWEEN TWO "PARTNERS"

you delivered the wrong product!!!

SOLUTION

2-OUT-OF-3 VOTING
"MR. TÜV"

TÜV and VdTÜV

o non-governmental body

o non-profit body

o "sponsored" by USERS and MANUFACTURERS

o gained expertise to serve the industry

o respected by both USERS and MANUFACTURERS

o Initially there were 11 "regional" TÜV's

o all TÜV's offer their expertise (at cost) to USERS!!

o 2 TÜV's have "proven expertise" on safety assessments for MANUFACTURERS
- TÜV Rheinland Cologne
- TÜV Product Service Munich
TÜV-CERTIFICATE

Use a colored copy of the real certificate

TÜV-CERTIFICATE

• The certificate proves that the product has been assessed:
- by which TÜV??
- according to applicable norms and standards??
• What is the outcome?
- good or bad??
- does it fulfill your requirements??

• If you don't check the relevant aspects, this "piece of paper" only proves that all
bills have been paid by the manufacturer.
TUV-REPORT

• lists all parts of the product which have been assessed


• list of all standards considered with a brief description
• describes how the tests have been executed
• RESULTS OF TESTS ARE STATED

• The last chapter of reports from these 2 "proven" TÜV-bodies states:
- GUIDELINES
- LIMITATIONS in use
- WARNINGS
- RESTRICTIONS

BENEFIT FOR USERS

• know your application and which norms are applicable
• the MANUFACTURER invested time and money to check the suitability of his product acc. norms & standards
• study the report and check the performance according to your requirements
  - 40 pages of "report" text versus 2000 pages of "standards" text
• SAFETY is really covered by knowledgeable bodies!!
• Availability of safety is covered (functional safety)!!
• What about "Availability"??


THE OBJECTIVES

CAPital EXpenditures (CAPEX) + OPerational EXpenditures (OPEX)

MATERIALS
HARDWARE
PEOPLEWARE

THE OBJECTIVES

An interface for AVAILABILITY ($) with SAFETY

APPLICABLE FOR ANY (PETRO)CHEMICAL COMPANY

- AVAILABILITY: SINGLE FAULT TOLERANT FOR CONTINUOUS PRODUCTION
- SAFETY: SINGLE FAULT TOLERANT FOR SAFE OPERATION
- IMAGE: SINGLE FAULT TOLERANT FOR QUANTITY AND QUALITY OF THE PRODUCT AND NO ACCIDENTS
- ENVIRONMENT: SINGLE FAULT TOLERANT TO PREVENT POLLUTION

A "SINGLE FAULT TOLERANT" CONFIGURATION COMPLIES WITH ALL OBJECTIVES
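As an added illustration of the single-fault-tolerant claim on the slide above (example code, not from the Honeywell presentation), a 2-out-of-3 voter over three pressure transmitters shows that one channel failing in the trip direction (a revealed, spurious failure) does not stop production and one channel failing in the no-trip direction (an unrevealed, dangerous failure) does not defeat the trip; the tag names, setpoint and readings are constructed.

```python
"""2-out-of-3 (2oo3) voting of trip initiators, single fault tolerant for
both availability and safety. Added example; tags, setpoint and readings
are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

TRIP_SETPOINT_BAR = 12.0   # constructed high-pressure trip setpoint


@dataclass(frozen=True)
class Channel:
    tag: str        # constructed transmitter tag, e.g. "PT-101A"
    reading: float  # measured pressure in bar


def channel_demands_trip(ch: Channel) -> bool:
    """One channel's vote: trip when the reading reaches the setpoint."""
    return ch.reading >= TRIP_SETPOINT_BAR


def vote_2oo3(channels: List[Channel]) -> Tuple[bool, int]:
    """Return (trip, number_of_trip_votes) for a 2oo3 configuration.

    The trip is taken only when at least two channels demand it, so one
    channel voting wrongly in either direction cannot change the outcome.
    """
    if len(channels) != 3:
        raise ValueError("2oo3 voting needs exactly three channels")
    votes = sum(channel_demands_trip(c) for c in channels)
    return votes >= 2, votes


def discrepancy_alarm(channels: List[Channel], tolerance_bar: float = 0.5) -> List[str]:
    """Tags of channels deviating from the median reading by more than the
    tolerance. The voter masks a single failed channel, so without this
    comparison the failure stays unrevealed; the alarm turns it into a
    revealed failure that can be repaired before a second fault occurs."""
    median = sorted(c.reading for c in channels)[len(channels) // 2]
    return [c.tag for c in channels if abs(c.reading - median) > tolerance_bar]


def scenarios() -> Dict[str, dict]:
    """Constructed readings exercising the single-fault-tolerance claim."""
    def trio(a: float, b: float, c: float) -> List[Channel]:
        return [Channel("PT-101A", a), Channel("PT-101B", b), Channel("PT-101C", c)]

    cases = {
        "normal operation":              trio(10.0, 10.0, 10.0),
        "genuine demand":                trio(13.0, 13.0, 13.0),
        "one channel stuck high":        trio(13.0, 10.0, 10.0),  # spurious vote, outvoted
        "demand, one channel stuck low": trio(13.0, 13.0, 9.0),   # dangerous failure, outvoted
    }
    results = {}
    for name, chs in cases.items():
        trip, votes = vote_2oo3(chs)
        results[name] = {"trip": trip, "votes": votes, "discrepant": discrepancy_alarm(chs)}
    return results


if __name__ == "__main__":
    for name, r in scenarios().items():
        print(f"{name:32s} trip={r['trip']!s:5s} votes={r['votes']} discrepant={r['discrepant']}")
```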


QUALITATIVE

FAULT MANAGEMENT TO MEET OBJECTIVES!!

• Failure Mode Effect Analysis (FMEA)
• Differentiation in failures
  - active/passive
  - revealed/unrevealed
  - hardware/software/peopleware
  - random/systematic/common cause
• Definition of basic failure assumptions to be considered
• Assessed by independent knowledgeable body, i.e. the "proven" TÜVs

DIN V VDE 0801 Requirement Classes

(Figure: table relating requirement classes to safety integrity levels; only the labels SIL1, SIL2 and SIL4 are legible in the extraction.)
QUANTITATIVE

FAULT MANAGEMENT TO MEET OBJECTIVES!!

• PASSIVE METHODOLOGY:
  - QUALITY SYSTEMS
  - QUANTITATIVE ANALYSIS
  - MIL-SPEC COMPONENTS
  - ETC.
• RESULT: RELIABILITY EXPRESSED IN %, THE LEVEL OF COMPETENCE AND THEREFORE THE LEVEL OF INCOMPETENCE.
  - MAINTAINABILITY
  - AVAILABILITY
  - OPERABILITY
  - PROFITABILITY

IEC-1508

(Figure: sources of failure across the safety life cycle: specification failures, design & implementation failures, installation & commissioning failures, operation & maintenance failures, modification failures and random hardware failures.)

Safety Umbrella for the world?


IEC-1508

• Introduction of Safety Management Systems (SMS)
• Introduction of the Safety Life Cycle
• Mandatory: qualitative measures
• In addition: quantitative analysis for verification
• Considers the entire Safety Critical Loop:
  - Sensing element
  - Logic Solver
  - Final element
• Validation and Verification calls for "SMS"
• New terminology:
  - Functionality (for safety and/or availability)
  - "Probability of Failure on Demand" (PFD)
  - "Mean Time To Fail Safe" (MTTFs) (Spurious Trip rate)

HSMS SOLUTIONS
1992 ......... TÜV-Approval AK-4
1995 ......... UL-508 and UL-1998
1996 ......... (pending) SIL2

HSMS SOLUTIONS
1992 ......... TÜV-Approval AK-4/5/6
1995 ......... UL-508 and UL-1998
1996 ......... (pending) SIL3

HSMS SOLUTIONS

FSC™ CONFIGURATIONS OVERVIEW

(Figure: SAFETY acc. DIN V 19250/IEC-1508, configurations ranging from INCREASED to OPTIMAL.)


Overall Safety Life Cycle


AVAILABILITY

SUMMARY
• Check on suitable hardware
  - TÜV-approved according to applicable standards
• Use adequate software tools for programming
  - built-in checks for safety "challenge" engineers on safety
• Use the supporting features of the safety system
  - during design
  - during operation
  - during maintenance
• More guidance/support from the safety system results in less risk with "peopleware"

THIS RESULTS IN HIGHER AVAILABILITY!!!!
The importance of field instrumentation in safety instrument systems

by

Ing. L. Korteweg
Shell International Oil Products BV

59
Ing. L. Korteweg

Function:
Senior Instrument Engineer, Shell International Oil Products BV

Experience:
In the instrumentation department focal point for Honeywell matters and responsible for all subjects related to Instrumented Protection. Joined Shell in 1976. Had assignments in The Hague, Singapore, Oman, The Hague and Hong Kong and returned to The Hague in 1991 to take up present position. Worked in the fields of Project Engineering, Construction, Maintenance and General Instrumentation Service.

Organisations:
Is a member of the IEC 1511 committee 'Application Specific Standard on Process Control - Functional Safety Requirements for E/E/PES Safety-Related Systems for the Process Industries'.
TABLE OF CONTENTS
1. INTRODUCTION  65
1.1. SCOPE  65
1.2. DISTRIBUTION, INTENDED USE AND REGULATORY CONSIDERATIONS  65
1.3. DEFINITIONS  65
1.4. ABBREVIATIONS  68
1.5. CROSS-REFERENCES  68
2. GENERAL  69
3. INSTRUMENTED PROTECTIVE FUNCTIONS CLASSIFICATION METHODOLOGY  70
3.1. BACKGROUND  70
3.2. THE CLASSIFICATION PROCESS  70
4. IMPLEMENTING THE CLASSIFICATION RESULTS  81
4.1. INTRODUCTION  81
4.2. GENERAL RULES  81
4.3. IPF CLASS OF INITIATOR, LOGIC SOLVER AND FINAL ELEMENT  83
4.4. BASIC IMPLEMENTATION STEPS  83
5. IMPLEMENTATION OF PROCESS UNIT RELATED INSTRUMENTED PROTECTIVE FUNCTIONS  85
5.1. GENERAL  85
5.2. INITIATOR  85
5.3. INSTRUMENTED PROTECTIVE SYSTEM  87
5.4. FINAL ELEMENT  89
5.5. CABLING  90
5.6. HUMAN-MACHINE INTERFACE  90
5.7. COMMUNICATION INTERFACES WITH OTHER SYSTEMS  91
5.8. MAINTENANCE OVERRIDES  92
5.9. OPERATIONAL OVERRIDES  94
6. IMPLEMENTATION OF FIRE GAS AND SMOKE DETECTION INSTRUMENTED PROTECTIVE FUNCTIONS  95
6.1. GENERAL  95
6.2. INITIATOR  95
6.3. INSTRUMENTED PROTECTIVE SYSTEM  95
6.4. FINAL ELEMENT  95
6.5. CABLING  95
7. TESTING  96
7.1. CLASSIFICATION RESULTS AND TEST PHILOSOPHY  96
7.2. TEST COVERAGE FACTORS  97
7.3. INITIATOR TESTING  97
7.4. LOGIC SOLVER TESTING  97
7.5. FINAL ELEMENT TESTING  97
7.6. AUTOMATIC TESTING  98
8. IPF CALCULATION METHODOLOGY  100
8.1. GENERAL  100
8.2. ASSUMPTIONS  100
8.3. INPUTS INTO THE CALCULATION METHODOLOGY  100
8.4. OUTPUTS OF THE CALCULATION METHODOLOGY  102
8.5. CALCULATION OF TEST INTERVAL - SPECIAL CASES  102
9. MAINTENANCE  104
9.1. INTEGRITY  104
9.2. TEST PROCEDURES  104
9.3. TEST RESULTS  104
9.4. SCHEDULED MAINTENANCE  105
9.5. TRIP REPORTS  105
9.6. MODIFICATIONS  105
9.7. AUDITS  105
10. REFERENCES  106
APPENDICES
APPENDIX 1 SUGGESTIONS ON HOW TO SET UP A CLASSIFICATION EXERCISE  107
FIGURES  108

1. INTRODUCTION

1.1. SCOPE
This document specifies requirements and gives recommendations for classifying
Instrumented Protective Functions and implementing them.

1.2. DISTRIBUTION, INTENDED USE AND REGULATORY CONSIDERATIONS


This document is intended for use in the process industry.
If national and/or local regulations exist in which some of the requirements may be more
stringent than in this document, the Contractor shall determine by careful scrutiny which
of the requirements are the more stringent and which combination of requirements will be
acceptable as regards safety, environmental, economic and legal aspects. In all cases
the Contractor shall inform the Principal of any deviation from the requirements of this
document which is considered to be necessary in order to comply with national and/or
local regulations. The Principal may then negotiate with the Authorities concerned with
the objective of obtaining agreement to follow this document as closely as possible.

1.3. DEFINITIONS

1.3.1. General definitions


The Contractor is the party which carries out all or part of the design, engineering,
procurement, construction, commissioning or management of a project or operation of a
facility. The Principal may undertake all or part of the duties of the Contractor.
The Manufacturer/Supplier is the party which manufactures or supplies equipment and
services to perform the duties specified by the Contractor.
The Principal is the party which initiates the project and ultimately pays for its design
and construction. The Principal will generally specify the technical requirements. The
Principal may also include an agent or consultant authorised to act for, and on behalf of,
the Principal.
The word shall indicates a requirement.
The word should indicates a recommendation.

1.3.2. Specific definitions


Demand
A process or equipment condition or event which requires the Instrumented Protective
Function to take action to prevent a Hazardous Situation.
Failure
Actual performance falls short of specified performance.
Final Element
A device or combination of devices that manipulate a process variable or attract the
attention of the operator to achieve risk reduction. The Final Element includes output
cards or output relays, solenoid valves and cabling. Examples are valves, switchgear
(rotating equipment stop circuits) and alarms.
Frequency of Demand
The frequency at which Demands occur. Dimension (time⁻¹).

Hazardous Situation
The potential to cause harm, including ill health and injury, damage to property, products
or the environment, production losses or increased liabilities.
Hazard Rate
The frequency at which Hazardous Situations occur. Dimension (time⁻¹).
Hazard Rate = Frequency of Demand × Probability of Failure on Demand
Initiator
A device or combination of devices that indicates whether a process or equipment item is
operating outside the operating envelope. The Initiator includes input cards and input
relays. Examples are manual switches, position switches and measurement systems
(including process connections, sensors, transmitters, cabling, trip amplifiers or input
cards etc.).
Instrumented Protective Function
A function comprising the Initiator function, Logic Solver function and Final Element
function for the purpose of preventing or mitigating Hazardous Situations.
Instrumented Protective Function Class
Unrevealed Failure class I, II, III, IV, V, VI and X, plus Revealed Failure class F or N,
detailing the requirements for an Instrumented Protective Function.
Instrumented Protective System
The electromechanical, electronic and/or programmable electronic Logic Solver
component of the Instrumented Protective Function, complete with input and output
equipment.
Logic Solver
The portion of an Instrumented Protective Function which performs the application logic
function. The Logic Solver excludes trip amplifiers, input cards and output cards.
Examples are electromechanical relays, solid-state/magnetic-core logic and the Central
Processing Unit (CPU) section of programmable electronic systems.
Mitigation
Makes a consequence less severe or relieves consequences.
Permissive
The result of a check on whether or not a combination of conditions is healthy, to allow
the Logic Solver to proceed with the next step in a sequence.
Probability of Failure on Demand
The probability of the Instrumented Protective Function failing to respond to a Demand.
Dimensionless.
Process Safety Time
The period of time in which the process can be operated without protection and with a
demand present, without entering a Hazardous Situation. Dimension (time).
Revealed Failure
A failure whose occurrence is inherently apparent.
Revealed Failure Robust
A configuration in which plant availability is not jeopardised by the Revealed Failure of a
single IPF component.
Risk
The Hazard Rate multiplied by the consequence of a Hazardous Situation.
Trip
An Instrumented Protective Function action to bring the Final Element(s) to a safe state.

Unrevealed Failure
A failure which is dormant in the Instrumented Protective Function and can only be
revealed when the system has to perform a certain action or through testing.
Unrevealed Failure Robust
A configuration in which plant safety is not jeopardised by the Unrevealed Failure of a
single IPF component.
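A worked calculation of the definitions above, as an added example that is not part of the original paper: it applies Hazard Rate = Frequency of Demand × PFD and Risk = Hazard Rate × consequence, and adds the standard single-channel approximation PFD_avg = λ_du·T/2 (dangerous unrevealed failure rate times proof-test interval, halved) together with the IEC 1508 low-demand PFD bands, both assumptions not stated on this page; the failure rate, demand frequency and consequence value are constructed.

```python
"""Hazard rate, risk, PFD and proof-test interval for an IPF.
Added example; PFD_avg = lambda_du * T / 2 and the SIL/PFD bands are
assumptions, and all numeric inputs are constructed."""

# Assumed IEC 1508 low-demand PFD bands, SIL -> (lower bound, upper bound).
SIL_PFD_BANDS = {
    4: (1e-5, 1e-4),
    3: (1e-4, 1e-3),
    2: (1e-3, 1e-2),
    1: (1e-2, 1e-1),
}
HOURS_PER_YEAR = 8760.0


def pfd_avg_single_channel(lambda_du_per_hour: float, test_interval_h: float) -> float:
    """Average PFD of one channel whose dangerous unrevealed failures (rate
    lambda_du) are only found at the proof test every test_interval_h hours.
    The linear form is valid for lambda_du * T << 1, which is checked."""
    if lambda_du_per_hour < 0 or test_interval_h <= 0:
        raise ValueError("need lambda_du >= 0 and test interval > 0")
    if lambda_du_per_hour * test_interval_h > 0.1:
        raise ValueError("lambda_du * T too large for the linear approximation")
    return lambda_du_per_hour * test_interval_h / 2.0


def hazard_rate_per_year(frequency_of_demand_per_year: float, pfd: float) -> float:
    """Hazard Rate = Frequency of Demand * PFD (dimension time^-1)."""
    return frequency_of_demand_per_year * pfd


def risk_per_year(hazard_rate: float, consequence: float) -> float:
    """Risk = Hazard Rate * consequence (consequence here in USD)."""
    return hazard_rate * consequence


def sil_for_pfd(pfd: float) -> int:
    """SIL whose band contains pfd; 0 if pfd >= 0.1 (no SIL claim).
    A PFD below the SIL 4 band is treated as SIL 4 here, not more."""
    if not 0.0 < pfd < 1.0:
        raise ValueError("PFD must be a probability in (0, 1)")
    for sil in (4, 3, 2, 1):
        if pfd < SIL_PFD_BANDS[sil][1]:
            return sil
    return 0


def max_test_interval_h(lambda_du_per_hour: float, pfd_target: float) -> float:
    """Longest proof-test interval keeping the single-channel PFD_avg at or
    below pfd_target (inverse of pfd_avg_single_channel)."""
    if lambda_du_per_hour <= 0:
        raise ValueError("lambda_du must be > 0")
    return 2.0 * pfd_target / lambda_du_per_hour


def worked_case() -> dict:
    """Constructed high-pressure trip loop: lambda_du = 2e-6 per hour,
    annual proof test, 0.5 demands per year, 2 MUSD consequence."""
    lam, t_annual, demands, consequence = 2e-6, HOURS_PER_YEAR, 0.5, 2.0e6
    pfd = pfd_avg_single_channel(lam, t_annual)
    hr = hazard_rate_per_year(demands, pfd)
    return {
        "pfd": pfd,                                           # 0.00876
        "sil": sil_for_pfd(pfd),                              # 2
        "hazard_rate_per_year": hr,                           # 0.00438
        "risk_usd_per_year": risk_per_year(hr, consequence),  # 8760
        # Interval at which the PFD reaches the upper edge of a band: the
        # annual test (8760 h) stays inside SIL 2, while SIL 3 would need a
        # proof test every 1000 h (about six weeks) or a different architecture.
        "test_interval_h_at_pfd_0_01": max_test_interval_h(lam, SIL_PFD_BANDS[2][1]),
        "test_interval_h_at_pfd_0_001": max_test_interval_h(lam, SIL_PFD_BANDS[3][1]),
    }


if __name__ == "__main__":
    for key, value in worked_case().items():
        print(f"{key:30s} {value}")
```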

1.4. ABBREVIATIONS
AK Anforderungsklasse (requirement class)
CAPEX Capital expenditure
CPU Central processing unit
DCS Distributed control system
DIN Deutsche Industrie Norm (German industrial standard)
ESD Emergency shutdown
FGS Fire gas and smoke detection and protection system
FLO Functional logic diagram
HAZOP Hazard and operability study
HSE Health, safety and environment
IEC International Electrotechnical Commission
IPF Instrumented protective function
IPS Instrumented protective system
MOS Maintenance override switch
MVC Measurement validation and comparison
NDE Normally de-energised
NE Normally energised
NRV Non-return valve
OOS Operational override switch
OPEX Operational expenditure
PC Personal computer
PEFS Process engineering flow scheme
PFD Probability of failure on demand
PLC Programmable logic controller
SER Sequence of events recorder
SIL Safety integrity level
TSO Tight shut off
TÜV Technischer Überwachungsverein (German body, translates to
Technical Inspection Agency).
NOTE: Throughout this document, reference to TÜV means either TÜV Bayern or TÜV Rheinland.

USD United States Dollars
UZ Tag numbering system to indicate IPF group
VDU Visual display unit

1.5. CROSS-REFERENCES
Where cross-references to other parts of this document are made, the referenced
section number is shown in brackets. Other documents referenced in this document are
listed in (10.).

2. GENERAL

Instrumented Protective Functions are implemented on the basis of:


- the requirements laid down in design books;
- proper and proven engineering design;
- experience;
- results of HAZOP studies and technical desk HSE reviews.
A formal classification method is required to:
- Remove uncertainties regarding the safety integrity, cost effectiveness and availability
of IPFs for present and new designs and installations.
- Provide an audit trail and thus traceability.
- Ensure that designs are of a suitable technical standard but not over-engineered.
- Form a basis for maintenance strategies such as test frequencies.
Summarising, this document is intended to guide users to a safe, cost effective and
consistent design, implementation and maintenance strategy for IPFs.
Application of the IPF classification methodology should, for existing plants, be justified
by a management directive to have fit-for-purpose IPFs with minimum manpower. For
new projects it is justified by the project requirement to have a fit-for-purpose, cost
effective design.
For existing plants, it is not possible to justify a classification exercise on the basis of
reduction in manpower as it is impossible to indicate before performing the exercise
whether or not the existing installation is fit-for-purpose in terms of safety.
The classification methodology described in this document is developed based on the
German standard DIN V 19250 and the work done by IEC Sub-Committee 65A, see
IEC/65A draft 1508, and has been tested on real process unit cases. The report of this
test is covered by a separate document.
Where applicable, local authority or insurance company approval shall be obtained to
apply the method of classification and implementation described in this document.
This document shall not be used to justify replacement of relief valves by IPFs.
The term "safeguarding" is used in this document only when it relates to Instrumented
Protective Functions as well as to protective equipment of a mechanical nature such as
non-return valves, relief valves and bursting disks.

3. INSTRUMENTED PROTECTIVE FUNCTIONS CLASSIFICATION METHODOLOGY

3.1. BACKGROUND
The initial risk in operating a process unit or a piece of equipment can be reduced by
facilities other than an IPF, such as increased wall thickness for high pressure protection,
resulting in an intermediate risk. See Figure 1. If this intermediate risk is lower than a
tolerable risk, an IPF is not required. If the intermediate risk is higher than a tolerable
risk, an IPF is required to reduce the risk. Such a tolerable risk level is determined by
sound current practice.
A protection system can be mechanical (relief valves, bursting discs, etc.) and/or
instrumented (IPF). In most designs both types of protection systems are applied, with
the mechanical system being the last line of defence wherever possible.
The requirement for an IPF results from proper design practices which are checked by
the technical desk HSE review or the HAZOP study. This document provides a
methodology to classify these IPFs. It is not intended to replace the quantitative risk
assessment, technical desk HSE review or the HAZOP study.
The consequence of an IPF failing on demand is discussed during a technical desk HSE
review or a HAZOP study and is also one of the basic inputs to the classification
methodology. The classification exercise could therefore be an extension of a technical
desk HSE review or a HAZOP study.
The full process of classification and implementation of IPFs is indicated in Figure 2 and
Figure 3. Comparison of these two figures shows that the classification methodology
described in this document removes the requirement to provide a tolerable hazard rate
for each IPF, and removes the requirement for accurate calculation of the frequency of
demand on each IPF.

3.2. THE CLASSIFICATION PROCESS

3.2.1. General
The IPF classification and implementation methodology should be applied during
development of the PEFSs and the safeguarding narratives, i.e. during the Basic Design
and Engineering Package (BDEP) or Project Specification phase.
Following the technical desk HSE review or HAZOP study, a comprehensive IPF
classification exercise shall be performed.
The IPF classification and implementation methodology can also be applied to existing
plants, generating the benefits as described in (2.).
A well-developed issue of the following documents shall be available to the team
performing the classification:
- process and utility engineering flow schemes (PEFSs);
- safeguarding memorandum with process safeguarding flow schemes (PSFSs);
- safeguarding narratives;
- cause and effect matrices.
Controls which protect process units or equipment from operating outside the operating
envelope, such as minimum flow control and maximum or minimum pressure control, are
not IPFs. It is therefore not required to classify these controls. If present, alarms and
switch functions related to these controls shall be classified.
Appendix 1 gives suggestions on how to set up a classification exercise.

3.2.2. IPF classification team
The team performing the IPF classification shall be kept small. Competent personnel
responsible for the subjects of process technology, process safety, operations and
process control shall form the team. Other disciplines, e.g. rotating equipment specialists,
shall be consulted as required, e.g. when the IPFs of a compressor are classified.
A facilitator shall be appointed. The task of the facilitator is to guide the team through the
classification steps and to ensure that every step is recorded to the satisfaction of all
team members before the next step is dealt with.
The facilitator shall be familiar with the classification methodology as described in (3.)
and (4.).

3.2.3. IPF and loop


An IPF consists of the initiating, logic solver and final element functions. Alarms, not
related to automatic trips, and switching functions are also considered IPFs.
An IPF loop consists of the hardware, initiator, IPS or, in the case of alarms, DCS and
final element and the utilities such as power and instrument air supply required to
perform the IPF.
NOTES: 1. The hardware and software implementation of the IPF is by one or more IPF loops.

2. An IPF may consist of a combination of IPF loops. For example a backflow protection function may consist of
low flow and low differential pressure initiators and two valves.

3. For permissives, valves or rotating equipment stop circuits are not necessarily the final element; the logic solver
may be the final element.

The classification shall be performed for each IPF. For an IPF consisting of one initiator
and one final element this is straightforward. Functions shall be extracted as indicated in
Figure 4 and Figure 5. With more than one initiator function and more than one final
element function, a combination of these two figures shall be applied.
Independent functions with a common initiator or a common final element shall be
classified individually assuming the other functions are operating properly.
It shall be noted that the logic solver may consist of more than one UZ block. For
example, a recycle gas low flow trip that trips the compressor and, via the compressor
and feed pump UZ blocks, also trips the feed pump.
As a starting point it may be taken that, in addition to alarms, every 'x' on the cause and
effect matrix is a function. This is not valid for functions consisting of more than one
initiator or more than one final element. To ensure that all functions have been classified,
the classification report shall be checked against the final functional logic diagrams.
To save time required for classification, the IPFs to be classified should be identified and
the IPF identification section of the classification report, see Figure 8, should be
completed before the team convenes for the classification exercise.
The number of IPFs to be classified if UZs are connected together as shown in Figure 6,
can grow dramatically. Figure 6 also shows how the classification effort can be reduced.
It is beneficial to prepare this type of diagram, known as a "spider diagram", giving an
overview of all IPFs in a unit, as preparation for a classification exercise.

3.2.4. IPF classification procedure

3.2.4.1. General
The classification methodology is split into two parts:
- classification of IPF unrevealed failures (failures on demand, which are safety
related);
- classification of IPF revealed failures (often called 'nuisance' or 'spurious' failures,
which are related to economics).
The classification of IPF unrevealed failures is further split into:
- consequences related to personnel safety;
- consequences related to production and equipment loss;
- consequences related to the environment.
The basis of the classification methodology is the risk diagram related to personnel
safety published in DIN V 19250. Applying this risk diagram to an IPF results in a
requirement class (AK class) for that function. AK classes, however, are not easily
translated to implementation requirements for IPFs.
The DIN risk diagram was adopted by IEC/SC65A draft 1508, in informative annex D,
which uses Safety Integrity Levels (SILs) as the result of applying this diagram. These
SILs are related to Probability of Failure on Demand ranges. These PFD ranges can be
applied to calculate whether the implementation and maintenance strategy results in an
IPF of sufficient integrity.
NOTE: The informative annex D in IEC/SC65A draft 1508 indicates a general risk graph implementation and an example.
The example is the same as the DIN V 19250 version but with heavier weighting of the more severe consequences,
and has been selected for this document with minor changes.

The IEC/SC65A draft 1508 relates the SIL not only to probabilistic PFD requirements, but
also gives deterministic requirements which, as far as applicable, have been
incorporated in this document.
Risk diagrams have been added in this document for production and equipment loss and
for environmental consequences. Although the added risk diagrams are not related to
IEC/SC65A draft 1508, they shall not be changed without the approval of the Principal.
In line with the risk diagrams, diagrams to classify IPF revealed failures are also included
in the methodology promoted in this document.
The full IPF classification methodology is indicated in Figure 7.
All IPFs, including alarms, shall be classified.
Classification of pre-alarms is not required. For pre-alarms it shall be confirmed that
corrective operator action to avoid the IPF action is feasible. If this is not the case, the
pre-alarm may be deleted. The result of this confirmation shall be recorded, preferably in
the classification report.
NOTE: It may not always be apparent that operator action is feasible. If, for example, an IPF action (pre-alarm) would occur
if a controller setpoint is increased too much, operator action to avoid another IPF action (shutdown) is feasible by
reducing the setpoint again.

3.2.4.2. Consequences
The consequences of IPF failure on demand and IPF revealed failure shall be recorded
as general descriptions. The descriptions shall be clear and unambiguous, such that
another expert is able to follow the reasoning for selecting the routes in the risk diagrams
described in the next sections.
If the failure on demand of an IPF has multiple consequences, all consequences shall be
classified and the most stringent IPF class shall be selected for that function. If the
demand has different causes, the consequences of failure on demand will usually be
different as well, requiring a classification for all causes and consequences.
Attention shall be paid to the fact that the location of a plant may have an impact on the
consequences, e.g. the difference between onshore and offshore production
installations, manned and unmanned operation, close to or far from the fence.

For permissives used in batch processes and sequences, two types of failures are
relevant:
- The permissive indicates that the conditions are safe to proceed while the actual
conditions are not safe to proceed. This failure is an unrevealed failure in terms of
classification. The consequence shall be described under consequence of failure on
demand.
- The permissive indicates that the conditions are not safe to proceed while the actual
conditions are safe to proceed. This failure is a revealed failure in terms of
classification. The consequence shall be described under consequence of revealed
failure.

3.2.4.3. Unrevealed failures

3.2.4.3.1. Frequency of demand


A demand on an IPF may be caused by instrument malfunction, operator error, etc.
After recording the consequences, the first question to be answered by the classification
team is: how often is the IPF activated (W classification)? The IEC/SC65A draft 1508
describes the frequency of demand in qualitative terms: very low, low and relatively high.
This document has added quantitative demand frequencies.
The following rules are applicable:
- With proper control and when the dynamic behaviour of the process is known, the
frequency of demand may be taken as W2.
- A classification of W1 requires a special justification describing why it is so low.
IEC/SC65A draft 1508 indicates that the control system that is the basis of such a low
frequency of demand shall be a safety-related system fulfilling all requirements laid
down for these systems in IEC/SC65A draft 1508. This is not the case for the majority
of DCS systems. Effective W reduction as described below does not fall under this
rule.
- Another description for W1 is that a demand on the IPF may happen, but in a typical
unit it is unlikely to happen during the lifetime of the unit.
- In batch processes valves are closed and opened frequently by the batch controller.
Situations exist where a certain valve position is a permissive to proceed with a next
step, because starting the next step with the valve in another position would give a
hazardous situation. The frequency of demand is not the frequency of the valve close
commands, because a real demand is present only when the batch controller fails to
signal the valve to move to the safe position or the valve fails to move to the safe
position. The frequency of demand shall therefore be taken as W2.
- It may be taken into account that one NRV used in a clean and non-corrosive duty
reduces the frequency of demand on a backflow protection system typically by a
factor of 10, and two different makes and types of NRVs in series reduce the
frequency of demand typically by a factor of 50. The latter is not a factor 100 because
of common mode failures not related to make and type. Note that NRVs are
considered safety-related, but the IEC/SC65A draft 1508 does not detail requirements
for these external risk reduction facilities.
NOTE: It is assumed that the small leakage of an NRV can be accommodated by e.g. a fire relief valve.
- If the potential consequence occurs in less than one in ten of the demand cases the
frequency of demand may be reduced by one level. The maximum number of
effective W reduction steps is 1.
EXAMPLE: A furnace explosion due to sub-stoichiometric firing occurs in less than 10% of the demand cases; the frequency
of demand on the sub-stoichiometric firing IPF is W2, which may effectively be reduced to W1.

3.2.4.3.2. Personnel safety


To classify the IPF related to personnel safety, the following three questions shall be
answered:
(i) What is the potential extent of human injury per demand if the IPF fails on demand,
i.e. when a hazardous situation occurs? If there is no injury (S0), the IPF is not
required regarding personnel safety and this part of the classification is finished. Any
other S-value leads to a next step in the personnel safety risk diagram. If there is the
remotest chance that two persons may die (i.e. if it cannot be excluded that the
person may be accompanied by a second person), S2 should be selected.
(ii) What is the duration of presence of the person(s) who may be injured in the area
affected by the possible hazardous situation? A2 shall be selected when the
person(s) are likely to be present at the time of the hazardous situation, e.g. the
demand occurs during local manual start or the hazardous situation may occur after
the person(s) have arrived on the scene to investigate a developing abnormal
situation. For S1 and S4 this step is not required.
(iii) What are the possibilities for the person(s) who may be injured to avert the
hazardous situation? This step is only required for S2. Note that the possibility to
avert a hazardous situation should not be uprated from G2 to G1 on the assumption
that the person will wear personal protective equipment, unless it is certain that the
protective equipment will be worn. Usually, systems are designed on the assumption
that the use of such equipment is not absolutely required to achieve a sufficient
degree of safety, although it is recognised that it can improve safety still further.
If the result of the classification is S0, the IPF is not required for personnel safety. For
other results, following the risk diagram along the lines of S, A and G, the IPF class for
the function related to personnel safety can be obtained from the relevant W column.

3.2.4.3.3. Production and equipment loss


A diagram is provided in Figure 7 to classify production and equipment loss.
A more detailed description of the potential production and equipment loss (L) selections
is indicated below. Damage refers to direct hardware replacement and repair cost and
also to consequential losses due to down time.
L0 - No operational upset or no damage to equipment.
Not sufficient upset or damage to justify an alarm, e.g.:
- Little or no upset or damage at all.
- A failure of the controller will result in an alarm elsewhere.
L1 - Minor operational upset or minor damage to equipment.
Minor operational upset, e.g.:
- Off-spec product.
- Relief case of medium quantity.
Minor damage to equipment, e.g.:
- Cavitation of a conventional pump on low suction level.
- Longer term moderate or major damage to essential or non-essential
equipment, allowing ample time (minimum one day) for operator action.
L2 - Moderate operational upset or moderate damage to equipment.
Moderate operational upset, e.g.:
- Upset in a utility affecting other units such as liquid in an off-gas stream to the
fuel gas system.
- Relief case of a large quantity or relief case of medium quantity of highly
valuable products.
Moderate damage to equipment, e.g.:
- Overpressure resulting in minor loss of containment (e.g. gasket leaks) if the IPF
is the final protection because the installation of a mechanical relief device is not
possible or practical.
- Cavitation of a spared high speed or multi-stage pump.

L3 - Major operational upset or major damage to equipment.
Major operational upset, e.g.:
- An immediate large relief case that would cause violent high energy release
such as vapour breakthrough from high to low pressure, e.g. hydroprocessing
units, high pressure solvent treating units etc.
- Process fluid overflow.
- Solidification of product in a large unheated piping system requiring major
corrective action.
- Non-costly repair required of essential unspared equipment.
Major damage to equipment, e.g.:
- Costly repair required of major spared equipment or non-essential equipment.
L4 - Damage causing major loss of containment or damage to essential equipment
causing major economic loss.
Damage causing major loss of containment (rupture), e.g.:
- Excessive over-temperature such as exotherms and runaway reactions.
- Over-pressure resulting in major loss of containment if the IPF is the final
protection because the installation of a mechanical relief device is not possible
or practical.
Damage to essential equipment which from a damage point of view is similar to L1,
L2 or L3, but could cause a major economic loss (millions of US Dollars) due to the
disabling of essential unspared equipment for an extended repair or replacement
period, e.g.:
- Suction vessel high level IPF on a recycle gas compressor.
- Low suction level IPF of a multistage, high speed HCU feed pump.
- Furnace or boiler protection.
NOTE: For extreme economic losses, the IPF class may be increased by one step to ensure an appropriate cost-
benefit ratio.

If the result of the classification is L0, the IPF is not required for production and
equipment loss. For other results, the IPF class can be obtained from the diagram by
selecting the point corresponding to the L and W.

3.2.4.3.4. Environment
A diagram is provided in Figure 7 to classify environmental consequences.
A more detailed description of the potential environmental consequence (E) selections, is
indicated below:
E0 - No release or release with negligible damage to the environment.
No release at all or a very minor release that is below the environmental quality
standard, not even justifying an alarm, e.g.:
- A very small release from a flange gasket or from a valve stem seal without
blow-out of gasket/seal material.
E1 - Release with minor damage to the environment that should be reported.
A release that is not very severe but is large enough to be reported to plant
management or to local authorities, e.g.:
- A moderate leak from a flange gasket, a valve stem seal, a pump or compressor
seal, a small bore connection, a relief valve blowing hydrocarbons into the
atmosphere.
- Small-scale liquid spill contained on the location or platform.
- Small-scale soil pollution without affecting ground water.

E2 - Release within the fence with significant damage to the environment.
Significant loss of containment that damages the environment on the premises but
not outside the fence, e.g.:
- A cloud of obnoxious vapour travelling beyond the unit limit following flange
gasket blowout, compressor seal failure etc.
- A liquid release that is not collected in the drain system and could affect ground
water locally or could spill into a river or sea.
E3 - Release outside the fence with temporary major damage to the environment.
Major loss of containment travelling outside the premises causing environmental
damage that can be cleaned up without lasting consequences, e.g.:
- A vapour or aerosol release with or without liquid fallout that causes temporary
damage to plants, fauna or property, following venting to atmosphere, liquid
entrainment from flare, etc.
- Solids (dust, catalyst, soot, ash) fallout following an operational plant upset.
- Liquid spill into a river or sea.
E4 - Release outside the fence with permanent major damage to the environment.
Major loss of containment travelling outside the premises causing environmental
damage that cannot be cleaned up without lasting consequences, e.g.:
- A vapour or aerosol release with or without liquid fallout that causes lasting
damage to plants, fauna or property, following venting to atmosphere, liquid
entrainment from flare, etc.
- Solids (dust, catalyst, soot, ash) fallout following an operational plant upset.
- Liquid spill into a river or sea.
- Liquid release that could affect ground water outside the fence.
IPFs that prevent relieving to the atmosphere should be classified according to this
category as well.
Flaring, venting and noise may have an impact on public image and should therefore be
addressed when performing environment classification.
The following additional rules apply:
- If flaring is within the allowable environmental limits as set by the local authorities it
shall be considered for the classification as having no environmental consequences. If
flaring or venting is above these limits it shall be considered for the classification as
production loss, e.g. cost of shutdown, fine.
- If the classification team decides that, for a certain consequence, the related public
image is a very sensitive issue, E shall be increased by one level.
If the result of the classification is E0, the IPF is not required for environmental
protection. For other results, the IPF class can be obtained from the diagram by selecting
the point corresponding to the E and W.

3.2.4.3.5. Synergetic Consequences


For architectures where one initiator function activates more than one final element
function, the individual classifications only classify final element failure on demand
because the assumption is made that, when classifying one function, the other functions,
and thus the initiator, function properly. An additional classification, initiator failing on
demand, is therefore required. A check shall be performed whether initiator failure on
demand, and consequently none of the final elements operate on demand, has
synergetic consequences, i.e. consequences in addition to those caused by the failure of
the individual final elements. If that is the case, the initiator shall be classified
accordingly.
NOTES: 1. As an example, assume one fuel gas knock out drum and more furnaces. Individual IPF classifications of high
level to fuel gas shut off may result in S2. In this case we assume that only one function fails and the others still
function, which is only possible in case the initiator functions. Check on synergetic consequences when initiator
fails gives S3 because in this case in all furnaces an uncontrolled fire or explosion may occur, hence the higher
classification for the level trip initiator.

2. The consequence of initiator failure on demand could also result in a lower IPF class compared to the highest
class resulting from the individual classifications of functions containing that initiator. This is the case for e.g.
oxygen and natural gas shut-off in a Shell Gasification Process (SGP) where the consequence of leaving the
oxygen valve only open is more severe than leaving both valves open. Hence the class for the function initiator
to oxygen valve is higher than the result of the synergetic consequence of initiator failing classification. The latter
determines the required initiator class.

The above is not relevant for final elements because, for architectures where more
initiators activate one final element, final element failure is classified for each function
and as a minimum the most stringent classification is selected for the final element,
see also (4.3.).

3.2.4.3.6. Interpretation of the results and general rules


The highest class resulting from the three types of consequences shall be selected for
the IPF.
An IPF shall not be removed when the classification results in unclassified, without
feedback to the HAZOP study and/or technical desk HSE review. If an IPF is not
required, it shall be deleted before the next IPF is classified.
If more IPFs protect against the same consequences, the classification may indicate that
all but one can be deleted. In this case a reiteration process shall take place to ensure
that the IPF which remains is the most suitable one.
If the classification method indicates that the IPF class is X, the design without the IPF
shall be made safer such that the IPF is either not required or is classified lower than X.
This rule shall be applied in the majority of cases. Under special circumstances, to be
decided by the Principal and on a case-by-case basis, the decision could be taken to
have a third party perform a full safety and reliability assessment and, if required, request
approval of the design from the authorities.
NOTE: As an example of the type of analysis which should be carried out in such cases, reference is made to the
exploration and production application of design of multi-well systems for which full flow relief is not
possible/desirable. This is documented in a separate document. Although this report is specific to multi-well design,
the methodology is generally applicable. When such analysis has been carried out, the resulting design will fall
outside the scope of this document and no attempt should be made to reclassify using this document.

For IPF classes II to VI a pre-alarm shall be implemented unless corrective operator
action to avoid the IPF action is not feasible.
Automatic start-up overrides with a duration of 5 seconds above the minimum time
required for start-up, or based on process or equipment conditions, are preferred to
manual start-up overrides because they will have a positive impact on the overall IPF
PFD by removing the risk associated with human error of leaving on, or switching on
again, a manual start-up override.
To achieve the requirements of an IPF class, unrevealed failure robustness may be
required. This is implemented in a 1oo2 (one-out-of-two) configuration, meaning that if
one of the two initiators or final elements has an unrevealed failure, the IPF action will be
taken by the second initiator or final element, respectively.
If a manual trip switch is installed to allow the operator to react to unforeseen events, the
classification of this switch shall be same as the classification of the most stringently
classified final element activated by the manual trip switch.
NOTE: The manual trip switch could be a furnace trip switch, but also a plant emergency trip switch.

In combined IPF and sequence control systems (e.g. furnace start-up), each step may
have to be classified separately because the frequency of demand and the
consequences may be different. This is also valid for different phases of plant operation.
For fire detection and protection classification, only the incremental consequence of IPF
failure on demand shall be taken into account, not the full consequence of a fire. The fire
is assumed to be there already and the IPF is installed for mitigation purposes, e.g. an
automatically triggered water deluge system or facility ESD.

3.2.4.4. Revealed failures

3.2.4.4.1. General
The revealed failure classification should be performed after the unrevealed failure class
implementation has been decided, because implementation of the requirements related
to the unrevealed failure class may impact the revealed failure rate of initiator or final
element configurations.
The revealed failure classification diagrams given in Figure 7 are based on:
- A pay-out period of 1 year.
- The assumption that the revealed failure robustness will reduce the revealed failure
rate to a negligible figure.
- Minimum CAPEX.
The classification diagrams should be applied; detailed calculations to justify revealed
failure robustness requirements should not be made.
Initiators and final elements should be classified separately, due to the possible
significant difference in cost of revealed failure robustness for initiators and final
elements.
NOTE: The revealed failure robustness classification diagrams may also be applied to parts of function components. Details
on the impact of IPF PFD and revealed failure rate calculations when part of a function component is Implemented
robust are covered by a separate document.

3.2.4.4.2. Cost of robustness


Three diagrams are indicated in Figure 7 for different costs of revealed failure
robustness. The cost of robustness shall be determined and the related diagram
selected.
Data on the cost of revealed failure robustness shall be obtained from competent
personnel responsible for instrumentation.

3.2.4.4.3. Frequency of revealed failure


The frequency of revealed failure for the IPF component under classification shall be
determined (R classification).
The default failure rates for single initiators and single final elements, as given in a
separate document, both translate to R1.
Unrevealed failure robustness increases the revealed failure rate by up to a factor of two
compared to a single configuration.

3.2.4.4.4. Cost of revealed failure
The cost of revealed failure related to the consequences described in (3.2.4.2.) shall be
determined (C classification).
NOTES: 1. The cost of revealed failure for all IPFs with the same final element shall be the same.

2. If the cost of an initiator revealed failure differs significantly from the cost of actuator revealed failure due to e.g.
longer plant down time, the C classification may be different for initiator and actuator.

3. The cost of revealed failure should take into account potential consequential damages or loss e.g. where thermal
shocks may lead to premature furnace tubes material fatigue.

3.2.4.4.5. Revealed failure class


If the result of the classification is C0, the IPF is not required to be revealed failure
robust. For other results, the revealed failure class can be obtained from the diagram by
selecting the point corresponding to R and C.

3.2.4.4.6. Interpretation of the results and general rules


The result of the revealed failure classification for initiators and final elements is N or F.
N indicates that revealed failure robustness is not required, F indicates that revealed
failure robustness is required.

3.2.5. Documentation
The classification results shall be documented as part of the safeguarding narratives or
as a separate document.
The classification report shall be such that it shows that the classification was made on
objective and reasonable grounds, by a team with members qualified to perform the
classification. This can be achieved as follows:
- Build up the team as indicated in (3.2.2.).
- A short statement indicating the consequences of IPF failure on demand and IPF
revealed failure shall be documented.
- If the team is unable to reach a consensus, the issue should be raised to a higher
level of management, again with all necessary disciplines represented and, if
applicable, the Principal shall be consulted.
To enable consistency checks and easy handling of data, classification results shall be
entered into a database. It shall be possible to search on any word in any field. As an
example, a print-out of a database record is given in Figure 8. Items in bold are the field
headings, the remainder are the database entries. For more examples see the report on
the test of the classification methodology. Figure 9 provides a blank classification form
that may be used during the classification exercise.
This database may also be used to enter the implementation data such as test frequency
etc.
For authority approval purposes, classifications where personnel or environment
consequences are above S0 and E0 respectively should be documented separately.
The question on the IPF classification form, 'is it a pre-alarm', shall be answered with yes
or no. If corrective operator action to avoid the IPF trip action is not feasible, a note shall
be made that the pre-alarm can be deleted.
If one of the selections made during the classification is WO, W1, W3, A2 or G1, an
explanatory note shall be recorded.
The classification report shall be updated as part of each plant change such that the
requirements for each IPF are at all times auditable and traceable.

A summary of the unrevealed failure classification results may be shown in a cause and
effect matrix, as shown in the example in Table 1, using the existing cause and effect
matrices.
Table 1 Cause and effect matrix summarising the unrevealed failure
classification

Cause (down) / Effect (across)      | Close Fuel Gas Valve | Stop Compressor | Initiator Failure | Overall Class Initiator
High Fuel Gas Pressure              | IV                   |                 | N/A               | IV
Low Air Fuel Ratio                  | IV                   |                 | N/A               | IV
Flame Failure                       | IV                   |                 | N/A               | IV
Furnace Feed                        | IV                   |                 | N/A               | IV
High Furnace Outlet Temperature     | III                  |                 | N/A               | III
High Speed                          |                      | V               | N/A               | V
Low Lub-Oil Pressure                |                      | III             | N/A               | III
High Compressor Outlet Temperature  | III                  | IV              | V                 | V
Overall IPF Class Final Element     | IV                   | V               |                   |

NOTES: 1. Empty entries are also empty in the original cause and effect matrix.

2. Entries '-' have been classified as unclassified, and the IPF can be deleted.

3. The row 'Overall IPF Class Final Element' and the columns 'Initiator Failure' (synergetic consequences) and
'Overall IPF Class Initiator' are additional to the original cause and effect matrix.

4. IMPLEMENTING THE CLASSIFICATION RESULTS

4.1. INTRODUCTION
This Section deals with general rules related to the implementation of the classification
results obtained as described in (3.). This Section indicates the basic implementation
steps that shall be taken to arrive at a test interval and to select the architecture.
The details of implementing the classification results are dealt with in (5.) to (9.).
An important group of IPFs that will often be deleted after classification are those IPFs
which protect against events that are already covered by other IPFs. This will reduce the
complexity of the functional logic diagrams.
EXAMPLE: The IPF action following high-high level in a recycle gas compressor suction vessel should only be to stop the
compressor. Any subsequent actions, such as stop feed, stop furnace, open low rate depressuring valve, should be
initiated by recycle gas low flow alone. Without the IPF classification methodology described in this document, these
cascading IPFs were common because of the traditional dictum: "if you know it already, take the action and do not
wait for subsequent initiators".

Deletion of the cascading IPFs does not necessarily reduce the potential for revealed
failures. Only the deletion of an entire initiator will help to achieve better plant availability.

4.2. GENERAL RULES


For IPF class III, control valves and IPF valves may be combined only if the demand on
the IPF cannot be caused by a malfunction of the control valve and the IPF valve has no
requirements for leakage class V or VI TSO according to IEC 534-4. In this way the
common mode element is virtually eliminated.
NOTES: 1. The requirement for leakage class V or VI TSO according to IEC 534-4 is often over-stressed because the term
TSO valve is incorrectly used instead of IPF valve. The TSO requirement should be challenged during design.

2. As an example where the valves may not be combined, consider flow streams A and B, each with their own flow
control, being mixed and reacted. A TZA-HH should stop flow A to kill an exothermic reaction. The flow control
valve of A could well be the root cause of too much A, so tripping it may not be effective, hence a separate IPF
valve is required.

3. In batch processes valves are closed and opened frequently by the batch controller. Situations exist where a
certain valve position is a permissive to proceed with a next step, because starting the next step with the valve in
another position would give a hazardous situation. A malfunction of the valve may be the cause of the demand. A
separate means of stopping the batch, such as with a separate valve, shall therefore be provided when the IPF
is classified as IPF class III or higher.

Because the operator has more information about the overall plant and evacuation
situation than any IPF, IPF class IV fire, gas and smoke detection functions may be
implemented with the operator as one link of the IPF chain, provided that:
- The control room is a safe area and continuously manned by competent personnel;
- The operator has time to take action, i.e. the process safety time exceeds the sum of
the IPF response time and the operator response time.
If an IPF operates a valve when activated, this action shall be communicated to the DCS,
triggering an action in the DCS to automatically switch the related controller to manual
and drive the output to the safe position, either zero or maximum, if this can be done at
acceptable cost. This DCS action shall only be triggered on receipt of the change of state
from normal to trip, without preventing the operator from changing the controller state
and output at any other time.
If an unrevealed failure robust initiator is required for one function, while the classification
of a second function with the same initiator requires a single configuration, one initiator
of the unrevealed failure robust set may be used for that function. See Figure 10. This
implementation reduces the revealed failure rate of the second function.
If one function is classified as IPF class I or II while others with the same initiator are
classified as IPF class III or higher, the former may be implemented in the DCS.
Implementing the IPFs in this manner requires separate initiators for the IPF class I or II
functions than for the IPF class III functions. This will only be cost effective if a separate
measurement for control or indication is available to be used for the IPF class I or II IPF.
If an IPF classified as IPF class I or II is implemented as IPF class III, testing
requirements for this function remain those for IPF class I or II, see (7.).
For special requirements regarding cabling, refer to other documents.
Pre-alarms should be obtained from the control transmitter signal in the DCS if this is
available.
The following documents shall be provided to specify the requirements and organisation
for implementation of IPFs:
- functional logic diagrams (FLDs);
- IPF classification results;
- typical block schemes;
- typical loop diagrams;
- IPS technical specification;
- completed data requisition sheets.

4.3. IPF CLASS OF INITIATOR, LOGIC SOLVER AND FINAL ELEMENT


The IPF class for those initiators and final elements which are part of only one IPF can
be obtained directly from the classification report.
If one initiator activates more than one final element, the highest of all IPF classes
related to that initiator, including the result of the check on synergetic consequences
(3.2.4.3.5.), shall be selected for the initiator.
If one final element is activated by more than one initiator, the IPF class of all functions
of which the final element is part shall be added to arrive at the classification of the final
element. This shall be done as follows:
- Count the number of IPFs for each class.
- If the number of times a class appears is 10 or more, each full number of 10 classes
shall be taken as one occurrence of the next higher class.
- Repeat the exercise until there are not more than 9 occurrences of any class.
- Take the highest class that remains.
EXAMPLE: Assume 31 functions having the same final element, 22 of which are IPF class III and 9 of which are IPF class IV.
The method is shown in table 2.
Table 2 Example of the adding rule

Start      Equivalent to     Leaving    Equivalent to     Overall final element classification
22x III    2x III + 2x IV    2x III     2x III            V
9x IV      9x IV             11x IV     1x IV + 1x V

The same adding rule applies to logic solver components that are common to more than
one function, unless the functions are independent.
The adding rule is not valid for IPF class I (alarm only) functions because the operator
decides how he will act and he usually has more than one option in a particular situation.
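The adding rule of (4.3.) carried out in code, added here as an example and not taken from the document: class I functions are left out as stated above, the class ordering is the one used on this page, and stopping the carry at class VI is an assumption because the page defines no higher class.

```python
"""The adding rule of 4.3 for a final element (or logic solver component)
shared by several IPFs.

Added example, not part of the original document. CLASSES is the ordering used
on this page; class I (alarm only) functions are left out because the page
states the adding rule is not valid for them. Stopping the carry at class VI
is an assumption: the page defines no class above VI.
"""
from collections import Counter

CLASSES = ["I", "II", "III", "IV", "V", "VI"]


def adding_rule(function_classes):
    """IPF class of an element shared by the given functions.

    function_classes: one IPF class label per function using the element,
    e.g. ["III"] * 22 + ["IV"] * 9 for the page's own example.
    Returns (resulting class or None, list of carries made), each carry being
    (class, number of full tens, class they were counted as).
    """
    counts = Counter(c for c in function_classes if c != "I")
    unknown = set(counts) - set(CLASSES)
    if unknown:
        raise ValueError(f"unknown IPF class(es): {sorted(unknown)}")

    carries = []
    # Walk the classes upwards: each full ten occurrences of a class counts
    # as one occurrence of the next higher class, and that carry may in turn
    # push the higher class to ten or more, which the next iteration handles.
    for idx, cls in enumerate(CLASSES[:-1]):
        if counts[cls] < 10:
            continue
        tens, counts[cls] = divmod(counts[cls], 10)
        higher = CLASSES[idx + 1]
        counts[higher] += tens
        carries.append((cls, tens, higher))

    remaining = [cls for cls in CLASSES if counts[cls]]
    if not remaining:
        return None, carries        # only class I functions: rule not applicable
    return remaining[-1], carries   # take the highest class that remains


if __name__ == "__main__":
    result, carries = adding_rule(["III"] * 22 + ["IV"] * 9)   # Table 2 case
    for cls, tens, higher in carries:
        print(f"{tens * 10}x {cls} counted as {tens}x {higher}")
    print("overall final element classification:", result)
```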

4.4. BASIC IMPLEMENTATION STEPS

4.4.1. General
Applying (3.), (4.2.), and (4.3.) will result in an IPF class for each initiator, the logic
solver and each final element.
These classes shall be translated to implementation requirements as explained below.
From IEC/SC65A draft 1508 and DIN V 19250 the relation between IPF class, SIL,
required PFD and required AK class (from DIN V 19250) can be obtained as shown in
Table 3.
Table 3 Relation between IPF class, SIL, required PFD and required AK class
IPF Class   Safety Integrity Level (SIL)   Required PFD           IPS Approval according AK Class
I           -                              > 10^-1                -
II          a                              > 10^-1                1
III         1                              > 10^-2 - < 10^-1      2-3
IV          2                              > 10^-3 - < 10^-2      4
V           3                              > 10^-4 - < 10^-3      5
VI          3                              > 10^-4 - < 10^-3      6
X           4                              > 10^-5 - < 10^-4      7
X           b                              Not indicated          8

A deterministic requirement of IEC/65A draft 1508 is that IPF class V and VI initiators and
final elements shall be unrevealed failure robust.
Table 3 shows that the PFD requirement does not differ for IPF classes V and VI.
However, because the consequences resulting in class V or VI can be very different and
the calculation methodology does not take common mode failures and software failures
into account, the following additional requirements shall apply for IPF class VI functions:
- The initiator shall be diverse.
- The IPF shall not contain software.
- The final element shall be diverse.

4.4.2. IPF implementation


Pre-alarms and IPFs with an IPF class I require no special equipment and shall be
implemented as alarm only. The control loop measurement and the DCS may be used
for implementation.
If operator action cannot be relied upon, IPF class I functions shall be classified and
implemented as IPF class II.
IPF class II functions require no special equipment and shall be implemented as a
switching function. The control loop measurement and the DCS may be used for
implementation.
All initiations by IPF class II, III, IV, V and VI functions shall be announced by an alarm.
For IPF class III to VI functions, the required PFD as indicated in table 3 in (4.4.1.) is one
of the governing requirements. This PFD can be obtained in various ways:
- Using equipment with a lower unrevealed failure rate will reduce the PFD of the IPF.
- Reduction of the test interval and increase of test coverage (7.2.) will reduce the IPF
PFD.
- Applying unrevealed failure robustness, i.e. one-out-of-two (1oo2), for final element
and/or initiator will reduce the IPF PFD.
See (8.) for details on how to calculate PFD and the effects of equipment failure rate,
test philosophy and architecture implementation.
For IPF class V and VI functions, the initiator and final element shall be unrevealed
failure robust, irrespective of the PFD. For IPF class VI functions, the initiator and final
element shall be unrevealed failure robust and diverse and the logic solver shall not be
microprocessor based.
Where unrevealed failure robust valves are required and in the absence of leakage class
V or VI TSO requirements, one of the two valves may be the control valve.
The required AK class for the logic solver can be obtained from table 3 in (4.4.1 .).
The result of the revealed failure classification for initiators and final elements is N or F.
N indicates that revealed failure robustness is not required, and F indicates that revealed
failure robustness is required.
If the result of the classification does not require unrevealed failure robustness but does
require revealed failure robustness for an IPF initiator or final element, the relevant
component shall be executed in a two-out-of-two (2oo2) configuration. The effect of this
architecture on the PFD may be such that equipment, test philosophy and/or architecture
requires adjustment in order to fulfil the PFD requirements related to the IPF class.
If both revealed and unrevealed failure robustness is required for initiators and for relay
type final elements, they shall be implemented in a two-out-of-three (2oo3) configuration.
Valve type final elements shall in this case be implemented as indicated in Figure 11, the
'2oo4' configuration.
Figure 12 shows a possible implementation of the various classes.
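The three levers of (4.4.2.) (equipment failure rate, test interval, 1oo2/2oo2/2oo3 architecture) worked against the Table 3 bands, as an added example that is not part of the document: the simplified average-PFD formulas are the usual IEC 61508 ones rather than the page's section 8, the 0.024 per year rate is the page's default unrevealed initiator failure rate, and the test intervals are assumptions.

```python
"""PFD of the initiator/final element architectures named in 4.4.2 versus Table 3.

Added example, not part of the original document. The simplified average PFD
formulas for a periodically proof-tested element (common-cause failures and
diagnostic coverage neglected) are the usual IEC 61508 ones and are not taken
from this page; 0.024 per year is the page's default unrevealed initiator
failure rate, while the proof test intervals used below are assumptions.
"""


def pfd_avg(architecture: str, lambda_du: float, test_interval: float) -> float:
    """Average probability of failure on demand of one voted element.

    lambda_du: unrevealed (dangerous undetected) failure rate, per year
    test_interval: proof test interval, in years
    """
    x = lambda_du * test_interval   # expected unrevealed failures per test interval
    formulas = {
        "1oo1": x / 2,        # single channel
        "1oo2": x ** 2 / 3,   # unrevealed failure robust: lowers the PFD
        "2oo2": x,            # revealed failure robust: doubles the 1oo1 PFD
        "2oo3": x ** 2,       # both revealed and unrevealed failure robust
    }
    return formulas[architecture]


# Table 3 bands as (IPF class, required PFD upper bound). Classes V and VI share
# a band; VI adds the deterministic diversity/no-software requirements (4.4.1).
PFD_BANDS = [("V", 1e-3), ("IV", 1e-2), ("III", 1e-1)]


def highest_ipf_class_met(pfd: float):
    """Highest IPF class III..V whose Table 3 PFD requirement this PFD satisfies.

    Returns None when the PFD is 10^-1 or worse: classes I and II carry no
    PFD requirement. A PFD below 10^-4 still maps to class V here, as the
    page assigns no IPF class to the SIL 4 band.
    """
    for cls, upper in PFD_BANDS:
        if pfd < upper:
            return cls
    return None


def compare(lambda_du: float, test_interval: float) -> dict:
    """PFD and IPF class band reached by each architecture for one element."""
    result = {}
    for arch in ("1oo1", "1oo2", "2oo2", "2oo3"):
        pfd = pfd_avg(arch, lambda_du, test_interval)
        result[arch] = (pfd, highest_ipf_class_met(pfd))
    return result


if __name__ == "__main__":
    # Page default failure rate with a yearly proof test, then a shorter test
    # interval and a lower failure rate, the other two levers named in 4.4.2.
    for label, rate, interval in (("default rate, 1 yr test", 0.024, 1.0),
                                  ("default rate, 6 month test", 0.024, 0.5),
                                  ("halved rate, 1 yr test", 0.012, 1.0)):
        print(label)
        for arch, (pfd, cls) in compare(rate, interval).items():
            print(f"  {arch}: PFD {pfd:.2e} -> IPF class band {cls}")
```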

5. IMPLEMENTATION OF PROCESS UNIT RELATED INSTRUMENTED PROTECTIVE
FUNCTIONS

5.1. GENERAL
The requirements given in this and the following chapters are based on the assumption
that a DCS is available. If this is not the case, the Principal shall be consulted for the
human-machine interface requirements.
The normally energised (fail-safe) design concept shall be implemented. For certain
process applications, however, a normally de-energised (non-fail-safe) design concept
for IPF final elements may be required. In such cases approval of the proposed
implementation shall be obtained from the Principal.
Requirements detailed in the technical specification of the IPS are as far as possible not
repeated in this document.
IPF loops class III and higher shall function independently of process control systems,
without any mutual influence, except where explicitly indicated in this document.
The separation between IPF and process control system is recommended in IEC/SC65A
draft 1508 and can be justified as follows:
- Assume that with a combined control and IPF measurement, 50% of the unrevealed
initiator failures will cause a hazardous situation because the process is out of control
in the hazardous direction. At the same time the IPF does not function.
- The default unrevealed failure rate of an IPF initiator is for example 0.024 per year.
- The number of hazardous situations caused by combining control and IPF
measurement is therefore 0.012 per year.
- A conservative estimate of the cost of one hazardous situation is USD 1,000,000.
- The cost of the hazardous situation caused by combining control and IPF
measurements is therefore USD 12,000 per year.
- The estimated cost of one IPF measurement is USD 10,000.
- The payback of separating control and IPF measurements is therefore approximately
one year.
If sequential functions and IPFs are difficult to split, the IPS shall also take care of
sequential control functions (e.g., for fired heaters).

5.2. INITIATOR
IPF class III and higher initiators shall have their own process tappings, impulse lines,
sensors, utilities (power fuses, air supply branch-offs), etc. Only elements such as orifice
plates and bluff bodies of vortex meters may be shared with control measurements.
Intelligent sensors with 4-20 mA output signals are preferred to discrete, direct mounted,
field switches because they have lower failure rates, better accuracy, better stability and
allow sensor signal analysis and measurement comparison. These sensors shall
communicate with the IPS in 4-20 mA signal mode. Digital communication protocols for
sensors are not yet acceptable. Use of hand-held communicators on intelligent sensors
shall, for reasons of integrity, be restricted and may only be applied if tests have proven
that their use will not cause adverse consequences regarding revealed or unrevealed
failures. Additional line resistors may be required to permit communication with the
sensor.
Manual switches shall be normally closed.
IPF initiators, except high liquid level IPF initiators, should have the same range and
accuracy as neighbouring process sensors in order to facilitate measurement

comparison. See also (7.). High liquid level displacer and dP cell IPF initiators should
have vessel connections
at 80% and 100% to ensure proper functioning under varying density conditions
compared to design.
Where possible, separate trip amplifiers shall not be applied. Sensor signals shall be
connected directly to input cards integrally available in IPSs.
In case input cards are not available for signals used in the field, these signals shall be
converted in the field.
If intrinsically safe electrical equipment is applied in hazardous areas, isolation barriers
are required. To minimise the number of components in the IPF loop, ex 'n', ex 'e' or
ex 'd' type sensors should be applied in zone 2 or in zone 1 (except ex 'n') hazardous
areas.
For analogue inputs and for Normally Open contact inputs, open or short circuit cable
faults or sensor faults shall, as far as possible, be detected via line monitoring and self
testing features. Operators shall be informed in case of fault detection and maintenance
shall be initiated immediately. Revealed failure actions (spurious trips) may be avoided in
such cases provided that the following requirements are met:
- A second or back-up indication shall be available to the operator.
- The control room shall be continuously manned by competent personnel.
- An alarm shall be generated and annunciated on the DCS indicating that the IPF trip
measurement is faulty.
- Other ways to trip or stop the process shall be available to the operator.
- A maintenance override for that IPF should be available.
- The process dynamics shall be such that the operator has time to act.
- This automatic override functionality is time restricted, i.e. the trip measurement shall
be taken in maintenance override before a pre-set time of one hour has elapsed. In
case an MOS is not available, the fault will cause a spurious trip after the pre-set time
has elapsed.
For an implementation of the automatic override, see Figure 14.
It is recognised that it may not always be possible to avoid spurious trips under open
circuit or short circuit conditions. The possibility to implement automatic overrides does
not imply that time delays should be applied to IPS inputs to avoid revealed failure
actions under such circumstances. Time delays for this purpose shall not be applied if
the sum of the required delay time and the IPF response time (including the IPS
response time which shall be taken as two times the IPS cycle time) exceeds the process
safety time and shall be approved by the Principal. The process safety time shall be
determined by Process Control and Technology departments.
If the IPS has line monitoring facilities, analogue sensors shall have "direct" output
signals only. If this is not the case, high trip sensors shall have "reverse" output.
For IPF loops class III and higher, the initiators should have a red colour and should have
a red nameplate with black lettering.
If diverse initiators are required, diverse measuring principles shall be applied. These
diverse measuring principles shall, where possible, include different types of process
connections. An example of a diverse measuring principle is ultrasonic and dP cell level
measurements. An example of a non-diverse measuring principle is displacer and dP cell
level measurements, because in both cases the tappings may block.
NOTE: Diverse measuring principles shall not be applied when this would result in an increased unrevealed failure rate as
would be the case when a pressure transmitter is replaced by a pressure switch.

5.3. INSTRUMENTED PROTECTIVE SYSTEM
IPSs shall be based on either:
- electromechanical relays;
- solid-state/magnetic-core technology;
- microprocessor technology (PLCs).
Pneumatic and hydraulic relay based IPSs shall not be used for new or re-
instrumentation projects and are therefore not dealt with in this document.
For new or re-instrumentation projects, particular attention shall be paid to
electromechanical relay-based IPSs as they may not fulfil the requirements of IPF class
V and higher.
The IPS, including the IPS-PLC to IPS-PLC communication link for IPF class III and
higher safety related signals, shall fulfil the requirements of the DIN V 19250 risk class
(AK class) related to the IPF class resulting from the classification and shall be certified
by TÜV.
In case an IPS-PLC is applied, the complete IPS, including system software versions and
releases, shall be evaluated and certified by TÜV.
To avoid unexpected failures of software and/or hardware, only proven releases of
software and hardware shall be used. The release of the system should not be upgraded
after order placement for functionality enhancements. Upgrades to fix bugs that
jeopardise safety or plant availability shall be implemented but only after certification by
TÜV.
The majority of the IPFs will be IPF class V or below; however, it is preferred to
purchase, as a minimum, AK class 5 TÜV-certified IPSs so that the majority of plant
changes can be incorporated in the same IPS.
Although solid-state/magnetic-core and PLC-based systems are preferred, relay-based
systems may be selected for certain applications. Relay-based systems have the
disadvantages that no self-diagnostics are available, troubleshooting and making
modifications can be difficult and communication to a DCS is only possible for the output
signals. The DCS shall not be connected in series with the trip amplifiers that are
required to input analogue initiators into a relay based IPS.
Only IPS suppliers or system builders (integrators) which are accepted by the Principal
shall be used for IPS engineering, construction, wiring, testing, etc.
The IPS-PLC to IPS-PLC communication link shall be fail safe and revealed failure
robust, and the signals transmitted over this link shall be NE such that IPF trip actions
are taken when the link fails.
IPS quantitative reliability assessment studies have shown that, in order to obtain
revealed failure rates equal to or better than relay based IPSs, IPS-PLCs are only
acceptable when fail safe, revealed failure robust input and output cards and processors
are used. Output cards driving non-critical indication or alarm lamps should be single and
non-fail-safe.
When making a selection between solid-state/magnetic-core technology and PLCs, the
following shall be considered:
- actual field experience (installed base);
- requirements of national and/or local regulations;
- application complexity;
- level of automation;
- skills required.
Advantages of PLCs are:

- faster engineering, through configuration techniques;
- ease of FLD simulation, off-line on a PC;
- ease of logic modifications;
- ease of commissioning;
- ease of monitoring the integrity of field devices and their wiring;
- fewer different hardware cards;
- self-documenting facilities.
Disadvantages of PLCs are:
- special skills required;
- possible bugs in the software;
- higher revealed failure rates;
- protection against (on-line) logic modifications requires strict procedures.
IPS systems shall be as simple as possible and shall have a minimum number of
components.
IPS-PLCs shall not be applied when an IPF class VI integrity is required because the
software contribution to the unrevealed failure rates of PLCs is unknown, and therefore
not taken up in the IPF calculation methodology. Only in very exceptional cases, and with
the approval of the Principal, may PLCs be considered for class VI loops.
If a classification results in a number of IPF class VI loops and the remainder of the IPFs
implemented in the same IPS-PLC are IPF class V or lower, the IPF class VI loops may
be implemented in the IPS-PLC making use of the secondary means of de-energisation
functionality which bypasses all microprocessors in the system. In this case the IPS-PLC
shall comply with the requirements of IPF class V and the secondary means of de-
energisation facility shall be TÜV certified according to DIN V 19250 AK class 6.
Process units should be allocated to IPSs with due consideration to IPS failure. Details
regarding the allocation of process units to Input and Output cards shall be given in the
IPS technical specification.
To ensure suitable response time for activation and sufficiently accurate time stamping,
the scan or cycle time of IPS-PLCs shall be less than 300 ms.
For each piece of rotating equipment, it shall be checked whether a 300 ms cycle time is
sufficient to protect the equipment, i.e. confirm that the process safety time of the
equipment exceeds 600 ms. If this is not the case, an IPS-PLC is not suitable.
If PLC based IPSs are considered for equipment packages, for reasons of integration,
spare parts, training and maintenance, the same IPS should be selected as those
applied in the remainder of the plant or project. It should be realised that doing this may
complicate the factory acceptance test of these equipment packages.
Time synchronisation between IPSs, SERs and DCS, shall be applied from an external
clock.
Initiator or final element and IPS robustness implementation shall be independent. For
example, assume a 2oo3 initiator has to be routed to an IPS with revealed failure robust
inputs. In that case each initiator is connected to one point of each of the dual input
cards, resulting in a total of 6 routes. A different set of dual input cards shall be used for
each initiator. See Figure 15.
On-line changes to tuning parameters may be made provided they are tested before
taking the loop into service. On-line logic changes and operating system software
upgrades should not be performed unless full functional tests can be performed with the
process unit in operation. If on-line changes are to be made then a thorough analysis
shall be made and agreed with Operations, addressing the following:
- What has to be changed?

- How and when is it to be changed?
- What are the contingencies for errors?
- What risk assessment will be made?
- What fall-back scenarios are in place?
IPS systems shall be fed via two separate power feeders, with at least one of them
connected to a vital uninterrupted power supply system (UPS), with automatic change-
over facilities and remote alarm in case of single failure.
To facilitate long term reliable operation of IPSs, this equipment shall be installed inside
(field) auxiliary rooms. These rooms shall have temperature and humidity control facilities
fulfilling the requirements stated in the IPS technical specification.
In order to reduce down-time and override time, 'card' or 'complete component'
replacement techniques shall be applied.
As a minimum a common cabinet utility alarm and a common system alarm shall be
transmitted to the DCS for the attention of the operator. When the alarm occurs the
operator shall contact the responsible maintenance person for further action.
Engineers should be trained before and during the factory acceptance test. Mechanics
and technicians should be trained during site acceptance testing and commissioning
activities. If own personnel are not properly trained and kept up-to-date, modifications
shall be left to the Supplier.

5.4. FINAL ELEMENT


Where a control valve also functions as an IPF class III or higher IPF valve, the IPF shall
have priority over the process control function. Where the control valve is fitted with a
positioner, the solenoid valve driven by the IPS shall be fitted between the positioner and
the actuator diaphragm or piston. A digital output shall not be routed from the IPS to the
DCS with the DCS configured to drive the valve to the safe position, since in that case
the IPF class II DCS would be part of the IPF class III loop.
If diverse unrevealed failure robust valves are required, the valves shall be of a different
make and/or type (model).
IPF valves classified as IPF class III or higher shall not be provided with a hand wheel or
a bypass as these increase the unrevealed failure rate of the final element.
IPF class III or higher valve type final elements should be air operated and spring loaded.
Hydraulically operated valves are less suitable due to the complexity of the hydraulic
system. Hydraulic actuator requirements are given in a separate document. Electric
motor operated valves without spring return shall not be used for IPF class III or higher
valve type final elements.
For IPF loops class III and higher, the valve actuator should have a red colour and
should have a red nameplate with black lettering.
For NDE IPF final elements, automatic wiring tests such as line monitoring and earth
fault and automatic test of the availability of instrument air shall be implemented on each
loop. Regular functional testing shall also be performed. The IPS-PLCs are designed,
especially with respect to the internal diagnostics, for the de-energised signal being the
safe state of inputs and outputs. For NDE applications which do not apply an external
inverter such as a relay, the IPS-PLC shall also be designed for the energised signal
being the safety related input or output state. This is not the case for many of the TÜV
certified IPS-PLCs. If this is not the case, inverter relays with the appropriate
classification shall be applied.

Power and air supply for NDE final elements shall be such that the impact of supply
failure on the IPF PFD is negligible, e.g. by means of an alarm in case the supply fails.
Instrument air supply requirements for depressurising systems are covered in a separate
document.
Detailed valve type IPF final element requirements are covered in a separate document.
Rotating equipment stop circuit type IPF final elements should be implemented by a 24
V(dc) output connected to the coil of an interposing relay. A contact of this relay should
be wired into the motor switchgear. This implementation is referred to as 'no special
equipment' in Figure 12.

5.5. CABLING
For certain applications, special cabling may be required.
The maximum allowable distance between the IPS and the solenoid valve shall be
checked.

5.6. HUMAN-MACHINE INTERFACE

5.6.1. Operator interface


Process alarms and IPS system and utility alarms shall be presented to the operator via
the DCS operator workstations. Resets shall be operated from the DCS.
ESD, OOS and MOS enable switches shall be mounted on a blank section of the
operator console.
For complex logics, one or both of the following should be displayed on the DCS screen
in addition to the information displayed on the process graphics:
- 'live' cause and effect matrices;
- help text.
The DCS system shall be used to perform all IPS alarm handling, indication,
annunciation, logging and printing.
For IPS system alarms and IPS utility alarms, more (or all) diagnostic information may be
transmitted from the IPS to the DCS in addition to the common alarms. Alarms can then
be shown individually or combined, depending on the action to be taken by the operator.
Help screens should be provided to indicate causes and actions associated with the
alarms. The necessary actions shall be taken to ensure that mean time to repair figures
of the IPS do not deteriorate so as to prevent jeopardising plant safety or plant
availability.
Time stamps should not be sent from the IPS to the DCS. The SER time stamping shall
be used for post mortem analysis.
Any time delay, due to system constraints, between (IPS) trip initiation and (DCS) alarm
presentation shall be less than 3 seconds.
If technically possible, full SER functionality should be provided in the DCS, i.e.
integration of SER lists with DCS alarms lists and functionality presently available in the
SERs also in the DCS.
The list of signals to be transmitted to the DCS for operator interface is given in the IPS
technical specification. In addition, the signal to switch automatically the related controller
to manual and drive the output to a safe position may be transmitted to the DCS.
The first trip action occurring in each UZ group (first failure) shall be detected by the IPS.
A first-up flag shall be transmitted to the DCS and the DCS screen shall display the
first-up alarms differently from the subsequent alarms, until the first-up reset is activated from
the DCS and the first-up flag removed by the IPS.
OOSs, see (5.9.), shall be implemented as a hardwired switch with a yellow back-lit
handle; the light shall be on when the override is switched on. ESD switches shall be
implemented hardwired, with a red handle without back-light. For MOS enable switches,
see (5.8.3.).
The normal position of all switches on the console shall be horizontal.

5.6.2. Sequence of event recorder


Plant events, utility events, operator actions (overrides and manual trips) and IPS failures
shall be logged and stored on the SER for incident analysis purposes.
The SER network should be revealed failure robust. This network may be combined with
the maintenance/engineering network.
If the SER functionality resides in a PC, site procedures shall ensure that the SER
cannot be infected by viruses.
The list of the type of events and signals to be recorded on the SER is given in the IPS
technical specification.

5.6.3. Maintenance and engineering interface


The maintenance and engineering interface shall give details of all IPS failures (card
failures, cable faults etc.).
The maintenance and engineering interface should consist of one or more (PC based)
workstations. Site procedures shall ensure that these workstations cannot be infected by
viruses.
A workstation shall only be used as an on-line diagnostic tool whilst connected to a 'live'
operating system.
'Forced' or software overrides on input and output channels of IPS-PLCs shall be
enabled and disabled by means of a key lock and/or password facility. Procedures shall
be in place that during and after plant start-up all such overrides on input and output
channels are removed. Presentation of 'forced' overrides to the operator shall be similar
to MOS presentation.
A revealed failure robust IPS-PLC network should be used for the maintenance and
engineering workstation functionality. This network may be combined with the SER
network. In addition to this network, individual engineering workstation connections, one
per IPS-PLC, shall be provided. These can be used when the maintenance/engineering
network fails.

5.7. COMMUNICATION INTERFACES WITH OTHER SYSTEMS

5.7.1. Interface with DCS


In order to monitor IPS related events on the DCS screens and to activate resets and
MOSs, there shall be communication between DCS and IPSs. Therefore the IPS shall be
linked with the DCS. The link shall be by point-to-point DCS gateways or serial links and
should be revealed failure robust. The revealed failure robustness is required because of
the MOS and reset control from the DCS, and not for safety purposes. IPS to DCS
connections via integrated IPS-PLC networks should be avoided because of gateway or
serial communication port loading and additional time delays.
Failure of serial links shall not cause nuisance trips. IPF class III to VI signals shall not be
transmitted over this link because the highest IPF class in which a DCS may be part of
the IPF loop is class II. If the communication link between DCS and IPS fails, an alarm
shall be generated in the DCS.
Interfaces between DCS and IPS systems shall be such that upon any failure of the link
the protection functionality of the IPS system will not be defeated, except for MOS and
reset signals from the DCS that may be routed through this interface and therefore
cannot be operated when the link fails.
The requirements for serial links are covered in a separate document.
The list of the type of signals to be communicated between IPS and DCS is given in the
IPS technical specification.

5.7.2. Interfaces with other systems


There shall be no communication interfaces between the IPS and systems other than
DCS. Interfaces between IPS and other systems shall be hard-wired.

5.8. MAINTENANCE OVERRIDES

5.8.1. General
The preferred and TÜV-approved (see TÜV document "Maintenance Override")
implementation is described in this Section.
Maintenance override switches (MOSs) are used to override IPF initiators to enable
maintenance or on-line functional testing. It shall be considered during the basis of
design (BOD) phase whether MOSs are required in those cases where spare process
units or equipment are available.
Maintenance override facilities may be provided only for those IPF initiators where a
second or back-up indication, and a means to stop the process, are available to the
operator. Furthermore, the process dynamics shall be such that the operator has time to
act.
Therefore, MOSs shall not be provided on, for example:
- flame sensors;
- (axial) displacement type sensors;
- manual ESD inputs.
A maximum of one trip initiator may be overridden per protection group (UZ group) at any
one time.
To reduce the number of MOSs, an MOS shall not be applied for 2oo3 IPF initiator
configurations. To reduce the IPF PFD, an MOS function shall be provided for each of
the initiators of 2oo2 IPF initiator configurations. Setting of one MOS shall create a
situation such that, during the time the override is switched on, the configuration
automatically functions as a 1oo2 system.
Outputs shall not be overridden because, within one protection group (UZ group), they
are usually the result of more than one input.
An MOS override shall not inhibit the alarm function.
For an implementation example, see Figure 16.

5.8.2. Operational considerations
Operations personnel shall be solely responsible and authorised to switch an IPF initiator
into override.
Before an MOS is activated, all work and permit procedures shall be followed, such that
a record is available indicating the name of the person who switched on the override.
When the IPF initiator is in override, the operator shall check the related control or
indicating transmitter measurement frequently such that manual actions (removal of the
override or manual ESD) can be taken if the process moves out of the operating
envelope.
The proposed set-up requires optimum (radio) communication between the operator and
the technician. A separate radio channel should be provided for this.
MOSs shall be activated for as short a time as possible.

5.8.3. Implementation
An MOS shall be activated from the DCS VDU/keyboard. When an MOS is activated, the
appropriate override signal shall be sent via the communications link to the IPS.
A hard-wired, yellow, back-lit MOS enable switch shall be provided on the DCS console.
At least one switch shall be provided per process unit. Only when this switch is in the
enable position is the MOS signal accepted by the actual protection logic. Because this
switch is hardwired, the operator has the possibility to de-activate any override when the
communication link fails.
The status of the MOS enable switch shall be read by the DCS via the serial link for
event logging purposes.
The logic to activate only one override per protection group (UZ group) shall be
implemented in the IPS.
In case the DCS to IPS communication link fails, the overrides shall remain as they were
before the failure and when the link is re-established there shall be no status change.
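The MOS rules of (5.8.1.) and (5.8.3.) as executable logic for one UZ group, added here as an example and not part of the document: the hardwired enable switch gating every override, one overridden initiator per group, no MOS on 2oo3, 2oo2 acting as 1oo2 while overridden, the alarm never inhibited, and a failed link leaving overrides unchanged. Tag names and the event list standing in for the SER are constructed.

```python
"""Maintenance override (MOS) logic for one protection group (UZ group).

Added example, not part of the original document. It encodes the rules of
sections 5.8.1 and 5.8.3: an MOS command from the DCS is only honoured by the
protection logic while the hardwired MOS enable switch is in the enable
position, at most one trip initiator per UZ group may be overridden, no MOS
on 2oo3 configurations, a 2oo2 pair functions as 1oo2 while one of its
channels is in override, the alarm is never inhibited, and a failed DCS to IPS
link leaves the overrides as they were. Tag names and the event list that
stands in for the SER are constructed for the example.
"""
from dataclasses import dataclass


@dataclass
class Initiator:
    tag: str
    architecture: str   # "1oo1", "1oo2", "2oo2" or "2oo3"
    demands: list       # per-channel trip demand, True = this channel demands a trip

    def alarm(self) -> bool:
        """An MOS override shall not inhibit the alarm function (5.8.1)."""
        return any(self.demands)

    def trip(self, overridden: set) -> bool:
        """Vote the channels that are not in (effective) override."""
        needed = int(self.architecture[0])
        live = [d for i, d in enumerate(self.demands) if i not in overridden]
        if self.architecture == "2oo2" and overridden:
            # One channel in MOS: the pair functions as 1oo2 (5.8.1), i.e. the
            # remaining channel trips on its own instead of needing its partner.
            return any(live)
        return sum(live) >= needed


class UzGroup:
    """Override bookkeeping as the IPS would hold it for one UZ group (5.8.3)."""

    def __init__(self, initiators):
        self.initiators = {i.tag: i for i in initiators}
        self.enable_switch = False   # hardwired MOS enable switch on the console
        self.link_up = True          # DCS to IPS communication link
        self.commanded = {}          # tag -> channel index commanded into MOS
        self.events = []             # stands in for the SER / DCS printer

    def effective_overrides(self, tag: str) -> set:
        """The MOS signal is accepted only with the enable switch in enable."""
        if self.enable_switch and tag in self.commanded:
            return {self.commanded[tag]}
        return set()

    def request_override(self, tag: str, channel: int, operator: str) -> bool:
        """MOS command issued from the DCS VDU; True when the IPS accepts it."""
        if not self.link_up:
            return False             # the command never reaches the IPS
        reasons = []
        if not self.enable_switch:
            reasons.append("MOS enable switch not in enable position")
        if self.initiators[tag].architecture == "2oo3":
            reasons.append("no MOS on 2oo3 initiator configurations")
        if self.commanded:
            reasons.append("one initiator per UZ group may be overridden at a time")
        if reasons:
            self.events.append(("MOS rejected", tag, operator, "; ".join(reasons)))
            return False
        self.commanded[tag] = channel
        self.events.append(("MOS set", tag, operator, f"channel {channel}"))
        return True

    def remove_override(self, tag: str, operator: str) -> bool:
        """Removal also comes over the link; with the link down nothing changes."""
        if not self.link_up or tag not in self.commanded:
            return False
        del self.commanded[tag]
        self.events.append(("MOS removed", tag, operator, ""))
        return True

    def group_trip(self) -> bool:
        """Trip of the UZ group: any initiator voting to trip."""
        return any(i.trip(self.effective_overrides(t))
                   for t, i in self.initiators.items())

    def group_alarm(self) -> bool:
        return any(i.alarm() for i in self.initiators.values())
```

Turning the hardwired enable switch off de-activates the override even while the link is down, which is the fallback the section describes.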

5.8.4. Human-machine interface related to maintenance overrides


The process graphics on the DCS VDUs should indicate (grouped together):
- the control measurement/pre-alarm;
- the trip alarm;
- the MOS activate command switch;
- the MOS activated indication.
A dedicated overview graphic should be provided on the DCS to enable the operator to
quickly find trip initiators in override without searching for the correct process graphic.
In the DCS optimum use should be made of units or compounds to convey MOS related
information to the operator.
The MOS activated indication will only come on when an MOS command is issued, the
enable switch is turned to the enable position and the override logic is performed in
the IPS.
A yellow, common (minimum one per process unit), hardwired MOS indication lamp
driven from the IPS shall be provided on the DCS console to indicate that at least one
override is set in the relevant process unit. This shall be implemented by applying an
MOS enable switch with a yellow back-lit handle, the lamp in the handle functioning as
the MOS indication lamp.

All MOS related events shall be recorded on the SER with a time stamp and shall also be
printed on the DCS printer. The service description which is also printed shall include the
tag name of the initiator being overridden.
MOS activation shall generate a (low priority) alarm on the DCS. If the MOS is not
removed the alarm shall be repeated every 4 hours.
The operator shall check, when switching on an override, that the indications described
above function properly.

5.9. OPERATIONAL OVERRIDES


Operational overrides should be avoided by implementing automatic start-up overrides,
see (3.2.4.3.6.), in the FLD design.
Operational overrides shall not be provided on manual ESD inputs.
Operational override switches shall be located on the DCS console and hardwired to the
IPS. The switch shall have a yellow, back-lit handle.

6. IMPLEMENTATION OF FIRE GAS AND SMOKE DETECTION INSTRUMENTED
PROTECTIVE FUNCTIONS

6.1. GENERAL
Active fire protection equipment is covered in a separate document.
The Contractor shall check local regulation requirements related to the FGS, and if these
are more stringent than the requirements of this document, they shall prevail. In these
instances, the Principal shall be informed.
This section deals only with FGS IPF and IPS requirements which are additional to or
different from process unit IPF and IPS requirements as described in (5.).
FGS IPFs shall be separate from the process IPFs because the FGS IPFs shall remain
operable during plant shutdown.

6.2. INITIATOR
The requirements for the sensor part of the FGS IPF loops are given in a separate
document. In case of conflict between this separate document and the IPF class
requirements of the initiator, the Principal shall be consulted. The interface between the
sensor and the FGS IPS input card is either a 4-20mA signal or a potential free contact.
If the initiators are of the normally open (quiescent current) design, continuous line
monitoring facilities capable of detecting open loops and short circuits shall be applied
and an alarm raised if a fault is detected. No protective action shall be taken if such a
fault in the initiator circuit is detected.

6.3. INSTRUMENTED PROTECTIVE SYSTEM


The FGS IPS should operate independently of any other instrumentation system, such
as the DCS and the process unit related IPS, except for the DCS human-machine interface.
Combining FGS related IPS and process unit related IPS requires the approval of the
Principal.
The maximum cycle time of the FGS shall be 500 ms.
The battery back-up time requirement is given in a separate document.

6.4. FINAL ELEMENT


The automatic output actions performed by the FGS shall be entirely independent of the
DCS.
If the process unit or rotating equipment will be tripped by the FGS, the FGS final
element shall be implemented as a potential free contact output which is routed to a
digital input of the relevant process IPS. Requirements for equipment packages that are
fully self-contained are given in another document.
Final elements that constitute a personnel hazard when actuated, such as extinguishing
agent release systems, shall have safety features to ensure evacuation of personnel
before release.

6.5. CABLING
For special requirements regarding cabling, refer to other documents.

7. TESTING

7.1. CLASSIFICATION RESULTS AND TEST PHILOSOPHY


To achieve the PFD related to an IPF class, the loop architecture may be changed
(impact on CAPEX), hardware with a lower unrevealed failure rate may be installed
(impact on CAPEX) or the test interval may be reduced (impact on OPEX and/or
CAPEX).
The relation between the IPF class and the testing frequency is given by the PFD
formulae described in (8.). Figure 17 shows the basic relationship between test
frequency, IPF loop unrevealed failure rate, architecture, PFD and IPF class using
simplified formulae and a zero test duration. The relationship can be obtained by means
of the IPF calculation methodology as described in a separate document, see (8.).
For manual testing, experience has shown that it is very difficult to keep up with a test
interval of less than 6 months.
As can be seen in Figure 17, large reductions in IPF PFD are possible by testing the loop
automatically, around once per day to once per week. For more details on automatic
testing, see (7.6.).
To enable manual testing without the requirement to shut the process unit down, use can
be made of MOSs for initiator testing. For IPF final element testing, however, additional
equipment may have to be installed, such as an additional valve in parallel to the valve to
be tested. In that case, precautions shall be taken that the additional equipment is not in
use during normal operation as this would increase the unrevealed failure rate of the IPF
final element.
IPF class I and II functions, including alarms and pre-alarms, shall be tested once every 4
years.
For IPF class III to VI functions, two types of tests can be identified:
- Regular proof tests with a certain test interval (maximum 4 years) and coverage
factor.
- Tests during planned shutdown with a maintenance interval (the time between
planned shutdowns) and a coverage factor as close as possible to 1. The
maintenance interval shall be maximum 4 years if the planned shutdown cycle
exceeds 4 years.
A demand is not necessarily initiated for safety reasons, it may be caused for example
by an operator wanting to stop a furnace by means of the furnace ESD switch. If such a
demand occurs with an interval shorter than the test interval, the test interval used in the
PFD calculations may be reduced provided that a proper coverage factor is used and a
test record is made.
If, for existing installations, the IPF classification and implementation methodology results
in a significantly increased test interval, this test interval shall not be increased in one
step because of the possible effect of time-based maintenance on unrevealed failure
rates. If, for example, the test interval of a valve was 6 months with an observed failure
rate of 0.047 unrevealed failures per year, an increase in test interval to two years will
dramatically increase the unrevealed failure rate of the valve if the valve tends to stick
after 9 months. In this case, time-based maintenance (stroking or greasing of the valve)
shall be applied at an interval of less than 9 months and the valve shall be tested every 2
years. The maximum test interval step increase is 6 months.
For new installations the initial test interval shall be 6 months, which can be increased, in
case of satisfactory test results, in steps of 6 months to the calculated test interval.

7.2. TEST COVERAGE FACTORS
An important factor in the IPF calculation methodology (8.) is the test coverage factor.
This factor is a measure on a 0-1 scale of how well the test is performed, i.e. which
proportion of the unrevealed failures possibly present in the IPF loop will be found by the
test.

7.3. INITIATOR TESTING


To achieve the highest possible coverage factor, initiators shall be tested by simulating,
as close as possible to the process, a change in process condition exceeding the limit. If
the impulse lines are not included in the test, the coverage factor shall be reduced
accordingly.
Irrespective of the IPF class, initiators shall be tested with a coverage factor of as close
as possible to 1 during planned shutdowns (maintenance interval), i.e. maintain in the
workshop and clean the impulse lines, such that PFD calculations may be performed with
a coverage factor of 1. The maintenance interval shall be maximum 4 years if the
planned shutdown cycle exceeds 4 years.
Proper functioning of line monitoring, if implemented, shall be tested during every
planned shutdown. The interval of these tests shall be maximum 4 years in case the
shutdown cycle exceeds 4 years.

7.4. LOGIC SOLVER TESTING


Relay-based IPSs shall be fully tested during every planned shutdown (maintenance
interval). The maintenance interval shall be maximum 4 years if the planned shutdown
cycle exceeds 4 years.
Solid-state/magnetic-core and PLC based IPSs do not need to be tested manually,
unless the user decides to test for human induced errors. The maintenance interval as
used in (8.) shall be set equal to the lifetime of the IPS, usually 10 years.

7.5. FINAL ELEMENT TESTING


To achieve the highest possible coverage factor, NE final elements shall be tested by
forcing the IPS output.
Irrespective of the IPF class, final elements shall be tested with a coverage factor of as
close as possible to 1 during planned shutdowns (maintenance interval), i.e. maintain in
the workshop, such that PFD calculations may be performed with a coverage factor of 1.
The maintenance interval shall be maximum 4 years if the planned shutdown cycle
exceeds 4 years.
Proper functioning of loop monitoring, if implemented, shall be tested during every
planned shutdown. The interval of these tests shall be maximum 4 years if the planned
shutdown cycle exceeds 4 years.
If the valve action is monitored by the DCS by monitoring the effect of the valve moving
to the safe position and the DCS generates a report, this report may be considered as a
test provided that the valve has no TSO requirement. The valve closing time should also
be checked such that incipient problems (valve becoming sticky) are also detected.
NOTE: The valve moving to a safe position is not necessarily detected by a position switch; the reduction of flow to zero, if a
closed valve is the safe position, is also a detection possibility.

In batch processes valves are closed and opened frequently by the batch controller.
Situations exist where a certain valve position is a permissive to proceed with a next
step, because starting the next step with the valve in another position would give a
hazardous situation. If the movement to the safe position of the valve during the batch is
checked by the batch controller and a report indicating functioning of the valve is
generated, the test interval may be assumed to be the time between the (batch
controlled) movements to the safe position.

7.6. AUTOMATIC TESTING

7.6.1. General
Automatic functional testing is one way to reduce the test interval and at the same time
reduce human-induced unrevealed failures and nuisance trips caused by human errors
during manual testing.
Irrespective of the automatic tests performed, manual testing with a coverage factor of as
close as possible to 1 shall be performed during planned shutdowns (maintenance
interval). The maintenance interval shall be maximum 4 years if the planned shutdown
cycle exceeds 4 years.

7.6.2. Process IPF initiators


Research is in progress to determine whether one or a combination of the following
methods is a suitable replacement of manual initiator testing:
- continuous comparison of initiator signals, e.g. IPF initiator versus DCS control
measurement;
- continuous analysis of initiator signal noise for analogue measurements;
- analysis of measurement rate of change.
The coverage factor of comparison tests is 0.99 according to IEC/SC65A draft 1508.

7.6.3. Flammable or toxic gas initiators


To enable one-man testing of flammable or toxic gas detectors the following system shall
be implemented if specified by the Principal:
- A test button and lamp connected to the FGS IPS shall be provided near each
detector and a common test enable switch shall be mounted on the mimic.
- The panel operator enables the test by means of the test enable switch. Enabling the
test is recorded on the SER.
- The tester presses the button and the lamp will come on when the IPS has taken the
detector in override. Pressing the button is recorded on the SER.
- The tester presents the test gas to the detector head and the HH level shall be
detected within a set time. HH level detection or non-detection within the set time is
recorded on the SER.
- If the HH level is not detected within 4 minutes or when the level returns to normal, the
override shall be removed automatically. Removal of the override is recorded on the
SER.
- The SER printout functions as the test record.
NOTE: The Principal may decide to use another testing method.
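The one-man test sequence of (7.6.3), as an added worked example in Python; it is not code from this document or from any FGS supplier, and it models only the FGS IPS side of the sequence. Assumptions: the logic solver scans each detector with a discrete level (normal, H or HH), the SER is modelled as a list, the 4-minute limit is measured from the button press, and the detector tags and timeline are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

HH_TIMEOUT = timedelta(minutes=4)   # HH must be detected within 4 minutes of the button press


@dataclass(frozen=True)
class SerEvent:
    """One SER entry (assumed layout)."""
    time: datetime
    event: str
    tag: str


class OneManGasTest:
    """FGS IPS logic for the test button / lamp / enable switch arrangement."""

    def __init__(self, detectors):
        self.detectors = set(detectors)
        self.enabled = False   # common test enable switch on the mimic
        self.started = {}      # tag -> time the button was pressed (override active)
        self.hh_seen = set()   # tags whose HH level was detected during the test
        self.ser = []

    def _log(self, now, event, tag=""):
        self.ser.append(SerEvent(now, event, tag))

    def set_enable(self, on, now):
        """Panel operator enables (or disables) testing; recorded on the SER."""
        self.enabled = on
        self._log(now, "TEST_ENABLE_ON" if on else "TEST_ENABLE_OFF")

    def press_button(self, tag, now):
        """Local test button. Returns the lamp state: on once the override is taken."""
        if not self.enabled or tag not in self.detectors or tag in self.started:
            self._log(now, "BUTTON_IGNORED", tag)
            return False
        self.started[tag] = now
        self._log(now, "BUTTON_PRESSED_OVERRIDE_SET", tag)
        return True

    def lamp(self, tag):
        return tag in self.started

    def _remove_override(self, now, tag, reason):
        del self.started[tag]
        self.hh_seen.discard(tag)
        self._log(now, f"OVERRIDE_REMOVED_{reason}", tag)

    def scan(self, tag, level, now):
        """One logic-solver scan for a detector; level is 'normal', 'H' or 'HH'.
        Returns True when the FGS would take executive action on this scan."""
        if tag in self.started:
            if now - self.started[tag] > HH_TIMEOUT and tag not in self.hh_seen:
                self._log(now, "HH_NOT_DETECTED_IN_TIME", tag)
                self._remove_override(now, tag, "TIMEOUT")
            elif level == "HH" and tag not in self.hh_seen:
                self.hh_seen.add(tag)
                self._log(now, "HH_DETECTED", tag)
            elif level == "normal" and tag in self.hh_seen:
                self._remove_override(now, tag, "TEST_COMPLETE")
        # Once the override is gone, a real HH level acts as normal.
        return level == "HH" and tag not in self.started

    def result(self, tag):
        """Read the test record off the SER: 'PASS', 'FAIL' or 'IN PROGRESS'."""
        events = [e.event for e in self.ser if e.tag == tag]
        if "OVERRIDE_REMOVED_TEST_COMPLETE" in events:
            return "PASS"
        if "HH_NOT_DETECTED_IN_TIME" in events:
            return "FAIL"
        return "IN PROGRESS"


def demo_gas_test():
    """Constructed scenario: GD-301 reaches HH after 90 s and is cleared at 3 min;
    GD-302 never reaches HH in time, so its override is dropped after 4 min."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    fgs = OneManGasTest(["GD-301", "GD-302"])
    fgs.set_enable(True, t0)
    fgs.press_button("GD-301", t0)
    during = fgs.scan("GD-301", "HH", t0 + timedelta(seconds=90))
    fgs.scan("GD-301", "normal", t0 + timedelta(minutes=3))
    fgs.press_button("GD-302", t0)
    fgs.scan("GD-302", "H", t0 + timedelta(minutes=2))
    late = fgs.scan("GD-302", "HH", t0 + timedelta(minutes=5))   # override already removed
    return {"pass": fgs.result("GD-301"), "fail": fgs.result("GD-302"),
            "action_during_test": during, "action_after_timeout": late,
            "lamps": (fgs.lamp("GD-301"), fgs.lamp("GD-302"))}


if __name__ == "__main__":
    print(demo_gas_test())
```

The late HH on GD-302 is the case worth noticing: because the override is removed automatically on the timeout, a detector that finally sees gas after the 4 minutes produces executive action, which is the behaviour a tester walking around with a test gas bottle needs to be aware of.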

7.6.4. Final elements


For IPF final elements, automation of valve testing may be applied. Performing this test
by partial valve stroking has not always been successful. The coverage factor of partial
valve stroke testing is 0.5 according to IEC/SC65A draft 1508. Partial valve stroking should
therefore not be applied.
Semi-automatic full valve stroking may be used as a substitute for manual testing
provided that it is acceptable to Operations to operate the valve for a short period.

If semi-automatic full valve stroke testing is applied to valves with leakage class V or VI
TSO requirements, the coverage factor shall be determined together with the discipline
responsible for stating the TSO requirement.
The basic testing principle for semi-automatic full valve stroke testing shall be as follows:
- The tester initiates the test from the DCS.
- The command to close the valve should be transmitted via the communication link
from the DCS to the IPS.
- The IPS sends the close command to the valve for a period exceeding the valve travel
time (such that the DCS can detect the safe position) after which it returns the valve
again to the position it had before the test.
- A valve safe position indication shall be available in the DCS.
- The test result shall be recorded by the DCS automatically.
- The consequence of the valve failing in the safe position as a result of this test should
be considered.
Another automatic test which may be implemented is to monitor stroking times during
each operation of the valve and raise an alarm when the stroking time exceeds a
specified limit.

8. IPF CALCULATION METHODOLOGY

8.1. GENERAL
The details of the IPF calculation methodology are described in a separate document.
The purpose of this calculation methodology is:
- To calculate required test intervals to fulfil the probabilistic IPF class requirements
taking into account unrevealed failure rates, test coverage factor, etc.
- To calculate the IPF revealed failure rate.

8.2. ASSUMPTIONS
The probabilistic calculations used in the calculation methodology do not take into
account common mode and systematic failures, nor are human errors taken into account
in the version of the calculation methodology available at the time of issue of this
document.
The failure rates used in the calculation methodology are assumed to be constant over
time. Failures that are expressed as failures per million operations, (operating) time
based failures, systematic failures and human errors, have to be converted to failure
rates constant over time. This can be done by making use of the test results, e.g. 1,000
solenoid valves proof tested with a regular interval over a period of 10 years yield a
number of failures per 10,000 'solenoid valve years' which can be converted to failures
per year for a solenoid valve.
NOTE: Preventive maintenance will reduce time dependent failures, resulting in lower converted unrevealed failure rates.

For NDE output circuits the failure rate of cables and connections, power supply,
instrument air supply, etc. shall be included in the unrevealed failure rate of the final
element, while for NE output circuits they shall be included in the revealed failure rate.

8.3. INPUTS INTO THE CALCULATION METHODOLOGY

8.3.1. Instrumented protective system


A selection is to be made between:
- relay system;
- solid-state/magnetic-core system;
- IPS-PLC system;
- other, in which the user is free to enter the failure rate data required.
8.3.2. IPF architecture
The architecture for the initiator and final element components of the IPF are not
necessarily the same.
The following initiator architectures are covered by the calculation methodology:
- non-robust, for both revealed and unrevealed failures, i.e. 1oo1;
- unrevealed failure robust and non-robust for revealed failures, i.e. 1oo2;
- revealed failure robust and non-robust for unrevealed failures, i.e. 2oo2;
- unrevealed failure robust and revealed failure robust, i.e. 2oo3.
The calculation methodology covers the following architectures for final elements:
- non-robust, for both revealed and unrevealed failures, i.e. 1oo1, for rotating
equipment stop circuits and valves;
- unrevealed failure robust and non-robust for revealed failures, i.e. 1oo2, for valves;
- revealed failure robust and non-robust for unrevealed failures, i.e. 2oo2, for valves;
- unrevealed failure robust and revealed failure robust, i.e. '2oo4', for valves.

8.3.3. Failure rates
Both unrevealed and revealed failure rates of the following loop components shall be
entered into the calculation methodology:
- The initiator, excluding the IPS input. For those cases where no failure rate data are
available from local records, the calculation methodology provides default failure
rates.
- IPS input. For PLC type IPSs, this is the (robust) input card. For other IPSs this is the
trip amplifier and the first relay, solid-state module or magnetic-core. Except for 'other'
types of IPS systems, failure rates are fixed in the calculation methodology.
- Logic solver. Except for 'other' logic solver types, failure rates are fixed in the
calculation methodology.
- IPS output. For PLC type IPSs, this is the (robust) output card. For other IPSs this is
the last relay, solid-state module or magnetic-core. Except for 'other' types of IPS
systems, failure rates are fixed in the calculation methodology.
- The final element, excluding the IPS output. For those cases where no failure rate
data are available from local records, the calculation methodology provides default
failure rates.
The failure rates for the initiator and IPS input are added to give the total initiator failure
rate because it is assumed that both the initiator and the IPS input are tested during the
regular manual or automatic proof test. For similar reasons, the failure rates for the IPS
output and final element are added to give the total final element failure rate.
An upgrade or new version of the IPS may necessitate an update of the failure rates
mentioned above.

8.3.4. Testing
The following types of information related to testing are required:
- Test interval for the initiator and IPS input combination, and for the IPS output and
final element combination. These two test intervals are not necessarily the same. The
logic solver is assumed to be tested only during the maintenance interval.
- Coverage factors with which these tests are performed.
- Test duration. It is assumed that the initiator is on maintenance override and the final
element is either mechanically prohibited from moving fully or bypassed. Hence during
the test both inputs and outputs are in the unrevealed failure condition. For tests
where this is not the case, e.g. automatic testing of initiators by MVC, the test duration
should be set to zero.
- Maintenance interval or lifetime. Both the input and the output combinations will be
tested during planned shutdown (maintenance interval) with a coverage factor as close
as possible to 1, see (7.). The maintenance interval shall be maximum 4 years if the
planned shutdown cycle exceeds 4 years. Relay type logic solvers shall also be tested
during the planned shutdown, hence the maintenance interval is also applicable to this
type of logic solvers. Solid-state/magnetic-core and IPS-PLC logic solvers do not require
testing during planned shutdowns, hence the lifetime of this type of equipment shall be
taken into account.
- Repair time shall be taken into account for all components of the loop. The calculation
methodology assumes that the loop stays in override when an unrevealed failure is
found during the test. Repair times for both revealed and unrevealed failures are
assumed to be the same.

8.4. OUTPUTS OF THE CALCULATION METHODOLOGY
The calculation methodology provides the following outputs:
- PFD of the initiator and IPS input combination;
- PFD of the logic solver;
- PFD of the IPS output and final element combination;
- PFD of the IPF, assuming the initiator and final element are in override during repair
and assuming the initiator and final element are not in override during repair;
- IPF class of the IPF, assuming the initiator and final element are in override during
repair and assuming the initiator and final element are not in override during repair;
- revealed failure rate of the above mentioned IPF components.
NOTE: IPF class V or VI cannot be obtained when the initiator or final element are single (1oo1) or revealed failure robust
(2oo2), irrespective of the PFD.

The PFD of the IPF loop components are given to enable test interval optimisation.
The IPF PFD shall be lower than the PFD required for the IPF class related to the IPF. If
this is not the case, test intervals, architecture or function components shall be changed
such that the PFD is sufficiently reduced.

8.5. CALCULATION OF TEST INTERVAL- SPECIAL CASES

8.5.1. Initiator or final element part of more functions


If an initiator or final element is part of multiple IPFs, the test interval for the initiator or
final element shall be the shortest of the initiator or final element test interval calculated
for the IPFs.

8.5.2. Adding rule


The simple rule given in (8.5.1.) is not valid when the adding rule is applied, see (4.3.),
e.g. 13 initiators and 1 final element. If all functions are IPF class III, the adding rule
results in final element implementation requirements as per class IV. A class IV final
element may be implemented single (1oo1) and, if no additional steps are taken, the test
interval for the final element would be the same as in the case of the final element being
part of only the most stringent IPF class III function.
The steps to be taken to determine the test interval taking into account the more
stringent final element requirements are:
(i) Calculate the PFD for each loop and take the most stringent final element PFD.
(ii) Reduce the test interval of the final element such that the PFD obtained in the
previous step is reduced by a factor 10.
(iii) Use this test interval as the final element test interval.
If in the example above all individual functions would have been class IV, the final
element shall be implemented as class V which, according to the deterministic class V
requirements, would mean unrevealed failure robust. The test interval shall be calculated
following the steps indicated above, with the addition that in step (ii) the unrevealed
failure robustness is incorporated.
NOTE: The addition of unrevealed failure robustness may result in an increased test interval.

8.5.3. Synergetic consequences
The following steps shall be taken to determine the test interval taking into account the
more stringent initiator requirements if synergetic consequences (3.2.4.3.5.) are
applicable:
(i) Calculate the PFD for each function and take the most stringent initiator PFD.
(ii) If the initiator IPF class resulting from the check on synergetic consequences is one
IPF class above the highest IPF class of that initiator for the classifications excluding
the synergetic consequences, reduce the test interval of the initiator such that the
PFD obtained in the first step is reduced by a factor 10.
(iii) If the initiator IPF class resulting from the check on synergetic consequences is two
IPF classes above the highest IPF class of that initiator for the classifications
excluding the synergetic consequences, reduce the test interval of the initiator such
that the PFD obtained in the first step is reduced by a factor 100.
(iv) Use this test interval as the initiator test interval.
If all individual functions are class IV or lower and due to synergetic consequences the
initiator shall be implemented as class V, the initiator shall be unrevealed failure robust.
The test interval shall in this case be calculated following the steps indicated above, with
the addition that in step (ii) or (iii) the unrevealed failure robustness is incorporated.
NOTE: The addition of unrevealed failure robustness may result in an increased test interval.
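The test interval calculations of (8.4), (8.5.2) and (8.5.3), and the PFD versus test interval relation referred to in (7.1), as an added worked example in Python. This is not the IPF calculation methodology of the separate document referred to in (8.1). It uses the standard simplified average-PFD formulae under the assumptions listed in (8.2) (constant failure rates, no common-mode or systematic failures) and a zero test duration, with proof tests of coverage C finding a fraction C of the unrevealed failures every T years and the remainder only at the maintenance interval M. The valve failure rate of 0.047 unrevealed failures per year is the figure from (7.1); the coverage factors, logic solver PFD and per-loop PFD budgets are constructed for illustration and do not represent the class boundaries of this document.

```python
def channel_pfd(lam, T, C, M):
    """Average PFD of one channel (assumed simplified formula): failures found by the
    proof test (coverage C, interval T) plus those found only at maintenance (M)."""
    return C * lam * T / 2 + (1 - C) * lam * M / 2


# Architecture factors relative to one channel, common-cause failures ignored:
# 1oo2: (lam*T)^2/3 = 4/3 p^2, 2oo2: 2p, 2oo3: (lam*T)^2 = 4 p^2.
ARCH = {
    "1oo1": lambda p: p,
    "1oo2": lambda p: 4 * p * p / 3,
    "2oo2": lambda p: 2 * p,
    "2oo3": lambda p: 4 * p * p,
}


def subsystem_pfd(arch, lam, T, C, M):
    """PFD of the initiator+input or output+final element combination."""
    return ARCH[arch](channel_pfd(lam, T, C, M))


def ipf_pfd(initiator, logic_solver_pfd, final_element):
    """PFD of the whole IPF: the three parts of (8.4) added together.
    `initiator` and `final_element` are dicts with keys arch, lam, T, C, M."""
    return subsystem_pfd(**initiator) + logic_solver_pfd + subsystem_pfd(**final_element)


def interval_for_pfd(target, arch, lam, C, M):
    """Largest test interval T (years, 0 < T <= M) keeping the subsystem PFD at or
    below `target`. Returns None when the (1 - C) term alone already exceeds the
    target, i.e. no test interval can achieve it; found by bisection."""
    if subsystem_pfd(arch, lam, 0.0, C, M) > target:
        return None
    lo, hi = 0.0, M
    if subsystem_pfd(arch, lam, hi, C, M) <= target:
        return hi
    for _ in range(200):
        mid = (lo + hi) / 2
        if subsystem_pfd(arch, lam, mid, C, M) <= target:
            lo = mid
        else:
            hi = mid
    return lo


def adding_rule_interval(element, loop_budgets, robust_arch=None, factor=10):
    """Steps (i)-(iii) of (8.5.2) for an element shared by several loops.
    loop_budgets: PFD available to this element in each loop. Step (i) uses the
    element as classified; step (ii) divides that PFD by `factor` (10 for one
    class, 100 for two classes as in (8.5.3)) and, if the higher class demands
    unrevealed failure robustness, solves with `robust_arch` instead."""
    intervals = [interval_for_pfd(b, **element) for b in loop_budgets]
    if any(t is None for t in intervals):
        return None
    shortest = min(intervals)                          # the (8.5.1) rule
    most_stringent = subsystem_pfd(T=shortest, **element)
    solve_with = {**element, "arch": robust_arch or element["arch"]}
    return interval_for_pfd(most_stringent / factor, **solve_with)


# Constructed example data: the (7.1) valve as a 1oo1 final element.
VALVE = {"arch": "1oo1", "lam": 0.047, "C": 0.9, "M": 4.0}

if __name__ == "__main__":
    for T in (0.5, 1.0, 2.0, 4.0):
        print(f"T={T} y  PFD(1oo1)={subsystem_pfd(T=T, **VALVE):.4f}"
              f"  PFD(1oo2)={subsystem_pfd(T=T, **{**VALVE, 'arch': '1oo2'}):.5f}")
    print("adding rule, stays 1oo1:", adding_rule_interval(VALVE, [0.05, 0.06]))
    print("adding rule, 1oo2     :", adding_rule_interval(VALVE, [0.05, 0.06], "1oo2"))
```

Two things the formulae make visible that the text only states: the (1 - C) term puts a floor under the PFD that no shorter test interval can remove, so the adding rule cannot always be satisfied by reducing the interval alone (the 1oo1 valve with coverage 0.9 returns None); and once the class V requirement forces an unrevealed failure robust (1oo2) final element, the factor-10 reduction is reached at a longer test interval than the single valve had, which is the NOTE following (8.5.2) and (8.5.3).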

9. MAINTENANCE

9.1. INTEGRITY
Integrity of IPFs shall be managed by applying the following:
- Modifications shall be carried out following plant change procedures.
- Temporary modifications, e.g. defeat of an IPF loop, shall be separately identified
within the plant change procedure.
- For software based IPSs, principles of system management shall be applied.
- A focal point for Manufacturer/Supplier maintenance and support shall be appointed.
- System revision and upgrades shall be avoided, see also (5.3.). In case a revision or
upgrade is required, procedures as described by the Manufacturer/Supplier shall be
adhered to. All revisions and upgrades shall be documented.
- Software back-ups shall be made at regular intervals.
- Security and access rights shall be documented.
- A system logbook shall be available for recording all system modifications.
- System documentation shall be available.
- Strict security procedures shall be adhered to when remote maintenance is applied.
- Pending repairs shall be followed up.

9.2. TEST PROCEDURES


Procedures and test sheets for periodic functional testing and inspection shall be
available and used.
It shall be clear to the users which part of the intended (by design) protection
functionality is covered by the test procedures.
Testing shall be carried out according to a pre-defined planning schedule, based on test
intervals calculated according to (8.). The schedule status shall be reported.
Manual testing of IPFs shall be performed by a qualified team having dedicated
procedures, reports, databases, etc. This team shall work in close relation with
operational, mechanical and electrical testing teams, as well as with the instrument
maintenance team.
The team shall ensure that unrevealed failures are not introduced by the tests (e.g. by
leaving impulse lines closed).
IPF testing may be subcontracted, depending on local circumstances.

9.3. TEST RESULTS


Test results and details of corrective actions or preventive maintenance activities shall be
recorded, preferably in coded form, in a database for future reference and statistical
analysis.
Coding should be as follows:
- Failure mode which indicates the problem as found by the technician, e.g. impulse line
closed.
- Failure causes indicating the causes of the problems (if known), e.g. human error.
- Failure type (unrevealed).
- Corrective maintenance and preventive actions taken.
- Time spent and manning required on the various activities.
These results shall be analysed, reported and used to optimise test frequencies or to
modify the system where necessary. Test frequencies should be adjusted to reflect
actual data available from the database.

Test reports shall be archived for at least ten years or for the life of the IPF, whichever is
longer.

9.4. SCHEDULED MAINTENANCE


Apart from functional test and inspection procedures, time and condition based
maintenance schedules such as periodic calibrations, valve stroking or periodic valve
overhaul may also be required.

9.5. TRIP REPORTS


Trip reports should be stored, preferably in coded form, in the same database as the
database referred to in (9.3.).
The coding should be as follows:
- real demand;
- system (instrumentation) failure;
- human error;
- unknown.
Trip reports shall be analysed and used to optimise test frequencies or to modify the
system where necessary.

9.6. MODIFICATIONS
Modifications shall follow the same IPF classification and implementation procedures as
applied to new designs.

9.7. AUDITS
A yearly audit should be carried out to confirm compliance with:
- change procedures;
- test procedures;
- test schedule;
- recording and analysis of results;
- integrity management such as:
  - changes made to the logics performed by the IPS;
  - no 'forced' inputs or outputs present in the IPS;
  - adherence to restrictions imposed by the IPS type approval.

10. REFERENCES

In this document, reference is made to the following publications:


NOTE: Unless specifically designated by date, the latest edition of each publication shall be used, together with any
amendments/supplements/revisions thereto.

GERMAN STANDARDS
Control Technology; Fundamental Safety Aspects to be Considered for Measurement and
Control Equipment. DIN V 19250
Issued by:
Beuth Verlag GmbH
Burggrafenstrasse 6
Postfach 11 07
D-1000 Berlin 30
Germany.

Wartungseingriffe/Maintenance Override, Version 2.2, 08 September 1994.
Issued by:
TÜV Rheinland, ISEB
Am Grauen Stein
D-51105 Cologne
Germany.
or:
TÜV Bayern, IQSE
Ridlerstrasse 31
D-80339 Munich
Germany.

INTERNATIONAL STANDARDS
Draft. Functional safety of safety related systems. Parts 1-7. IEC/SC65A draft 1508
Industrial Process Control Valves. Part 4: Inspection and routine testing. IEC 534-4
Issued by:
Central Office of the IEC
3, Rue de Varembé
CH 1211 Geneva 20
Switzerland.
Copies can also be obtained from national standards organisations.

APPENDIX 1 SUGGESTIONS ON HOW TO SET UP A CLASSIFICATION EXERCISE

Introduction
For the IPF classification exercise it is essential to set up a structure to optimise team
productivity and quality of output. This Appendix gives guidelines for the organisation of
an IPF classification exercise.
Planning
A planning schedule should be set up, detailing the individual team members by name
and discipline. No more than 5 hours per day should be spent on classification because
otherwise motivation and concentration may fall and the quality of team output may
reduce dramatically. Each function requires equal attention. Regular breaks should be
planned. The team members should not be disturbed during classification. Specialists
such as rotating equipment or furnace specialists should be on call and available when
their input is needed.
Team
The composition of an IPF classification team is defined in (3.2.2.). Efficiency will be
increased considerably by appointing a secretary who records the discussion in the IPF
database. The secretary role can be fulfilled by a junior technologist or engineer. It is
essential that the secretary has a technical background. The facilitator shall ensure that
the discussions are sufficiently detailed without losing the objectives of the classification.
Time keeping and preventing procedural errors are two important tasks for the facilitator.
Preparation
To minimise delays, all preparatory work shall be done prior to classification. Once the
team has started the classification process no time should be lost doing work that could
have been done in advance.
The following should be available before the start of the classification exercise:
- Copies of the documents which contain input information for the discussion.
- PC, including IPF classification database and IPF calculation software, overhead
projector, LCD panel screen etc. shall have been set up and tested.
- Identification of the IPF loops and the creation of records in a database. The order in
which they are going to be discussed shall have been fixed.
The following documents and office equipment should be available:
- Process and Utility Engineering Flow Schemes (PEFSs);
- Process Flow Schemes (PFSs), Process Safeguarding Flow Schemes (PSFSs),
cause and effect matrices, process safeguarding memoranda and IPF & control
narratives;
- overhead projector;
- projection screen or equivalent;
- LCD panel screen for use on the overhead projector;
- PC installed in the meeting room (connected to LCD panel);
- software package to store the classification results in a database, installed on the PC.

107
FIGURES

FIGURE 1 RISK REDUCTION - GENERAL CONCEPTS
FIGURE 2 IPF CLASSIFICATION AND IMPLEMENTATION WITHOUT METHODOLOGY OF THIS DOCUMENT
FIGURE 3 IPF CLASSIFICATION AND IMPLEMENTATION WITH METHODOLOGY OF THIS DOCUMENT
FIGURE 4 MULTIPLE INITIATORS RELATED TO ONE FINAL ELEMENT
FIGURE 5 ONE INITIATOR RELATED TO MULTIPLE FINAL ELEMENTS
FIGURE 6 SPIDER DIAGRAM - REDUCTION OF CLASSIFICATION EFFORT
FIGURE 7 IPF CLASSIFICATION RISK DIAGRAMS
FIGURE 8 IPF CLASSIFICATION RESULTS - DATABASE PRINT-OUT - EXAMPLE
FIGURE 9 IPF CLASSIFICATION - BLANK FORM
FIGURE 10 ONE INITIATOR CONNECTED TO MULTIPLE FINAL ELEMENTS
FIGURE 11 COMBINATION OF UNREVEALED AND REVEALED FAILURE ROBUST VALVES
FIGURE 12 POSSIBLE IMPLEMENTATION OF IPF CLASSES
FIGURE 13 POSSIBLE IMPLEMENTATION OF IPF CLASSES - ARCHITECTURES AND MAXIMUM TEST AND MAINTENANCE INTERVALS
FIGURE 14 AUTOMATIC MAINTENANCE OVERRIDE
FIGURE 15 2oo3 INITIATOR AND DUAL INPUT CARD
FIGURE 16 MOS IMPLEMENTATION
FIGURE 17 RELATION IPF PFD AND IPF CLASS - TEST INTERVAL

FIGURE 1 RISK REDUCTION - GENERAL CONCEPTS

[Diagram not recoverable from the scan. Along an axis of increasing risk it shows, from left to right: the actual remaining risk (risk with the addition of other risk reduction facilities and the IPF function), the tolerable risk, the intermediate risk (risk with the addition of other risk reduction facilities) and the initial risk (risk without the addition of any protective features). The necessary minimum risk reduction runs from the initial risk to the tolerable risk; the actual risk reduction, i.e. the total risk reduction, runs from the initial risk to the actual remaining risk and is made up of the partial risk covered by the IPF function and the partial risk covered by other risk reduction facilities.]

FIGURE 2 IPF CLASSIFICATION AND IMPLEMENTATION WITHOUT METHODOLOGY OF THIS DOCUMENT

[Flowchart not recoverable from the scan. Disciplines across the top: Process Technology, Process Control, Safety, Instrumentation, Operations, Project Engineering, Process Control. Two START points are shown. Steps shown: select technology and architecture; determine test philosophy; reliability engineering; calculate demand rate (input from all disciplines); determine acceptable hazard rate; calculate target IPF function probability of failure on demand; determine acceptable IPF function mean time between revealed failure; calculate loop cost (both CAPEX and OPEX).]

FIGURE 3 IPF CLASSIFICATION AND IMPLEMENTATION WITH METHODOLOGY OF THIS DOCUMENT

[Flowchart not recoverable from the scan. Same disciplines across the top as in Figure 2. Steps shown: select technology and architecture; determine test philosophy; reliability engineering; IPF classification; calculate loop cost (both CAPEX and OPEX). Compared with Figure 2, the demand rate, hazard rate, target PFD and mean time between revealed failure steps are replaced by the IPF classification.]

FIGURE 4 MULTIPLE INITIATORS RELATED TO ONE FINAL ELEMENT

[Diagram not recoverable from the scan: several initiator functions connected to one final element function.]

FIGURE 5 ONE INITIATOR RELATED TO MULTIPLE FINAL ELEMENTS

[Diagram not recoverable from the scan: one initiator function connected to several final element functions; of the labels only 'Function 2' is legible.]

FIGURE 6 REDUCTION OF CLASSIFICATION EFFORT
SPIDER DIAGRAM

[Sketch not recoverable from the scan. It shows two protective functions: UZ-A with initiators AI1, AI2, AI3 and final elements AA1, AA2, and UZ-B with initiators BI1, BI2, BI3 and final elements BA1, BA2. The connection by which a trip of UZ-A also trips UZ-B is labelled UZ-A_TRIP.]

Without reduction of classification effort, a total of 24 IPFs would have to be classified,
including the synergetic consequences classification. To reduce the classification effort,
follow these steps:
1. Assign a temporary tag number to the connection UZ-A to UZ-B, in the sketch 'UZ-A_TRIP'.
2. Classify all 9 UZ-B functions:
BI1-BA1; BI1-BA2; BI2-BA1; BI2-BA2; BI3-BA1; BI3-BA2 and initiator failures.
3. Classify UZ-A_TRIP-BA1 and UZ-A_TRIP-BA2 and UZ-A_TRIP initiator failure.
4. Classify all 9 UZ-A functions:
AI1-AA1; AI1-AA2; AI2-AA1; AI2-AA2; AI3-AA1; AI3-AA2 and initiator failures.
5. If the AI initiator classes resulting from step 4 are equal to or exceed the UZ-A_TRIP IPF
class resulting from step 3, the classification is finished. The total number of
classifications performed is 21.
6. If step 5 is not true for one or more AIs, one of the following options shall be selected:
- Accept the UZ-A_TRIP IPF class for all those AIs. The classification is finished and
the total number of classifications performed is 21, but the IPF class for those AIs is
too high.
- Classify those AIs to all BA functions. The classification is finished and the total
number of classifications performed is between 21 and 27.
NOTE: If UZ-A_TRIP is classified equal to the highest BI, a check shall be done
whether the adding rule, see (4.3.), has any effect on BA1 or BA2.

FULL CAUSE AND EFFECT MATRIX

The classification effort can also be reduced when all the possibilities in a cause and effect
matrix are implemented, i.e. each initiator trips all final elements. In this case the IPFs can be
split as follows:

[Sketch not recoverable from the scan: all initiators are connected to an intermediate function ADD'L_TAG, which in turn is connected to all final elements.]

To classify, follow these steps:
1. Classify each initiator to ADD'L_TAG function; the latter shall also be given a description,
e.g. plant trip. This results in the required initiator class.
2. Classify each ADD'L_TAG to final element function. The demand rate (W) on ADD'L_TAG
can be determined by summating the initiator Ws (10 or more W1s result in W2 and 10
or more W2s result in W3, with the W never above W3) or from experience. This results
in the required final element class.
NOTE: The synergetic consequence check on initiator failure is not required because it is embedded in step 1.

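The demand-rate bookkeeping of Figure 6 (summation of initiator Ws onto an ADD'L_TAG) and of Figure 8 (W from a demand frequency, with the non-return-valve credit of Note 2), as an added Python example that is not part of the proceedings. The function names are hypothetical; the W0 lower bound, the pooling of W1-derived W2s with the initiators' own W2s, and the sample frequencies are assumptions marked in the code.

```python
"""Added example, not from the proceedings: demand-rate class (W)
bookkeeping used in Figures 6 and 8."""
from collections import Counter
from typing import Iterable


def demand_class(demands_per_year: float) -> int:
    """W class from Figure 7: W3 = more than once per year, W2 = once per
    1-10 years, W1 = once per 10-100 years.
    Assumption: a demand rarer than once per 100 years is taken as W0,
    which the page only labels 'unclassified'."""
    if demands_per_year > 1.0:
        return 3
    if demands_per_year >= 0.1:
        return 2
    if demands_per_year >= 0.01:
        return 1
    return 0


def nrv_credit(n_nrv: int, diverse: bool = False) -> float:
    """Reduction factor on the demand frequency from non-return valves
    (Figure 8, Note 2): one NRV gives a factor 10; two NRVs of different
    make and type give a factor 50 rather than 100 because of common-mode
    failures not related to make and type. Other arrangements are not
    specified on the page and are rejected rather than guessed."""
    if n_nrv == 0:
        return 1.0
    if n_nrv == 1:
        return 10.0
    if n_nrv == 2 and diverse:
        return 50.0
    raise ValueError("no credit specified for this NRV arrangement")


def demand_class_with_nrvs(demands_per_year: float, n_nrv: int,
                           diverse: bool = False) -> int:
    """W class of the demand that actually reaches the IPF."""
    return demand_class(demands_per_year / nrv_credit(n_nrv, diverse))


def sum_demand_classes(initiator_ws: Iterable[int]) -> int:
    """Demand class on an ADD'L_TAG from its initiators (Figure 6, full
    cause and effect matrix, step 2): 10 or more W1s count as a W2, 10 or
    more W2s count as a W3, and the result never exceeds W3.
    Assumption: W2s formed from W1s are pooled with the initiators' own
    W2s before the second rule is applied."""
    counts = Counter(initiator_ws)
    w2 = counts[2] + counts[1] // 10
    w3 = counts[3] + w2 // 10
    if w3:
        return 3
    if w2:
        return 2
    if counts[1]:
        return 1
    return 0


if __name__ == "__main__":
    # Constructed frequencies for the two backflow cases of Figure 8; the
    # page gives only the resulting classes (W3 -> W1 and W1 -> W0).
    pump_stops = 2.0   # case 'a': pump stoppage, more than once per year
    rv_opens = 0.02    # case 'b': inadvertent opening of 17RV-002, once per 50 years
    for label, freq in (("case a", pump_stops), ("case b", rv_opens)):
        print(label, "raw W%d" % demand_class(freq),
              "with two diverse NRVs W%d"
              % demand_class_with_nrvs(freq, 2, diverse=True))
    # Twelve W1 initiators and two W2 initiators tripping one ADD'L_TAG.
    print("ADD'L_TAG demand: W%d" % sum_demand_classes([1] * 12 + [2] * 2))
```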
FIGURE 7 IPF CLASSIFICATION RISK DIAGRAMS

CLASSIFY IPF UNREVEALED FAILURES FOR THE THREE CATEGORIES
AND SELECT THE MOST STRINGENT IPF CLASS
PERSONNEL SAFETY, PRODUCTION AND EQUIPMENT LOSS, ENVIRONMENT

[The three risk graphs are not recoverable from the scan. Each starts at START, branches on the consequence parameter (S, L or E) and, for personnel safety, on A and G, and ends in a column per demand class W0 to W3 giving the IPF class (from - through I to VI, or X); the personnel safety graph is also related to the AK class of DIN V 19250 and the SIL of IEC 65A Draft 1508. The parameter definitions read as follows; where the scan is illegible, "..." is left.]

(W) Frequency of demand on the instrumented protective function:
W0 = Unclassified
W1 = Very low (demand rate once per 10-100 years)
W2 = Low (demand rate once per 1-10 years)
W3 = Relatively high (demand rate more than once per year)

(S) Extent of human injury per demand, if the instrumented protective function fails on demand:
S0 = No injury
S1 = Slight injury, non-permanent
S2 = Severe injury, death of one person
S3 = Death of several persons
S4 = Catastrophe, many casualties
(A) Duration of presence in danger zone:
A1 = Seldom to frequently (at time of demand)
A2 = Frequently to continuously (at time of demand)
(G) Possibility to avoid hazard:
G1 = Under certain conditions
G2 = Hardly possible

(L) Production and equipment loss per demand, if the instrumented protective function fails on demand:
L0 = No operational ..., no damage to equipment
L1 = Minor ..., minor damage to equipment
L2 = ...
L3 = Major ..., major ...
L4 = Damage to ... equipment causing major economic loss; major loss of containment

(E) ... to the environment per demand, if the instrumented protective function fails on demand:
E0 = No ..., negligible ... to the environment
E1 = Release with minor damage to the environment that should be ...
E2 = Release within fence with significant damage to the environment
E3 = Release outside fence with ... major ... to the environment
E4 = Release outside fence with permanent major damage to the environment

CLASSIFY IPF REVEALED FAILURES

[Graph not recoverable from the scan. Starting from START it branches on C and R within three bands of the cost of revealed failure robustness (CR): CR ≤ USD 1,000; USD 1,000 < CR ≤ USD 10,000; USD 10,000 < CR ≤ USD 100,000, and ends in F (revealed failure robust) or N (no additional requirements for robustness).]

(C) Cost of production loss ..., if the instrumented protective function takes action without a demand:
C0 = Cost ≤ USD 1,000
C1 = USD 1,000 < Cost ≤ USD 100,000
C2 = USD 100,000 < Cost ≤ USD 1,000,000
C3 = USD 1,000,000 < Cost ≤ USD 10,000,000
C4 = USD 10,000,000 < Cost
(R) Frequency of revealed failure:
R1 = Very low (revealed failure rate once per 10-100 years)
R2 = Low (revealed failure rate once per 1-10 years)
R3 = Relatively high (revealed failure rate more than once per year)

FIGURE 8 IPF CLASSIFICATION RESULTS - DATABASE PRINT-OUT - EXAMPLE
IPF CLASSIFICATION
PEFS Initiator Tag: T-2.665.807-C
Initiator Tag: 17PDZA-002LL 17FZA-012LL Service Desc.: Backflow Detection R-1701 Feed
Related UZ1: 17UZ-020 Service Desc.: HC Feed Backflow IPS
Related UZ2: Service Desc.:
Related UZ3: Service Desc.:
Intermediate Tag1: 17UZ-021 17UZ-022
Intermediate Tag2:
Intermediate Tag3:
Final Element Tag: 17FCV-011 17UZ-021 Service Desc.: Feed To Reactor R-1701
Is It A Pre-Alarm: N
Consequence Of Failure On Demand:
Case 'a'. The consequences are backspinning of the pump and rupture of vessel V-1701, since it is
impractical or impossible to protect it with a relief valve (too hot material). Vessel rupture is much
more severe than pump backspinning, therefore the latter is not dealt with in detail any further.
Case 'b'. The pump will be stopped by 17FZA-012LL or, if the trip level is not reached, the
operator will stop the pump as soon as he recognises the situation. If the backflow protection
system fails, the flare system will be overloaded both in terms of temperature and in terms of
flow, but the flare system will not be ruptured.
Consequence Of Revealed Failure:
The pump will stop. The unit will be out of feed for 7 hours. At end of run the chances of the
reactor temperature runaway protection system 17TZA-HHs activating are reasonably high, which
would cause an outage of 24 hours. The cost of a revealed failure is 5,600 t/d * 45 USD/t * 1 d = USD
250,000.
Demand W: 1 / 0
Personnel Safety S: 3 / 2 A: 2 / 1 G: - / 2 Personnel Safety Class: V / -
Loss L: 4 / 4 Production And Eq't Loss Class: III /
Environment E: 1 / 0 Environment Class: II / -
Overall Unrevealed Failure Class: V
Cost C: 2
CR Initiator: USD 7,500 Rate R: 1 Revealed Failure Class: N
CR Final Element: USD 42,500 Rate R: 2 Revealed Failure Class: N
Note 1:
There is more than one initiator and valve in the same function, but from the classification it will be clear that
these are provided to implement unrevealed failure robustness.
There are two occurrences that can cause backflow: a. pump stoppage, and b. inadvertent opening of 17RV-002.
These cases are indicated before and after the '/' respectively, i.e. a / b.
Note 2:
For case 'a', every time the pump stops the possibility of backflow is present. This would result in a frequency of
demand of more than once per year. However, two non-return valves (NRVs) are installed to reduce the frequency
of demand on the IPF. One NRV reduces the frequency of demand by a factor 10 and two different makes and
types of NRVs reduce the frequency of demand by a factor 50. The latter is not a factor 100 because of common
mode failures not related to make and type. Because of the NRVs the classification of the frequency of demand on
the IPF is reduced from W3 to W1.
Note 3:
Inadvertent opening of 17RV-002 will happen very infrequently, W1. However, because NRVs are installed the
frequency of demand on the IPF valves reduces to W0.
Note 4:
For case 'a', the most dangerous time is when the pump is started because a stop frequently occurs just after a
start. The pump has a local start. This means that more than one person will be present during the most dangerous
time and the classification shall therefore be A2.
Note 5:
Two valves in a 1oo2 configuration result in R2.

FIGURE 9 IPF CLASSIFICATION - BLANK FORM
IPF CLASSIFICATION
PEFS Initiator Tag:
Initiator Tag: Service Desc.:
Related UZ1: Service Desc.:
Related UZ2: Service Desc.:
Related UZ3: Service Desc.:
Intermediate Tag1:
Intermediate Tag2:
Intermediate Tag3:
Final Element Tag: Service Desc.:
Is It A Pre-Alarm:

Consequence Of Failure On Demand:

Consequence Of Revealed Failure:

Demand W:
Personnel Safety S: A: G: Personnel Safety Class:
Loss L: Production And Eq't Loss Class:
Environment E: Environment Class:
Overall Unrevealed Failure Class:
Cost C:
CR Initiator: Rate R: Revealed Failure Class:
CR Final Element: Rate R: Revealed Failure Class:
Note 1:

Note 2:

Note 3:

Note 4:

Note 5:

FIGURE 10 ONE INITIATOR CONNECTED TO MULTIPLE FINAL ELEMENTS

[Diagram not recoverable from the scan; the only legible label reads: Function 2: No additional requirements for robustness.]

FIGURE 11 COMBINATION OF UNREVEALED AND REVEALED FAILURE ROBUST VALVES

[Diagram not recoverable from the scan.]

FIGURE 12 POSSIBLE IMPLEMENTATION OF IPF CLASSES

Instrumented Protective Function Classes Related to Unrevealed Failures

X Change to safer design
VI PFD < 10^-3, possible implementation:
- Initiator: Separate from control; unrevealed failure robust; diverse
- IPS: Solid-state/magnetic-core hardware (TUV approved AK6)
- Final element:
Valve: Separate from control; unrevealed failure robust; diverse (if no TSO leakage
class V or VI requirements, second valve may be a control valve tripped by a
solenoid valve)
Rotating equipment stop circuit: No special equipment, unrevealed failure robust
V PFD < 10^-3, possible implementation:
- Initiator: Separate from control; unrevealed failure robust
- IPS: Relay / IPS-PLC / solid-state/magnetic-core hardware (TUV approved AK5)
- Final element:
Valve: Separate from control; unrevealed failure robust (if no TSO leakage class V or
VI requirements, second valve may be a control valve tripped by a solenoid valve)
Rotating equipment stop circuit: No special equipment, unrevealed failure robust
IV PFD < 10^-2, possible implementation:
- Initiator: Separate from control
- IPS: Relay / IPS-PLC / solid-state/magnetic-core hardware (TUV approved AK4)
- Final element:
Valve: Separate from control; unrevealed failure robust (if no TSO leakage class V or VI
requirements, second valve may be a control valve tripped by a solenoid valve)
Rotating equipment stop circuit: No special equipment
III PFD < 10^-1, possible implementation:
- Initiator: Separate from control
- IPS: Relay / IPS-PLC / solid-state/magnetic-core hardware (TUV approved AK3)
- Final element:
Valve: Separate from control, unless the demand on the IPF cannot be caused by a
malfunction of said control valve and the valve has no TSO leakage class V or VI
requirements
Rotating equipment stop circuit: No special equipment
II PFD ≥ 10^-1, possible implementation:
- No special equipment
- Switching function
I PFD ≥ 10^-1, possible implementation:
- No special equipment
- Alarm only, if operator action can be relied upon; otherwise classify and implement as II

For all classes II-VI a pre-alarm shall be included, provided corrective operator action to avoid the IPF action is
feasible.
All actions for classes II-VI shall be announced by an alarm.
Revealed failure robustness may be added to all possible implementations without degrading the IPF class,
provided the test and maintenance intervals are selected according to Figure 13.
In case the class already requires unrevealed failure robustness, the combination of revealed and unrevealed failure
robustness shall be implemented.
NOTES: 1. Class V/VI requires unrevealed failure robustness.
2. The test and maintenance intervals related to the selected architectures can be obtained from Figure 13.
3. The AK classes given above refer to DIN V 19250 requirement classes.
4. All items are mandatory minimum requirements.

Instrumented Protective Function Classes Related to Revealed Failures

F Revealed failure robust
N No additional requirements for robustness

NOTE: The 'F' originates from fault tolerant. R has not been used in order to avoid confusion with the revealed failure rate
classification.

FIGURE 13 POSSIBLE IMPLEMENTATION OF IPF CLASSES
ARCHITECTURES AND MAXIMUM TEST AND MAINTENANCE INTERVALS

[Table not recoverable from the scan. Its columns are: IPS Type (PLC, Relay, SS/MC); Final Element Type (Rot. Eq't, Valve); Initiator Architecture (S, UFR, RFR, UFR/RFR); Final Element Architecture (S, UFR, RFR, UFR/RFR); and, for IPF Class III, IPF Class IV and IPF Class V/VI, the Test and Maintenance Interval (years) for I, LS and F together with the resulting PFD, using default failure rates and coverage factors (see 18.). Rows combine each IPS type with each final element type and each initiator/final element architecture pair; for IPF Class V/VI, rows whose initiator or final element architecture is S or RFR (i.e. not unrevealed failure robust) are marked N/A.]

Legend:
Actual trip to test, test duration 1E-16
Required PFD cannot be obtained by reducing test interval
F Final Element (related interval is test interval, maintenance interval is 4 years)
I Initiator (related interval is test interval, maintenance interval is 4 years)
LS Logic Solver (related interval is maintenance interval)
MC Magnetic-Core
N/A Not Applicable (unrevealed failure robust required for IPF class V/VI)
Rot. Eq't Rotating Equipment Stop Circuit
PFD Probability of Failure on Demand
RFR Revealed Failure Robust
S Single
SS Solid-State
UFR Unrevealed Failure Robust
Test / maintenance intervals (years) used: 10; 4; 3; 2; 1.6; 1; 0.75 (9 months); 0.5 (6 months); 0.25 (3 months); 0.17 (2 months); 0.08 (4 weeks); 0.04 (2 weeks); 0.02 (1 week).

FIGURE 14 AUTOMATIC MAINTENANCE OVERRIDE

[Diagram not recoverable from the scan: within the IPS, the IPF initiator feeds the remainder of the logic, with an 'input fault detected' condition shown. Alarms etc. are not indicated.]

Acceptable provided the following is adhered to:
- A second or back-up indication shall be available to the operator.
- The control room shall be continuously manned.
- An alarm shall be generated and annunciated on the DCS indicating that the IPF trip
measurement is faulty.
- Other ways to trip or stop the process shall be available to the operator.
- The process dynamics shall be such that the operator has time to act.
- This functionality is time restricted, i.e. the trip measurement shall be taken in
maintenance override before a pre-set time of one hour has elapsed. In case an MOS is not
available, IPF action shall be taken after the pre-set time has elapsed.

FIGURE 15 2oo3 INITIATOR AND DUAL INPUT CARD

[Diagram not recoverable from the scan; only the label '2oo3 LOGIC' is legible.]

FIGURE 16 MOS IMPLEMENTATION

[Diagram not recoverable from the scan. Legible elements: the DCS console with ESD, OOS, PA and PZ indications, the MOS activated indication, and the MOS lamp with its enable and common connections; the DCS control processor, the IPS gateway, the sequence of events recorder (SER) and the maintenance / engineering highway; the instrumented protective system with its I/O, the MOS activated signal and the MOS enable signal; the valve test feedback; the central/field auxiliary room; the control, trip and alarm switching in the field. Signals to the IPS and signals to the SER are as described in the IPS technical specification.]

Legend:
ESD Emergency Shutdown
IPS Instrumented Protective System
MOS Maintenance Override Switch
OOS Operational Override Switch
SER Sequence of Events Recorder
Switch with back-lit handle
Hard-wiring (except in IPS)
Computer communication

FIGURE 17 RELATION IPF PFD AND IPF CLASS - TEST INTERVAL

[Plot not recoverable from the scan. Vertical axis: Probability of Failure on Demand, logarithmic from 1.00E+00 down to 1.00E-05, with bands marked IPF CLASS III, IPF CLASS IV and IPF CLASS V/VI. Horizontal axis: Test Interval (years), 0 to 4 in steps of 0.5. Curves are drawn for 1oo1, 1oo2, 2oo2 and 2oo3 configurations, parameterised by the IPF component unrevealed failure rate λ (failures per year).]

NOTE: For 1oo1 and 2oo2 configurations, the PFD vs. Test Interval lines stop at a PFD of 1.00E-3 because of the deterministic
requirement that for IPF class V and VI the configuration shall be unrevealed failure robust.

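The relation between test interval, PFD and IPF class that Figure 17 plots, with the class thresholds of Figure 12 and the interval grid of Figure 13, as an added Python example that is not part of the proceedings. The average-PFD formulas are the standard simplified approximations for periodically proof-tested channels (an assumption, not read from the page's curves), the function names are hypothetical, and all failure rates are constructed.

```python
"""Added example, not from the proceedings: average PFD of IPS
architectures versus proof-test interval, mapped onto the IPF classes of
Figure 12 and the test-interval grid of Figure 13."""
from typing import Optional

# Figure 12: PFD targets per IPF class, most stringent first. Classes I
# and II carry no target below 10^-1, so a PFD >= 10^-1 earns no more
# than class II.
PFD_TARGET = {"V/VI": 1e-3, "IV": 1e-2, "III": 1e-1}

# Figure 17 note: 1oo1 and 2oo2 are not unrevealed failure robust, so
# their PFD lines stop at 10^-3; class V/VI needs a redundant architecture.
UNREVEALED_FAILURE_ROBUST = {"1oo2", "2oo3"}

# Test / maintenance intervals (years) as printed in Figure 13, largest first.
TEST_INTERVALS = [10, 4, 3, 2, 1.6, 1, 0.75, 0.5, 0.25, 0.17, 0.08, 0.04, 0.02]


def pfd_avg(arch: str, lam: float, t_test: float) -> float:
    """Average probability of failure on demand of one IPF component group.

    Assumption (not from the page): standard simplified formulas for
    periodically proof-tested channels with constant unrevealed failure
    rate lam (failures per year) and test interval t_test (years), valid
    for lam * t_test << 1; common-cause failures and repair time ignored.
    """
    x = lam * t_test
    if arch == "1oo1":
        return x / 2
    if arch == "2oo2":
        return x            # both channels must work: about twice 1oo1
    if arch == "1oo2":
        return x * x / 3
    if arch == "2oo3":
        return x * x
    raise ValueError(f"unknown architecture {arch!r}")


def achievable_class(arch: str, lam: float, t_test: float) -> str:
    """Highest IPF class whose Figure 12 PFD target the architecture meets,
    applying the Figure 17 restriction for non-redundant architectures."""
    pfd = pfd_avg(arch, lam, t_test)
    for cls, target in PFD_TARGET.items():
        if cls == "V/VI" and arch not in UNREVEALED_FAILURE_ROBUST:
            continue
        if pfd < target:
            return cls
    return "II"


def max_test_interval(arch: str, lam: float,
                      target_pfd: float) -> Optional[float]:
    """Largest interval on the Figure 13 grid that still meets target_pfd.
    Returns None for the Figure 13 legend case 'required PFD cannot be
    obtained by reducing test interval'."""
    for t in TEST_INTERVALS:   # PFD falls with t, so the first hit is the maximum
        if pfd_avg(arch, lam, t) < target_pfd:
            return t
    return None


if __name__ == "__main__":
    lam = 0.05  # constructed: one unrevealed failure per 20 years
    for arch in ("1oo1", "2oo2", "1oo2", "2oo3"):
        row = ", ".join(
            f"T={t}: {pfd_avg(arch, lam, t):.1e} -> {achievable_class(arch, lam, t)}"
            for t in (0.25, 1, 4))
        print(f"{arch}: {row}; max T for class IV: "
              f"{max_test_interval(arch, lam, 1e-2)}")
```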
With plastic cage constructions, too,
we have almost rounded the bend.

DSM, it's a
surprising world.
Where work is being done on the future, DSM is there. For instance in the automotive industry: with plastics for the interior, the body and, extra heat-resistant, under the bonnet. But also with special plastics that can replace traditional steel in cage constructions, and offer even more protection. It is just one example of DSM's involvement in everyday life.

DSM
DSM makes raw materials and semi-finished products that are used in cars, packaging, electronics and pharmaceuticals. DSM employs 77,000 people in Europe, the United States and the Far East.
Reliability for safety and plant life management

by

Ir. C.M. Pietersen

AEA Technology Netherlands BV

Ir. C.M. Pietersen

Function:
General Manager of AEA Technology Netherlands BV; international safety and reliability
expert.

Experience:
• Chris Pietersen has a background in process control and safety instrumentation. He
started his professional career in Shell. Later he managed the Risk Analysis department
in TNO for more than 10 years. He acted as an independent investigator in disasters
and wrote many papers on process safety. Director of a safety consultant company in
India. In 1993 he was appointed as TNO Senior Research Fellow.
• In August 1994 he joined AEA Technology Netherlands BV in The Hague to develop
Safety and Reliability services to the industry. He acts as an advisor to governmental
bodies for safety and risk related items.

Organisations:
• Member of the European Safety Centre
• Member of the European Safety and Reliability Association

RELIABILITY FOR SAFETY AND PLANT LIFE MANAGEMENT

Overview of the presentation at the symposium Safety in the Process Industry


24 September 1996
Eindhoven

ir. C.M. Pietersen


AEA Technology Netherlands BV
The Hague

1. General

Plant Life Management is a term used for a broad spectrum of activities to optimise the Cost
of Ownership of process plants. This presentation is focused on the conditions for a reliable
and safe operation and the way to assess these. It is stated that the new approaches presented
will lead to a better management tool and consequently can reduce the Cost of Ownership of a
plant. Designing and operating the plant in a fit-for-purpose way also creates a sound basis for
safe operation. The presentation will cover the following:

Plant Life Management

Reliability assessment methods are increasingly playing an important role in safety and in
optimisation of the Cost of Ownership of process plants. This holds for all stages in the lifecycle
of the system or the plant, including the design, operation/maintenance and abandonment
stages. Reduction of the lifecycle costs of a plant is vital in the highly competitive international
world of, e.g., the production of chemicals.
The process industry and engineering/maintenance contractors clustered the related activities
and studies under the heading of Plant Life Management (PLM).

Plant lifetime extension

A relevant factor in this respect is the necessity for lifetime extension of existing, relatively old
process plants. Many chemical plants in, e.g., the Rotterdam Rijnmond area can be put in this
category. A systematic reliability and availability assessment will give the necessary measures
to obtain a (future) predefined availability, reliability and safety level. In this way the
investment in plant lifetime extension can be optimised.

Risk Based Inspection

Risk based inspection techniques are studied for more accurate determination of inspection
frequencies. Pilot studies have shown that a safety justification can be given for a differentiated
extension of intervals between inspections. For some parts of the installation it may mean an
increased use of NDT techniques like Time Of Flight Diffraction (TOFD).
This approach can lead to less down time of the installation.

Maintenance Outsourcing
Many companies are concentrating on the activities which are considered to be the core
business. Maintenance of the production plants is obviously often not considered to be core
business. This leads to outsourcing of maintenance to specialised maintenance contractors.
These contractors are faced with requirements for the quality of the maintenance, often
expressed in terms of availability requirements of the plants. This creates
the need for systematic availability studies making use of the best available data from
inspection and maintenance regimes of the specific plant, including failure statistics.

Safety
The safety of a process plant needs to be assured also during the different stages of the lifecycle
of the plant. This also holds for the different modes of operation: start-up, production,
maintenance and shutdown. The Risk Level of a plant needs to be reduced to acceptable levels.
This, for instance, is part of the Responsible Care programme of the chemical industry. Also,
legislative requirements are in place for this in most countries. From the Cost of Ownership
point of view, safety is also an important factor. Recent studies have shown that the costs of
accidents are often larger than expected and accounted for. The awareness of this in industry is
growing (see Figure 2).
The remaining, residual risk needs to be dealt with in emergency preparedness plans and
repressive systems such as Fire & Gas systems.

Safety Related Systems

Safety Related Systems (e.g. ESD systems) designed to safeguard against hazardous situations
need to be fit for purpose: over-instrumentation will lead to many spurious trips and a
consequent lower availability of the plant. Moreover, the start-up made necessary by this can
also create higher risk levels. In these situations there is always the temptation at operator
level to put the safety system in an override mode. On the other hand, under-instrumentation
will lead to unacceptable risk levels. The IEC 1508 draft guideline presents possibilities to
design the Safety Integrity Level (Probability of Failure on Demand, PFD) of Safety Related
Systems in relation to the risk level (lower PFDs for higher risk levels and vice versa).
Figure 1 presents a scheme of risk reduction as presented in IEC 1508. The use of it is
however not straightforward as it does require insight in the necessary PFD of a specific
safety system in relation to the overall plant risk levels. This problem will be discussed, also in
the framework of the new European Directive (post Seveso II) and the implementation of it in
the Netherlands.

2. Reliability Assessment

In order to have the full benefits of Reliability Assessment for Plant Life Management
purposes, it is important to use relevant data and assessment techniques. Even more crucial is
that the assessment is performed by (a team of) people with a good knowledge of the plant
and the inspection and maintenance history of the plant. Furthermore, various other
disciplines need to be involved in the assessment, depending on the subject under
consideration: e.g. Instrumented Systems (including PLCs) or Structural Integrity of pressure
vessels. The following will be dealt with in the presentation:

1. Failure Mode And Effect Analysis (FMEA): method and importance.
2. Fault Tree Analysis and dependent modelling: the use of AEA Technology Fault Tree
Manager and the Partial Beta method for common cause modelling.
3. Collection of inspection, maintenance and failure rate data.
4. Examples of recent projects:
- Design of a High Integrity Pressure Protection System (HIPPS).
- Availability of a process installation.
- Risk Based Inspection of a gas production installation.

Figure 1 Risk Reduction

[Diagram not recoverable from the scan. Along the risk axis it shows the actual remaining risk, the tolerable risk, the risk without MC-protective measures and the risk without protective measures; the necessary minimum risk reduction and the actual risk reduction, the latter made up of the partial risk covered by MC-protective measures and the partial risk covered by non-MC-protective measures. MC: Measurement and Control.]

Figure 2 Safety is good for business

"We recognise the importance of costing loss events as part of total
safety management. Good safety is good business."
Dr J Whiston, ICI Group Safety, Health and Environment Manager

"Safety is without doubt, the most crucial investment we can make.
And the question is not what it costs us, but what it saves."
Robert E McKee, Chairman and Managing Director, Conoco (UK) Ltd.

"Prevention is not only better, but cheaper than cure...
There is no necessary conflict between humanitarian and commercial
considerations. Profits and safety are not in competition.
On the contrary safety at work is good business."
Basil Butler, Managing Director, British Petroleum plc.

Postbus 1161, 6160 BD Geleen
Burg. Lemmensstraat 125, 6163 JD Geleen
Telefoon: 046 4766362
Telefax: 046 4764790
Year of foundation: 1992
Number of employees: 438
Contact person: M. Schlechtriem
Quality certification: ISO 9001/VCA & BS7750

[Advertisement; the multi-column layout has been reconstructed from the scan and translated.]

Stork Limburg, your versatile, flexible partner in the electrical, instrumentation and mechanical engineering fields, has specialised in realising mono- and multidisciplinary projects for industry, as well as in the maintenance of products used in this sector.
The most important aspect of our services is the care for optimum quality, working conditions and environment. Stork Limburg considers continuous improvement important. Our company is certified according to the ISO 9001, VCA and BS7750 systems.
Stork Limburg is an independent operating company of the Stork group and is part of the ICM group (Installation, Contracting & Maintenance).
Stork Limburg has organised its services and expertise in two Business Units:

BUSINESS UNIT MECHANICAL ENGINEERING SERVICES:
- Machining: machining of all materials, including turning, milling, boring and grinding; specialities such as lapping, balancing and honing.
- Equipment construction & Construction Piping: work on all metals; overhaul, inspection and maintenance of process equipment; welding; dismantling and assembly work on, among others, pumps, fans, compressors and turbines.

BUSINESS UNIT ELECTRICAL AND INSTRUMENTATION SERVICES:
- E/I Construction: new construction and maintenance work in industry and utility building, among others on power and protection installations, measuring, control and switching equipment, and process control and monitoring equipment.
- Process Control (PB) testing: checking, inspection and calibration of complete process control systems; loop checks and functional tests of process control equipment, and support during start-up.
- High, medium and low voltage & E-Testing: maintenance, overhaul, new construction and modification of high, medium and low voltage installations and components.
- E/I Workshop: checking, overhaul, inspection and maintenance of: electric motors and transformers; control valves with actuator and positioner; all valves and spring-loaded safety valves; fine-mechanical work; management, documentation and planning.
- I/Equipment Services: checking, repair, calibration and ... of machines on site; process analysis equipment (such as pressure, voltage, current, resistance, temperature, pulse/frequency and flow meters).

SPECIALISMS WITHIN THE PRODUCT GROUP I/EQUIPMENT SERVICES
I/Equipment Services works with standards that are related to the national and international standards.
I/Equipment Services - Calibration: the calibration group and the weighing equipment department of Stork Limburg B.V. have been ISO 9001 certified since May 1992. With this certificate Stork Limburg B.V. is authorised to calibrate all your measuring equipment for electricity, flow, weight and analysis.
I/Equipment Services - Gas analyses: this service group specialises in solving technical problems and guarantees the inspection of all your gas analysers and conditioning systems.
I/Equipment Services - Weighing equipment: the weighing equipment department, part of Stork Limburg B.V., can calibrate weighing equipment for you according to the regulations of the Weights and Measures Act. This ranges from laboratory balances and platform scales to ...
... all the work. We do this at very competitive prices. Moreover, we can be reached 24 hours a day to solve your weighing problems.
Stork Limburg B.V. has very accurate standards for this, directly traceable to national and international standards. Professional calibration requires specialist knowledge and high-quality equipment, equipment that Stork Limburg has! Stork Limburg B.V. also works together with the Nederlands Meetinstituut to calibrate your weighing installation.
The calibration group has a call-up system in which the instruments due for calibration are called up in writing. The period within which certain weighing, gauging, test and auxiliary equipment must be recalibrated is determined by your wishes and the legal requirements. The weighing equipment service monitors the calibration period and automatically takes action after announcing the work.
nndt plaats onder keur IStoom- ijking aan: zakmachines en weegbruggen. Dit Desgewenst adviseren wij u op dit
wezen. Vinconel • Procesbesruringsappararuur alies is mogelijk met gebied. Het rranspon van instru-
- Rotating Equipment I 1elektronisch & pneumatisch) gecenificeerde standaarden. Stork menten verzorgt Stork Limburg
'lachine~· Services • Weegwerkruigen & afweeg- Limburg B. V is Oexibel en komt B.V voor u.
Commissioning of a type approved
PLC

by

Dipl.-Phys. E. Pofahl
TÜV Rheinland, Cologne
Germany

Dipl.-Phys. E. Pofahl

Function:
• Expert in type testing and qualification of electrical, electronic and programmable
electronic systems for use in safety related applications at TÜV Rheinland.
• Expert in software. Development of techniques and tools for inspections of safety
critical software.

Experience:
Worked in several projects in the area of assessment and certification of process safety for
electronic and programmable electronic systems

Organisations:
• Member of VDE GK 914 (VDE 0801) "Principles for computers in safety related
systems"
• Member of AK prEN 50156 "Electrical equipment for Furnaces"

Commissioning of a type approved PLC

Content:
Introduction
Differences between ESD and Continuous Control Systems
PLC restrictions as a result of a type approval
Representative restriction
Commissioning and acceptance test

Safety in the Process Industry


September 24, 1996
Golden Tulip Hotel Central
's-Hertogenbosch, The Netherlands

Introduction

Today there are a lot of technical systems and applications where the proper and safe
functioning of measurement and process control equipment is essential for the prevention of
human injury or death. As an integral part of this equipment, computer based systems
(programmable electronic systems, PES) increasingly perform safety functions. The fast
development of computer technology has led to many different applications with
programmable electronic systems (PES) in safety related systems.

As a subgroup of all PES one finds programmable logic controllers (PLC) in plants for
safety critical applications. Sometimes, however, there is not enough confidence in the
complex hardware and software design of modern PLCs.

One of the aims of using PLCs in a plant is to reduce risk, not to increase it by
inappropriate technology. This principle is shown e.g. in DIN 19250 "Fundamental
safety aspects to be considered for measurement and control equipment", and in the paper
Draft IEC 1508 (former subcommittee 65A), "Functional safety: Safety related systems",
part 5: "Guidelines on the application of Part 1 (of IEC 1508)".

[Figure: Risk reduction by use of protective measures. A risk axis runs from the actual remaining risk, through the tolerable risk and the risk without MC-protective measure, to the risk without any protective measure. The necessary minimum risk reduction and the actual risk reduction are marked on it; the partial risk covered by measurement and control (MC) protective measures is shown beside the partial risk covered by non-MC protective measures.]
TÜV checks the design, hardware and the operating software of PLCs within a type
approval. This gives confidence in the PLC itself.

Before a PLC is set to work in the plant however other steps are necessary to ensure the
PLC provides additional safety to reduce risk to an acceptable level as required by the
specific application. This is depicted in the following diagram:

[Figure: Commissioning of a type approved PLC. Left column, plant installation: concept, engineering, PLC acceptance test (e.g. in the factory), acceptance test during commissioning (in the plant). Right column, TÜV activities with focus on the PLC: check of the realized application software, documentation, functions (function test), check of PLC restrictions, timing considerations and maintenance provisions.]

On the left hand side all sequential activities, necessary from concept level to the
acceptance test in the plant, are shown. On the right hand side the corresponding TÜV
activities are shown. As one can imagine, these activities need interdisciplinary knowledge.

Differences between ESD and Continuous Control Systems

There are significant differences between Emergency Shutdown (ESD) Systems and
Continuous Control Systems.

A typical ESD system is designed in such a way that zero or de-energised is the safe state.
From the safety point of view, therefore, availability considerations are not needed. As soon
as faults that cannot be handled are encountered, the system shuts down the
application. A burner control system demands an ESD system which closes the relevant
valves in the event of errors. On the other hand, by system design one application can be
subdivided into logical groups which can do a partial shut-down as long as the main
controllers work. A typical example would be a large vessel with many groups of burners.

Most fire and gas applications are typical Continuous Control Systems. If a fire control
system detects failures within the system, an alarm must be generated. Shutting down the
system is not allowed and would not increase the safety. In the event of a fire it must be
possible to activate the relevant fire-extinguisher. For Continuous Control Systems high
safety and high availability is required. Normally this is implemented by using more
redundancy than would be needed for a specific level of safety.

PLC restrictions as a result of a type approval

A programmable logic controller (PLC) is a general purpose device which may be used
anywhere in a plant. It may be used for measuring and controlling, and it also may be used
in areas where the safety of the whole plant is involved.

As most PLCs are not designed exclusively for safety applications, restrictions must be
compiled for PLCs used in a safety critical environment. As there is a manifold of PLC
technology on the market, each PLC has its own, specific restrictions.

The restrictions are compiled as a result of a type approval of the PLC. These restrictions
must be followed to ensure the whole system complies with safety standards.

PLC vendors publish the TÜV restrictions within their user documentation. This ensures
that everyone knows about the restrictions for the use of a PLC in safety critical
applications.

TÜV is working on a paper in which the generally valid restrictions are combined regardless of
the PLC brand. This has already been done for the restrictions on maintenance override in
safety relevant PLCs. See also the paper "Maintenance Override", which is attached.

Representative restrictions

While the restriction:

"Disabling diagnostic on safety relevant modules is not allowed"

is obvious, the following restriction resulted from experience in the field:

"The PLC may be run with disabled points only during the commissioning phase.
Before final operation it must be checked, that no points are left disabled".

It is possible to disable a physically connected device logically from the PLC, e.g. for test
and maintenance reasons. If this is done by the "normal" disabling feature of a PLC, there is
a high chance that enabling the points will be forgotten. Therefore simply "forcing" inputs
or outputs for maintenance and repair is forbidden. How this task can be carried out is
shown in the paper "Maintenance override", which is attached.

Commissioning and Acceptance Test

Commissioning means bringing the PLC system, other control equipment and the process
into interaction. It is TÜV philosophy to do accompanying consulting and acceptance
testing throughout construction and commissioning. Knowing that the plant constructor is
sometimes more concerned with meeting the time schedule, this is recommendable.
Working under this pressure, the constructor's main interest is not safety and reliability.
From our point of view it is less the function of the system which has priority than it is for
the commissioning and construction engineer. We have to focus our attention on the
restrictions given by the government and technical rules, which have to be fulfilled in order
to ensure safe and reliable operation throughout the lifetime of the plant. This ensures early
detection of construction, design or installation errors, which can therefore be easily
corrected. Commissioning and acceptance engineers must work closely together while at the
same time maintaining their independence. This ensures that the time schedule is met while
all aspects are considered.

The use of PLCs in safety related systems requires special measures throughout the whole
lifecycle of the plant. The following typical factors must be considered when using a PLC
in a safety related system:

personnel
controlled equipment and related processes
environment
controlling equipment, e.g. PLCs and associated equipment
wiring (flammability, insulation temperature, survival of function for defined time)
installation requirements

Therefore, before commissioning, the commissioning engineer normally expects the
following to be carried out:

Validation of safety requirements according to the safety analysis and the subsequent
cause-effect-diagram.

Verification of the logic diagram and its conversion into the application software.
From the point of view of safety a quality control plan is needed for the user software
in order to help ensure thorough examination. Besides the testing of software by the
authors and the users, independent testing and evaluation is highly recommended .

Pre-installation simulation in the factory of the PLC with a complete function test of
the I/O level.

In the event of a complex system a process simulator is required. Among others the
following characteristics are tested :

response time,
behaviour of the system during PLC power failure, emergency stop and run mode
change.

Software-testing, including simulation of expected error conditions (communication
lines, operator mistakes, etc.).

The testing of the PLC-system is the next step and includes the following :

1. Testing of installation by using an installation report. This test must be carried out
extensively and concerns all relevant safety aspects.

These are:

field wiring, e.g. separate installation of redundant wiring and function survival of
very essential cables.

protective and functional earthing, e.g. application of the correct functional
earthing techniques to get a proper PLC function. Earthing of signal cable shield
where the maximum capacity is located.

noise and transient suppression measures against noise coupling

correct length of wiring,

separation of the cables for inputs, outputs and power circuits, routing of
mains live conductors (spacing of 10 cm or more from signal cables)
separation of the field wiring from internal I/O cabling and from bus lines
use of twisted pair and/or shielded cables with low inductance cable shield
filtering of I/O cables presumed to be sensitive to electrical noise
special attention where mechanical contacts are in series with inductive
loads in DC circuits

2. Compliance with the current service and environmental conditions, e.g.
temperature, contaminants, shock and vibration, electromagnetic influence and
sensitivity to lightning.

3. Successive set up and checks

The set up of the PLC system is carried out in steps.

One of the most important things during commissioning and testing is the check of the
I/O. In these steps the right interaction between PLC system and process periphery will
be verified (loop checks).

The criteria are:

Binary inputs: Checking binary and digital input signals to ensure that physical states of
sensors comply with signal latches in the PLC.

Analogue inputs: Checking analogue input signals to ensure agreement of physical value
and data received by the PLC.

Binary outputs: Ability to switch, checking that no forced binary and digital outputs are
set.

Analogue outputs: Functionality.

Supervised inputs and outputs: Detection of opens and shorts.

4. System function tests and fault simulation

The commissioning functionality checks of PLC, process and other control equipment
must be performed according to a commissioning test plan. This test plan must also
include different modes of operation of the PLC:

local mode
remote operation with DCS interaction
maintenance

In this context special care has to be taken concerning restrictions written in the type
approval for the PLC system.

The fault simulation is usually performed after system functional tests. For this test a
list of faults must be generated. Experience shows that most of the faults occur at the
I/O and other interfaces to the PLC. Therefore this list must include failure modes of:

sensors, contacts and actuators
inputs and outputs
field wiring e.g. exchanged connections
fuses and circuit breakers
interruption of mains
guards and related motion detection (false alarm or failed alarm)
interlocks

The simulation must verify that an identified fault causes an output to go into a pre-
defined state as the system operation requires.

Conclusion

Special attention must be paid to the commissioning of PLCs, which are used in safety
critical applications. In addition to electrical aspects architectural features of a PLC also
have to be considered. The items, which have to be looked at, are pointed out in the
user documentation and in the chapter "restrictions" in the report of the type
approval of the specific PLC.

References

IEC 1131 Programmable Controllers, Part 4: User Guidelines

Draft IEC 1508 Functional safety of programmable electronic systems (PES), Part 1 to 7

DIN V 19250 Grundlegende Sicherheitsbetrachtungen für MSR-Schutzeinrichtungen
(Measurement and Control: Fundamental Safety Aspects to be considered for Measurement
and Control Equipment)

DIN V VDE 0801 Grundsätze für Rechner in Systemen mit Sicherheitsaufgaben
(Principles for Computers in Safety Related Systems)

VDI/VDE 2180 Sicherung von Anlagen der Verfahrenstechnik mit Mitteln der
Meß-, Steuerungs- und Regeltechnik.

Contact

TÜV Rheinland Sicherheit und Umweltschutz GmbH
Institute for Software, Electronics, Railroad Technology (ISEB)
Attn. Mr. Ekkehard Pofahl
Am Grauen Stein
D-51105 Cologne
Germany

Tel.: +49-221-806-0 (Switchboard)
Ekkehard Pofahl: +49-221-806-2981
Fax: +49-221-806-1736
Email: 100566.3315@compuserve.com

TÜV Rheinland
TÜV PRODUCT SERVICE

Wartungseingriffe
Maintenance Override

TÜV Rheinland
Sicherheit und Umweltschutz GmbH
Institut für Software, Elektronik, Bahntechnik (ISEB)
Am Grauen Stein
D-51105 Köln
Tel. +49 (221) 806-1815
Fax +49 (221) 806-1736
Email 100567.2545@compuserve.com

TÜV Bayern
Institut für Qualität und Sicherheit in der Elektronik (IQSE)
Westendstraße 199
D-80686 München
Tel. +49 (89) 5791-1842
Fax +49 (89) 5791-1396

Maintenance Override
Overview

This paper proposes procedures for maintenance overrides of safety-relevant sensors and
actuators. Suggestions are also made for overcoming the safety problems and the
inconvenience of hard-wired solutions. A checklist is also given.

Maintenance Override

There are two basic methods of checking the safety-relevant peripherals connected to the
PLC:

Special switches are connected to inputs of the PLC. These inputs are used to switch off
actuators and sensors in maintenance mode. The maintenance conditions are part of the
PLC's application program.

During maintenance, sensors and actuators are electrically isolated from the PLC and
checked manually by special measures.

In some cases it is desirable (e.g. where space is limited) to integrate the maintenance
console into the operator display, or to cover maintenance by other strategies; this calls
for the third alternative for maintenance overrides:

Maintenance overrides by serial communication with the PLC.

This option must be handled with care and is presented below.

Procedures for Maintenance Override

Connection to the PLC via serial interfaces is possible mainly in two ways:

A The serial link is implemented using the MODBUS-RTU protocol or other approved
protocols. Maintenance overrides may not be performed by PLC programming systems.

B Connecting PLC programming systems to the PLC to perform maintenance work is
permitted. This requires additional safety measures in the PLC concerned to prevent
program changes during the maintenance interval. These measures shall be verified by
the type approval (e.g. by TÜV).

The following table shows the general requirements. The differences between solutions A
and B are shown in italics.


Maintenance Override
Abstract

Suggestions are made about the use of maintenance override of safety relevant sensors and
actuators. Ways are shown to overcome the safety problems and the inconvenience of
hardwired solutions. A checklist is given.

Maintenance Override

There are basically two methods used now to check safety relevant peripherals connected to
PLCs:

Special switches connected to inputs of the PLC. These inputs are used to deactivate
actuators and sensors under maintenance. The maintenance condition is handled as part
of the application program of the PLC.

During maintenance sensors and actuators are electrically switched off from the PLC and
checked manually by special measures.

In some cases, e.g. where space is limited, there is the wish to integrate the maintenance
console into the operator display, or to have the maintenance covered by other strategies. This
introduces the third alternative for maintenance override:

Maintenance overrides caused by serial communication to the PLC.

This possibility has to be handled with care and is introduced in this paper.

Maintenance Override Procedures

Connecting to a PLC via serial lines is possible in mainly two ways:

A. The serial link is done via the MODBUS RTU protocol or other approved serial
protocols. The maintenance override may not be performed by the engineering
workstation or programming environment.

B. The engineering workstation or programming environment is allowed to be connected to
the PLC to perform maintenance override. That requires additional safety measures inside
the associated PLC to prevent a program change during maintenance intervals. These
measures shall be approved, e.g. by TÜV.

The following table shows common requirements. The differences between solution A and B
are marked A and B (shown in italics in the original).


Requirements for carrying out maintenance overrides, with the responsibility for each:

Requirement: Already during the software configuration of the PLC it must be decided, in a
table or in the application program, whether the signal may be overridden.
Responsibility: Project engineer and commissioning person are responsible for the correct
configuration.

Requirement: The configuration must show in a table whether simultaneous overrides in
independent parts of the application are permitted.
Responsibility: A: Project engineer. B: Project engineer, type approval.

Requirement: Maintenance overrides are enabled for the complete PLC or a subsystem
(process unit) by the process control system (DCS) or by a hard-wired switch (e.g. key
switch).
Responsibility: Operator, maintenance engineer. B: Type approval.

Requirement: A: Overrides are activated by the DCS. B: The maintenance engineer
activates the override via a PLC programming system. For organisational reasons the
operator should confirm the override conditions.
Responsibility: A: Operator, maintenance engineer. B: Type approval, maintenance engineer.

Requirement: Direct overrides on inputs and outputs are not permitted. Overrides are to be
checked and carried out in connection with the application. Several overrides in one PLC
are permitted as long as only one override is active in a given safety-relevant group. The
alarm shall not be overridden.
Responsibility: A: Project engineer. B: Project engineer, commissioning person.

Requirement: The PLC alerts the operator (e.g. via the DCS) by indicating the overrides.
The operator is warned until all overrides have been removed.
Responsibility: Project engineer, commissioning person.

Requirement: A: The overrides are removed by the DCS. B: The maintenance engineer
removes the overrides with the help of the PLC programming system.
Responsibility: A: Operator, maintenance engineer. B: Maintenance engineer, type approval.

Requirement: A: There should be a second way to remove the maintenance overrides.
B: If necessary, the maintenance engineer can remove the maintenance override with a
hard-wired switch.
Responsibility: A: Project engineer. B: Maintenance engineer, type approval.

Requirement: During the time of the overrides suitable operational measures are to be
taken. The time span for overrides should be limited to one working shift (normally not
longer than 8 hours), or hard-wired indicators (one per PLC or per process unit) for the
maintenance override are provided on the operator console.
Responsibility: Project engineer, commissioning person, DCS program, PLC program.


Requirements for maintenance override handling, with the responsibility for each:

Requirement: Already during the software configuration of the PLC system it is determined
in a table or in the application program, whether the signal is allowed to be overridden.
Responsibility: Project engineer and commissioner responsible for correct configuration.

Requirement: The configuration may also specify by a table, whether simultaneous
overriding in independent parts of the application is acceptable.
Responsibility: A: Project engineer. B: Project engineer, Type approval.

Requirement: Maintenance overrides are enabled for the whole PLC or a subsystem
(process unit) by the DCS or a hard-wired switch (e.g. key switch).
Responsibility: Operator or Maintenance engineer. B: Type approval.

Requirement: A: The override is activated via DCS. B: The maintenance engineer activates
the override via the programming environment. As an organisational measure the operator
should confirm the override condition.
Responsibility: A: Operator, Maintenance engineer. B: Type approval, Maintenance engineer.

Requirement: Direct overrides on inputs and outputs are not allowed. Overrides have to be
checked and to be implemented in relation to the application. Multiple overrides in a PLC
are allowed as long as only one override is used in a given safety related group. The alarm
shall not be overridden.
Responsibility: A: Project engineer. B: Project engineer, Type approval.

Requirement: The PLC alerts the operator, e.g. via the DCS, indicating the override
condition. The operator will be warned until the override is removed.
Responsibility: Project engineer, Commissioner.

Requirement: A: The override is removed via DCS. B: The maintenance engineer removes
the override via the programming environment.
Responsibility: A: Operator, Maintenance engineer. B: Maintenance engineer.

Requirement: A: There should be a second way to remove the maintenance override
condition. B: If urgent, the maintenance engineer can remove the override by the
hard-wired switch.
Responsibility: A: Project engineer. B: Maintenance engineer, Type approval.

Requirement: During the time of override proper operational measures have to be
implemented. The time span for overriding shall be limited to one shift (typically not
longer than 8 hours), or hard-wired common maintenance override switch (MOS) lamps
shall be provided on the operator console (one per PLC or per process unit).
Responsibility: Project engineer, Commissioner, DCS program, PLC program.
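The table above and the "disabled points" restriction from the commissioning paper can be combined into one override handler in the PLC application program. The following is an added example written for this page, not code from TÜV or from any PLC vendor; the tag names, groups and key-switch input are constructed, and the one-shift limit is taken from the table.

```python
# Constructed model of the maintenance override rules in the table above.
# Tags, groups and the key-switch input are invented for the example.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

ONE_SHIFT_SECONDS = 8 * 3600   # "limited to one shift (typically not longer than 8 hours)"


@dataclass(frozen=True)
class SignalConfig:
    """Entry of the configuration table fixed at engineering time, not at run time."""
    tag: str
    group: str          # safety related group the signal belongs to
    overridable: bool   # whether the signal is allowed to be overridden at all
    is_alarm: bool = False


@dataclass
class ActiveOverride:
    tag: str
    started_at: float   # seconds on the PLC clock
    activated_by: str   # operator (solution A) or maintenance engineer (solution B)


class OverrideHandler:
    """Maintenance override handling as it would sit in the PLC application program."""

    def __init__(self, table: List[SignalConfig]) -> None:
        self._table: Dict[str, SignalConfig] = {c.tag: c for c in table}
        self._active: Dict[str, ActiveOverride] = {}
        self.enable_switch = False       # hard-wired key switch, read as a PLC input
        self.log: List[str] = []         # print-out: time stamp, person, tag

    def _group_busy(self, group: str) -> bool:
        return any(self._table[t].group == group for t in self._active)

    def request_override(self, tag: str, who: str, now: float) -> Optional[str]:
        """Returns None when the override is set, otherwise the reason for refusal."""
        cfg = self._table.get(tag)
        if cfg is None:
            reason = "tag not in configuration table"
        elif not self.enable_switch:
            reason = "overrides not enabled by key switch"
        elif not cfg.overridable:
            reason = "signal is not allowed to be overridden"
        elif cfg.is_alarm:
            reason = "the alarm shall not be overridden"
        elif self._group_busy(cfg.group):
            reason = f"group {cfg.group} already has an override"
        else:
            self._active[tag] = ActiveOverride(tag, now, who)
            self.log.append(f"{now:.0f} SET {tag} by {who}")
            return None
        self.log.append(f"{now:.0f} REFUSED {tag} by {who}: {reason}")
        return reason

    def remove_override(self, tag: str, who: str, now: float) -> bool:
        ov = self._active.pop(tag, None)
        if ov is None:
            return False
        self.log.append(f"{now:.0f} REMOVED {tag} by {who}")
        return True

    def cyclic_scan(self, now: float) -> List[str]:
        """Called every PLC cycle: warns while overrides are active, expires stale ones."""
        warnings = []
        for tag, ov in list(self._active.items()):
            if now - ov.started_at > ONE_SHIFT_SECONDS:
                self.remove_override(tag, "time limit", now)
                warnings.append(f"override on {tag} exceeded one shift and was removed")
            else:
                warnings.append(f"override active on {tag} since {ov.started_at:.0f}")
        return warnings

    def active_tags(self) -> Set[str]:
        return set(self._active)

    def ready_for_final_operation(self) -> bool:
        """Type approval restriction: no points may be left disabled before final operation."""
        return not self._active


def dcs_discrepancies(commanded_by_dcs: Set[str], reported_by_plc: Set[str]) -> Set[str]:
    """DCS-side check that commanded overrides match those the PLC reports as active."""
    return commanded_by_dcs ^ reported_by_plc
```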


Recommendations

The following recommendations are intended to increase safety during maintenance overrides.

=> A program in the process control system (DCS) continuously monitors that the overrides
issued by the DCS agree with the overrides reported by the PLC.

=> The maintenance overrides should be documented by the DCS and by the PLC programming
system. The print-out should contain:
time stamp of the beginning and end of the maintenance override
identification of the person who activates the maintenance override (maintenance engineer
or operator; if the information cannot be printed, it should be included in the work order)
designation of the affected signal
=> Communication packets other than type-approved MODBUS protocols should be protected
by a CRC checksum, an address check and a check of the communication time.
=> Communication failures should lead to a warning to the operator and the maintenance
engineer. After a warning, the maintenance override should be removed with a time delay.

[Figure: PLC containing the safety-related application program between sensors and actuators, and the maintenance override handling (application program) issuing operator warnings; a hard-wired switch; serial interfaces to the process control system (DCS) and to the PLC programming system.]

Version history
This version 2.2 supersedes version 2.1 of 24 June 1994.


Recommendations
The following recommendations are given to improve the primary safety as described by the
list:
=> A program in the DCS that checks regularly that no discrepancies exist between the
override command signals from the DCS and the override activated signals received by
the DCS from the PLC.
=> The use of the maintenance override function should be documented on the DCS and on
the programming environment if connected. The print-out should include:
time stamp of begin and end
ID of the person who is activating the maintenance override - maintenance
engineer or operator (if the information cannot be printed, it should be entered in
the work-permit)
tag name of the signal being overridden

=> The communication packages different from a type-approved MODBUS should include
CRC, address check and check of the communication time frame.

=> Lost communication should lead to a warning to the operator and maintenance engineer.
After loss of communication a time delayed removal of the override should occur after a
warning to the operator.
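The last two recommendations, as an added example that is not part of the original paper: a constructed override-command frame carrying a CRC, a station address and a time stamp, the receiving checks on the PLC side, and a link supervisor that warns first and removes overrides only after a further delay. The frame layout, the station address and the three time limits are assumptions for the example; the checksum is the CRC-16 used by MODBUS RTU, chosen because the paper names that protocol as the approved reference.

```python
# Constructed override-command frame with CRC, address check and time-frame check,
# plus loss-of-communication handling. Layout and limits are assumptions for the example.
import struct
from typing import Optional, Tuple

STATION_ADDRESS = 0x11      # this PLC's address on the serial link (constructed)
MAX_CLOCK_SKEW = 5          # seconds a frame's time stamp may differ from PLC time
LINK_WARN_AFTER = 10.0      # seconds without a valid frame before the operator is warned
LINK_REMOVE_AFTER = 60.0    # seconds without a valid frame before overrides are removed

CMD_SET, CMD_CLEAR = 0x01, 0x02

# addr(1) | cmd(1) | tag_id(2, big-endian) | timestamp(4, big-endian seconds) | crc(2, low byte first)
HEADER = struct.Struct(">BBHI")


def crc16_modbus(data: bytes) -> int:
    """CRC-16 as used by MODBUS RTU (reflected polynomial 0xA001, initial value 0xFFFF)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def build_frame(addr: int, cmd: int, tag_id: int, timestamp: int) -> bytes:
    """Sender side (DCS or engineering workstation): body followed by CRC, low byte first."""
    body = HEADER.pack(addr, cmd, tag_id, timestamp)
    return body + struct.pack("<H", crc16_modbus(body))


def parse_frame(frame: bytes, now: int) -> Tuple[int, int]:
    """Receiver side (PLC): returns (cmd, tag_id) or raises ValueError with the reason."""
    if len(frame) != HEADER.size + 2:
        raise ValueError("bad length")
    body, crc_field = frame[:-2], frame[-2:]
    if struct.unpack("<H", crc_field)[0] != crc16_modbus(body):
        raise ValueError("CRC mismatch")
    addr, cmd, tag_id, timestamp = HEADER.unpack(body)
    if addr != STATION_ADDRESS:
        raise ValueError("frame addressed to another station")
    if abs(now - timestamp) > MAX_CLOCK_SKEW:
        raise ValueError("outside communication time frame")
    if cmd not in (CMD_SET, CMD_CLEAR):
        raise ValueError("unknown command")
    return cmd, tag_id


def rejection_reason(frame: bytes, now: int) -> Optional[str]:
    """Convenience wrapper: None when the frame is accepted, else the reason text."""
    try:
        parse_frame(frame, now)
        return None
    except ValueError as exc:
        return str(exc)


class LinkSupervisor:
    """Tracks the time since the last valid frame and decides warn / remove-overrides."""

    def __init__(self, start: float) -> None:
        self.last_ok = start
        self.warned = False

    def frame_received(self, now: float) -> None:
        self.last_ok = now
        self.warned = False

    def poll(self, now: float) -> str:
        silent = now - self.last_ok
        if silent >= LINK_REMOVE_AFTER:
            return "remove_overrides"       # time-delayed removal after the warning
        if silent >= LINK_WARN_AFTER:
            self.warned = True
            return "warn"                   # warning to operator and maintenance engineer
        return "ok"
```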
[Figure: PLC containing the safeguarding application program between sensors and actuators, and the maintenance override handling (application program) giving a warning to the operator; a hard-wired switch; a serial line (e.g. Modbus) to the Distributed Control System (DCS) and a serial line to the engineering workstation.]

Version history
This version 2.2 supersedes version 2.1 from 24 June 1994.

FACTORY MUTUAL

RELIABILITY
CERTIFICATION

For more information about Safety Related Product and System
Reliability Certification, according to IEC 1508, please contact:

Paris Stavrianidis
Manager, Reliability Certification Services
FM Approvals Division
1151 Boston-Providence Turnpike
Norwood, MA 02062
Tel: (617) 255-4983 FAX: (617) 255-4024
email: PARASKEVAS@AOL.COM
Improving management of
technological risk: reliability
certification of safety systems

by

P. Stavrianidis MSc
Factory Mutual Research Corp.

P. Stavrianidis MSc

Function:
Manager Reliability Certification Services, Factory Mutual Research Corp.

Experience:
Mr. Paraskevas Stavrianidis is a senior Research Scientist with Factory Mutual Research
Corporation (Norwood MA). He received his B.S. and M.S. in Mechanical Engineering
from Northeastern University in 1980.

Organisations:
• Voting member of the: ISA-SP84 working group for writing a national US Safety
Instrumented Standard
• Member of American Society of Mechanical Engineers

IMPROVING MANAGEMENT OF TECHNOLOGICAL RISK:
RELIABILITY CERTIFICATION OF SAFETY SYSTEMS

Paris Stavrianidis
Senior Research Scientist
Manager, Reliability Certification Services
Factory Mutual Research Corporation
Norwood , Massachusetts
and
Eindhoven University of Technology
The Netherlands

John Rennie
Vice President & Manager
Approvals Division
Factory Mutual Research Corporation
Norwood, Massachusetts

ABSTRACT
This paper discusses a Process Safety Compliance Framework (PSCF) used to evaluate process
risk consistently and systematically. The PSCF assesses the compliance of the process to existing
standards and provides opportunities to improve the management of technological risk. An
essential element of the PSCF is a Reliability Certification Program. The certification program
assesses the reliability of safety products and systems employed within the PSCF to reduce
process risk to manageable levels.

The Process Safety Compliance Framework relies on a Comprehensive Process Safety Assessment
and Lifecycle Model (CPSALM), which identifies the process safety target level or, alternatively, the
process risk profile. The model evaluates the safety level attributed to existing safety systems (safety
layer) and assesses the effectiveness of process improvements that are required to meet or exceed the
process safety target level. This target is determined by examining the compliance of the process to
industry, jurisdictional and company specific standards.

The CPSALM is applied to several systems performing the same function and using different
technologies. The performance of these systems is compared using reliability as the selection criterion.
The appropriate system is then introduced into the PSCF to assess the process risk.

INTRODUCTION
During the last decade, a great emphasis has been placed on the improved management of
technological risks in the United States. Improvement has occurred in many business
environments (chemical, manufacturing, utilities, commercial, and transportation) using safety
guidelines from professional societies, industry sponsored organizations, trade associations,
government agencies that have jurisdiction, international associations, and the insurance industry
(ISA96; IEC96; API95; OSHA92; EPA95). The primary focus of these guidelines, rules, or
standards is to define an overall dynamic framework that allows the systematic identification and
evaluation of risks and the development of risk reduction methodologies based on sound
engineering principles. The basic concepts of this framework are a process approach addressing
risk for the entire life cycle of the process, and performance based criteria that set a safety target
level (in the form of a process risk profile) which can be used to evaluate the benefits of
alternative risk management solutions.

A safety life cycle model (ISA96; CCPS93) is comprised of the significant process evolutionary stages
(i.e., design, testing, installation, start-up, operation, maintenance and final decommissioning). The
objective of the model is to improve the management of technological risk by investigating some
important reliability considerations that appear throughout the entire life of the process and/or system.
This provides opportunities for: a) pro-active decision-making on significant process parameters (i.e.,
environment, operating conditions, testing, maintenance, etc.); and b) monitoring system/process
enhancements using accepted industry metrics such as availability, risk of environmental damage,
property loss, and health impairment of personnel.

Acceptable levels of risk have traditionally been addressed through the development and enforcement
of prescriptive standards which offer little or no flexibility in realizing compliance. An alternative
approach, gaining acceptability in some industries, is the creation of performance based standards using
system or process performance based requirements. These standards stress the compliance with the
objective rather than the prescriptive measures to achieve the objective. They are more flexible, allow
for the development, testing and implementation of alternative solutions, and can be used to
systematically define a system/process safety target level.

Some industries (chemical, nuclear, utilities) have cooperated mutually and with government agencies
to develop and implement various techniques and methodologies using the concepts of the
comprehensive process safety assessment and lifecycle and performance based standards (CCPS93).
These techniques provide management with guidelines to define a process safety target level based on
hazard identification, inherent safety principles, prudent engineering practice, qualitative evaluations
and quantitative analyses of risk. The use of these techniques represents the forward thinking of the
leading practitioners in this field.

The objective of this paper is to briefly discuss a methodology that applies existing risk assessment
techniques to industrial processes and provides opportunities for improving the management of
technological risk using a new Process Safety Compliance Framework (PSCF). Within this framework,
the need for a Reliability Certification Program is discussed and its benefits and advantages are
outlined.

PROCESS SAFETY COMPLIANCE FRAMEWORK (PSCF)
The Process Safety Compliance Framework (PSCF) is shown in Figure 1. It consists of three stages: a)
the identification and application of standards; b) the determination of the desired process safety level
(safety target level); and c) the application of a comprehensive process safety assessment and lifecycle
model that identifies the current safety level of the process, assesses the compliance of the process to
the standards, and provides information for further process improvements and risk management.

At the end of the PSCF, the process may be modified or abandoned. If it is modified, a new safety
target level may be needed, or the new process safety has to be re-assessed. The proposed framework
follows a "process approach". The ramification of this statement is a need to define and formalize the
process and its boundaries. This requires extensive knowledge of the process itself, a definition of its
physical and functional boundaries, and the collection and comprehension of operational and safety
experience with the process. Technological risk is managed successfully only when the focus of the
analysis is the process. In other words, the analysis must concentrate on all process elements, their
interactions, and on the ways they contribute to its success (standards compliance, achievement of
safety target level, etc.).

The remainder of this paper discusses the three stages of the PSCF, namely the role of standards in
establishing the process safety target level, the evaluation of existing process risk and the contribution
to process risk reduction by an established safety system reliability certification program.

ROLE OF STANDARDS IN ESTABLISHING PROCESS SAFETY TARGET


Standards provide the foundation for the design, installation, start-up and operation of systems and
processes. They often provide general direction and guidance based on the consensus work of experts.
They do not necessarily offer distinct solutions for a specific process or safety concerns. Within the
PSCF, they are also used to define the safety target level of the process.

Information and data from professional societies, industry sponsored organizations, trade associations,
government agencies that have jurisdiction, international associations, specific companies, and the
insurance industry are used to develop safety standards. All of these sources are employed to develop
two types of standards:

• prescriptive standards
• performance standards

[Figure 1 (image not reproduced): flow diagram whose legible boxes are MODIFY PROCESS and ABANDON PROCESS]

Figure 1. Process Safety Compliance Framework

Prescriptive safety standards are traditionally developed on the basis of acceptable engineering
principles and practices. They are founded on past process history of undesired events and time tested
safety solutions. They constitute the current level of our knowledge and concentrate on prescribing
specific safety solutions to predefined deviations from normal operating conditions. Therefore, they are
general solutions to a set of abnormal conditions that are limited by past experience and available data.
Precisely for these reasons, they often do not propose the optimal solution to specific safety concerns.
Rather, they present a prescription to a general set of safety concerns, and attempt to deal with specific
problems utilizing safety factors.

Recognizing the limitations of prescriptive standards, some industries have begun focusing on the
development of performance based standards (ASME93; IEC96; ISA96; API95). The goals of this
approach are to improve the management of technological risk by setting process specific performance
based safety targets (such as process safety level or process risk level); and to identify, evaluate and
certify the reliability of safety products and systems that can be used to achieve the safety target level.
This innovative approach is characterized by: a) the detailed examination of a specific process; b) the
specification of safety solutions that account for the intricacies of the process; and c) the evaluation and
certification of safety systems based on objective performance criteria, such as system reliability.

The success of this approach does not depend on compliance to the minimum requirements of a
prescriptive standard. It requires a culture change that relies on a continuous and long term
commitment to understanding, evaluating and improving the process. This is achieved through the
process safety compliance framework and performance based criteria. The process safety target level
may be established using any of the following tools:

• Prescriptive standard(s) can be employed in accordance with the comprehensive process safety
assessment and lifecycle model, discussed in the following section, to obtain a baseline assessment
of the process risk profile. This baseline is achieved when the process is in full compliance to the
prescriptive standard(s).
• Performance based standard(s) that define a process safety target, or other performance criteria
such as process risk, without prescribing techniques or time tested solutions to achieve these
targets.
• Company specific standards and guidelines can be used to establish the process safety target or the
level of tolerable process risk.

COMPREHENSIVE PROCESS SAFETY ASSESSMENT and LIFECYCLE MODEL


A comprehensive process safety assessment and lifecycle model (CPSALM) is shown in Figure 2
(IEC96). It separates the overall process lifecycle into three distinct regimes: the process safety
assessment cycle, the selection and evaluation of the reliability of a safety system and the operational
lifecycle of the new process. It is the intent of this paper to discuss some of the steps in the
comprehensive process safety assessment lifecycle model that are significant for the improvement of
management of technological risk and demonstrate the need and effectiveness of the reliability
certification program. The three areas that are considered in some detail are shown in Figure 2, and are
identified below:

• Assess Process Risk - perform a quantitative risk assessment of the process.
• Perform SRS (safety related system) Detail Design (i.e., select safety system) - evaluate and certify
the reliability of a proposed safety product or system.
• Re-Assess Process Risk - evaluate the process risk using the same techniques. Does the new
process achieve the desired safety level?

ASSESS PROCESS RISK


The evaluation of the risks associated with a process is accomplished through a Quantitative Risk
Assessment (QRA) procedure (CCPS93). QRA identifies and quantifies the risks associated with
potential process accidents. These accidents are generated using established dynamic accident sequence
modeling techniques (SIU94). The result, the process risk profile or safety level, can be used to develop:

• a better understanding of the process.
• the contribution of existing safety systems to the overall risk reduction or safety level of the
process.
• a comparison of process safety with the process safety target level.

The need for additional protection of the process can now be examined. This can be accomplished by
comparing the process risk profile obtained from the QRA analysis to the predefined target risk profile
(the process safety target level). If the comparison shows that the desired safety target level has not been attained, then
the process must be modified by either improving the reliability of existing safety systems or by
incorporating a new safety system. Any modification will ultimately change the risk associated with the
process. The degree and direction of change determines if the modifications are acceptable (i.e., if they
have achieved or exceeded the process safety target).

[Figure 2 (image not reproduced): partially legible labels include "External Risk Reduction Facilities", "Other Techn." and "Realization of Other Technology"]

Figure 2. Comprehensive Process Safety Assessment and Lifecycle Model

SIS DETAIL DESIGN - SELECT A SAFETY SYSTEM


The objective is to select a safety system, using reliability as a performance metric, that meets the
safety specifications defined through the PSCF. In other words, a system that will reduce the
process risk to or below the safety target level. The methodological step in Figure 2, perform SIS
detail design, is expanded to include all the necessary steps in order to identify the required safety
system and certify its reliability. The detailed steps are shown in Figure 3.

Figure 3. Select a Safety System

The reliability of many safety systems is difficult to ascertain through classical techniques
(experience or statistics). These systems have not been in use for a sufficiently long time and in
large enough numbers. Therefore, a statistically significant population is not available to evaluate
their performance solely based on actuarial data. Advances in technology are made at such a pace
that a system may become obsolete by the time sufficient statistical information is available.
Performance data are specific for the system under investigation and may not apply to other
similar systems. With these limitations, a systematic evaluation of the performance of a system
may be obtained through the use of reliability prediction techniques.

Reliability analysis employs systematic methodologies that decompose a complex system to its
basic components. These components may be used in other systems and therefore, sufficient
performance data may be available. The performance and interactions of these basic components
are merged into reliability models to predict the overall system reliability (CCPS93; GOB92;
STA93). The procedure to evaluate the reliability of a safety system should be systematic, follow
established techniques, and be supported by good engineering practices. The outcome, safety system
reliability, must be objective, repeatable and certifiable by a third, independent, party (IEC96).

RELIABILITY CERTIFICATION PROGRAM
The performance of a safety system is typically established by three parameters (ISA96a; STA92;
STA93):

• Reliability of the system is the probability that the system will perform its intended functions
under specific conditions within a time interval.
• The probability that the system will fail to respond to a process demand.
• The probability that the system will create a nuisance trip, i.e., the system operates without a
process demand.

Factory Mutual's Reliability Certification Program can objectively and systematically evaluate and
certify these performance parameters. The program consists of two main functions: a) Safety Product
Reliability Certification; and b) Safety System Reliability Certification.

SAFETY PRODUCT RELIABILITY CERTIFICATION


The Safety Product Reliability Certification Program uses established technologies and techniques to
evaluate the reliability of electrical/electronic/programmable electronic safety products, E/E/PE, (i.e.,
the logic solver with specific input/output module configuration) and issue a product reliability
certificate. The section of the comprehensive process safety assessment and lifecycle model that
addresses specifically the certification of the safety product is shown in Figure 3. The program can also
assess the contribution to product reliability by sensors and final elements that are typically used with a
specific product. The analysis focuses on the product in a controlled environment, scrutinized under a
specific configuration and known operational conditions (e.g., manufacturer testing recommendations).
The program employs well established reliability modeling techniques to identify the safety critical
components and functions of the product. It then re-examines and tests these elements, in detail, in
order to establish the product reliability parameters. The program uses state-of-the-art reliability
modeling and testing techniques to address key reliability areas such as:

• component data (generic, military handbook, manufacturer's, field, data merging techniques)
• hardware modeling
• diagnostic coverage
• common cause modeling (modeling, avoidance techniques, collection, screening and use of data)
• functional failures (design errors, etc.)
• software reliability (software development process and firmware examination/testing)
• inspection and proof-testing interval
• standard compliance and adherence to accepted engineering practice
• functional testing (component, product, functions)
• opportunities for improvement of product
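The three performance parameters listed under RELIABILITY CERTIFICATION PROGRAM (reliability, probability of failing to respond to a demand, probability of a nuisance trip) and several of the reliability areas above (diagnostic coverage, common cause modeling, proof-test interval) can be put into numbers with a handful of simplified low-demand formulas. The Python below is an added illustration, not code or data from the paper or from Factory Mutual's program. The failure rates, diagnostic coverage, beta factor and repair time are constructed values, and the formulas (mean exposure of T/2 for undetected dangerous failures, a squared term for independent double failures in a 1oo2 architecture, a beta-factor term for common cause) are the usual IEC 61508-style approximations assumed for this example rather than anything the paper specifies.

```python
import math

# Constructed component data for a hypothetical logic-solver channel, in
# failures per hour. Illustrative values only, not data for any real product.
LAMBDA_D = 2.0e-6     # dangerous failure rate (would fail to respond to a demand)
LAMBDA_S = 1.0e-6     # safe failure rate (would cause a nuisance trip)
DIAG_COVERAGE = 0.90  # fraction of dangerous failures revealed by self-diagnostics
BETA_CCF = 0.05       # common-cause fraction assumed for the redundant architecture
MTTR_HOURS = 8.0      # repair time once a diagnosed failure is annunciated
HOURS_PER_MONTH = 730.0


def reliability(t_hours, lam_total=LAMBDA_D + LAMBDA_S):
    """Parameter 1: R(t) = exp(-lambda*t), the probability that the channel has
    no failure of any kind during a mission time t (constant failure rate)."""
    return math.exp(-lam_total * t_hours)


def pfd_avg_1oo1(proof_test_hours, lam_d=LAMBDA_D, dc=DIAG_COVERAGE, mttr=MTTR_HOURS):
    """Parameter 2 for a single channel: average probability of failing to
    respond to a process demand. Undetected dangerous failures stay hidden
    until the next proof test (mean exposure T/2); diagnosed ones are exposed
    only for the repair time. Simplified IEC 61508-style low-demand model."""
    lam_du = lam_d * (1.0 - dc)   # dangerous undetected
    lam_dd = lam_d * dc           # dangerous detected by diagnostics
    return lam_du * proof_test_hours / 2.0 + lam_dd * mttr


def pfd_avg_1oo2(proof_test_hours, lam_d=LAMBDA_D, dc=DIAG_COVERAGE, beta=BETA_CCF):
    """Parameter 2 for two channels voted 1oo2: a demand is missed only if both
    channels have failed. Independent double failures average (lam*T)^2/3 over
    the proof-test interval; the beta-factor term models common-cause failures
    that defeat the redundancy. Detected-failure terms are neglected here."""
    lam_du = lam_d * (1.0 - dc)
    independent = ((1.0 - beta) * lam_du * proof_test_hours) ** 2 / 3.0
    common_cause = beta * lam_du * proof_test_hours / 2.0
    return independent + common_cause


def spurious_trip_rate(architecture, lam_s=LAMBDA_S):
    """Parameter 3: rate of nuisance trips. A 1oo2 system trips when either
    channel trips, so its spurious trip rate is about twice that of 1oo1."""
    return lam_s if architecture == "1oo1" else 2.0 * lam_s


def product_parameters(architecture, proof_test_months):
    """Bundle the three certification parameters for one architecture and one
    inspection/proof-test interval, the way a certificate would report them."""
    t = proof_test_months * HOURS_PER_MONTH
    pfd = pfd_avg_1oo1(t) if architecture == "1oo1" else pfd_avg_1oo2(t)
    return {
        "architecture": architecture,
        "proof_test_months": proof_test_months,
        "reliability_over_interval": reliability(t),
        "pfd_avg": pfd,
        "spurious_trips_per_year": spurious_trip_rate(architecture) * 8760.0,
    }


if __name__ == "__main__":
    for arch in ("1oo1", "1oo2"):
        for months in (3, 6, 12):
            p = product_parameters(arch, months)
            print(f"{arch} T={months:2d} mo  R={p['reliability_over_interval']:.5f}"
                  f"  PFDavg={p['pfd_avg']:.2e}"
                  f"  spurious/yr={p['spurious_trips_per_year']:.4f}")
```

Running the table shows the trade-off the certification program has to document: the redundant architecture lowers the probability of failing on demand by more than an order of magnitude at the same proof-test interval, but doubles the nuisance-trip rate, and the common-cause term, not the independent term, dominates the 1oo2 result, which is why the beta factor and its supporting data are on the list of key reliability areas.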

SAFETY SYSTEM RELIABILITY CERTIFICATION
The second major function, the Safety System Reliability Certification, is the site specific reliability
evaluation and certification of a safety system (Safety Related System) that incorporates the safety
product with a specific arrangement of sensors and final elements. The section of the comprehensive
process safety assessment and lifecycle model that addresses specifically the certification of the safety
system is shown in Figure 4. The analysis focuses rigorously on the safety system and incorporates site
specific conditions that may impact its performance, such as applicable plant specific inspection,
imperfect testing and repair/replacement policies and other organizational issues (e.g., training of
personnel, operating, emergency and testing procedures, etc.) that define the existing, site specific,
organizational safety culture. It focuses on the electrical/electronic/programmable electronic (E/E/PE)
safety system and the associated safety functions. It does not assess the effect of other safety systems
on the process safety target.

Figure 4. New Process Evaluation

BENEFITS OF RELIABILITY CERTIFICATION


The benefits of such a program to the Petrochemical industry are:

• users can make informed decisions when choosing a product for a specific application.
• users can have their system certified against national and international standards (ISA96;
IEC96).
• users will have a certified product installed and therefore achieve a recognized level of process
safety (IEC96; ISA96).
• users will have the potential for improved operations and profitability by:
  o fewer losses
  o fewer process interruptions and therefore start-ups and shut downs
  o high process utilization and productivity

The benefits of such a program to the manufacturers (OEMs) of the safety products are:

• OEMs will identify specific and practical opportunities to improve the performance of their
product.
• OEMs will have a competitive advantage through documented and demonstrated product
quality and reliability
• OEMs will/can increase their market because of user reliance on certified products

RE-ASSESS PROCESS RISK


The new safety system has been selected, and its reliability has been evaluated and certified. The
system is included in the process safety layer and the comprehensive process safety assessment
and lifecycle model is revisited. The process safety level is re-evaluated using the QRA analysis
and the new process risk is determined.

If the risk associated with the new process is below the process safety target level, then the new
safety system has met its safety specifications and is in compliance with the standard(s). If,
however, the new process risk is not acceptable, then additional areas of the process safety
compliance framework and comprehensive lifecycle model must be examined to determine their
potential contribution to further risk reduction. An iterative procedure is then followed until the
process safety target level is achieved.

EXAMPLE APPLICATIONS
There are two significant benefits that result from the application of the aforementioned methodology.
The first benefit, a direct result of the Process Safety Compliance Framework, is the detailed
examination of the process, the identification of process hazards, the establishment of a process safety
target level and the assessment of the process risk profile. The second significant benefit is the reliability
certification program which can assist users to make informed decisions as to which safety system to
use for a specific process in order to meet the safety target level.

Safety System Selection using Product Reliability Certification


The electric power generation industry has been using conventional low-water fuel cut-off systems
(LWFC) and water level indicators (sight glass) to protect against low water level conditions in the
steam drum. Existing ASME Code (Section 1, PG-60) (ASME92) mandates the use of at least one
sight glass and permits the replacement of one conventional water level indicator by two remote level
indicators. No ASME guidelines are available for automatic low water cut-off systems for attended
utility steam generators.

In recent years, some of these safety needs in the industry are being met by the use of sophisticated
electronic gauging systems (EGS). These solid state systems allow users to quickly identify and repair
failed components or systems and to implement more extensive control or safety logic. Several
systems, including a single programmable electronic system (PES), that can perform this function were
examined and were evaluated using the reliability certification methodology. The probability that a
system will fail to respond to a process demand (low water level conditions in the steam drum) is
presented in Figure 5 (KAR87; STA92; ISA96a).

From the results in Figure 5, the electronic gauging has a lower probability to fail to respond to a
process demand (low water level conditions in the boiler drum). This example demonstrates the
benefits of this approach. It allows for the objective selection among several systems, of different
technologies, using reliability as the basis of comparison. The selected system can be incorporated into
the process safety layers. The comprehensive process safety assessment and lifecycle model can be
used to evaluate the new process risk profile and determine if the safety target level has been achieved.

Management of Technological Risk using a SIL 2 Safety System


The Process Safety Compliance Framework was exercised on a specific facility that uses a flammable
gas (CRA94). In Figure 6, the solid line provides the risk profile for the existing facility. All safety
systems and their contribution to process risk reduction have been identified and incorporated into the
risk profile. Corporate and plant management assessed that the process safety did not meet their safety
target level (these criteria were established by relevant codes, standards and regulations, as well as
safety goals set by corporate policy and insurance industry recommendations).

A new safety system, a Programmable Electronic System (PES) with Safety Integrity Level (SIL) 2
(IEC96), was used to further reduce the process risk to manageable levels. The dotted line in
Figure 6 represents the new process risk profile, reduced strictly by the application of the new safety
system.
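The two example applications, together with the iterative loop described under RE-ASSESS PROCESS RISK, can be exercised end to end in a short script. The Python below is an added example, not the paper's own analysis or data: it ranks three hypothetical low-water cut-off technologies by their probability of failing to respond at a given inspection interval (the comparison of Figure 5), adds the selected system to the safety layer of a constructed risk profile of the kind Figure 6 plots, checks the result against a constructed target profile, and, if the target is missed, tightens the inspection interval and repeats. The failure rates, both risk profiles, the simplification that the new safety layer scales every exceedance frequency by its PFD, and the SIL bands (taken from the published IEC 61508 low-demand table rather than from the draft the paper cites) are all assumptions of this example.

```python
# Constructed undetected dangerous failure rates (per hour) for three
# hypothetical low-water cut-off technologies. Illustrative values only, not
# the measured data behind Figure 5.
CANDIDATES = {
    "LWFC (conventional)": 5.0e-6,
    "EGS (electronic gauging)": 8.0e-7,
    "Single PES": 2.0e-6,
}
HOURS_PER_MONTH = 730.0

# Constructed risk profiles: annual frequency of exceeding a flammable gas
# concentration (ppm), the kind of curve Figure 6 plots. The target profile is
# the process safety target level the process must meet or better.
BASELINE_PROFILE = {100: 1.0e-1, 1_000: 1.0e-2, 10_000: 1.0e-3}
TARGET_PROFILE = {100: 1.0e-2, 1_000: 1.0e-4, 10_000: 1.0e-6}

# Low-demand SIL bands on average PFD (assumed from the published IEC 61508
# table): (SIL, lower bound inclusive, upper bound exclusive).
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def pfd_avg(lam_du, inspection_months):
    """Single-channel average probability of failing to respond to a demand
    when undetected failures are revealed only by periodic inspection: the
    mean exposure time is half the inspection interval."""
    return lam_du * inspection_months * HOURS_PER_MONTH / 2.0


def sil_for_pfd(pfd):
    """Map an average PFD onto a SIL band; None if outside the table."""
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return None


def select_system(candidates, inspection_months):
    """Rank candidate systems by PFD at the given inspection interval
    (reliability as the selection criterion); return the best and the ranking."""
    ranked = sorted((pfd_avg(lam, inspection_months), name)
                    for name, lam in candidates.items())
    return ranked[0][1], ranked


def apply_safety_layer(profile, pfd):
    """Adding the safety system to the safety layer lets only a fraction PFD of
    demands propagate, so every exceedance frequency scales by PFD. This
    assumes the system acts on all initiating events behind the profile."""
    return {conc: freq * pfd for conc, freq in profile.items()}


def meets_target(profile, target):
    """Compliance: the new profile lies at or below the target at every point."""
    return all(profile[c] <= target[c] for c in target)


def reassess(baseline, target, candidates, inspection_months):
    """One pass through the PSCF loop: select a system, re-evaluate the risk
    profile with it in place, and compare against the target level."""
    name, _ = select_system(candidates, inspection_months)
    pfd = pfd_avg(candidates[name], inspection_months)
    new_profile = apply_safety_layer(baseline, pfd)
    return {"system": name, "inspection_months": inspection_months, "pfd": pfd,
            "sil": sil_for_pfd(pfd), "new_profile": new_profile,
            "compliant": meets_target(new_profile, target)}


def shortest_compliant_interval(baseline, target, candidates, start_months):
    """Iterate as the paper describes: if the target is missed, tighten the
    inspection interval one month at a time until the profile complies.
    Returns the first compliant interval, or None if even monthly fails."""
    for months in range(start_months, 0, -1):
        if reassess(baseline, target, candidates, months)["compliant"]:
            return months
    return None


if __name__ == "__main__":
    for months in (12, 6, 3):
        r = reassess(BASELINE_PROFILE, TARGET_PROFILE, CANDIDATES, months)
        print(f"T={months:2d} mo: {r['system']:<26} PFDavg={r['pfd']:.2e} "
              f"SIL {r['sil']} compliant={r['compliant']}")
    print("shortest compliant interval (months):",
          shortest_compliant_interval(BASELINE_PROFILE, TARGET_PROFILE, CANDIDATES, 12))
```

With these constructed numbers the electronic gauging system wins the ranking at every interval, but its certified PFD only reaches the target profile at the highest concentration once inspections are performed at least every three months: the selection step and the re-assessment step have to be read together, which is the point of keeping both inside one framework.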

CONCLUSIONS
A Process Safety Compliance Framework is proposed that permits the consistent and systematic
evaluation of process risk, provides opportunities for improving the management of technological risk
and assesses the compliance of the process to a safety target defined by standards. The PSCF relies on a
Comprehensive Process Safety Lifecycle Model which is applied from the design phase through the
installation, start-up, operation and decommissioning of the process. The model is used to define a
baseline process safety target level by examining the protection scheme consistent with the appropriate
standards. It then compares the certified reliability of alternative safety systems and provides
information for objective and prudent risk management decisions.

The methodology was exercised on a specific process that complied with existing prescriptive
standards. The process risk profile was evaluated. An alternative protection scheme was examined,
using a PES with a certified reliability for SIL 2, and the risk profile was determined.

The reliability certification program was also used to evaluate the reliability of several low water fuel
cut-off systems of different technologies, clearly identifying the more reliable system available to
respond to a process demand.

[Figure 5 (image not reproduced): probability of failing to respond to a process demand on a log scale from 1.E+00 down to 1.E-04, plotted against Time Between Inspections (months) from 0 to 15, for three systems: LWFC, EGS and Single PES]
Figure 5. Comparison of Safety Systems based on Reliability

[Figure 6 (image not reproduced): risk profile on a log scale from 1.0E+00 down to 1.0E-10 plotted against Flammable Gas Concentration [ppm] from 1.0E+01 to 1.0E+06; two curves, "Existing Process" (solid line) and "Process With Proposed PES" (dotted line)]

Figure 6. Evaluation of Process Risk Profile

REFERENCES
API95 - "API Recommended Practice 752: Management of Hazards Associated With Location of
Process Plant Buildings", American Petroleum Institute, Washington, DC, 1995.

ASME92 - "ASME Boiler and Pressure Vessel Code", American Society of Mechanical Engineers,
1992.

ASME93 - "ASME Risk Based Inspection Guidelines - Volume 3. Fossil Fuel Fired Electric Generating
Stations Applications", American Society of Mechanical Engineers, New York, NY, 1993.

CCPS93 - "CCPS - Guidelines for Safe Automation of Chemical Processes", Center for Chemical
Process Safety of the American Institute of Chemical Engineers, NY, 1993.

CRA94 - J. T. Cranefield, D. M. Karydas, P. A. Stavrianidis and V. Ley, "Case Study Of A
Quantitative Risk Analysis To Compare Process Alternatives", PSAM II International Conference,
San Diego, CA, 1994.

EPA95 - "EPA 40 CFR Part 68; Risk Management Programs for Chemical Accidental Release
Prevention; Proposed Rule", Environmental Protection Agency, Washington, DC, 1995.

GOB92 - William M. Goble, "Evaluating Control Systems Reliability", Instrument Society of America,
1992.

IEC96 - "IEC - Draft 1508; Functional Safety of Electric/Electronic/Programmable Electronic
Systems", International Electrotechnical Commission, Draft Report, 1996.

ISA96 - "ISA dS84.01; Application of Safety Instrument Systems for the Process Industry",
Instrument Society of America Draft Standard, SP84, 1996.

ISA96a - "ISA - Programmable Electronic Systems used for Safety Applications; Technical Draft
Report 4", Instrument Society of America, SP84, 1996.

KAR87 - Karydas, D.M., "Probabilistic Analysis for Low Water Level Conditions in Boilers", Factory
Mutual Research Corporation, J.I. ON1E3 .RU, Norwood, MA, 1987.

OSHA92 - "OSHA 29 CFR Part 1910; Process Safety Management of Highly Hazardous Chemicals;
Explosives and Blasting Agents; Final Rule", Occupational Safety and Health Administration,
Washington, DC, 1992.

SIU94 - Siu, N., "Risk Assessment for Dynamic Systems: An Overview", Reliability Engineering and
System Safety, Volume 43, 1994.

STA92 - Stavrianidis, P.A., "Reliability and Uncertainty Analysis of Programmable Electronic
Systems", Reliability Engineering and System Safety, Vol. 39, 1992.

STA93 - Stavrianidis, P.A., and Karydas, D.M., "Methodology to Evaluate the Reliability of a Safety
System", SERAD Volume 1, Safety Engineering and Risk Analysis Division, ASME, 1993.

STA93 - Stavrianidis, P.A., Karydas, D.M., and Richards, P., "Reliability Analysis of an Electronic
Gauging System Used for Safety in Power Boilers", IASTED International Conference, Boston, MA,
1993.

Ing. R.J. Tiezema

Function:
GTI Industrial Automation BV, Germany Business Development

Experience:
With over 30 years experience in the development and application of both Onshore and
Offshore Safety Systems Worldwide, Rein Tiezema, a Safety Systems Manager with GTI
Industrial Automation bv Apeldoorn in Holland, is currently working at GTI, Germany
Business Development. By always being at the forefront of safety innovation, Rein
Tiezema's knowledge on this subject has led to him giving countless safety presentations
throughout Europe. Then, back in the 60's, he developed and successfully patented
"Inherently Fail Safety Magnetic Logic", now known as "MagLog".

Organisations:
• Member of the NVvB (Dutch association of reliability engineers)
• Member of Instrumented Safety Assessment

Eliminating the unexpected
Part 4

The Dedicated Safety Processor


R.J. Tiezema
GTI Industrial Automation BV
Apeldoorn, the Netherlands

DSP: Time windows for failure detection

SECTION 1: INTRODUCTION 184
SECTION 2: CONCEPT CONSIDERATIONS 186
SECTION 3: THE STATE-MACHINE 188
SECTION 4: LOGIC HANDLING 190
SECTION 5: THE LAOS-LOAS LOGIC EXECUTION 192
SECTION 6: INPUT FETCHING 195
SECTION 7: DSP SAFETY ASSESSMENT 197
SECTION 8: SUMMARY 198
SECTION 9: EPILOGUE 199
SECTION 10: REFERENCES 201

Section 1: Introduction

The improvement of the efficiency and quality of industrial processes and the need for
more "flexibility" during engineering, as well as during operation, have introduced PLC's
as safety devices into the industry. Today, most safety-PLC's employ µ-processor
technology and software. Most designers of the current safety-PLC's have recognised the
limitations of the computer. Therefore they have tried to overcome this by introducing
hardware redundancy and additional software for self-diagnostics. Very often the result
is rather complicated, whereas the uncertainty in the reliability of software
remains [Littlewood 92].

Why employ complex µ-processors with millions of semiconductors to execute a couple
of hundred safety functions, when this causes difficulties in defining and verifying the
safety levels?

The Dedicated Safety Processor (DSP) however has been designed towards the objective
of a safety-PLC with an eminent and verifiable safety level [Brombacher 92]. The robust
safety achievement originates from its internal architecture and inherent self-test
hardware. Also the elimination of all system software is a unique property of the
programmable system using the DSP.

Regarding the main design requirements, it obviously appeared that failures in the logic
should instantaneously be detected to enable the outputs to function safely.
Here, the first point of focus is the PLC-input. Current input-circuitry requires a latch
function to convert the parallel data into serial data. Since PLC's operate sequentially, a
stuck-at-one (or zero) should not occur.
The second point of focus is the correct decoding of the instruction and address codes.
Faulty decoding of input "X" instead of input "Y" with both inputs in the same state will
stay undetected until input "X" changes. Also incorrectly decoded instructions can only
be detected at the change of an input value.
Both problems can be solved by dynamic logic processing and diverse data handling to
eliminate these undetected failures: two unique features of the DSP.

This paper is not intended to explain all the technical details of the DSP. However, it
presents the considerations and principles of the DSP as part of a safety-PLC. It shows
the use of state-machines to avoid the need for operating software, the principle of
dynamic failure detection with time-windows and a justified method to produce a
quantitative reliability assessment.

The DSP: programmable without system software.

Section 2: Concept Considerations

Today, most safety applications can be divided into a number of smaller, independently
acting tasks, safeguarded by one powerful safety-PLC.
Sub-division however, into a number of smaller safety-PLC's may improve the safety.
Smaller PLC's can be equipped with a low number of inputs and outputs and have to
execute only rather simple safety functions.
The PLC-processor used to perform the safety logic, requires a program with a very
limited set of instructions. Execution of codes will be sequential in time. The processor
design shows a code memory, address- and databus. First the processor evaluates the
input status, secondly the logic functions will be performed and finally the outputs will be
set. Figure 1 shows this basic principle, which looks very similar to the design of the
earlier Texas Instruments general purpose PLC: the STI.
The scheme clearly indicates the safety problem of this design. If one of the "switches"
acts at the wrong moment or does not function properly, the output(s) are not able to
control the application in a safe way.

Fig. 1: The PLC architecture

The DSP however, has been designed to eliminate this unsafe behaviour with unique fault
detection (hardware) to locate both (internal) processor faults and (external) code
memory faults.

As a result the DSP checks for the following possible failure modes in this manner:

• selection of the correct input upon input fetching, to avoid address mismatch,
• selection of the correct output upon output setting, to avoid address mismatch,
• selection of the correct instruction upon its fetching, to avoid address mismatch, or
incorrect decoding,
• stuck-at failures on input latches, internal registers or logic operator gates (AND, OR
etc.).

Further, the final design has a transparent structure to assure a high reliability confidence
factor [Tiezema 95].

At DSP level, mastering of the complexity is achieved by chopping the functionality of
the safety processor into very small basic elements that are coupled via a dynamic
principle outlined below, using 'state machine' technology. This dynamic principle not
only provides a uniform interfacing mechanism between basic functions within the DSP
but is at the same time an essential ingredient in the inherent dynamic self-test of the
system. This serves both the elimination of systematic faults and the detection of
hardware failures. This has been demonstrated during the design verification studies
performed by an independent scientific technical institute in parallel to the design process
[Wal95].
Before going into detail on the DSP design, the next section will first explain the
operating principle of the state-machine.

Section 3: The State-Machine

A state-machine is an abstraction of a device that can be assumed to be in one 'state' out
of a limited number of such states at any point in time. The device can be prompted to
jump from one state to another by external events or conditions. In turn, by assuming a
certain state or by jumping between them, the device can create such events or conditions
for other state machines. A state machine can be realised in silicon hardware, by
representing states in flip-flop circuits. State machines and some more detailed
illustrations of their utilisation in the DSP are further explained below for the interested
reader.
A simple example is given in figure 2. It relates to a person moving inside or
outside, depending on the weather conditions: dry and rain respectively.
An observer watching the "scene" sees a person moving inside and
outside dependent on weather conditions. Also the spectator can
conclude that something may be wrong when there is no movement at all. For instance: it stays dry continuously; the
person concerned is not able to move; etc. In other words: the state-machine remains in a
defined state and does not show any transition. This is defined as:

A stepping state-machine shows a healthy situation and a steady machine indicates a
failure.

Fig. 2: The "state-machine" (legend: state; condition)

This property of the state-machine is used for the required dynamic fault detection of the
DSP-processor:
Any steady state will arrest the DSP's processing!

The state-machines used to perform the processor functions are more complicated than the machine shown
in figure 2. Actually the states of specific machines are defined to be the conditions of other machines. In this
way the so-called coupled-state-machine originates. Figure 3 reflects what happens. The dotted line and/or
the added text behind the &-sign shows the coupled conditions. The observer gets a different picture. From
now on the person concerned just moves outside when the weather is dry and the person is awake.

Fig. 3: The coupled "state-machine"

The state-machine principle has already been utilised in earlier applications to improve safety. A well-known mechanical model is presented by
figure 4, showing the two control knobs of a water boiler. To turn the ignition knob into
the ON-position, the main gas(flow) knob should be in the OFF-position. With the
ignition knob ON (and of course a detected pilot light), the gas flow is released by
turning the gas knob into the ON-position.

Fig. 4: Boiler control

The examples above are very simplified indeed. In practice the use of state-machines
with multiple states and cross-coupled conditions is required. These
machines are indicated as Cross-Coupled-State-machines: CCSM's.


Converting the CCSM into logic is a straightforward procedure. Every CCSM is formed
by a number of flip-flops and a number of input gates. The conversion of the machine
given in figure 3 is presented in figure 5. Besides the change of the applied symbols, the only significant
difference with the original example is the addition of a clock-pulse (cl).

Fig. 5: Logic conversion

Design procedures for CCSM's are more or less identical to those of software development.
However, keep in mind that the final design in the DSP is hardware only, and hardware,
contrary to software, can be tested and simulated completely! [Littlewood 92]

Each basic building block inside the DSP is implemented via one or more CCSM's. Every
CCSM is continuously in motion, jumping between states according to a limited number
of possible sequences, dependent on the actual task in execution. Subtle time
synchronisation between the building blocks (time windows) is used to mould the
separate building blocks into an integrated functional unit. Timing also takes care to
merge operation and test for every processing step. Interfaces between basic building
blocks are realised via events and conditions, that force the CCSM to stay in motion and
at the same time serve to convey calculation results between them. Upon any failure in
any part of the processor, the timing relations necessary to synchronise the generation of
events and conditions (and their effect 'downstream') get disturbed, resulting in a full
stop.

From this section it will be clear that the use of CCSM's is an excellent method to
detect stuck-at-one and stuck-at-zero failures in electronic circuitry.

The CCSM principle is also of great importance to realise dynamic fault detection of the
logic handling. The next section describes this foremost part of a safety-PLC.

Section 4: Logic handling

Looking back to the PLC principle in figure 1, a reliable failure detection of the
"switches" is the main objective in developing a safety-PLC. Especially the "logic
switches" (L: Load, A: And, O: Or, S: Set and N: Inversion) should be designed with
the utmost care to protect the PLC against "stuck-at" failures.
Regarding the basic safety design problems with inversions, the DSP design is based on a
concept where the "N-switch" has been eliminated. So, the DSP uses the LAOS (Load,
And, Or, Set) functions only. This does not mean that inversion functions are not
handled by the DSP; it simply means that the method used to process inversions in a safe
way has been changed. Inversions are executed by means of the so-called "time-
window" method.
To explain what this method implies, a review of the CCSM of figure 3 is needed. Here,
as said previously, the observer watches a person moving in a defined way, depending on the
weather and time conditions. In particular the time condition becomes most interesting. Up to now it
was assumed that the observation took place locally. Now, suppose the observer goes on a
journey to the opposite side of our globe and watches the scene again. However, in this situation there
will be a time shift of twelve hours! The time shift causes a "mirrored" view. The person is still
moving, but obviously displaying a totally different behaviour.
In other words, watching something through a different time-window offers a new perspective.

Fig. 6: The 4-state-machine

Returning to the DSP inversion- and logic functions, these can be represented by a
4-state-CCSM as shown in figure 6.
For example, using the 4-state-machine to test an AND-gate, the output of the AND-gate
can be either in the 1-state or in the 0-state depending on the (logic) conditions.
Transitions from 1 to 0 will take place only when ("stuck-at") errors are not detected.
Of course, referring to the previous section:

In case of an error the machine shall stop.

In practice the situation is more complicated. The states given in figure 6 are not
"processed" by the DSP directly. The DSP needs the time-window principle to decide
which state, either the "1" or the "0", should be used to execute the program.

What does this mean?

In a healthy situation, the 4-state-CCSM steps with a frequency defined by the clock. A
second CCSM, stepping with a 4 times lower frequency, samples the 1-state or the
0-state. Which one is sampled depends on the time-window. The time-window itself
consists of a third CCSM that is able to shift the phase of the sample signal.

This means that the DSP is free to process either the "logic-1" or the inverted value (the
logic-0), depending of course on the program requirements.

Fig. 7: Inversions by time windows (traces: clock, sample)

The example in figure 7 explains what happens. Starting in the 1-state, clock-pulse 1
moves the machine into the "no-error"-state, pulse 2 causes the 0-state, pulse 3 the
"no-error"-state and pulse 4 moves the machine back into the 1-state. Pulses 5 to 8 will cause
the same cycle.
In this example the sample-pulses will generate logic-1's only.
Then the time-window machine (TW) causes a phase shift of two clock-pulses.
Following the same procedure as for clock-pulses 0-12, only logic-0's will be generated,
starting with pulse 18.

Summarising the above, inverted input values, inverted AND's (NAND's) and OR's (NOR's)
are executed in a safe and simple way using the 4-CCSM architecture.
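The clocked 4-state machine, the quarter-rate sampler and the time-window phase shift of figure 7, as an added simulation (not code from the paper or from ProSafe-DSP). The coupling rule that the sampler may only step when the 4-state machine has produced one event per clock pulse, and the `stuck_after` fault, are constructed assumptions:

```python
from typing import List, Optional, Tuple

# Constructed model of the 4-state ring of figure 6:
# 1-state -> no-error -> 0-state -> no-error -> 1-state ...
RING = ("1", "no-error", "0", "no-error")


def simulate(n_pulses: int, shift_at: Optional[int] = None,
             stuck_after: Optional[int] = None) -> Tuple[List[int], bool]:
    """Drive the 4-state CCSM with n_pulses clock pulses.

    shift_at:    clock pulse at which the time-window CCSM delays the sample
                 signal by two pulses (the "mirrored" view of figure 7).
    stuck_after: constructed fault; after this pulse the machine no longer
                 steps, i.e. it sits in a steady state.
    Returns (sampled logic values, halted).
    """
    pos = 0                  # index into RING; the machine starts in the 1-state
    next_sample = 4          # the sampling CCSM steps at a quarter of the clock
    last_sample = 0
    events = 0               # transition events produced since the last sample
    samples: List[int] = []
    for pulse in range(1, n_pulses + 1):
        if pulse == shift_at:
            next_sample += 2         # time window: phase shift of two clock pulses
        if stuck_after is None or pulse <= stuck_after:
            pos = (pos + 1) % 4      # healthy machine: one transition per pulse
            events += 1              # and every transition is an event
        if pulse == next_sample:
            # Coupled condition: the sampler only steps when the 4-state machine
            # produced one event for every clock pulse since the last sample and
            # now rests in the 1- or 0-state. Any steady state arrests processing.
            if events != pulse - last_sample or RING[pos] not in ("1", "0"):
                return samples, True
            samples.append(1 if RING[pos] == "1" else 0)
            last_sample, events = pulse, 0
            next_sample += 4
    return samples, False


if __name__ == "__main__":
    print("healthy, no shift      :", simulate(12))          # logic-1's only
    print("time window shifted @13:", simulate(26, shift_at=13))  # logic-0's from pulse 18
    print("machine stuck after 9  :", simulate(12, stuck_after=9))  # halted
```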

However, the capability of the DSP handling logic inversions by means of this
configuration was not the only objective that has been achieved. Inversions are also used
to test the logic functions.

The method used to test these functions concerns the "LAOS-LOAS" logic execution
procedure.

The next section provides more information about this subject and explains how it is
achieved.

Section 5: The LAOS-LOAS logic execution

The previous section made mention of the DSP being a hardware device only. Hundreds
of logic gates are used in the DSP. Figure 8 shows a small part of these gates.

Fig. 8: A simple logic diagram (inputs A, B, D; output G)

The picture represents the inputs A, B and D, the output G and a couple of
AND- and OR-gates with their outputs C, E, F, respectively. The
matching truth table of this logic diagram is given in figure 10.

Of course there are more configurations possible to solve this
particular logic function.

A special one is shown in figure 9, which can be found with the help of De Morgan's
theorem. Its truth table is also stated in figure 10. Analysing the table by comparing the
input combinations (A, B, D) and matching outputs (G) for both circuits, the logic results
are fully identical. Comparing the gate outputs IR (C, E, F and CC, EE, FF), the results
obtained are the inverse of one another! But there are more differences. Looking at both
diagrams closely, it appears that all AND-gates have now changed into OR-gates and
vice-versa. That is just the principle which is used to test the DSP hardware.

Fig. 10: Logic table of the logic diagrams 1 & 2

  A B D | C CC | E EE | F FF | G GG
  0 0 0 | 0  1 | 0  1 | 0  1 | 0  1
  0 0 1 | 0  1 | 0  1 | 0  1 | 0  1
  0 1 0 | 0  1 | 1  0 | 0  1 | 1  0
  0 1 1 | 0  1 | 1  0 | 0  1 | 1  0
  1 0 0 | 0  1 | 0  1 | 0  1 | 0  1
  1 0 1 | 0  1 | 0  1 | 0  1 | 0  1
  1 1 0 | 1  0 | 1  0 | 0  1 | 1  0
  1 1 1 | 1  0 | 1  0 | 1  0 | 1  0

Suppose that the DSP is loaded with the program as shown in figure 8. The instruction
set to execute this program is very limited: DO, WITH, OR, AND, SET. Figure 11
presents all the instructions.

The DO- and WITH-instructions are directly coupled to the 4-CCSM to select either the
logic-1 or the logic-0 of the related functions as described in the previous section. So, the
result is a safe execution. But what about the remaining executions for OR, AND and SET?

The answer is already there for the taking: loading the DSP with the program of figure 8
(the LAOS-code) or figure 9 (the LOAS-code) will result in the same conclusion.

Fig. 11: LAOS code

    DO A
    WITH B
    AND -> IR C
    DO IR C
    WITH B
    OR -> IR E
    DO IR C
    WITH D
    AND -> IR F
    DO IR E
    WITH IR F
    OR -> IR G
    SET G

Loading the LOAS-code (figure 12) proceeds as follows:

- Select the reversed input signals (A, B, D)
- Change all OR's into AND's and vice-versa (CC, EE, FF, GG)
- Select the reversed output (G)

Fig. 12: LOAS code

    DO A
    WITH B
    OR -> IR CC
    DO IR CC
    WITH B
    AND -> IR EE
    DO IR CC
    WITH D
    OR -> IR FF
    DO IR EE
    WITH IR FF
    AND -> IR GG
    SET G

If all gates are able to execute the OR- as well as the AND-function (LAOS-LOAS),
they must be healthy! This also means that the results will show the same output value,
enabling the safety-PLC to set its respective system output. It also means that:

This concept, based on CCSM's and Time Windows, forces the same silicon gates to be
operated both in an active "high" and in a "low" mode during every processing cycle.
Therefore the DSP is defined as a device with: Virtual hardware diversity.
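The LAOS-LOAS execution of figures 11 and 12 as an added simulation (not the paper's or ProSafe's code): both passes of the program run on the same modelled gates, and the DSP stops when any LOAS intermediate result is not the inverse of its LAOS counterpart. The gate numbering, the stuck-at fault model and the `laos_only` comparison are constructed assumptions:

```python
from itertools import product
from typing import Dict, List, Optional, Tuple

Instr = Tuple[str, str]

# Constructed transcription of the LAOS code of figure 11:
#   C = A AND B,  E = C OR B,  F = C AND D,  G = E OR F
LAOS_PROGRAM: List[Instr] = [
    ("DO", "A"), ("WITH", "B"), ("AND", "C"),
    ("DO", "C"), ("WITH", "B"), ("OR", "E"),
    ("DO", "C"), ("WITH", "D"), ("AND", "F"),
    ("DO", "E"), ("WITH", "F"), ("OR", "G"),
    ("SET", "G"),
]
INPUTS = ("A", "B", "D")


def to_loas(program: List[Instr]) -> List[Instr]:
    """De Morgan dual (figure 12): every AND becomes an OR and vice versa.
    Reversed inputs and the reversed output are selected by the executor."""
    swap = {"AND": "OR", "OR": "AND"}
    return [(swap.get(op, op), arg) for op, arg in program]


def execute(program: List[Instr], inputs: Dict[str, int], inverted: int,
            stuck_at: Optional[Dict[int, int]] = None) -> Tuple[int, Dict[str, int]]:
    """Run one LAOS or LOAS pass.

    The k-th logic operation of either pass is executed on the same physical
    gate k (constructed assumption); stuck_at maps a gate index to the value
    its output is stuck at. Returns (system output, IR register file).
    """
    stuck_at = stuck_at or {}
    ir: Dict[str, int] = {}
    a = b = 0
    gate = 0
    for op, arg in program:
        if op in ("DO", "WITH"):
            # Fetch through the time window: inputs are taken inverted in the
            # LOAS pass, IR values as stored.
            val = inputs[arg] ^ inverted if arg in INPUTS else ir[arg]
            if op == "DO":
                a = val
            else:
                b = val
        elif op in ("AND", "OR"):
            val = (a & b) if op == "AND" else (a | b)
            if gate in stuck_at:
                val = stuck_at[gate]          # injected stuck-at fault
            ir[arg] = val                     # in the LOAS pass: CC, EE, FF, GG
            gate += 1
        elif op == "SET":
            return ir[arg] ^ inverted, ir     # reversed output selected in LOAS
    raise ValueError("program ends without SET")


def laos_only(inputs: Dict[str, int], stuck_at=None) -> int:
    """A plain PLC of figure 1: one pass, no self-test."""
    return execute(LAOS_PROGRAM, inputs, 0, stuck_at)[0]


def laos_loas_cycle(inputs: Dict[str, int], stuck_at=None) -> Optional[int]:
    """One processing cycle: LAOS pass, AND/OR conversion, LOAS pass, check.
    Returns the output, or None when the DSP must stop."""
    g, ir = execute(LAOS_PROGRAM, inputs, 0, stuck_at)
    g_dual, ir_dual = execute(to_loas(LAOS_PROGRAM), inputs, 1, stuck_at)
    # Every gate was operated once "high" and once "low": each LOAS
    # intermediate result must be the inverse of its LAOS counterpart.
    if any(ir_dual[name] != 1 - ir[name] for name in ir) or g != g_dual:
        return None
    return g


def reference(a: int, b: int, d: int) -> int:
    """G column of the truth table of figure 10, read off the diagram."""
    c = a & b
    return (c | b) | (c & d)


def healthy_matches_reference() -> bool:
    return all(laos_loas_cycle({"A": a, "B": b, "D": d}) == reference(a, b, d)
               for a, b, d in product((0, 1), repeat=3))


def undetected_single_stuck_at_faults() -> List[Tuple[int, int, Tuple[int, ...]]]:
    """Exhaustive injection: stuck-at-0 and stuck-at-1 on each of the four
    gates, under every input combination. Lists cases that do NOT stop the DSP."""
    missed = []
    for gate in range(4):
        for value in (0, 1):
            for vec in product((0, 1), repeat=3):
                if laos_loas_cycle(dict(zip(INPUTS, vec)), {gate: value}) is not None:
                    missed.append((gate, value, vec))
    return missed


if __name__ == "__main__":
    print("plain PLC, gate 0 stuck-at-1, inputs 000:", laos_only({"A": 0, "B": 0, "D": 0}, {0: 1}))
    print("DSP cycle, same fault:", laos_loas_cycle({"A": 0, "B": 0, "D": 0}, {0: 1}))
    print("undetected single stuck-at faults:", undetected_single_stuck_at_faults())
```

The check covers the logic gates only; faults on the input side are the domain of the input-fetching CCSM's described in the next section.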

Figure 13 shows the timing of the LAOS-LOAS sequence. Between the two functions is
a tiny period to execute the AND-OR conversion. An attentive look at this picture also
provides information about the remarkably short execution time for the whole sequence
compared with µ-processor based PLC's. The total sequence time just counts 1 millisec.
The LAOS-LOAS sequence itself, to execute the logic functions, takes 0.9 ms as
indicated. The remaining time is used to fetch/strobe the in- and outputs and to execute
timer and other functions to complete a safety-PLC.

Fig. 13: The LAOS-LOAS sequence (phases: snooze, fetch inputs, load, do_LAOS, do_LOAS; tick marks 0, 30 us, 50 us, 500 us, 950 us, 1000 us; not to scale)

It is not the intention of this report to draw parallels with other safety-PLC's, although
similarities do exist. But one significant difference will apply to the DSP I/O. The DSP is
specially developed to interface with inherently safe I/O, based on core-transistor-logic
(CTL) technology. There is no need for redundant I/O in order to meet the highest level
of safety requirements used by other PLC's! Single CTL I/O keeps the safety-PLC
simple and therefore reliable. For highest availability dual I/O may be a requirement,
whereas other PLC's require triplicated I/O at least.

In summary of this section the following points of the DSP are:

- a sequence of 1 msec
- a 100% dynamic self-test as part of the operation
- decomposition into small function blocks using CCSM's
- an interface to inherently safe I/O

Referring to the CTL-interfacing, the next section presents a brief introduction about
CTL. It also shows the DSP using CCSM's to select the correct input and to define the
right input status.

Section 6: Input fetching

In general all PLC's use input circuitry to convert and to condition field signals into logic
signals and output circuitry to provide the opposite: drive capability for solenoids,
contactors etc. It will be clear that the conversion circuitry also requires a safety integrity
level as high as the level of the DSP.

The inherent fail-safe CTL (core-transistor-logic) technology fulfils this
requirement. The diagram of a CTL-input circuit (figure 14) explains what is meant by
"inherent fail-safe".

The heart of this circuit consists of a magnetic core with two inputs with one winding
each. As an example one input is connected to a 24 V dc field device. Defined by R, the
input current (Ii) biases the core to a value at which the core (rectangular hysteresis loop)
is saturated. The second input is connected to a clock (1 kHz) generating current pulses.
During the pulse time, the core is de-saturated, causing a flux change in the core. The flux
change creates a voltage in the secondary windings of the core, switching on the amplifier
for approx. 3 µsec. In this way two types of output signals are generated: a current pulse
with a frequency of 1 kHz and, with the same frequency, a voltage pulse output (fig. 15)
which is used by the DSP.

Now, why is this circuitry called inherent fail-safe?

The answer is as follows:

"With the field device in the off-position, a spurious pulse output signal will never be generated!"

This property is independent from all possible failure modes
of the components used and applies even far beyond their
specified ambient conditions!

Fig. 15: CTL pulse output (levels Vcc and Grd)

Then, as a result, the DSP recognises the "pulse train" from figure 15 as a valid input,
but is also able to detect a faulty one. Of course this is executed by means of coupled
CCSM's and based on the CCSM of figure 6. An impression of what is happening is given
by figure 16, showing an 8-state-CCSM within the centre of a 4-state-CCSM.

After the start-up of the Safety PLC, the DSP generates the condition (time delay): del 1
(figure 15). This function measures the value of the CTL pulse output, being either Vcc
or Grd in case there is no active output or a faulty one. The same variable is executed
after del 2 (2 µsec), where as a result Vcc represents a faulty signal.

Following the CCSM of figure 16, condition del 1 causes a transition from the
inactive-state to the off-state or the on-state, depending on the variable measured, being
Grd and Vcc respectively. Del 2 causes the transition from on- to the 1-state (or
error-state) and from off- to the 0-state (or error-state). As explained before, the 1- or
0-state can be selected by the DSP to execute the logic functions (LAOS-LOAS).
Obviously the error-state will stop the CCSM and because of this will halt the PLC.

Fig. 16: Input fetching

The machine itself shows more conditions derived from other states such as:

- snooze/not snooze
- unprobed
- filter

These states are part of a number of CCSM's used to avoid address mismatch. They
operate in the same way using the Time Window principle and show more or less the
same structure as the example presented in figure 16.
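A constructed model of the input-fetching CCSM of figure 16 (added example, not the paper's or ProSafe's code): the pulse output of a CTL input is read at del 1 and again at del 2; Grd or Vcc at del 1 selects the off- or on-state, and Vcc at del 2 leads to the error-state. The measurement instants and the shape of the constructed pulse trains are assumptions:

```python
from typing import List, Tuple

VCC, GRD = 1, 0
DEL_1_US = 1.0   # assumption: del 1, first measurement after the clock pulse
DEL_2_US = 3.0   # assumption: del 2, two microseconds after del 1

# A pulse train is a list of (start_us, end_us) intervals during which the
# CTL amplifier output is at Vcc. Constructed sample data, not measurements.
PulseTrain = List[Tuple[float, float]]


def level_at(train: PulseTrain, t_us: float) -> int:
    """Voltage level of the CTL pulse output at time t_us."""
    return VCC if any(s <= t_us < e for s, e in train) else GRD


def fetch_input(train: PulseTrain, clock_us: float) -> str:
    """Walk the 8-state CCSM of figure 16 for one clock period starting at
    clock_us. Returns the final state: "1", "0" or "error"."""
    # del 1: inactive-state -> off-state (Grd) or on-state (Vcc)
    state = "on" if level_at(train, clock_us + DEL_1_US) == VCC else "off"
    # del 2: Vcc represents a faulty signal from either branch
    if level_at(train, clock_us + DEL_2_US) == VCC:
        return "error"
    # a healthy pulse has returned to Grd: on -> 1-state, off -> 0-state
    return "1" if state == "on" else "0"


def run_clock(train: PulseTrain, periods: int, period_us: float = 1000.0) -> List[str]:
    """Fetch the input on successive 1 kHz clock pulses; the error-state
    stops the CCSM and therefore the PLC."""
    states: List[str] = []
    for k in range(periods):
        s = fetch_input(train, k * period_us)
        states.append(s)
        if s == "error":
            break
    return states


# Constructed trains: a healthy field device ON (one ~2.5 us pulse per clock),
# the field device OFF (no pulses), and an amplifier stuck at Vcc.
HEALTHY_ON: PulseTrain = [(k * 1000.0, k * 1000.0 + 2.5) for k in range(3)]
DEVICE_OFF: PulseTrain = []
STUCK_HIGH: PulseTrain = [(0.0, 5000.0)]

if __name__ == "__main__":
    print("device on :", run_clock(HEALTHY_ON, 3))
    print("device off:", run_clock(DEVICE_OFF, 3))
    print("stuck high:", run_clock(STUCK_HIGH, 3))
```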

Section 7: DSP Safety Assessment

During the design of the DSP, a new analysing technique was developed to analyse complex
digital safeguarding systems, which is called RIFIT (Random Internal Failure Injection
Technique). The results are expressed in the failure probabilities which have to be known
to be able to calculate the safety level of a safeguarding system.

To be able to determine these safety probabilities it is necessary that a full description of
the safeguarding system is available. The more accurate such a description is, the better
the safety effect probabilities approximate the real values.
This accuracy is exactly what the DSP provides by using µ-chips with known
composition and specification.

Therefore a high confidence level of the results is obtained by simulating the effects of the
internal failures in the DSP with RIFIT. Figure 17 gives an idea about what RIFIT can do.

Fig. 17: Random internal failure injection technique (internal failures: n = 6.E+10 (gate level); safety functions: n = 1.E+3; input values)

The results, the safety effect probabilities, can be used to
calculate the safety integrity levels. To calculate the level it is necessary to know the
probabilities of the existence of one or more undetected failures in the safeguarding
system. It is possible to calculate those probabilities with the help of a Markov model.

The results of the calculations to define the effect probabilities are as follows:
With a confidence level of 99.95% it can be stated that the probability that internal failures
are observed is larger than 32%. With a confidence level of 99.95% it can be stated that the
probability that internal failures result in a safety failure is smaller than 1.42%. This is
much smaller than the maximum probability of 10% which the TÜV allows.

RIFIT is therefore a very valuable technique during the development of new safeguarding
systems, because it gives insight into the causes of the safety failures. If these
causes are known it is possible to improve the safeguarding system. In addition it is
possible to determine safety effect probabilities of complex safeguarding systems which
are needed to apply for safety certificates and to calculate the probabilities of undetected
failures.

Section 8: Summary

The DSP has been designed towards the objective of a programmable safety device with
an eminent and verifiable safety level. Its design therefore departs from the well-known
schemes. The design intends to avoid the majority of systematic failures in the first place
by eliminating unnecessary complexity and by incorporating simple provisions for design
verification and inherent self-test.

The key properties achieved are:

• decomposition of the processor into small function blocks
• 100% dynamic self-test as part of the operation
• virtual hardware diversity
• design for verification, verification during design.

Decomposition of the processor into small function blocks

The functionality of the DSP is divided into small basic elements using "state machine"
technology. This dynamic principle provides both the elimination of design faults and the
detection of hardware failures.

100% dynamic self-test as part of the operation

The DSP features an inherent dynamic self-test, based on CCSM's and Time Windows.
The same hardware gates inside the chip are used for producing both the calculation
results and the test results at the same time and under actual operational circumstances.
This process is repeated every millisecond and any defect, no matter its size or location,
causes the entire DSP to stop.

Virtual hardware diversity

The dedicated safety processor eliminates the effects of all 'stuck-at' type failures by using
virtual hardware diversity, based on the LAOS-LOAS principle. This concept forces
exactly the same silicon gates to be operated both in an active high and in a low operating
mode during every processing cycle.

Design for verification, verification during design

The described processor architecture leads to immediate detection of virtually all faults
inside the DSP or inside the EEPROM that stores the application program steps. This
has been verified and acknowledged by an independent scientific technical body in parallel
to the design. The verification, known as RIFIT, involves the random insertion of faults
into the silicon design data, and simulation of the results. This analysis technique confirms
the remarkable safety integrity performance of the DSP.

Section 9: Epilogue

Eliminating the Unexpected, part 4, shows the properties and features of the DSP: a
processor with a verifiable safety level. The article could be considered as not complete
without mentioning the safety-system in which the DSP is used.
The DSP is used successfully in the safety-PLC which is known as ProSafe-DSP. The
ProSafe-DSP is part of the ProSafe family, which covers a wide range of applications.
The complete ProSafe family consists of:

ProSafe-DSP : Safety PLC
ProSafe-SER : Event Recorder (1 msec.)
ProSafe-RIO : Remote in-/output system
ProSafe-MMI : Man Machine Interface for Supervisory systems
ProSafe-CTL : Inherent Fail-safe system (AK-7)
ProSafe-PLC : PLC for control systems
ProSafe-CAE : ProSafe engineering software

Regarding ProSafe-DSP, the key properties employed are:

• use of the Dedicated-Safety-Processor
• segmentation in relatively independent hardware units
• use of inherently fail-safe technology
• simple application program, driven directly by hardware

Segmentation
ProSafe-DSP aims towards segmentation of a safety system into simple units with
straightforward interfaces between them. This leads to lower complexity and therefore to
better technical mastering of the system. It also keeps operational problems from
propagating into unrelated system parts and allows maintenance and repair to be done
more easily. Therefore this design principle leads to higher safety integrity, higher
availability and lower operational costs.

Use of inherently fail-safe technology

Everything beyond the safety processor in ProSafe-DSP applies robust, inherently fail-
safe technology with a proven track record of tens of thousands of module operation
hours in the field. This is not only true for input and output circuits but also for the voter,
which is a potential source of common mode failures in all redundant architectures.

Simple application program, driven directly by hardware

ProSafe-DSP necessarily allows the use of software as it is a programmable safety
system. Safety applications exhibit only a very limited range of behaviours that can be
specified in a very straightforward manner and do not require interrupts or branching and
looping. It is key to safety applications that their behaviour is consistent, reproducible
and verifiable.

Therefore ProSafe-DSP:
• eliminates the operating system by running the application code directly on the
hardware;
• limits application programs to a limited series of instructions that will always execute
in exactly the same linear order, every millisecond;
• allows historic information only in running timers and for feedback loops (such as
memory cells) and refreshes all other calculations in full during each cycle;
• does not include interrupt provisions, even at hardware level.

This results in a high degree of certainty that, when correct operation has been observed
during a single test, the same behaviour will be exhibited upon the same input stimuli
under all possible circumstances. Moreover the application program can be easily verified
manually against its specification in FLD function blocks.

Section 10: References

[Brombacher 92] Brombacher, A.C.: Reliability by Design - New York 1992
[Littlewood 92] Littlewood, Bev: The risks of software. Scientific American - November 1992
[Lippevelde 90] Lippevelde, R.I.L. van: Eliminating the Unexpected, part 1: Introduction to MagLog 24 - June 1990 GTI lA NL
[TÜV 93] TÜV Rheinland, 945/EL 199/93 - Test report of the DI-511 module according to DIN V 19250 AK 1-7
[Tiezema 95] Tiezema, R.J.: Eliminating the Unexpected, Part 2: Safety Assessment - May 1995 GTI lA NL
[Wal95] Wal, J. van der: Safety Analysis of ProSafe's Logic Solver, University of Twente - May 1995

A corporate perspective of
industrial safety

by

Ir. F. Van Woerden

Tebodin Consultants & Engineers

Ir. F. van Woerden

Function:
Environment & Safety Department Manager, Tebodin Consultants & Engineers, The
Hague, The Netherlands

Experience:
Frank van Woerden has 10 years of experience of advising industry and national
authorities on matters related to industrial safety. His expertise in the field of industrial safety
comprises risk identification techniques, quantitative risk assessments, cost benefit analyses
and risk management systems.

A Corporate Perspective of
Industrial Safety

Introduction
It is not uncommon to see industrial safety as a matter of applying the correct techniques;
therefore, as a rule, the issue is left to safety specialists who are capable of selecting the
correct measures. However, there is a growing awareness that not all issues related to
industrial safety are taken into account this way and that not all opportunities are grasped
for optimum integration of safety with companies' policies.
A corporate view on safety is essential not only for loss prevention but also to
achieve a higher up-time for installations and therefore higher production.
The choice that has to be made is all too clear. If a manufacturer invests little in safe
production the initial costs can be minimised but the risk of production failure and
damages is increased. Alternatively, maximum safeguarding may incur high investments
and may jeopardise a company's profitability. It is obvious that a production facility can
never be 100% safe. A residual risk will always remain after various measures are taken.
Which residual risks, and the extent to which they are acceptable, is determined by societal
and economic demands. Some manufacturers stop at what is prescribed by law and legal
permits or by what is incorporated in design and operating standards. However, it should
be noted that recently in many countries the nature of legislation in this respect has
changed: legislation and permits used to consist of detailed descriptions of safety measures
which had to be implemented. Nowadays, it has become more common for the law to define a
framework within which the necessary actions are defined. Additionally, safety issues are
related to other aspects of corporate management such as insurance, prevention of
production losses, professional diseases, occupational health, working conditions and the
image of the company. For the full validation of all these aspects it is essential to have a
clear insight into the organisational structure and human behaviour and issues such as a
sound streamlining and tuning of working procedures, personal attitude and the sense of
responsibility of employees. These are all issues that do not belong to the prime concern of
the technician but determine the safety of an installation to a high extent. These
observations require a company's management to clearly formulate its policy on safety, so
that the required measures can be based on this policy.
The main question is how these developments can be incorporated in the establishment of
a company's safety level. If this is based on the reduction of production losses, it may not
necessarily lead to the required working conditions. Some measures are generally good,
others conflict with each other.
How can a manufacturer make balanced decisions where all these aspects are sufficiently
taken into account? How should one distinguish between safety optimisation for existing
facilities and new installations? How should the increased knowledge over the last ten
years of industrial safety matters be integrated? To what extent should newly developed
management techniques be incorporated, which for example, by means of Business
Process Redesign (BPR), indicate how employees can be motivated best?
With this presentation I would like to introduce a project approach taking into account all
developments mentioned for achieving a balanced safety strategy. Firstly, attention will be
paid to some accidents of the past. Subsequently, the above mentioned management
aspects will be dealt with together with how improved knowledge can be applied to actual
situations, both for existing and new facilities. Finally, the approach is presented based on
a real-life situation.

Accidents
Looking at a large number of accidents in the past demonstrates that fires and explosions
are the most important incidents in industry. The release of toxic material (gases) is also a
major hazard. Fires are the most frequent accidents of these three categories, explosions
cause the highest number of fatalities and cause most damages. Characteristic of toxic
releases is the large number of fatalities that can be caused at greater distances from the
source of the accident.
Major explosions occurred in Mexico City, where an accident with oil products (petrol and
LPG) cost the lives of 550 people, and on the Piper Alpha, an offshore platform for oil and
gas production, where 165 people were killed. The disaster of Flixborough is one of the
most discussed and investigated gas explosions. In a cyclohexane production plant a
leakage occurred in a bypass. The bypass had been temporarily installed during maintenance
activities. The leakage caused the release of cyclohexane gas. The subsequent vapour
cloud reached the burner of a hydrogen installation and exploded with the loss of 28 lives,
the complete destruction of the plant and major damage for several kilometres. The
investigation reports of this accident show that the disaster was not simply related to
design errors, but that many other factors, including at management level, played a role. The
installation of the temporary bypass was not made subject to stringent safety procedures and
many departments were involved in it.
Theoretically, toxic releases have the capacity to cause larger numbers of fatalities, but
fortunately accidents on this scale are quite rare. The largest disaster involving toxic gases
took place in Bhopal (India, 1984), in which 2500 people were killed.

These are a few of the major accidents that have been recorded. Less spectacular accidents
have a much higher frequency. Accidents in general are an important risk to a company.
The research reports produced for large scale accidents normally show that causes are
very complex and that the last link in the safety chain, the operator making an error, is not
the only element responsible for the event. Examples of this are the above mentioned
accidents but also the Estonia and the Herald of Free Enterprise ferry accidents.
In the event of an accident, a company is affected at several management levels. Roughly,
a distinction can be made between economic and human or societal aspects, although this
distinction is not always a sharp one.

Economic aspects
An important economic aspect is the physical damage to installations. For safety
measures, the costs of the installation can be compared with the costs of the protective
measures and the chance of occurrence of an accident with the installation. Another aspect
is loss of production. The (partial) failure of the installation to produce will temporarily
affect the production output. Obviously this will seriously affect relationships with clients
and the image as a reliable supplier, and lead to loss of income and penalties under supply
contracts. The related costs will also determine the level of required safety provisions. This
aspect can be investigated by looking at the up-time of the installation and the net time that
the installation is productive. The up-time depends on a number of aspects such as
maintenance, but also on the level of safety precautions.
Another aspect is insurance. A company can insure many things: damage to installations,
liabilities (health cost claims, supply problems). Basically, insurance companies can insure
anything. However, the general rule applies that if a risk of the occurrence of certain
events is not known very well, insurance premiums will be high. It is therefore in the
interest of the company to be able to judge well which risks should be insured and how
premiums relate to the costs and mitigating effects of safety measures.
Corporate image is important as an economic aspect. A company certainly cannot afford
to have its corporate image damaged by an 'accident-prone' reputation.

Human and societal aspects


A relevant human aspect is occupational health or safety of employees. A company has to
comply with legal requirements for occupational health enforced and inspected by local or
regional inspectorates or health and safety executives. In many countries legislation is
changing or has been changed. Often inspections focused on identifying unsafe situations
and modifications were carried out after incidents or near incidents. Nowadays in many
countries the responsibility for identifying and implementing required measures is to a
larger extent left with the industry. The inspections of the competent authorities
concentrate less on identifying unsafe situations and more on whether a company has a
systematic approach to paying continuous attention to labour safety, that is, to identifying
and evaluating risks and taking the necessary actions to minimise these risks.

External safety is also a relevant issue. In particular, the Seveso accident prompted the
European Union to consider risks for the public from hazardous industrial activities. A
European Directive for the Control of Major Accident Hazards from industry came into
force in 1982. Its integration with national legislation has made many European industries
compile safety reports with an inventory of risks and control measures and descriptions of
emergency procedures. Also relevant is the changing attitude towards sickness leave and
occupational illness. In this case too, more and more responsibility is being put onto the
employer for the level of sickness leave, and in particular for problems related to the
nature of the industry's activities. It is therefore important to identify the risks of the work
for employees and to have good insight into how these risks can be reduced.
For all the aspects mentioned two parameters, strongly related, are important for their
evaluation: what is the effect of the accident, e.g. in terms of killed or injured people and
what chance of occurrence is related to the accident. For accidents with a small chance of
occurrence and little impact, special measures are not always required. For accidents with
a small chance of occurrence but with large effects measures are often necessary.
However, much attention in this case may be given to the effect of the accident leading to
an 'overkill' of safety precautions.
For a balanced approach these parameters should be recognised. The great number of
achievements in risk analysis tools in recent years has made this possible and the
knowledge and analysis tools are now readily available. A wide range of analysis tools
exists, from quite simple to very complex. The most complex analyses take great effort
and are normally applied to situations where the effects of accidents can be very large and
control measures are costly. The first level of analysis is the identification of hazards. A
higher level of investigation involves the evaluation of the resulting effects. Finally, the
failure rates of these incidents and the subsequent risks can be quantified. In the
latter case the incidents with small effects often receive comparatively little attention.

Sequence of safety measures


There is a 'natural' sequence of safety measures. The higher the measure is in this
sequence, the more the measure affects the installation but also the smaller the failure rate
will be. In short, the sequence of measures shows the following possibilities. Firstly the
management measures are mentioned, such as operating and maintenance procedures and
frequent technical inspections to prevent accidents or reduce their consequences.
Emergency procedures belong to this category. As mentioned previously, safety is not
restricted to the technical state and level of control of the installation. The company's
organisation and human behaviour play an important role. The personal attitude and sense
of responsibility of the operators determine to a large extent the safety of the installation.
The next step is active technical measures. This concerns additional safety devices such
as pressure relief valves and control valves to prevent the release of hazardous material.
This step is followed by passive technical measures. This is the use of specially
designed equipment which reduces the chance of an accident without using special additional
safety devices. Examples are equipment that can endure very high pressures and
installations with increased distances between process equipment. Finally the inherent
safety measures are mentioned. In this case risks are eliminated by substituting hazardous
substances with non-hazardous ones. This step deeply affects the production process. An
example is the substitution of flammable solvents with water.
The best opportunity to include measures from as high a level as possible in the sequence
described is during the design of new installations. This is not normally possible for
existing plants. The latter case would require the replacement of equipment that is fully
written off and a temporary production stop. An economic evaluation of these measures
needs to include disinvestment, demolition costs and the costs of production loss.

In the assessment of the measures sequence it should be noted that causes of accidents
often include human failure: lack of operator knowledge, a design error or incorrect
operation. It is estimated, depending on how human failure is defined, that at least seventy
per cent of accidents are related to human failure. This does not mean that solutions for
this problem should only be sought in operating routines and procedures. It is useful to
improve the operability of the installation by means of technical measures. The operator
should not be a tightrope walker in the plant; he needs to have all the information and
technical facilities at hand to respond adequately to incidents. On the other hand
it is not wise to design an idiot-proof production facility, since this reduces awareness of the less
frequent incidents.

Knowledge
The last decade has seen many technical and organisational developments in the field of
industrial safety. These developments have given detailed insight into how incidents occur
and what their consequences are. With this knowledge industry is not restricted to
measures that minimise the effects of accidents. Also prevention of accidents can be
incorporated more efficiently. These developments in knowledge technically enable
industry to improve the level of safety. An example of technical development is the
increased insight into ignition mechanisms such as static electricity. Techniques to prevent
static electricity can be found across the full sequence of measures: in some cases the
operating instructions should prescribe the use of special clothing and shoes when certain
handling operations are carried out. Passive technical measures are inertisation of gas or
increasing air humidity, but also the reduction of transport or drop velocities (friction
reduction). Inherent measures are the application of conducting materials. Another
technological development concerns the knowledge of dust explosions applied in food
industries, such as flour, dairy and sugar manufacturers and cereal handling. A final
example is the greatly increased knowledge of runaway reactions and other special process
conditions.
In relation to organisational measures, Business Process Redesign (BPR) should be
mentioned. This is a technique applied to the whole production process which aims to
streamline the provision and distribution of information within the company.
Involvement of all employees in achieving the improvements is a vital aspect of
BPR, to accomplish acceptance of and commitment to the new system. These techniques can
also be applied in the introduction of organisational modifications and a safety
management system.

Project approach
The project approach is discussed using a concrete project that Tebodin carried out
with Raffineriegesellschaft Vohburg/Ingolstadt (RVI) as an example. This is a refinery
complex in Southern Germany with 24 plants and production installations which are
strongly interrelated. This company, formerly part of the British Petroleum Group,
decided in 1989 to review the safety aspects of all its production facilities, prompted by a
number of major accidents that had occurred worldwide with oil companies. Additionally, the
introduction of computer-controlled automation of all the production facilities was another
reason for the safety review.
In a complex situation like this a thorough approach is required which includes all the
previously mentioned aspects and which is able to monitor progress and costs at any point
in time. The following project phases were identified.

Phase 1 - Start-up
The first step is the identification of the scope of work. Which installations and which
parts of the organisation should be included in the review? What level of detail is
required? The answers to these questions can be used to select the type of analytical tools
that will be used. For example, is it necessary to compile a full qualitative overview of the
total complex, or can quantitative risk analyses immediately be applied to some of the
installations? A preliminary budget and planning is prepared and the project team
composition is determined. In the case of RVI the HAZOP technique was selected as the
most appropriate review instrument, including a review of operating procedures and safety
aspects of the computer control system. A programme was established for the review of
four to five installations per year. With an average review time of 4 weeks per plant the
project team was actively involved in the review for about 20 weeks per year. The
sequence of the plants under review was determined using several criteria. The first criterion
was the hazardous potential of raw materials and products, such as LPG, hydrogen and
hydrogen sulphide. The second criterion was the complexity of the plant. It was decided
that the catalytic cracking unit should be reviewed first because of the risks of mixing air
and hydrocarbons. Also the history of certain plants was studied in view of incidents and
production stops. The presence of sensitive objects in the vicinity could be another reason
for prioritisation. An important issue was the presence and quality of documentation,
particularly that describing the interfaces between various installations. The availability of
staff can also be an issue when executing reviews as intensive as HAZOP
studies. RVI decided to make two employees fully available for the project, both with
many years of (operating) experience, so-called 'alte Hasen'. Furthermore the HAZOP
chairman and his secretary were hired externally, not least to ensure sound progress.
The plant managers and also specialists of various disciplines (inspection, maintenance,
instrumentation, management) were available during part of the mornings to participate in
the review sessions. With this involvement the acceptance of the recommended measures
was high.

Phase 2 - Analyses
The execution of the review will provide insight into the safety level of the concerned
plants. Recommendations are made for components which fall short of the standards used.
All important operating modes were taken into account. Naturally, standard operations
were reviewed, but also special conditions such as the regeneration of catalysts and the decoking
of furnaces. Start-ups and shutdowns are also examples of vital modes for the review.
Finally, a number of failures were investigated that may affect more than one installation
component: failure of utilities (steam, power, plant air, nitrogen, cooling water etc.) and of
control systems, specifically those for active safeguarding, and the failure of computer
systems or parts of them.
Organisational aspects such as fire fighting, occupational health, security and
recommendations for new projects were included and linked to the reviews of individual
plants.

Phase 3 - Recommendations
In this phase the preliminary recommendations are analyzed resulting in a list of measures
to be taken with their priorities.
For RVI reports were prepared with cost estimates of all the recommended actions.
Subsequently, a cost/benefit analysis was performed, including an indicative estimate of the
costs involved if it were decided not to implement the recommendation. Finally, a
planning for the execution of the authorised measures was made, which could be
problematic since some plants have a continuous production period of several years
without planned stops for maintenance.

Phase 4 - Implementation
For the implementation of the authorised control measures it is important to identify clear
steps that can be easily monitored. A periodic report on the state of the implementation
programme, for which one person is responsible, is essential. The results can be summarised as
follows. For each plant, depending on size and other aspects, between 50 and 200
recommendations were formulated. About 30% of these were dealt with after one year,
50% after two years and 80% after 4 years. Costs vary widely. For the catalytic cracking
unit with 150 recommendations this was about USD 150,000; the vacuum unit had 50
recommendations worth USD 300,000. About USD 600,000 was involved in the
implementation of recommendations for the somewhat older combi-cracker.
For RVI the safety review and the implementation of measures had an important impact
on the safety awareness of the company's management and operators. The awareness has
been increased significantly over the years resulting in a high level of safety at present.

RVI's management is permanently involved in maintaining this awareness through the
recommended measures related to training and audits. The company safety campaign has
resulted in one accident in three million production hours. It should be noted that this one
incident happened during a safety training session of the company's fire fighting crew.
Obviously it is difficult to measure the success of a safety project. The accidents that
would have happened had the measures not been implemented do not take place.
This will always be the paradox for the safety-conscious conscience.

Frank van Woerden, 4 September 1996, with thanks to the main authors of this paper,
Mr Rien Scholing and Mr Piet Rieff of Tebodin Consultants and Engineers, The Hague,
The Netherlands

SIEMENS

Make quite sure with the fail-safe SIMATIC S5-95F

Fail-safe PLC technology doesn't have to be more expensive than conventional safety
technology. Best proof: the fail-safe SIMATIC® S5-95F, which is worth its price even in
small safety applications. The low-cost small controller is supplied with everything you
need on board for fail-safe control. This means you can save yourself additional wiring
that would otherwise cost a lot of time and money. And later modifications and expansions
are carried out easily and quickly, thanks to PLC technology.
And without question, the small fail-safe controller can be used anywhere. On roller
coasters or elevators or for the control of chemical processes and centrifuges. And because
the SIMATIC S5-95F has been approved by all relevant standards committees, it is the first
truly fail-safe PLC for escalators, presses and emergency stop circuits.
So, if you want to play it quite safe, just send us a fax. We'll let you have more
information by return.

Siemens AG, Infoservice AUT/Z401, D-90713 Fürth, Federal Republic of Germany

SIMATIC: Defining Automation Technology
The Seveso-II directive
a brief overview of contents and
consequences for major hazards plants

by

Drs. G.C.M. Lommers

Ministry of Housing, Physical Planning and Environment
The Netherlands

Drs. G.C.M. Lommers

Function:
Head of External Safety Division, directorate for Chemicals, External Safety and
Radiation Protection, Directorate-General of the Environment, Ministry of Housing,
Spatial Planning and the Environment.

Experience:
Experience with City Planning for about 10 years, worked 6 years as a coordinator of
environmental policy in the directorate-general of housing and contributed in this role to
the VROM policy of more environmentally friendly and healthier building and planning.
For more than two years he contributed to the development of energy-saving instruments,
like the energy tax, in the directorate-general of the environment.
Since March 1994 Mr. Lommers has been heading the external safety division of the Directorate-
General and as such is responsible for the development of the external safety policy of the
ministry. He is also chairing the interdepartmental group that is responsible for the
implementation of the Seveso-II directive in the Netherlands.

Organisations:
• Member of the Committee of Competent Authorities for the Seveso-directive of the
EU.
• Member of the Expert Group on Chemical Accidents of the OECD.

The SEVESO-II directive
a brief overview of important changes and consequences for major hazards
plants in the Netherlands

G.C.M.Lommers, A.J. Muyselaar


Ministry of Housing, Physical Planning and Environment
External Safety division (655)
PO Box 30945, 2500 GX The Hague, Netherlands

Summary

After an introduction to the current external safety policy and practices in the
Netherlands an overview of relevant articles and changes in the new European Seveso
directive is presented. This also covers the relevance of certain of the new Seveso articles
to Dutch target groups.
In relation to the above, some of the intentions of the Dutch authorities on
implementing the Seveso-II directive are highlighted. This also covers a general
description of intended changes to the Dutch Major Hazards Decree, through which the
Seveso-II directive will be implemented, and descriptions of projects to produce guidance for
industry and local authorities.

1. Introduction
In the Netherlands, there are about 4500 potentially hazardous activities (establishments),
ranging from relatively small LPG filling stations for motor cars to large chemical sites
involving chlorine and ammonia production and storage. Risk acceptability criteria are
firstly used to determine which risk reducing measures are necessary for specific hazardous
activities. Secondly risk criteria are used to determine generic or specific safety distances
for standard or complex establishments (e.g. LPG filling station vs oil refinery), based on
geographic risk contour maps. The external safety policy is implemented at practical level
through strict regulations for cases where straightforward generic risk modelling can be
applied and through more sophisticated procedures for complex cases. In either case, risk
reduction at the source has priority over zoning. In many cases, risk cannot be reduced
sufficiently at the source to meet the criteria for acceptable external risk levels outside
plant premises, and consequently zoning is required.

The methodology and policy used for 'fixed installations' is presently being adapted to
make it suitable for situations involving risk in the transport of dangerous chemicals. The
parameters of individual risk and societal risk used in the policy for fixed installations are
used in a slightly modified framework, but along very parallel lines. This new approach
makes it possible to effectively deal with the problems of transport of dangerous
chemicals that many countries are presently faced with, or will be in the near future.

Two of the topics central in the discussion of this symposium will be at the core of this
paper:
• What is an acceptable risk to the involved parties and who makes the decision?
• Can new safety criteria protect the world against major industrial disasters like
Chernobyl, Bhopal and Piper Alpha?

The first part of this paper is a description of the risk management and control based
philosophy used in the Netherlands to deal with external safety around 'fixed' hazardous
establishments. The policy described is based solely on preventive environmental
protection legislation. The second part covers relevant sections of the new European
Seveso-II directive, which impacts on legislation on environmental protection, labour
protection and disaster planning. In relation to this, the outlines of the way the Dutch
authorities intend to implement the Seveso-II directive into Dutch legislation are presented.

2. Dutch legislation on external safety

The development of what is known as the external safety policy, with quantification of
risks, in its current form in the Netherlands originated in the beginning of the 1980s, when
it became clear that the use of LPG would increase considerably. The other important
element for the development of an external safety policy was of course the Seveso
Directive from 1982. Obviously the occurrence of a number of major hazards -
Flixborough, Beek, Bhopal, Mexico City and Los Alfaques - catalysed the process of
developing policies aimed at improved prevention of accidents. The external safety policy
is based on environmental legislation and covers prevention of dangerous accidents. Policy
on workers' safety, mitigation and repression of accidents falls under different legislation
(see section 6).

The basis for the Dutch quantitative risk approach was formed twelve years ago, in 1982,
with two large studies which were undertaken to find ways of managing risks connected
with hazardous activities:
• The LPG integral study (performed by TNO) which determined risks of all LPG
activities in quantitative terms.
• The COVO study, which covered six industrial activities in the Rijnmond area and
which showed the viability of quantitative risk assessments for determining the extent
of hazards in activities with dangerous chemicals.

In these studies quantitative assessment of risks was found to be the most effective instrument
for dealing with the hazardous activities considered. In fact it made it possible to arrive at an
effective policy to control (major) hazards with these activities.

The LPG integral study led to a Memorandum that was accepted by the Parliament in
1984 and which laid down essentially three important elements for the Dutch external
safety policy:
• The use of quantitative risk assessment to determine risks.
• The adoption of two risk-determining measures:
  - individual risk: the chance of death per person per year at a location around the
hazardous activity
  - societal risk: the chances of death per year for groups of persons around the
hazardous activity
• Acceptability criteria for both the individual risk and the societal risk.

These developments have resulted in an external safety policy in the Netherlands, which
can be summarised briefly as follows:
In the external safety policy, hazardous activities are evaluated with respect to their
risks, both in terms of individual risk and societal risk. For an activity identified as
dangerous, these risks are compared with acceptability criteria. If risks are found to be
unacceptable, risk reducing measures or zoning (or both) are applied to bring the risk
to an acceptable level.

As a result of developments in recent years the status of the criteria for acceptability of
individual and societal risk has changed. There is mention only of one level of
acceptability¹, for both individual and societal risk, beyond which only the ALARA
principle² for taking appropriate measures at the source is used and external developments
are not acceptable; furthermore the formal status of the acceptability of societal risk levels
is considered differently from that of the individual risk.

In the Netherlands, since March 1993 most of the environmental protection legislation has been
either replaced by, or integrated in, a new law, the Environmental Protection Act. An
important principle of this new Act is that an establishment will obtain one single
Environment Protection Licence which covers all types of environmental protection (air,
water, soil, noise, risk, etc.; in the 'old' situation for each type of environment protection
a separate licence was required). A licence under the Environmental Protection Act also
covers measures to prevent major accidents. The Environmental Protection Act gives
general requirements for establishments, amongst which fall all the Seveso establishments,
that apply for a licence. For many of the establishments that come under the Seveso
criteria, an external safety report (EVR) is to be submitted together with the licence
application. This EVR, including a description of safety measures, forms an integral part
of the licence. The obligation to submit an external safety report is imposed by the Major
Hazards Decree (1988).

¹ Called the maximum allowable risk level (MTR) for individual or societal risk.
² As Low As Reasonably Achievable.

The relationships between legislation, external safety reporting and risk acceptability
criteria are presented schematically in Figure 1.

Figure 1  Schematic overview of the Dutch legislative system with respect to external safety
(legislation and formal regulations are printed in italic). The scheme has three columns:
• Risk acceptability criteria: External Safety Policy -> Manual on risk criteria -> Decision on risk reducing measures
• Legislative system: Environmental Protection Act -> Environmental Protection Act licence
• Risk information: Seveso directive -> Major Hazards Decree

A guidance manual on the practical application of risk acceptability criteria by the local
competent authorities (i.e. licensing authority, labour inspectorate and fire brigade) as
mentioned in this scheme is now available. It is intended that the criteria for individual
risk will be formalised by a pertinent Decree. Acceptability criteria for societal risk, which
will be regulated by the same decree, will have a somewhat different status in that
permitting authorities will be enabled to accept higher risk situations, provided that the
decision is properly motivated and a thorough balancing of interests has taken place.

In addition to the Major Hazards Decree standard generic regulations and guidelines serve
to impose requirements on safety management for hazardous activities:

1. Administrative Decrees, e.g. for LPG filling stations
2. General circulars, e.g. on pipeline transport
3. CPR guidelines on activities e.g. with dangerous bulk chemicals or pesticides

CPR guidelines are general guidelines on risk-reducing measures to be considered when
producing, storing, handling or loading/unloading dangerous chemicals like energy gases,
ammonia, chlorine, pesticides, etc. These guidelines are used to formulate and grant
licences for individual establishments. These licences are granted both by municipal and
provincial authorities, depending on criteria which are indirectly related to the 'size' and
location of the establishment.

3. QRA and the risk management approach

The risk management approach can be characterised by a management cycle which
comprises five steps:
a. Identification of risks.
b. Measurement of the identified risks.
c. Evaluation of risks on the basis of acceptability criteria.
d. Imposing risk reducing measures.
e. Maintaining the acceptable risk.

We shall briefly consider each of these steps.

a. Identification of risks.
Generally, risks are identified by the nature of chemicals that are being produced, handled,
stored or used: chemical installations producing dangerous chemicals in larger quantities,
storage of gases under pressure or otherwise in large quantities, storage of pesticides and
other chemicals in warehouses, tank storage, transhipment activities, transport by pipeline,
use of toxic gases in production or as a (cooling) medium, explosive materials, etcetera,
are well known. Within this broad range of hazardous activities, the industrial activities
which come under the Seveso directive criteria obviously get considerable attention. Apart
from that, general hazardous activities receive attention in the Dutch external safety policy:

• Most LPG activities (e.g. filling stations)
• Pipeline transport of natural gas
• Pipeline transport of flammable liquids
• Pipeline transport of other dangerous chemicals
• Storage of pesticides in warehouses
• Storage of chemicals in warehouses
• Use of ammonia in cooling installations
• Railroad yard activities involving dangerous chemicals
• Transport of dangerous chemicals by road or by railroad cars
• Transport of dangerous chemicals over inland waterways

The way to control the risk of these activities is dependent upon the type of risk involved,
though the criteria for acceptability are the same for all cases, with the exception of
pipelines, for which the societal risk criterion is not applied.

b. Measurement of the identified risks.

Quantitative risk assessment (QRA) is used in the Netherlands as a tool to 'measure' the
risks involved in a hazardous activity. The hazardous activity is analyzed with respect to
all the containment systems which hold - or can hold - dangerous chemicals. For each
containment system, the release of these chemicals is modelled and the risk contribution is
calculated.
The use of QRA is institutionalized in the Major Hazards Decree (BRZO), which
implements (part of) the Seveso Directive from the European Communities in the Dutch
legislative system. For activities identified as hazardous which would not come under the
Major Hazards Decree, QRA is used to calculate safety distances. A QRA of an
establishment results in two quantitative parameters: individual risk and societal risk. The
individual risk is dependent on the geographic position and is displayed in the form of iso-
risk contours on a geographic map of the site. The societal risk gives the relation with the
actual population around the establishment and is displayed in the form of an F-N graph,
where the frequency (per year) is plotted against the group size of people killed due to any
accident at the site. These are the two parameters for which the acceptability must be
evaluated.

c. Evaluation of risks on the basis of acceptability criteria.

Hazardous activities are evaluated with respect to their individual and societal risks on the basis of acceptability criteria (see figures 2 and 3). Till now, the applied criteria are not formalised in actual legislation. This has worked well to a certain extent, but the balancing of interests between industry and the community asks for a more formal regulation in the longer term. Since it was agreed between the Minister for Environment and the Parliament that risk acceptability criteria should preferably have a legal basis, legislation imposing risk acceptability criteria is under development.

d. Risk reducing measures.

If an activity is evaluated and it is concluded that the risks are not acceptable, risk reducing measures must be reviewed. The first question, of course, is whether there are possibilities for risk reduction. These possibilities must be determined by means of a study which quantifies the influence of possible risk reducing measures. Such studies must not only be differential in nature, but should also give the total risk for the whole of the activity in the situation that the most viable risk reducing measures have been applied. Applying the ALARA principle, a differential scheme of risk reducing power versus cost of conceivable measures can be helpful in selecting optimal risk reduction strategies. If it is decided between the authorities and the operator of the hazardous establishment that further risk reduction is not possible, safety zoning must be imposed by taking account of zones in official land use plans. This means restrictions to new housing construction plans and to existing housing in relevant safety zones.
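As an added illustration of the differential scheme described in this step (example code written for this page, not code from the paper or from any Dutch methodology): each candidate measure's risk reducing power is recomputed against the whole activity after every selection, the most cost-effective measure is taken first, and selection continues below the MTR only while the cost per unit of risk averted stays under an assumed ceiling. The scenario contributions, the measures, their costs and reduction factors, and the ceiling of 500 kEUR per 10⁻⁶/yr averted are constructed values; the MTR of 10⁻⁶ per year for new situations is the paper's criterion.

```python
"""Added example, not from the paper: selecting risk reducing measures by
their risk reducing power versus cost, the differential scheme that step d
describes for applying ALARA. The scenario contributions, measures, costs,
reduction factors and the ALARA cost ceiling are all constructed."""
from typing import Dict, List, Tuple

MTR_NEW = 1e-6  # per year; individual risk criterion for new situations (Table 1)

# Contribution (per year) of each release scenario to the individual risk
# at the nearest housing, before any measure is taken. Constructed values.
BASELINE: Dict[str, float] = {
    "pump seal leak": 8e-7,
    "hose rupture during unloading": 1.5e-6,
    "storage vessel rupture": 4e-7,
}

# name -> (cost in kEUR, {scenario: fraction of its frequency that remains}).
# Constructed; factors multiply when several measures act on one scenario.
MEASURES: Dict[str, Tuple[float, Dict[str, float]]] = {
    "double mechanical seals": (150.0, {"pump seal leak": 0.1}),
    "dry break couplings": (80.0, {"hose rupture during unloading": 0.2}),
    "excess flow valves": (200.0, {"hose rupture during unloading": 0.5,
                                   "storage vessel rupture": 0.9}),
    "reduced inventory": (600.0, {"storage vessel rupture": 0.5,
                                  "hose rupture during unloading": 0.8}),
}


def total_risk(selected: Tuple[str, ...], baseline=BASELINE, measures=MEASURES) -> float:
    """Total individual risk at the housing with the selected measures applied."""
    risk = 0.0
    for scenario, frequency in baseline.items():
        for name in selected:
            frequency *= measures[name][1].get(scenario, 1.0)
        risk += frequency
    return risk


def differential_effects(selected: Tuple[str, ...], baseline=BASELINE,
                         measures=MEASURES) -> Dict[str, float]:
    """Risk reduction each remaining measure would add on top of 'selected'.
    Recomputed after every choice, because measures acting on the same
    scenario partly cancel each other's benefit."""
    current = total_risk(selected, baseline, measures)
    return {name: current - total_risk(selected + (name,), baseline, measures)
            for name in measures if name not in selected}


def select_alara(mtr: float = MTR_NEW, cost_ceiling: float = 500.0,
                 baseline=BASELINE, measures=MEASURES) -> Tuple[List[str], float]:
    """Greedy ALARA selection: take the most cost-effective measure first.
    Once below the MTR, continue only while a measure costs no more than
    'cost_ceiling' kEUR per 1e-6/yr of risk averted (a constructed threshold
    standing in for the 'reasonably achievable' judgement)."""
    selected: Tuple[str, ...] = ()
    while True:
        effects = differential_effects(selected, baseline, measures)
        candidates = {n: r for n, r in effects.items() if r > 0}
        if not candidates:
            break
        best = min(candidates, key=lambda n: measures[n][0] / candidates[n])
        cost_per_unit = measures[best][0] / (candidates[best] / 1e-6)
        if total_risk(selected, baseline, measures) <= mtr and cost_per_unit > cost_ceiling:
            break  # criterion met and further reduction not reasonably achievable
        selected += (best,)
    return list(selected), total_risk(selected, baseline, measures)


if __name__ == "__main__":
    chosen, remaining = select_alara()
    print("baseline risk at housing:", total_risk(()))
    print("selected:", chosen, "remaining risk:", remaining)
```

Note how the marginal effect of the excess flow valves falls from 7.9×10⁻⁷ to 1.9×10⁻⁷ per year once the dry break couplings are in place: a study that quantifies each measure in isolation overstates their combined effect, which is why the text asks for the total risk of the whole activity with the selected measures applied, not only the differential figures.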

³ The regimes for these activities are summarized in Table 2.
e. Maintaining the acceptable risk.
The risk situation considered to be acceptable could change without being noticed if the operator of a site identified as hazardous would, e.g., change the way the plant is operated, or the inspection schemes, or the nature or quantities of the chemicals present at the site. This can be avoided by clear regulations and a good inspection scheme by the competent authorities. If there are important changes in the activities, the risk should be re-evaluated.

Figure 2. Individual iso-risk contours on a geographic map, indicating the risk situation at an industrial site (DSM, Geleen - 1989).
[Figure: Individual risk contours for DSM 1989]
4. Criteria for the acceptability of risk

The quantitative risks calculated in the external safety report are evaluated against risk acceptability criteria, for both the individual risk and the societal risk. The individual risk criterion protects individual persons against hazards and does not distinguish between the sizes of accidents that may occur. The societal risk criterion, on the other hand, protects groups of persons (society) against the occurrence in particular of major ('large scale') accidents. This latter criterion is based on the consideration that even when the individual risk criterion would be fully met, if a high population density is located close to the 'safety distance' which is to be kept to a hazardous activity, it is still possible that a major accident could result in a large number of victims. The probability of such accidents therefore also needs to be considered in order to decide about their acceptability.
The basis for the calculation of the individual risk and the societal risk is also somewhat different. The individual risk is calculated regardless of the existence of people and vulnerable objects around the hazardous site. Also, contrary to the societal risk, the chance of being killed in an accident at a certain location is calculated for a person present at that location without any form of protection.
This is different for societal risk: in the calculation of societal risk the actual average presence of persons is taken as the basis for the calculation, and a difference is made between persons inside a building or in the open air with respect to their vulnerability in the damage assessment.

In figure 3 and figure 4 the risk acceptability criteria are displayed. In the current external safety policy only the maximum acceptable risk (MTR) serves as a criterion. Beyond that risk level it is required to use an ALARA approach to minimise risks.
In figure 5 the policy for using acceptability criteria for individual risk and societal risk is summarised schematically for the situation of Seveso establishments.

Figure 3. Acceptability criteria for individual risk.
[Figure: individual risk scale with markers 'Above MTR for existing situations', 'Above MTR for new situations' and 'application of ALARA']

Figure 4. Acceptability criteria for societal risk.
[Figure: societal risk curve (F-N graph); if the curve lies in the marked area the risk is unacceptable; horizontal axis N: number of casualties]

Figure 5. Schematic overview of using risk acceptability criteria in the Dutch external safety policy.
Source oriented measures, i.e. risk reduction measures at the hazardous site, always have priority over effect oriented measures like zoning or keeping safety distances. Only in the case that this cannot bring the risk down to an acceptable level is land use planning considered. For non-Seveso establishments a similar consideration can be followed, be it that the formal structure is different in the sense that a specific risk analysis is not formally requested. In such cases, generalised risk studies can lead to either specific or generalised safety distances, on the basis of a specifically designed 'standard' set of safety provisions for the activity. The current system of risk acceptability criteria for new and existing hazardous establishments or housing developments is summarised in Table 1.

Table 1. Overview of the risk acceptability criteria system used in the Netherlands for new and existing hazardous establishments or housing developments. Risk parameter values are frequencies (per year) for lethality (individual risk) or cumulative accident probabilities (per year) for N (or more) casualties.

                          Acceptability criteria for     Acceptability criteria for
                          individual risk                societal risk
Current criteria system   10⁻⁵ for MTR existing          10⁻³/N² MTR for new and existing
                          10⁻⁶ for MTR new               plants, but permitting authorities
                          always ALARA applied           may accept a higher value
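The two QRA parameters of step b and their evaluation against the criteria of step c and Table 1, as an added example (code written for this page, not from the paper or from any Dutch calculation method): a simple radial release model gives the individual risk at a point and the radius of an iso-risk contour, the actual average population with the indoor/outdoor distinction gives the F-N curve, and both are checked against the Table 1 criteria (MTR of 10⁻⁵ per year for existing and 10⁻⁶ per year for new situations for individual risk, 10⁻³/N² per year for societal risk). The scenarios, lethal radii, indoor protection factor and population groups are constructed values.

```python
"""Added example, not from the paper: a toy quantitative risk assessment
(QRA) that derives the two parameters described in step b, individual
risk (IR) and societal risk as an F-N curve, from a constructed scenario
list, and evaluates them against the acceptability criteria of Table 1.

Criteria taken from the paper:
  individual risk : MTR 1e-5 per year (existing), 1e-6 per year (new)
  societal risk   : F(N) <= 1e-3 / N**2 per year for N or more casualties
The scenarios, effect distances, indoor protection factor and population
groups below are constructed for illustration only."""
from dataclasses import dataclass
from typing import List, Tuple

MTR_IR_EXISTING = 1e-5   # per year
MTR_IR_NEW = 1e-6        # per year
INDOOR_PROTECTION = 0.5  # constructed: fraction of indoor persons killed when hit


@dataclass(frozen=True)
class Scenario:
    name: str
    frequency: float      # per year
    lethal_radius: float  # metres; an unprotected person inside it is killed


@dataclass(frozen=True)
class PopulationGroup:
    distance: float  # metres from the release point
    persons: float   # average presence
    indoors: bool    # damage assessment treats indoor persons as less vulnerable


# Constructed sample data (not from the paper).
SCENARIOS = [
    Scenario("small leak", 1e-4, 50.0),
    Scenario("large release", 2e-6, 300.0),
    Scenario("catastrophic rupture", 3e-7, 800.0),
]
POPULATION = [
    PopulationGroup(200.0, 40.0, indoors=True),   # nearest houses
    PopulationGroup(400.0, 200.0, indoors=True),  # residential street
    PopulationGroup(700.0, 400.0, indoors=True),  # village centre
]


def individual_risk(distance: float, scenarios: List[Scenario]) -> float:
    """IR at a location: yearly frequency of being killed for a person present
    there permanently and without protection, regardless of whether anyone
    actually lives there (the paper's definition of individual risk)."""
    return sum(s.frequency for s in scenarios if distance <= s.lethal_radius)


def iso_risk_radius(level: float, scenarios: List[Scenario]) -> float:
    """Radius of the iso-risk contour for the given IR level in this radial
    model: the largest distance at which the IR still reaches the level."""
    cumulative = 0.0
    for s in sorted(scenarios, key=lambda s: s.lethal_radius, reverse=True):
        cumulative += s.frequency
        if cumulative >= level:
            return s.lethal_radius
    return 0.0


def casualties(scenario: Scenario, population: List[PopulationGroup]) -> int:
    """Casualties of one scenario, using the actual average presence and the
    indoor/outdoor distinction the paper describes for societal risk."""
    total = sum(g.persons * (INDOOR_PROTECTION if g.indoors else 1.0)
                for g in population if g.distance <= scenario.lethal_radius)
    return int(round(total))


def fn_curve(scenarios, population) -> List[Tuple[int, float]]:
    """Points (N, F): F is the cumulative frequency per year of accidents
    with N or more casualties, sorted by N."""
    events = [(casualties(s, population), s.frequency) for s in scenarios]
    sizes = sorted({n for n, _ in events if n >= 1})
    return [(n, sum(f for m, f in events if m >= n)) for n in sizes]


def societal_risk_limit(n: int) -> float:
    """MTR for societal risk from Table 1: 1e-3 / N**2 per year."""
    return 1e-3 / (n * n)


def evaluate(scenarios, population, housing_distance: float, new_situation: bool) -> dict:
    """Apply the acceptability criteria of step c to a QRA result."""
    ir = individual_risk(housing_distance, scenarios)
    ir_limit = MTR_IR_NEW if new_situation else MTR_IR_EXISTING
    curve = fn_curve(scenarios, population)
    exceedances = [(n, f) for n, f in curve if f > societal_risk_limit(n)]
    return {
        "individual_risk": ir,
        "ir_acceptable": ir <= ir_limit,
        "fn_curve": curve,
        "societal_exceedances": exceedances,
        "societal_acceptable": not exceedances,
    }


if __name__ == "__main__":
    print("10^-6 contour radius:", iso_risk_radius(MTR_IR_NEW, SCENARIOS), "m")
    for new in (True, False):
        result = evaluate(SCENARIOS, POPULATION, housing_distance=200.0, new_situation=new)
        print("new situation" if new else "existing situation", result)
```

In the sample data the houses at 200 m meet the existing-situation criterion but not the new-situation one, and the F-N curve stays under 10⁻³/N² at N = 20 yet crosses it at N = 320. That is precisely the case the societal risk criterion exists for: a site can satisfy the individual risk criterion at the nearest housing and still expose a large group to an unacceptable accident frequency.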

5. Current situation

Seveso establishments are of primary interest when applying the external safety policy. As stated, the Major Hazards Decree imposes the obligation to submit a quantitative risk assessment which indicates on a geographic map how risk contours are positioned around the establishment, and where housing and other objects to be protected are situated with respect to these risk contours. This directly allows the application of acceptability criteria for the individual risk.
If (further) risk reduction at the source, i.e. the establishment where the hazardous chemicals are stored, processed or handled, is not possible, the risk contours implicitly define safety zones around the establishment.

For a number of hazardous activities, specific legislation and specific guidelines have been adopted. In some of these cases, risk assessment forms the basis of the decision on acceptability of an activity in a specific situation. In other cases, in particular for most LPG activities and pipeline transport, this is achieved by using pre-calculated safety distances based on the same (maximum) risk acceptability criteria. In Table 2 an overview of safety distances and safety zones used in relation with various hazardous activities in the Netherlands is given.

For pipeline transport, safety distances are dependent upon pressure and pipeline diameter, in particular for K1 liquids. These distances are based on generalized model calculations for conceived accident scenarios and a maximum acceptable risk level of 10⁻⁶ per year. For LPG tank filling stations, safety distances are based on the same maximum acceptable risk level and on risk versus distance calculations performed within the LPG Integral project, of which the policy results were reported in the LPG Integral Memorandum. For pesticides storages and chemicals storages, the situation is slightly different. In a circular which defines, amongst others, siting aspects of the external safety policy, distances are based on the 10⁻⁷ rather than the 10⁻⁶ per year individual risk contour, calculated for modelled 'average storages'. If these distances to the nearest housing cannot be maintained, the company has the option to present a quantitative risk assessment for the specific situation which shows that the nearest housing is not within the 10⁻⁶ risk contour.

Table 2. Overview of safety zoning systems adopted in the Netherlands in relation with various hazardous activities.

Hazardous activity                    No housing within               Pertinent regulation
Seveso establishments                 10⁻⁶ IR contour                 Major Hazards Decree (BRZO)
High pressure natural gas pipelines   5 m; 20 m (16", 20 bar)         Circulaire on HPNG pipelines
Hydrocarbon pipelines                 5 m (K3); 16 m (K1, 12")        Circulaire on K1, K2, K3 liquids
  (K1, K2, K3 liquids)                                                pipelines
LPG tank filling stations             80 m (50 m³)                    LPG tank filling stations Decree
Railroad yards                        10⁻⁶ IR contour                 Circulaire on railroad yards
Pesticide storages (> 10 tonnes)      50 m (100 m²); 200 m (500 m²)   CPR 15-3 circulaire on pesticides storages
Chemicals storages (> 10 tonnes)      50 m (100 m²); 550 m (600 m²)   CPR 15-2 circulaire on pesticides storages

The current situation in the Netherlands can be briefly reviewed as follows:

• LPG activities are effectively regulated by several pertinent Decrees. A national enforcement action in 1991 has shown that the majority of LPG tank filling stations meet the legal requirements. A number of LPG tank filling stations (15%) was closed, partly in view of the problems to meet the legal requirements. With respect to a limited percentage of stations not meeting the requirements of the pertinent legislation, further action is taken.

• In the Netherlands currently 112 industrial establishments come under the criteria of the Seveso directive and thereby under the criteria of the Major Hazards Decree (as these criteria are identical). The criteria of the Seveso directive were modified by the EC in 1988 in view of the conclusion that the Sandoz accident of November 1986 could not have been prevented in an EC country by the implementation of Seveso directive 82/501. Most of these establishments have submitted external safety reports to the authorities. From 1990-1991 the Ministry of Environment has evaluated the quality of safety reports submitted to the authorities and has reviewed the risk situation in the Netherlands based on the risk indications from these safety reports. In Table 3 a summary of the risk situation is presented for 66 Seveso establishments.

Table 3. Summary of risk situation for 66 Seveso establishments in the Netherlands: number of sites involved in the indicated risk situation, as concluded from safety reporting in 1989 and applying current risk acceptability criteria.

Housing inside/outside          Societal risk    Societal risk    TOTAL
individual risk contour         acceptable       exceeds 'MTR'
Outside 10⁻⁶                    51               3                54
Inside 10⁻⁶                     6                2                8
Inside 10⁻⁵                     1                3                4
Total                           58               8                66

   From the evaluation executed by the Ministry of Environment, it was found that the majority of industrial sites do not pose considerable risks to the surrounding environment, due to their location in industrial zones at a distance from the nearest housing. A limited number of industrial sites exceed the maximum tolerable individual risk for new situations. A few sites exceed the maximum acceptable individual risk for existing situations. It should be emphasized that Table 3 is based on risk data from several years ago, and that the risk has been decreased in several of these cases, either by risk reduction at the source, e.g. by lower inventories of hazardous chemicals, or by safety zoning, or both.

• Risks associated with transport of dangerous chemicals by rail are considered within the external safety policy in co-operation between the Ministries of VROM (environment) and V&W (transport). A distinction is made between 'free track' risks and risks caused by marshalling yards. This latter aspect is of particular importance for the following reasons:
   - marshalling yards are very often located quite near train stations in cities, which are locations which 'attract' both housing and office buildings, because of efficient and environmentally preferable possibilities for passenger transport;
   - a number of marshalling yards deal with the temporary presence and shunting activities involving dangerous chemicals;
   - because of nearby housing and increased concentrations of persons in office buildings near to the marshalling yards, increased risk levels are effectively caused.
   For these reasons, railroad marshalling yards are treated as Seveso type establishments in the Netherlands, regardless of the question whether they would formally be qualified by the criteria of 82/501/EC. This means in practice that 80 possibly hazardous marshalling yards have been considered with respect to the quantities of dangerous chemicals that can be present at any time. It was found that about 20 marshalling yards could present risks that have to be considered further. For these identified sites, quantitative risk assessments have been performed and reported. It came out that 10 marshalling yards currently cause a societal risk that exceeds the level considered acceptable for industrial sites. Exceedance of the acceptability criteria for individual risk plays a much lesser role in these cases. The majority of the risks is caused by LPG and chlorine rail tank cars. The safety problems with marshalling yards are considered in a national project called PAGE, in a co-operation between the two aforementioned ministries and the national railway company (NS). This project is aimed at solving on a national scale the risk problems for the marshalling yards which cause high risk levels. The project has run since 1993 and will be finalised this year.

• Stevedoor establishments which meet the criteria given in the annexes of the Seveso directive are considered as relevant with respect to possible risks. They have to submit external safety reports to the authorities. A generalized methodology facilitating the quantitative assessment of risk has recently been developed for those sites, which are characterized by a rapidly changing variety of goods as well as chemicals, some of which are dangerous. In the Rijnmond area, 30 stevedoor establishments have been identified in addition to the very large establishments that had already previously been identified as meeting the Seveso criteria. A recent risk study for establishments of this type has indicated that neither individual risks nor societal risks for these establishments in the Rijnmond area are likely to exceed MTR levels, due to sufficiently large distances to populated areas.

• Ammonia refrigeration units are another class of possibly hazardous activities. For these activities, a specific CPR guideline is available as a basis for the safety aspects of licenses. This guideline is currently being improved in order to provide a better tool for managing the pertinent risks. In addition, it will be considered whether a system of safety distances can be introduced for these types of installations.

• The Minister of VROM considers the possibility of formal legislation for the risk acceptability criteria. Actual draft legislation is currently foreseen for 1995/1996. In support of this legislation an overview of the use of risk criteria in the Netherlands in comparison with other countries will be given, along with an overview of the actual risk situation in the Netherlands and an identification of the establishments which are likely to be affected by the legislation. Furthermore, a proposal for setting standard requirements for performing risk assessments, and for the institutionalisation of these requirements, will be made in support of the draft legislation.

• Our national airport, Schiphol (Amsterdam), has in the past few years been the object of extensive safety studies within the framework of plans to expand the airport. In 1993 a report on the external safety around Schiphol (related to civil airplane movements) was prepared by the RAND Corporation. On the basis of this report an action plan aimed at improving the safety around Schiphol was presented to the Parliament. In addition to this, in a study conducted by the NLR, safety zones have been determined to limit the risk for people living around Schiphol. Within the 10⁻⁵ risk zone new construction of housing as well as other dwellings is prohibited. Within the 5×10⁻⁵ risk zone, existing housing will even be 'closed down' in the longer term. Within the 10⁻⁶ contour area an overall risk policy is adopted, aimed at a stand-still in the development of the risk in the contour area. In an even larger area the construction of dwellings is restricted to a certain extent. This also involves a policy with respect to societal risk. As from 1999, the external safety situation around Schiphol airport will be re-evaluated every 5 years.

6. Future developments: the Seveso-II directive

The Seveso-II directive is a fundamental review of the current Seveso directive. The European Commission proposes a considerable revision. Under this revision, sharper definitions of the scope and requirements of the directive are foreseen. Apart from the revision of existing articles, new articles are added.

Like Seveso-I, the Seveso-II directive obliges operators of fixed hazardous establishments to supply the competent authorities with information on internal and external safety matters. Topics like process safety management systems, land use planning, safety measures, safety assessment studies, domino effects and disaster planning are important information requirements. Furthermore, the competent authorities have obligations towards the reviewing and handling of safety reports and in the physical inspection of hazardous installations.

In March this year the European Council approved the official translations of the texts of the Seveso Directive and has had them published in the EC publication paper. It is now up to the European Parliament to give its final comments (3 months). The Commission then has one month to work out the amendments of the Parliament. If all goes well, this year the Seveso-II directive will receive force of law. This implies that 24 months after the notification of the Council the directive has to be implemented in the national legislations of the EU member countries. The Dutch legislation therefore has to be ready by the end of 1998. The safety reports new style can then be expected two years later, i.e. by the end of the year 2000.

Important changes in the Seveso directive

A number of fundamental changes in Seveso-II as opposed to Seveso-I by themselves give enough ground to consider integration of policy. The most important changes can be found in the following articles:

article 2: clearer definition of installations falling under the requirements; selection based on classes of dangerous substances with two threshold values for the selection of establishments falling (only) under the 'light' (art 6/7) or (also) the 'heavy' (art 9) obligations; concentrated on classes of dangerous substances; furthermore restricted to only a few selected substances mentioned by name, and no distinction anymore between the minimum amounts for storage and process;

article 6: obligation for all selected establishments to provide written information on general accident prevention provisions;

article 7: requirement for operators of establishments to draw up a document stating their Major Accident Prevention Policy as it is enforced by their Management System. The MAPP must be reviewed periodically by senior management and must be available at all times for the competent authorities;

article 8: domino effects: requirement for the Competent Authorities to take the necessary steps for the exchange of information between operators of hazardous establishments with the potential of domino effects, and to cooperate in the preparation of Emergency Plans and the provision of information to the public; obligation for art 6 and art 9 establishments to take account as much as possible of domino effects due to neighbouring facilities in the MAPP, the Safety Management System, the safety reporting and the internal disaster planning;

article 9: safety report: clearer requirements for the operators to submit reports on the subject of the Major Accident Prevention Policy, risk assessment and internal and external emergency planning; requirement for the legislator (member countries) to develop harmonised criteria for the selection of relevant hazardous installations within one hazardous establishment;

article 12: siting and land use: requirement for the Competent Authorities to properly take account of hazards in siting and land use issues, like e.g. housing developments, use of ground and allocation of functions; the necessity has to be taken into account that in the long term sufficient distance between the art 6/9 establishments and vulnerable functions, like living and natural habitat, must be realised (it will be clear that due to the described existing situation in the Netherlands this new element can easily be facilitated in the current legal system in the Netherlands);

article 18: the obligation for local competent authorities to set up an inspection system or other coordinated control mechanism.

Footnote: Meanwhile, the risk assessments performed for Schiphol airport have attracted international attention, resulting in similar assessments for airports in other countries.

Implementation route
The implementation of the Seveso-II directive into Dutch legislation is done by the three departments involved. The Ministry of Housing, Spatial Planning and Environment (VROM) has a key role as coordinator. VROM is primarily responsible for legislation on external safety. The Ministry of Labour (SZW) is primarily responsible for the safety of workers in hazardous plants. The Ministry of Internal Affairs (BIZA) is primarily responsible for matters concerning emergency planning and the Fire Brigade.

The current Seveso-I directive implementation is based on the Major Hazards Decree (BRZO) of VROM and specific legislation of the other departments SZW and BIZA. At present it is the intention to implement all the new information requirements of Seveso-II in a new version of the Major Hazards Decree (BRZO-II) and to restrict information obligations to one notification/safety report. This integration thought comes from industry, which is at present confronted by often overlapping reporting obligations. These obligations originate from the Seveso-I implementation in the Netherlands. The BRZO obliges plant operators to submit an External Safety Report (EVR) for the local Permitting Authority, in order to perceive risks to nearby population and environment. The Labour Inspectorate requires a Labour Safety Report (AVR) to assess workers' safety. The regional Fire Brigade, at last, needs information from the plant operator on emergency and disaster planning issues.

It will be clear that integrated reporting on safety issues in one Safety Report, however advantageous to industry, also implies close(r) collaboration between local competent authorities. In this case it is intended that local permit authorities (municipal or provincial), also responsible for disaster planning and physical planning, perform a key role in receiving the Safety Report. The permit authority then coordinates further action with the regional Labour Inspectorate and the regional Fire Brigade.

The future BRZO-II will contain the formal requirements to plant operators for information notification on safety issues covering all the relevant articles of Seveso-II. To aid plant operators in producing the requested Safety Report (VR) and the local competent authorities in judging these reports, a project has been started to produce a guidance document for integrated safety reporting. The major effort will be the integration of the current requirements for EVR and AVR, also taking into account the new requirements of Seveso-II and new developments, like certification of environmental and safety management care systems.
A number of EC working groups, with representatives of competent authorities of the EC member states, have produced concrete guidance documents on different aspects of the directive. One of these guidance documents gives an extensive overview of descriptions of possible methodologies for safety assessment. The guidance documents, however, are not obligatory for member states in the implementation of the directive. Member countries can make their own choices for policy instrumentation.
Regarding the above, at present nothing definitive can be stated about the shape of the end product.

To aid the competent authorities, i.e. the permitting authority also responsible for land use and disaster planning, the labour inspectorate and the fire brigade, in performing their public administrative duties, a project will start next year producing an administrative guidance manual. In this project different organisational models of cooperation between the local competent institutions, regarding the tasks of BRZO-II, will be examined.

In policy developments currently under way, the expected revision of the Seveso directive is already being considered. Three studies have been conducted to determine the extent, as far as the number of plants involved is concerned, of the revision of the Seveso directive (Seveso-II):
1. An inventory of establishments which will come under article 9 of this directive.
2. An inventory of establishments which will come under articles 6 and 7 of this directive.
3. An indication of the risk situation existing around establishments coming under these articles.
These studies have led to the following indicative results for the Netherlands:

• The number of establishments that come under article 9 of the proposed revision of the Seveso directive is expected to be around DO, as compared with 112 that come under article 5 of the current directive.
• The number of establishments that come under articles 6 and 7 of the proposed revision of the Seveso directive is expected to be between 100 and 150.
• The individual risks expected for the establishments that come under articles 6 and 7 of the proposed revision of the Seveso directive may exceed the MTR in roughly an equal number of cases as for establishments under article 9. From a viewpoint of risk it is therefore relevant to consider these establishments under articles 6/7.

7. Concluding remarks

In the Netherlands the risk management approach provides an adequate tool to assess risk from major hazards sites in relation to their (populated) environment. The system uses the weighting of quantified risks to set acceptability criteria, allowing for the evaluation of the hazardous activity by considering risk reducing measures at the source and the application of zoning distances to vulnerable external objects.

With the Seveso-II directive new elements have to be implemented in national legislation, a.o. in the field of safety management of potentially hazardous establishments. For the Dutch administration this provides a welcome opportunity to increase effectiveness and efficiency of regulation by combining existing and new information requirements. The intention is to have operators of hazardous plants in future submit only one form of integrated safety reporting to the local competent authorities. At this moment the involved ministries of Housing, Spatial Planning and Environment, responsible for legislation on external safety, the Ministry of Labour, responsible for legislation on labour safety, and the Ministry of Internal Affairs, responsible for disaster and emergency planning, collaborate very closely in the implementation of Seveso-II, with the integration of policies playing an important role.

In one project, a guidance manual for setting up and reviewing of Seveso-II notification requirements into one safety report will be produced. Another project will produce a guidance manual for the required organisation of public administration.

Apart from the obvious obligations to implement articles of Seveso-II, at present it is too early to give definite information on where the present initiatives will lead us. The two projects mentioned will produce assessments of what will be possible.
Literature

1. Council Directive 82/501/EEC on the major-accident hazards of certain industrial activities. Commission of the European Communities.
2. Major Hazards Decree: Besluit Risico's Zware Ongevallen, Staatsblad 291 (1992).
3. "Methods for the calculation of physical effects", report CPR14E from the Committee for the Prevention of Disasters, 2nd Edition (1992), issued by the Ministry of Labour, The Hague.
4. "Methods for the determination of possible damage", report CPR16E from the Committee for the Prevention of Disasters, 1st Edition (1992), issued by the Ministry of Labour, The Hague.
5. Report on the COVO study to the Rijnmond Authority, Netherlands (Reidel publ. 1979).
6. LPG Integral, TNO 1983.
7. LPG Integral Memorandum, Netherlands, Staatsuitgeverij 1984.
8. B.J.M. Ale, Dealing with risk of fixed installations in the Netherlands, Cryogenics, 33 (8), pages 762-766 (1993).
9. C.J. van Kuijen, Pays-Bas, La quantification du risque, Preventique, 28, pages 23-29 (1992).
10. P.H. Bottelberghs, Evaluatie van de externe veiligheidsrapportage (1992), Ministerie van Volkshuisvesting, Ruimtelijke Ordening en Milieubeheer, rapport SVS l ~ 1 92/J.
11. P.H. Bottelberghs, "QRA in the Netherlands", IBC Safety Cases conference, London, February 23rd, 1995.
12. 'Gemeenschappelijk standpunt (EG) nr. 16/96', door de Raad vastgesteld, Publicatieblad van de Europese Gemeenschap, 19 maart 1996.
13. 'Handreiking Externe Veiligheid voor inrichtingen', Netherlands, VNG Uitgeverij 1986.
The study association "dispuut dQ"

The "dispuut dQ" is a study association, which aims for higher quality and skills of its members
of the department "Design and Construction", faculty of Mechanical Engineering at the
Eindhoven University of Technology.

General
The study association wants to achieve its goals through:
• Arranging contacts between industry and university.
• Promoting social contacts and relationships.
To achieve this the study association organizes study tours and business excursions to take a look at industrial practice. Future engineers can gain knowledge of management in the Netherlands and in foreign countries, which results in interesting comparisons. Besides this, the study association organizes symposia for students, university employees and industry. These contacts between the different groups can result in productive relations such as graduation assignments, product innovations etc.

Composition
The study association is formed by students and staff of those sections of the department that deal with research, design and reliability of equipment for heat and mass transfer processes. All student members are in the final stage of their studies.
The supporters of the study association "dispuut dQ" fall into the following groups:
• industry
• students graduating in the sections described above
• staff of those sections

Becoming a supporter
If you or your company are interested in the activities of the study association "dispuut dQ", you can become a supporter. Supportership offers a contact with Eindhoven University of Technology, and in particular with the sections named above, their students and their staff.
For more information:
Stichting "dispuut dQ"
Technische Universiteit Eindhoven, W-laag 1.19
Postbus 513
5600 MB Eindhoven
tel. +31 40 247 2110
fax +31 40 243 3445

"Reliability of Mechanical Equipment"
Faculty of Mechanical Engineering
Eindhoven University of Technology

The relatively young section 'Reliability of Mechanical Equipment' has been active since 1993 with the following mission:

Research on -and implementation of- methods and tools for reliability and safety
assessment and optimisation of industrial products and processes.

This mission is realised by assisting industry in the development of safe and reliable products and processes by means of:

• assisting companies in building an infrastructure that allows safety and reliability assessment;
• finding the root causes of actual failures in products and processes;
• developing methods and tools for reliability and safety assessment and optimisation;
• embedding the resulting methods and tools in industry by:
  • working together with industry in actual industrial projects;
  • giving courses and training.

The areas in which this research is performed can be split into two main fields:

• Reliability of high-volume consumer products ('cold reliability').
  The work in this area is directed at assisting industry in improving (mechanical) reliability, i.e. reducing production fall-off and field call-rate, especially for products produced in high volumes (consumer products).
• Reliability and safety in the (process) industry ('hot reliability').
  The work in this area is aimed mainly at providing tools and methodologies to evaluate the safety, availability and reliability of emergency shut-down systems as used in the (process) industry.

Recent developments in this last research area in particular were the main motive for our section's participation in organising this symposium.

Prof.Dr.Ir. A.C. Brombacher
Head of section 'Reliability of Mechanical Equipment'

Printing
"De Witte" Offsetdrukkerij B.V.
Eindhoven

Editing and design
R.P.A. den Boer
J.C. Barel
S.A.E. Ebben
