
2 Introduction to Safety Systems

Copyright © 2005 Yokogawa System Center Europe B.V.


Table of contents

2 Introduction to Safety Systems ............................ 1
2.1 Safety System introduction .............................. 3
2.2 Chapter objectives ...................................... 4
2.3 Safety Systems and their functions ...................... 5
2.3.1 Safety System Operation ............................... 6
2.3.2 Safety System Applications ............................ 7
2.3.3 System Differences .................................... 8
2.4 Safety standards ........................................ 9
2.5 Hazard analyses and Risk classification ................ 12
2.6 Safety System properties ............................... 15
2.6.1 Failures ............................................. 16
2.6.2 Systematic failures .................................. 17
2.6.3 Process safety time .................................. 18
2.6.4 Reliability .......................................... 19
2.7 Safety System architecture ............................. 20
2.7.1 Architecture ......................................... 21

2 RSWB rev 1.2


2.1 Safety System introduction
This section will introduce the student to the fundamental concepts and terms associated with Safety
Systems. Examples of how ProSafe-RS meets the requirements of Safety Systems will also be
provided.



2.2 Chapter objectives
After completing this section, the student should be able to:
o Demonstrate an understanding of the basic terminology associated with Safety Systems.
o Identify the components of a Safety Instrumented System.
o Explain the major differences between a Safety Instrumented System and a Basic Process
Control System.
o Demonstrate a basic understanding of the Safety Life Cycle.
o Describe the different integrity levels of Safety Systems.
o Demonstrate an understanding of how system architectures are determined.
o Explain how ProSafe-RS meets the requirements of a Safety Instrumented System.



2.3 Safety Systems and their functions
Basic Process Control System (BPCS) — A system that responds to input signals from the equipment
under control and/or from an operator and generates output signals, causing the equipment under
control to operate in the desired manner. Examples include temperature, pressure, level, and flow
control loops. Also referred to as Process Control System.

Safety Instrumented System (SIS) — A control system composed of sensors, logic solvers, and final
control elements designed to take a process to a safe state when predetermined conditions are violated.
Other terms commonly used include Emergency Shutdown System (ESD, ESS), Safety Shutdown
System (SSD), and Safety Interlock System.



2.3.1 Safety System Operation
Figure 2.3-1 illustrates the various process conditions and operating states.
o While the process is within the range of normal behavior, the Basic Process Control
System (BPCS) will meet all requirements to control the process.
o As the process becomes more unstable and approaches the high alarm level, the BPCS
may or may not be able to regain control of the process value in time to prevent an unsafe
condition. It is expected that the operator takes action to control the process.
o If the process value continues in an unsafe direction, the trip level is reached. The SIS
executes an emergency shutdown action, preventing the process from exceeding safe
levels.

Figure 2.3-1 Safety Instrumented System Intervention (process value plotted against time).
From bottom to top the figure marks: Low level; High level (Normal Condition); High alarm
level (Alarm Condition, operator takes action); Trip level (Unsafe Condition, ESD action);
Mechanical safety level ("Boom?").
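The intervention sequence of Figure 2.3-1 as an added simulation (not part of the original training material): a BPCS proportional loop, a high alarm at which the operator is expected to act, and an SIS trip that latches at the trip level and acts regardless of the BPCS state. All thresholds, the process model, the setpoint and the disturbance are constructed values.

```python
# Added simulation of the protection layers in Figure 2.3-1. All thresholds,
# the process model, the setpoint and the disturbance are constructed values.

HIGH_LEVEL = 80.0                # upper edge of the normal condition
HIGH_ALARM = 85.0                # operator is expected to act
TRIP_LEVEL = 90.0                # SIS executes the ESD action
MECHANICAL_SAFETY_LEVEL = 100.0  # relief device / vessel limit ("Boom?")


def bpcs_step(pv, setpoint=50.0, gain=0.3, healthy=True):
    """BPCS: a proportional controller pulling the process value (pv) back
    to the setpoint. With healthy=False the loop has lost control (for
    example a stuck control valve) and contributes no correction."""
    if not healthy:
        return 0.0
    return gain * (setpoint - pv)


def sis_trip(pv, tripped):
    """SIF logic: latch a trip once the trip level is reached. The SIS acts
    on the measured value only; it does not depend on the BPCS state."""
    return tripped or pv >= TRIP_LEVEL


def run(disturbance, bpcs_healthy, steps=40):
    """Run `steps` scan cycles under a constant upward disturbance and report
    when the alarm and the trip occurred and the highest value reached."""
    pv, tripped, alarm_at, trip_at = 50.0, False, None, None
    history = []
    for t in range(steps):
        if tripped:
            pv = max(0.0, pv - 5.0)   # ESD action drives the process down
        else:
            pv += disturbance + bpcs_step(pv, healthy=bpcs_healthy)
        if alarm_at is None and pv >= HIGH_ALARM:
            alarm_at = t
        newly_tripped = sis_trip(pv, tripped) and not tripped
        tripped = tripped or newly_tripped
        if newly_tripped:
            trip_at = t
        history.append(pv)
    return {"alarm_at": alarm_at, "trip_at": trip_at, "peak": max(history),
            "history": history}


if __name__ == "__main__":
    print("BPCS healthy:", run(2.0, True))
    print("BPCS failed :", run(2.0, False))
```

With the BPCS healthy the value settles below the high level and no layer beyond the BPCS is needed; with the BPCS failed the alarm is raised first, the SIS trips at the trip level and the value never reaches the mechanical safety level.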



2.3.2 Safety System Applications
Variations in processes and process risks have led to many different applications. Some of these
applications are:
o Shutdown systems designed to provide immediate, predictable shutdown of a process.
o Burner Management systems designed to provide safe operation interlocking prior to
and during operation of natural gas and oil fired burners, in addition to shutdown features.
o Fire or Gas detection systems.



2.3.3 System Differences
Fundamental physical and operational differences exist between a BPCS and a SIS.

Degree of Flexibility
  Control Systems: High flexibility needed to develop and maintain (complex) control and
  automation applications. Improvements or changes in the configuration software are mainly
  implemented on-line.
  Safety Instrumented Systems: Fixed functionality, carefully minimized during design. Rigid
  procedures to make any change.

Failure Mode Prediction
  Control Systems: No guarantee on state of outputs during failure of control system, most likely
  outputs on hold.
  Safety Instrumented Systems: Predictable state of output on any revealed single functional
  failure in the system. Fail safe design.

Repair and Maintenance Strategies
  Control Systems: Allow for a wide variety of on-line repair / modifications. Accepted risk of
  plant disturbance in order to avoid a maintenance shut-down of the plant.
  Safety Instrumented Systems: Limited possibilities to repair the hardware while the plant is
  running. No modification of safeguarding functionality in a running plant.

Test strategy
  Control Systems: No need to test control system regularly except for some back-up / redundant
  parts.
  Safety Instrumented Systems: Explicit procedure and strategy to test for undetected failures of
  instrumented protective functions. Automatic testing.



2.4 Safety standards
IEC 61508 – Functional safety for E/E/PES

IEC 61511 – Functional safety for the process industry

Safety Life Cycle — A sequential process used to evaluate the risks associated with a process,
determine the target risk reduction, define SIS design, commissioning, operation and maintenance.

Standards

The two most important standards for functional safety are IEC 61508 and IEC 61511. The
first one is mostly used to design and manufacture safety systems like PLCs and safety instruments.
IEC 61511 is normally used during the design, startup and operation of a complete plant.

The standards specify all kinds of requirements for the complete life cycle of the plant, from cradle to
grave. They start with the hazard analysis, risk analysis and definition of safety functions, then the
design and testing of the safety system, requirements for operation and maintenance, and finally they
describe how to demolish the (part of the) plant.

The standards also have requirements on the management of functional safety, on verification,
validation and assessments.



The safety life cycle

The standards focus on the management of all activities that are needed to specify, design and
maintain a process that has an acceptably low risk for people, environment and assets. Therefore
they define a safety life cycle model. In this life cycle all activities that must be performed are
described. In the figure below the Safety Life Cycle is shown.

Figure: Safety Life Cycle (IEC 61511). Phases shown, in order: Hazard and risk assessment;
Allocation of safety functions to protection layers; Safety requirement specification; Design and
engineering of the SIS (alongside implementation of other means of risk reduction); Installation,
commissioning and validation; Operation and maintenance; Modification; Decommissioning.
Management of functional safety and Verification, Validation and Assessments run alongside all
phases.



The life cycle is broadly split into the following phases:
· Hazard analysis and Risk allocation
In this phase the risk of the process (without any protective measures) is investigated based on
the first global design of the plant. Then risk reduction measures are proposed and a
specification for the safety functions is prepared.
· Design, engineering and test of the SIS
In this phase the safety system is designed, built and tested.
· Installation and startup
In this phase the SIS is installed, the complete installation is tested and the process is started
up.
· Operation, maintenance and modification
Now the installation is running. Maintenance has to be performed, and modifications are
unavoidable.



2.5 Hazard analyses and Risk classification
Process Risk — Potential for losses to equipment or production, personnel endangerment,
environmental impact, or any other dangers directly associated with the process.

Acceptable Risk — Level of risk considered to be low enough for the process in question. This level
may be set by the company, regulatory agencies, insurance companies, or any combination thereof.

Safety Instrumented Function (SIF) – a safety function implemented on a SIS.

Safety Integrity Level (SIL) — One of four distinct levels of a safety function related to the overall
safety integrity. The higher the SIL requirement for protection, the higher the risk reduction is, and the
lower the PFD (Probability of Failure on Demand).

At the beginning of the lifecycle, a close look at the true process characteristics is taken. This is
called the hazard analysis. The (preliminary) process design is evaluated and all possible risks are
identified.
Evaluating the inherent dangers associated with a particular process is the responsibility of the
manufacturer/end user. This hazard analysis is mandated by various agencies, such as the
Occupational Safety and Health Administration (OSHA), the National Fire Protection Agency
(NFPA), the Environmental Protection Agency (EPA), and industrial insurance companies. This is the
first in a series of steps known as the Safety Life Cycle.

The second step is to quantify the risks and to determine the needed risk reduction. There are several
methods to do so. As an example, the method using a risk matrix is given below.

Up to this point, all physical efforts to reduce the process risks should have been considered. These efforts
include process design modifications, redundant process equipment, or the installation of safety
devices such as relief valves. The SIS is then responsible for reducing the remaining process risk to
the acceptable level.



Risk always has two measurable factors:
o The frequency of occurrence of the hazard. See Table 2-1.
o The severity of the consequences. See Table 2-2.

Table 2-1 Qualitative Analysis: Frequency

Level  Descriptive word  Frequency of occurrence
3      Frequent          Likely to occur frequently (once per year)
2      Occasional        Likely to occur sometime in the life of the item (once per 10 years)
1      Improbable        So unlikely it can be assumed to never occur (once per 100 years)
Table 2-2 Qualitative Analysis: Severity (potential consequences)

Level  Descriptive word  Personnel            Environmental                             Production or equipment
5      Catastrophic      Death                Detrimental offsite release               Loss > $1.5M
4      Severe            Lost Time Accident   Non-detrimental offsite release           Loss between $500K and $1.5M
3      Serious           Medical Treatment    Onsite release not immediately contained  Loss between $100K and $500K
2      Minor             First Aid Treatment  Onsite release immediately contained      Loss between $2,500 and $100K
1      Negligible        No Injuries          No release                                Loss < $2,500



In a meeting, the expected frequency and the resulting consequences are determined for each
identified hazard.

Finally the target integrity level of each SIF is defined as the Safety Integrity Level (SIL). The range
is 1 (minimum) to 4 (high). The target SIL is determined by the matrix below. See Table 2-3. When
the expected frequency of the hazard increases, the target SIL will increase. Similarly, as the
consequence increases, the target SIL increases as well.

Table 2-3 SIL matrix (rows: consequence; columns: frequency)

Consequence    Frequent  Occasional  Improbable
Catastrophic   4         3           3
Severe         3         2           2
Serious        2         2           1
Minor          1         1           -
Negligible     1         -           -

Legend: - = no safety function needed; 1 = SIL1; 2 = SIL2; 3 = SIL3; 4 = SIL4

The target SILs for each safety function, together with all other safety requirements are documented
in the so-called Safety Requirement Specification (SRS).
The complete Safety Requirement Specification (SRS) is normally composed of several documents
like:
o SIL classification report from the HAZOP, describing all SIFs and their target SIL.
o C&E diagrams or Logic diagrams, describing the functionality of the SIS.
o I/O lists defining all inputs and outputs to/from the SIS.
o Safety narratives, safety philosophy, MOS requirements, etc.

The SRS is the base of the engineering of the safety system.



2.6 Safety System properties
Reliability — The ability of a system to perform a defined function under stated conditions
for a given period of time.

Process Safety Time — The maximum period of time in which the process will move from a safe
operating condition to a dangerous condition. This is a characteristic of the process.



2.6.1 Failures
Failures can be divided into
o Hardware failures
o Systematic failures

Hardware failures are caused by malfunctioning of a hardware component. They are repaired by
replacing the faulty module. Hardware failures are often caused by a stressor.

Industrial stresses originate in many different areas. These stresses all have the potential to cause SIS
failure. Examples of stresses are listed below.

o Heat - specifically, high temperature in the proximity of the SIS can accelerate electronic
component failure rates. Typically, the failure rate doubles for every 18 deg F rise in
temperature.

o Chemical Corrosion - chemical fumes associated with the process can dramatically increase
electronic component failure rates.

o Humidity - elevated levels of humidity will accelerate corrosion.

o Vibration - mechanical shock or vibration can loosen SIS modules from their mounting,
thereby preventing the module from performing its function properly.

o Electro-static Discharge (ESD) - static electricity voltages, which can be as high as several
thousand volts, can easily damage components designed to operate at voltage levels as low as
3.3 volts.

o Operational and Maintenance Errors - the human error factor. Examples include placing the
incorrect module in a slot within the system or applying an improper voltage level to an I/O
module.



2.6.2 Systematic failures
Systematic failures are related to errors in the software, design omissions etc. They cannot be repaired
by replacement, but only by redesign or re-programming.

Methods to minimize the amount of systematic failures are: design reviews, testing, education of
engineers, functional safety management.



2.6.3 Process safety time
Process safety time is the maximum time between a demand and the necessary shutdown action, e.g.
from the moment a high pressure is detected to the moment that the fuel valve is completely closed. It
is a property of the process, and must be defined by the end-user.
For the engineer it is an important figure, because the reaction time of the safety function (including
sensor delay, 2 x logic solver scan time, valve travel time and other delays) must be within the process
safety time.
The engineer has to check this during the design of the SIS.



2.6.4 Reliability
Reliability must be split into 2 properties:

Safety integrity: the chance that the safety system will act when it is necessary.
Safety integrity is specified as a SIL.

Availability: whether the system is available to do its job. Availability is calculated from the False Trip
Rate or Mean Time Between Failure. When the repair time (Mean Time To
Repair) is known, the availability can be calculated as a percentage.



2.7 Safety System architecture
Redundancy — The use of multiple components or modules to achieve a higher integrity or a higher
availability of the system.

Diverse Redundancy — The use of different technology or design of components to reduce the
likelihood of a common cause failure. An example would be using two different methods of
measuring the same process value and comparing the results.

Voting System — The property in a redundant system which requires x out of y channels to be in
agreement prior to the SIS taking action. When the validity of the input signals is verified and the
operation of the output circuitry is supervised, the system is referred to as having diagnostic capability.

Fault Detection — The ability of a system to detect (internal) faults and to execute a safety action to
protect the process. Factors influencing fault detection include hardware diagnostics, software routines
etc.

Fault Tolerance — The built-in ability of a system to provide continued correct execution of its
assigned function in the presence of a limited number of hardware and software faults.



2.7.1 Architecture
The simplest architecture of a safety function is shown in figure 2-3: 1 out of 1, or 1oo1. The
input is sensed by a single input circuit, evaluated by a single processor, and the output is placed
into the desired state. There is no real way of determining the validity of the input signal, nor is there
a means to verify proper operation of the logic solver or the output function.

FIGURE 1oo1 Architecture

The use of redundancy and voting is most common in SIS applications. A voting system accomplishes
a much higher overall system integrity or system availability.

The ProSafe-RS is designed with an internal architecture of 1 out of 2 with diagnostics (1oo2D). See
figure 2-4. Note that this figure shows a single processor module. The achieved SIL capability is
SIL3. That means that the single module can be used in SIL1, 2 and 3 rated safety functions.



FIGURE 1oo2D Architecture: one CPU module containing two parallel lanes, each consisting of
input, microprocessor, memory and output, supervised by a common diagnostics block.

If an undetected failure occurs in one of the system's parts (input/processor/memory/output), the
redundant part will still work and will be able to shut down the process in case of a demand. Should
on-line diagnostics detect a failure in one of the system parts, it will automatically shut down the
complete module. This will force the process to go to the safe state.

Availability

To increase the availability of the system redundancy can be applied on module level. See figure 2-5
below. As this redundancy is on module level, the system can tolerate 1 or more failures without the
need to shutdown.



FIGURE 2-5 High availability: two CPU modules (each MPU and memory), each with its own
redundant Input (circuit, MPU) and Output (circuit, MPU) lanes. The figure marks failures (×) in
several parts to illustrate that the system tolerates them.

With ProSafe-RS we use the term "PAIR & SPARE". PAIR indicates the redundant internals of the
single module, and SPARE indicates the second module used when high availability is required.
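The 1oo2D module behaviour and the PAIR & SPARE arrangement described above, as an added Python model (not Yokogawa's code or documentation; the class names and the fault model are constructed): a detected fault forces a single module to the safe state, an undetected fault in one lane leaves the other lane able to trip on demand, and a spare module keeps the plant running after a detected fault in the active module.

```python
# Added model of 1oo2D voting with diagnostics and module-level PAIR & SPARE
# redundancy. Constructed fault model; not the vendor's implementation.
from dataclasses import dataclass, field

SAFE, RUN = "safe", "run"   # state of the final element


@dataclass
class Channel:
    """One internal lane (input circuit, processor, memory, output). A fault
    is either revealed by diagnostics (detected=True) or dormant."""
    faulty: bool = False
    detected: bool = False

    def trip_request(self, demand: bool) -> bool:
        """A healthy lane trips on demand. A faulty lane is modelled
        pessimistically: it never requests a trip (dangerous failure)."""
        return demand and not self.faulty


@dataclass
class Module1oo2D:
    """PAIR: two lanes plus diagnostics. Output is 1oo2: either lane can
    de-energise it. Any detected fault forces the whole module to the safe
    state, so a revealed single failure is always fail-safe."""
    a: Channel = field(default_factory=Channel)
    b: Channel = field(default_factory=Channel)

    def diagnostics_ok(self) -> bool:
        return not (self.a.detected or self.b.detected)

    def output(self, demand: bool) -> str:
        if not self.diagnostics_ok():
            return SAFE   # revealed fault: module shuts itself down
        if self.a.trip_request(demand) or self.b.trip_request(demand):
            return SAFE   # one out of two lanes requesting a trip suffices
        return RUN


@dataclass
class PairAndSpare:
    """SPARE: a second 1oo2D module. When the active module takes itself out
    on a detected fault, the spare continues, so the plant is not tripped.
    The safety action on a real demand is unchanged."""
    primary: Module1oo2D
    spare: Module1oo2D

    def output(self, demand: bool) -> str:
        active = self.primary if self.primary.diagnostics_ok() else self.spare
        if not active.diagnostics_ok():
            return SAFE   # both modules have revealed faults: fail safe
        return active.output(demand)
```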


