Protect your assets

October 24th, 2013, Published in Articles: EngineerIT

Make sure you understand the do’s and don’ts of process safety, including safety instrumented systems, PLC redundancy, fieldbus technology, field devices, standards and employee skills.

Changes in technology have led to a variety of recent developments in process safety, with many suppliers releasing new systems that depart from the past significantly. These do’s and don’ts can help you choose the right safety-instrumented system for your process.

Do take advantage of scalable systems

The first popular safety programmable logic controllers (PLCs), introduced in the mid-1980s, were triplicated. These systems naturally cost more than nonredundant general-purpose PLCs, and multiple distributed systems scattered around a facility were often considered too expensive.

The most economical implementation of such systems often was one large centralised system. One large 1000 I/O system was less expensive than ten smaller 100 I/O systems.

However, not all applications need 1000+ I/O. That’s why some vendors have developed safety PLCs ideally suited for small I/O applications. Still, using one system for small applications and a different system for large ones in the same facility is hardly an ideal solution.

A number of suppliers recently launched systems that can scale from small and stand-alone to large and distributed, all using the same hardware platform.

Don’t settle for a single level of redundancy

Like the early Ford Model Ts that came in any colour you wanted, as long as it was black, you could get an early safety controller system in any configuration you wanted, as long as it was triplicated.

This level of redundancy ensures that the system is fault-tolerant and can survive one or more possible failures. But not all parts of a process safety system require triple redundancy. Depending on the level of safety risk, some applications require only dual redundancy.

Three vendors have released safety PLCs that can be configured single, dual, or triple (one even offers quad). In one system, some modules can be single, others dual and others triplicated. Flexible redundancy within one system allows the system to more closely match your safety and reliability requirements for each loop, in a cost-effective manner.

Don’t assume two vendors are better than one

The traditional approach for control and safety systems has been to buy two separate platforms from two separate vendors. The trend now is to have one supplier for both systems. That’s because the control and safety systems often look very similar (although they’re not interchangeable, and the safety system must remain functionally independent of the control system), and usually are programmed using the same software. This means users only have to attend one training course, and communication between the two systems is straightforward.

Technology for safety

Fieldbuses, digital networks for process instrumentation, allow multiple field devices to be connected on a single pair of wires. Features and benefits include reduced wiring, higher levels of internal diagnostics and lower costs.

Fieldbuses have been available for general process control applications for a number of years, but many have questioned their use in safety. The concern is that a digital message could be corrupted, or that the configuration and functionality could be changed by an unauthorised party. Safety standards state that buses are acceptable only if they meet the integrity-level requirements. No buses could meet such requirements in the past, but this is changing.

The Fieldbus Foundation has been working on Foundation Fieldbus for safety (Foundation Fieldbus SIF) for several years with a consortium of users, safety PLC and field-device manufacturers. Early field-device products were demonstrated in the summer of 2008, and final products (both field devices and logic solvers) are nearing release.

The primary benefit touted by safety fieldbus manufacturers is diagnostics: being able to better and earlier predict problems before they impact the process, and even lead to a shutdown.

But how can a sensor communicate extensive diagnostic information over a standard 4–20 mA signal? One such method is HART (highway addressable remote transducer), which superimposes additional digital information, such as device diagnostics, on the standard 4–20 mA signal. HART devices have been available for decades, but only recently have some safety PLCs been able to incorporate HART information directly.

Do use safety-certified field devices

A controller may be certified for use in SIL 3 applications, but that doesn’t mean the system will perform at an SIL 3 level. Like a chain, the system is only as strong as its weakest link. In most integrated safety systems, the weak links have been field devices.

That’s because of their lack of redundancy. One-out-of-two (1oo2) or two-out-of-three (2oo3) sensor configurations and one-out-of-two final element configurations are generally required for SIL 2. The total installed cost of a sensor has been reported as high as $10 000. Redundant final elements are even more expensive. This means implementing SIL 2 loops can be pricey.

However, redundancy isn’t always the magic answer for safety. Diagnostics also are an important factor. Dozens of new safety-certified field devices are available with much higher levels of internal diagnostics than devices of the past. Single devices with high levels of diagnostics usually offer similar safety performance to redundant standard devices, at much lower costs.
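The following Python example is added here to put numbers on the two points above (a loop is only as strong as its weakest link, and diagnostics can substitute for redundancy); it is not part of the original article and not a Rockwell Automation calculation. It uses the simplified low-demand PFDavg formulas from IEC 61508-6 with repair time neglected, and every failure rate, diagnostic coverage figure, logic-solver PFD and common-cause factor in it is a constructed, hypothetical value rather than data for any real device.

```python
"""Added example: simplified SIL verification of a safety instrumented function.

Not the article's own calculation. Uses the IEC 61508-6 low-demand simplified
PFDavg formulas with repair time neglected; all device figures below are
constructed for illustration, not taken from any real device's FMEDA data.
"""

HOURS_PER_YEAR = 8760.0

# IEC 61508 low-demand mode: PFDavg band [low, high) for each SIL.
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


def sil_for_pfd(pfd: float) -> int:
    """SIL achieved by a PFDavg; 0 means worse than SIL 1."""
    for sil, (low, high) in SIL_BANDS.items():
        if low <= pfd < high:
            return sil
    return 4 if pfd < 1e-5 else 0


def pfd_avg(arch: str, lambda_d: float, dc: float,
            ti_hours: float = HOURS_PER_YEAR, beta: float = 0.1) -> float:
    """Average probability of failure on demand of one voted subsystem.

    arch      -- voting architecture: "1oo1", "1oo2" or "2oo3"
    lambda_d  -- dangerous failure rate (per hour)
    dc        -- diagnostic coverage: fraction of dangerous failures the
                 device detects itself (and so gets repaired promptly)
    ti_hours  -- proof-test interval (hours)
    beta      -- common-cause factor for redundant channels (assumed 10%)

    Only dangerous *undetected* failures accumulate between proof tests,
    which is why raising DC lowers PFD much as adding redundancy does.
    """
    lambda_du = lambda_d * (1.0 - dc)
    x = lambda_du * ti_hours          # expected undetected failures per interval
    if arch == "1oo1":
        return x / 2.0
    if arch == "1oo2":
        return x ** 2 / 3.0 + beta * x / 2.0   # independent + common-cause terms
    if arch == "2oo3":
        return x ** 2 + beta * x / 2.0
    raise ValueError(f"unknown voting architecture {arch!r}")


def loop_pfd(sensor: float, logic_solver: float, final_element: float) -> float:
    """PFDavg of the whole loop: to first order the subsystem PFDs add."""
    return sensor + logic_solver + final_element


def verify_loop(sensor: float, logic_solver: float, final_element: float) -> tuple[float, int]:
    """Return (loop PFDavg, SIL achieved)."""
    pfd = loop_pfd(sensor, logic_solver, final_element)
    return pfd, sil_for_pfd(pfd)


# Constructed figures for hypothetical devices (not real FMEDA data).
STD_TX = dict(lambda_d=5e-6, dc=0.30)    # ordinary transmitter, modest self-diagnostics
CERT_TX = dict(lambda_d=5e-6, dc=0.95)   # safety-certified transmitter, extensive diagnostics
VALVE = dict(lambda_d=3e-6, dc=0.0)      # shutdown valve, no online diagnostics
LOGIC_SOLVER_PFD = 5e-5                  # assumed figure for a certified SIL 3 logic solver


def weak_link_comparison() -> dict[str, tuple[float, int]]:
    """Two loops built around the same SIL 3 logic solver but different field devices."""
    return {
        "single standard devices": verify_loop(
            pfd_avg("1oo1", **STD_TX), LOGIC_SOLVER_PFD, pfd_avg("1oo1", **VALVE)),
        "certified sensor + 1oo2 valves": verify_loop(
            pfd_avg("1oo1", **CERT_TX), LOGIC_SOLVER_PFD, pfd_avg("1oo2", **VALVE)),
    }


if __name__ == "__main__":
    for arch in ("1oo1", "1oo2", "2oo3"):
        p = pfd_avg(arch, **STD_TX)
        print(f"standard sensors {arch}: PFDavg={p:.2e} -> SIL {sil_for_pfd(p)}")
    p = pfd_avg("1oo1", **CERT_TX)
    print(f"certified sensor 1oo1: PFDavg={p:.2e} -> SIL {sil_for_pfd(p)}")
    for name, (pfd, sil) in weak_link_comparison().items():
        print(f"loop with {name}: PFDavg={pfd:.2e} -> SIL {sil}")
```

With these constructed figures the single standard sensor lands in SIL 1, the 1oo2 and 2oo3 arrangements of it reach SIL 2, and a single certified sensor with 95% diagnostic coverage also reaches SIL 2 with a slightly lower PFD than the 1oo2 pair. The loop with the SIL 3 logic solver and single standard field devices is only SIL 1, which is the weak-link effect. A real verification must also satisfy the standard's architectural constraints (hardware fault tolerance and safe failure fraction) and use the manufacturer's FMEDA data and the real proof-test interval; the formulas here omit the detected-failure and repair-time terms.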

Don’t overlook the need for employee certification

While it helps, a certified safety system doesn’t automatically make a facility safe. Unfortunately, many systems don’t work effectively because they were incorrectly specified, designed, installed, operated or maintained.

A competent workforce is an essential defence against risk. However, achieving a high level of competency is easier said than done. After all, how do we know that all employees involved have the knowledge and skills they need? Thankfully, various organisations offer certification and certificate programs to help ensure employees understand what’s necessary to keep a plant operating as safely as possible. Programs such as the certified functional safety expert (CFSE) certification, and organisations such as ISA (International Society of Automation) and TÜV (both Rheinland and SÜD), offer a variety of options. Even if you think all your employees are competent, the best way to be certain is through certification. Even one uncertified employee represents a potential safety hazard.

Do stay up to date on standards for fire and gas systems

Current safety standards covering fire and gas systems are prescriptive and focus on commercial applications, such as buildings. Many in the process industry believe similar standards are needed for industrial applications.

Unlike safety instrumented system hardware, however, claiming an integrity level for fire and gas hardware alone doesn’t allow users to determine whether the overall system will meet the desired level of fire and gas risk reduction.

Despite these factors, it’s possible to apply performance-based concepts to fire and gas systems. It’s also possible to assign risk-reduction targets for fire and gas systems, and apply quantitative techniques in system verification.

The ISA 84 committee published a technical report in 2010 on ways to account for detector coverage, mitigation effectiveness and other factors, thus allowing a quantitative, performance-based approach to fire-and-gas system design. Once the detector coverage and mitigation effectiveness limitations are better understood and addressed, focusing on the SIL rating of the hardware will be more meaningful.
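As an added illustration of why hardware SIL alone says little about a fire and gas system (not from the article, and not the technical report's own method, which is more detailed), the Python below uses a simplified model in which the fraction of hazardous events actually mitigated is the product of detector coverage, the safety availability of the hardware and the mitigation effectiveness. The coverage, effectiveness and logic-solver PFD figures are constructed values.

```python
"""Added example: effective risk reduction of a fire-and-gas function.

Simplified model (an assumption made for this illustration): the fraction of
events a fire-and-gas function mitigates is detector coverage x hardware
safety availability x mitigation effectiveness. The hardware SIL only sets
the middle factor; the other two are set by detector layout and by what the
mitigation (deluge, isolation, ventilation) actually achieves.
"""


def mitigated_fraction(coverage: float, hardware_pfd: float, effectiveness: float) -> float:
    """Fraction of events the function both detects and successfully mitigates."""
    for name, value in (("coverage", coverage), ("effectiveness", effectiveness)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} must be a fraction between 0 and 1")
    availability = 1.0 - hardware_pfd     # probability the hardware acts on demand
    return coverage * availability * effectiveness


def effective_rrf(coverage: float, hardware_pfd: float, effectiveness: float) -> float:
    """Risk reduction factor actually delivered: 1 / (fraction left unmitigated)."""
    unmitigated = 1.0 - mitigated_fraction(coverage, hardware_pfd, effectiveness)
    return float("inf") if unmitigated <= 0.0 else 1.0 / unmitigated


def sil_equivalent(rrf: float) -> int:
    """Map an RRF onto the IEC 61508 low-demand bands (RRF 10-100 = SIL 1, ...).

    Returns 0 when the risk reduction is below what SIL 1 requires.
    """
    if rrf < 10.0:
        return 0
    sil = 1
    while rrf >= 100.0 and sil < 4:
        rrf /= 10.0
        sil += 1
    return sil


LOGIC_SOLVER_PFD = 5e-4   # constructed figure, within the SIL 3 band


def scenarios() -> dict[str, int]:
    """Same SIL 3 hardware, different coverage and mitigation assumptions."""
    return {
        "80% coverage, 90% effective": sil_equivalent(effective_rrf(0.80, LOGIC_SOLVER_PFD, 0.90)),
        "95% coverage, 95% effective": sil_equivalent(effective_rrf(0.95, LOGIC_SOLVER_PFD, 0.95)),
        "full coverage and effectiveness": sil_equivalent(effective_rrf(1.0, LOGIC_SOLVER_PFD, 1.0)),
    }


if __name__ == "__main__":
    for name, sil in scenarios().items():
        print(f"SIL 3 hardware with {name}: delivers SIL {sil} equivalent risk reduction")
```

With 80% detector coverage and 90% mitigation effectiveness, SIL 3 hardware delivers an RRF of about 3.6, below even SIL 1; improving both to 95% reaches roughly RRF 10; only with coverage and effectiveness addressed does the hardware's own PFD become the limiting factor, which is the point made in the paragraph above.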


Published in The Journal Rockwell Automation, October 2013 and republished with permission.

Contact Christo Buys, Rockwell Automation, Tel 011 654-9729,
