A war of words is raging in the process control industry over the “integration” of safety and control systems. It’s a debate that has been ongoing for years, but the recent introduction of new integrated systems by several process controls vendors has lately added fuel to the fire. “This is a terribly controversial issue right now,” observes Bill Goble, principal partner at exida.com, a Sellersville,
On one side are those who warn that some controls vendors and their customers may be compromising safety by going too far with the concept of integrated process control and safety instrumented systems (SIS). This group says that the traditional requirement for separate and independent operation of safety and control systems may be violated by some of the newer integrated architectures that rely upon “functional” or “logical” separation of safety and control, instead of actual physical separation.
For one thing, the tight coupling of complex safety and process control systems—if not done correctly—could allow engineers, operators or maintenance personnel who are making control system changes or repairs to inadvertently make dangerous modifications to the safety system, these individuals suggest. For another, the approach could risk “common mode failures” that could affect both safety and control systems, they contend. A system that combines safety and control in the same hardware platform risks a failure “that could basically take out both your control and safety, and if that happens, then you must have a secondary means of shutting that process down in a safe and orderly fashion,” warns Lawrence Beckman, TÜV functional safety expert at SafePlex Systems Inc., a Houston-based safety systems integrator.
The traditional approach to separation is “like the belt and suspenders approach,” agrees Luis Duran, brand director for Triconex, a vendor of stand-alone safety systems that is an Irvine, Calif.-based unit of Invensys Process Systems. “But with what’s been happening lately, the problem is not so much the integration, but embedding the safety system into the controls, and making that fine [separation] line disappear,” Duran says. “Then you don’t have your belt and suspenders any more, so if you lose one, you lose them both.”
On the other side of the argument are those who tout the potential end-user benefits of integrated safety/control approaches; these include savings in engineering, training, maintenance and service costs, as well as reduced spare parts requirements. In all, these could add up to savings of 30 percent or more in total cost of ownership for an integrated safety/control system, compared to a separate systems approach, proponents say. This group agrees that appropriate separation of safety and control must be maintained, in order to avoid safety issues. But they contend that such separation can be accomplished through careful design of systems that integrate safety with control.
The safety separation traditionalists are spreading “fear, uncertainty and doubt,” or FUD, some in this group contend. And they are quick to point out that international safety standards including IEC 61508 and 61511, promulgated by the International Electrotechnical Commission, do not prohibit such control/safety integration.
“The standard does actually recognize that safety and non-safety functions can reside in the same system if ‘…it can be shown that the implementation of the safety and non-safety functions is sufficiently independent (i.e. that failure of a non-safety related function does not cause a dangerous failure of the safety related functions) –IEC61508-2 clause 184.108.40.206,’ ” says an opinion-editorial piece authored by Switzerland-based controls vendor ABB, which offers an integrated system.
Various integrated safety/control systems are on the market today that have met this requirement, say their vendors, as evidenced by certifications received from TÜV, an independent international certification organization. And once a system is TÜV-certified as meeting international standards for use at a specific safety integrity level, or SIL, that should end any debate, these vendors contend.
In the ABB op-ed piece, titled, “The Truth about Integrated Control and Safety,” ABB says that much of the public debate about the safety/control integration issue “is between suppliers with vested interests, defending their current product or technology, rather than between end-users on the merits and drawbacks of different acceptable approaches. There is a lot of disinformation being communicated on this topic,” ABB says. “Unfortunately, it only makes the issue more confusing to end-users.”
Putting it another way is Buddy Creef, sales vice president at RTP Corp., a Pompano Beach, Fla., vendor that received TÜV certification in October last year for its RTP 2500 integrated safety/control system. “I think sometimes the vendors drive the discussions,” Creef opines. “So if I’m offering integrated control and safety, I’m trying to drive things that way. And if I’m a Triconex or Triplex or Hima (other stand-alone SIS vendors) who only offer safety systems, then I’m certainly trying to say you should worry about common-cause failures, and you should worry about integrated systems.”
No matter which side of the issue they are on, most around the process control industry agree that wider use of integrated control/safety systems is in the cards. ARC Advisory Group Inc.,
Different vendors take different approaches to control/safety integration, of course, and some vendors offer multiple options for parsing or integrating safety and control. ARC identifies four basic categories in the progression from separate to integrated, says Asish Ghosh, ARC vice president, manufacturing advisory services.
The first level is “separate,” meaning no integration; at this level, the basic process control system, or BPCS, and the safety instrumented system, or SIS, are totally separate and work independently of each other.
The next higher level is what ARC calls “interfaced.” At this level, the two systems are still separate, and are typically supplied by different vendors, but an interface is configured to enable data transfer. This approach maintains separation and diversity, yet meets a major end-user need by enabling alarm data and other information from the SIS to be viewed together with control information by operators on a single, common screen.
The interfaced approach, which may rely on a gateway to handle protocol translations between the two systems, is common in the industry today, Ghosh observes. Indeed, according to estimates by Charles Fialkowski, national process safety manager for automation vendor Siemens Energy & Automation Inc., in Springhouse, Pa., the interfaced approach accounts for 60 percent to 80 percent of the current market.
SIS systems from Triconex and other vendors of stand-alone safety systems, such as Hima and ICS Triplex, are often interfaced in this manner to a BPCS, or distributed control system (DCS) supplied by a traditional automation controls vendor. With this approach, the diversity in hardware and software supplied by the two different vendors provides insurance against common-mode failures, explains Duran, of Triconex.
As a long-time player in the SIS market, Invensys Triconex still holds the worldwide market share lead, according to ARC figures based on 2005 revenues, Ghosh says. Though Ghosh declines to provide market share percentages, he does say that Honeywell and ABB rank second and third in global SIS market share respectively, followed by ICS Triplex, Hima and Siemens. Those rankings could change when 2006 numbers are available.
Over the years, Triconex safety systems have been interfaced to control systems from virtually every major process controls vendor, Duran says, including ABB, Emerson, Honeywell, Siemens, Yokogawa and Triconex’s sister Invensys unit, Foxboro. In many cases today, the interface method involves use of embedded communication boards in the automation platform that rely on standard protocols such as Modbus or OPC (an open communication standard), says Duran, an approach that he says can be more cost-efficient than a gateway approach.
The third level defined by ARC is “integrated.” At this level, the SIS and DCS are still separate processors, but they are typically made by the same supplier, with a closer integration between the two systems. They may have similar architectures, Ghosh notes, and “when we say integrated, we especially mean that there is some commonality in the software. That means the human interface looks similar, or maybe the configuration tools are similar,” he explains. “From a hardware point of view, they may be very similar, so that only one set of spare parts is needed.”
It is at this level that the separation traditionalists begin to object, warning that the added coziness between safety and control could lead to troubles caused by human error or common design failures.
Process automation vendors including ABB and Siemens have offered SIS systems for several years that can work in an integrated fashion with their own DCSs. More recent entrants include Emerson and Yokogawa, both of which rolled out new SIS entries in 2005 that are designed to be integrated with their own controllers.
Honeywell, for its part, also has its own line of safety controllers that can work with its own DCSs in a fashion that Scott Hillman, Honeywell’s global marketing manager for safety management systems, refers to as “operational integration.” But for classification purposes, Ghosh places Honeywell’s offering in the interfaced category, albeit “highly” interfaced. “You could call it integrated, but it’s not fully integrated,” says Ghosh. “They have their own safety system and controller system that I would say are highly interfaced.”
ARC’s fourth category is what Ghosh calls “common” systems. “Common means one single box is doing both control and safety,” Ghosh explains. Vendors that offer certified safety/control systems at this level of integration include ABB, RTP and Siemens.
The vendors of common, single-box integrated systems cite a variety of TÜV-certified methods that are used in their systems to meet the international safety standards, ensuring that the systems are safe. ABB, for example, stresses that its integrated, single-box 800xA High Integrity system was conceived and designed as a safety system from the outset, and was TÜV certified before it was released for sale. “Memory partitioning, separate execution contexts, firewalls and stack management techniques provide logical separation that ensures that safety and non-safety programs running in the same processing environment are actually separate and non-interfacing,” ABB says.
But some critics of the approach, such as SafePlex Systems’ Beckman, say that they just don’t buy it. “I don’t think its possible to do that because these systems are just too complex,” Beckman says. “The one thing that’s unique about safety systems is that they are inherently simple, because if it’s simple, the chances of it working are fairly high. The more complex it is, the less likely it is to work,” he declares.
Beckman also contends that the complexity of integrated control/safety systems makes them susceptible to problems caused by human error, during maintenance or testing, or when an operator makes changes to the control system. Mistakes in any of these operations could cause unintended changes in the SIS, he says. An added risk for integrated systems comes from terrorists and hackers, who might be able to access both safety and control systems, Beckman adds.
Beckman, a previous vice president of marketing at Triconex, and whose company also previously represented Hima exclusively in the United States, is a long-time member of the Instrumentation, Systems and Automation Society’s SP84 committee. That committee in 2004 adopted IEC 61511 as its latest version of the ISA-84 safety standard. The standard was subsequently approved by the American National Standards Institute to become ANSI/ISA-S84. Beckman says he strongly fought both adoptions because of terminology used; the standard allows for “functional separation” between safety and control, a phrase that Beckman believes should instead say “physical separation.”
So right or wrong, he concedes, the current standards do allow for the integration of process control and safety systems. “But I still feel very strongly that it’s not the safest approach when human life is at risk,” Beckman says.
So far, the verdict on integrated systems is mixed from process manufacturers themselves. “I’ve talked to a lot of end-users on this and I would say there’s a large chunk, maybe about a third, who believe that never, under any circumstances would you ever be justified in combining safety and control in the same system,” says Goble, at exida.com. Others are more open and enthusiastic about the idea, he notes. “So there’s a wide diversity of opinion.”
ARC is projecting strong growth for SIS hardware, software and services; the worldwide market will grow by at least 11 percent annually over the next few years, rising from about $1 billion in 2006 to about $1.5 billion in 2010, says Ghosh. But despite the availability of systems integrated at the single-box “common” level, ARC sees bigger near-term growth in systems that fall into its third category of “integrated” systems.
Vendors tend to agree. The idea of a single-box integrated system that handles both safety and control still “scares the heck out of a lot of people,” concedes Siemens’ Fialkowski. This is particularly true, he says, for older engineers who have been schooled throughout their careers on the absolute need for physical separation between safety and control. And so far, he adds, Siemens has seen little activity in sales of single-box safety/control systems.
But at the same time, says Fialkowski, business based on integrated systems using the company’s Simatic PCS 7 process controllers and TÜV-certified PCS 7F safety controllers operating separately, but in an integrated fashion, is on the rise. “That idea and approach has actually been growing more than the interfaced approach,” he says. “It’s probably 20 percent to 30 percent of the market now and growing.”
End-user response has been mixed to the latest integrated safety/control offerings from ABB, says Edgar Ramirez, safety systems business driver for ABB’s Process Automation Division, in
Ramirez says that major players in the Canadian oil and gas industry, such as ExxonMobil, Petro-Canada
and Shell, prefer separation of safety and control
systems—an option that ABB also offers. But an approximately equal number of oil and gas users who are newer to the use of safety systems are more willing to consider an integrated SIS/DCS approach, he says, and have launched projects with ABB products using varying degrees of safety/control integration.
So far, ABB has one project in
Other vendors also report growing end-user acceptance of the integrated control/safety concept. At Yokogawa Corp. of
Likewise at Emerson Process Management,
In the DeltaV/DeltaV SIS environment, information is shared seamlessly among the various subsystems, says Miller. “You no longer have to map your safety system into your DCS via Modbus or OPC. You no longer have to run a separate bus for time synchronization to the different subsystems, and you no longer need a stand-alone sequence-of-event system,” he explains. “All of those functional subsystems are built into our integrated BPCS/SIS environment.” The result, Miller says, is significantly reduced engineering integration time.
The integrated control/SIS architectures offered by Emerson and Yokogawa differ in many ways, of course. But one thing the competitors do have in common is that neither offers a “common” system approach that integrates safety and control in the same box. Both instead rely on more conservative, separate SIS and DCS systems that use integrated architectures for information sharing. And while both companies are cognizant of criticism from safety separation traditionalists, both are quick to assert that their integrated approaches were designed in strict adherence to international safety standards.
In the Emerson architecture, “our safety and control systems are completely segregated in all the ways that count,” says Miller. “The operating systems are different. The hardware is different. The only thing we do share are engineering tools, and even those are password protected for all safety integrated functions,” Miller points out. And while integrated DeltaV SIS and DeltaV systems are linked with a dedicated communications channel for information sharing, that link is one-way, he adds. “The SIS sends information out to the BPCS, and while the SIS can see information from the BPCS, that information does not alter the safety instrumented functions implemented in the SIS.”
Yokogawa’s de Breet notes that while the basic processors in his company’s CS 3000 controller and ProSafe RS SIS are the same, the safety system architecture “has been enhanced in order to meet the IEC standards.” By that, he means that “in the safety system, there is lots of diagnostic hardware and software, so the system diagnoses itself for possible unsafe failures in the system.”
Further, unlike some of its competitors, Yokogawa does not use common engineering software for the BPCS and SIS. “If you want to use the same engineering software for both, that means you need to have your control system software also scrutinized by TÜV, because you must be sure that it can’t feed back into the safety system,” de Breet says. So Yokogawa chose to go with TÜV-certified engineering software that is separate from that used for control system engineering, he notes.
At Honeywell Process Solutions, Hillman agrees that separation of control engineering software from safety engineering software is the way to go. A problem with common engineering software, he says, involves human error. A common engineering software approach puts the onus on the end-user to make sure that safety and control functions are segregated, and that those functions act independently if they fail, according to Hillman, who is based in ’s-Hertogenbosch, The Netherlands.
That’s why Honeywell relies on separate Safety Builder and Control Builder engineering software for use by customers who are linking the company’s current flagship safety controller, the Safety Manager, with the current flagship process controller, the C300, under the company’s Experion umbrella, Hillman says. In line with Honeywell’s reading of the international safety standards, this approach relies on separate and diverse processors that are linked in a way that provides “operational integration with secure data access, but no common failure modes,” as Hillman puts it. He believes that some of Honeywell’s competitors “have gone too far overboard on the integration side.”
Going forward, the debate over separate vs. integrated safety/control systems appears certain to continue, even as integrated systems gain a greater foothold in the market. The issue may come down to the degree of integration with which each individual end-user feels comfortable.
“At ARC, we say that this new class of safety systems offers different degrees of same but separate,” says Dave Woll, ARC vice president, consulting, for the process industries. “Our feeling from talking to end-users is that the attractiveness of these systems comes from their significantly lower cost of ownership. There’s no question that the market is moving toward different degrees of same but separate,” Woll adds. “The big question is, ‘How fast is it going to move?’ ”
For more information, search keywords “process safety” at www.automationworld.com.