Harmonized Standards: A Fruit of Globalization

Industry cultivates international safety and programming standards.

Aw 4891 Standard10

One of the fruits of globalization is the continuing harmonization of the various national safety and programming standards that exist throughout the world.

Because both builders and users of automation must navigate a confusing maze of national and international standards, they are advocating the internationalization of standards to streamline the integration of their worldwide operating units safely.

The harmonization of safety and programming standards is occurring around IEC 61508, the functional safety standard promulgated by the Geneva-based International Electrotechnical Commission (IEC). In the United States, for example, IEC 61511 now makes up most of the ISA-84 standard promulgated by the Instrumentation, Systems and Automation Society (ISA), in Research Triangle Park, N.C., and adopted by the American National Standards Institute. This standard applies IEC 61508 to the process industries.

The European safety standards for machinery are undergoing a similar transition. In the past, they centered on European Norm (EN) 954. “However, the whole picture will change because this standard will be replaced shortly,” reports David Arens, a food and packaging applications engineer at Bosch Rexroth Corp., in Hoffman Estates, Ill. “All newer ones—mainly IEC 62061 and IEC 61511—are based on the basic IEC 61508 standard.”

Find your way

To get your bearings in this maze of safety standards, make IEC 61508 your reference point. It is the umbrella standard for implementing and managing safety projects correctly, particularly for developing new devices and software. “It gives project engineers the procedures to ensure that the specifications they set for safety functions will work,” explains Bob Adamski, a long-time member of safety-standards committees, and director of Premier Consulting Services, the Irvine, Calif., division of Invensys Process Systems specializing in safety and reliability engineering studies, risk assessments and safety consulting.

The next level of standards specifies the details for installing and using devices and software in each industry. IEC 61511, for example, governs the process industries, and IEC 62061 guides machinery builders. The medical, nuclear, rail, and lift and elevator industries have their own sets of performance standards too. Such standards also exist for particular tasks, such as programming. IEC 61131 is the one that sets standards for programming safety and non-safety functions in programmable logic controllers (PLCs).

In the process industries, the guidline for deciding whether IEC 61508 or 61511 applies depends on whether you are developing a device or installing one. Part 2 of the seven-part IEC 61508 applies to developing new hardware devices, and IEC 61511 applies to installing and using them. Part 3 of IEC 61508 governs the development of embedded software, such as operating systems. “If you’re talking about developing application software using full variability languages, then you’re also talking about 61508, part 3,” says Adamski. “For application software using limited variability languages, or fixed programs, follow 61511.”

Although this guideline works well in many cases, remember that it is just that—a guideline. Things actually can be more complicated, especially for programming. When it comes to programming PLCs, for example, most standards say to follow the IEC 61131 standard, which requires structuring programs in a certain ways, such as without loops and proportional, integral, and derivative (PID) algorithms in safety functions. Some industries such as the nuclear industry contain even more rules for application programming.

Risk management help

One important reason for the interest in harmonizing international standards is to simplify risk management. Each country has its own laws, regulations and legal precedents on safety, so adhering to all of them can be a challenge. A simple example is the requirement in the United States to disconnect power electromechanically during an emergency stop. In Europe, a solid-state disconnection is allowable. So consulting experts on local standards is always necessary to ensure that you follow the applicable standards and their local variations.

Standards are an especially important part of risk management when laws either are vague or offer general principles, such as in the machinery industry. “Often, the adoption of a standard is an effort to show that safety has been considered in the machine design,” says Bosch Rexroth’s Arens. “In some companies, the insurance for both medical and workers compensation is related to the safety standards applied.” Often, so are any fines levied by courts and regulatory agencies after accidents.

In the process industries, the governmental regulations are much more than a kind of insurance policy for limiting liability from accidents. Rather, they are a kind of license to conduct business, and so have a much greater impact on a company’s ability to operate. “Our federal government, under OSHA 1910.119, requires businesses to provide a safe working environment for all employees working in their plants,” notes Charles Fialkowski, national process safety manager at Siemens Energy & Automation Inc., in Spring House, Pa.

He says that the Occupational Safety and Health Administration (OSHA) responded to the inquiries that it received for direction on compliance by recognizing the American National Standard Institute-approved ANSI/ ISA S84–2004 standard as good engineering practice. In 2004, ISA’s SP84 committee adopted the IEC 61511 as its latest version of ISA-84, replacing the earlier 1996 version and retaining the grandfather clause in the previous version. The grandfather clause exempts users who can show that their safety systems have proven themselves in use.

The standard describes a three-phase safety lifecycle that companies can use to manage their risks. In the first phase, the analysis, engineering determines the amount of risk in a design and how much safety is necessary. The second phase is realization, that is, coming to terms with the amount of safety that the design actually offers. The final operation phase entails keeping the design safe throughout all operational changes that might occur in the future.

“This risk-based method helps to take the guesswork out of plant designs and helps to prevent under- or overengineered solutions,” notes Fialkowski. “Studies have shown that many existing designs were actually overdesigned, but not properly managed and maintained. As a result, users spent too much on their safety systems without getting the full risk reduction that they were designed to provide.”

Don’t guess with safety

Engineers tend to overdesign because they can’t measure risk adequately. To understand why, consider a sensor monitoring the temperature of a furnace to shut off the fuel when the temperature becomes too high. The control system might consist of a thermocouple, a switch, a solenoid and a valve to shut off the gas. The reliability of the circuit depends on the components. So the question boils down to, how reliable are the components?

“In the past, the vendor used to say it’s a good system,” answers Adamski, of Premier Consulting Services. “When you would press, well, how good is good, the answer would be that it’s very good. Now, how do you know that it’s good enough to manage your risk?

“Moreover, what will the consequences be?” he continues. “Am I going to have a small fire or an explosion? Or will it be even worse, such as starting a sequence of events that might cause a Bhopal or Texas City-like incident?”

To help users collect the information that they need to manage their risks appropriately, the standards define today four safety integrity levels (SILs), or categories of risk, based on probability of failure. The risk of failure, for example, ranges between one in ten and one in 100 for SIL 1. It runs from one in 100 to one in 1,000 for SIL 2, one in 1,000 to one in 10,000 for SIL 3, and one in 10,000 to one in 100,000 for SIL 4.

So a user willing to accept a risk of one in 500 for a particular system will want the instrumentation and controls rated at SIL 2. “Now, the vendor or integrator has to validate that that hardware will meet that SIL level and document it to prove it,” says Adamski. These calculations are based the mean times between failure of the hardware and the testing intervals.

The only remaining step is to determine appropriate SIL levels for each function and risk that the company is willing to accept. “These determinations are like conducting a mini-hazard and risk reliability study on a process,” says Adamski. “But rather than looking at pipes, flanges, gaskets, vessels and fluids, an SIL study just focuses on the safety system.” The target in the petrochemical industry is 1 x 10-6 to 1 x 10-8 incidents per year when the consequences have the potential to be catastrophic. The nuclear industry wants the probability of having an incident to be 1 x 10-12.

Lean manufacturing tool

Besides managing risk better, another reason for the heightened interest in international standards is that they have been an important tool for lean manufacturing. Companies have discovered that adhering to existing international standards reduces the number of standards that they have to develop internally. In the past, large international corporations, especially, would employ hundreds of engineers to develop ways to do everything from measurements and electronic connections to control strategies and information management to streamlining installation, maintenance and training.

“They would push it out to the plants and say, ‘This is the way that we do it,’ ” says David Emerson, a systems architect at Yokogawa Electric Corp.’s U.S. Development Center, in Carrollton, Texas. “Now they have a very lean central engineering staff that doesn’t do that anymore.”

Greater use of international standards also creates efficiencies across entire markets, thereby reducing development and installation costs even more. Largely at the insistence of large users, vendors also have adopted international standards. “Now, they have a clear specification to implement,” says Emerson. “Then they can spend time on value-added enhancements, rather than on trying to specify basic functions.” The result is not only more innovation and greater power at reasonable prices, but also a larger measure of interoperability and the continuing expansion of the plug-and-play concept.

Interoperatability is not always the goal, however. Sure, IEC 61131-3 and the ISA-88 batch-control standard (adopted as IEC 91512-1 in 1997) define common terms and approaches for organizing the data so that users can understand sequential function charts from any vendor. “That doesn’t mean you can always export data from one device and import it into the other,” says Emerson. “But you might not always care about import-export. You might just want to have a common approach so that things are familiar and you know where to start when you sit down in front of it.”

He adds that, even when standards fail to provide enough detail for exchanging data among systems supplied by different vendors, they still provide a powerful means for end users and suppliers to talk using a common language.

Reusable code

Now that users are using standards such as Fieldbus to connect PLCs to distributed networks of intelligent field devices made by various vendors, these vendors have collaborated on a uniform method for passing data among the various devices. Using the concepts defined in IEC 61131-3, the committee for the relatively new IEC 61499 standard has begun defining a way to describe control software in terms of function blocks. “The goal is to fuse hardware and software combinations into encapsulated, reusable code presented in function blocks that are independent of the equipment vendor,” says Arens, of Bosch Rexroth.

The pre-validated blocks will be reusable pieces of software that users who are not software engineers can insert into algorithms for tasks ranging from working a valve to overseeing a production line. The IEC 61131 and 61499 standards ensure that the function blocks operate in the same manner, regardless of who is programming them.

For machine builders, PLCopen, the Netherlands-based organization devoted to solving control-programming problems, also is creating software and encapsulated programming elements based on IEC 61131-3. The organization’s Technical Committee 5 on safety has defined 20 function blocks, and has developed programming, operating and diagnostics guidelines. Arens believes that such standards will help the hardware and software used in different machines to behave predictably. So these standards are just another fruit in the basket of international standards being wrought by globalization.

For more information, search keyword “standards” at www.automationworld.com.

More in Control