Big changes are coming to the way that the process industry monitors safety, if the $4.7 million automation project on the De Ruyter oil and gas production platform is any indication. The offshore platform that Petro-Canada of Calgary, Alberta, is building in the Dutch North Sea will be integrating safety monitoring and process control into one architecture—the new System 800xA high integrity safety controller from ABB Inc., headquartered in Norwalk, Conn. The controller complies with the IEC 61508 and 61511 standards promulgated by the Geneva-based International Electrotechnical Commission and is flexible enough to either combine the control and safety functions within the same controller or keep the functions separate but within the same integrated network.
Automation vendors believe that the new standards will encourage the process industries to integrate safety and process control. “The recent IEC 61511 standard is the first time that the world has had a common standard for the implementation of safety instrumentation,” notes Charles Fialkowski, at Siemens Energy & Automation, of Spring House, Pa. “Since it came out in 2003, it has been adopted in the United States as the next generation of ISA 84 (a standard promulgated by the Instrumentation, Systems and Automation Society).” He believes that the resulting integration will bring tremendous cost advantages from common engineering tools, less maintenance and operator intervention, smaller spare-parts inventories and less complexity.
The impetus behind the new standard has been a series of incremental improvements in controls technology that have made integration feasible. For example, a better understanding of failure modes and more powerful central processing units (CPUs) has increased the diagnostics coverage of systems to better than 99 percent. Moreover, open communications protocols such as Ethernet and ProfiBus have allowed the industry to develop fail-safe communications that are certified to a safety integrity level (SIL). “The technology wasn’t really there before,” says Fialkowski. “You had to use communications gateways that didn’t support safety communications.”
Levels of Integration
As the process industries begin appropriating the new standards, they are showing interest in various levels of integration. The most radical is one CPU doing both safety monitoring and process control in one box. But first, says Fialkowski, “is having process control and safety in separate boxes running separate logic on similar, if not identical, components. Right now, the paradigm shift is going from completely diverse [and separate] systems to similar systems doing the process control and integration.” This integration occurs on three levels: hardware, operational, and engineering.
At the hardware level, integration means that the architecture of the PLCs, other computers, and peripheral devices is such that they can plug together and talk to one another with some elementary setup, not a special systems integration effort. Vendors offer several methods for this kind of integration. Some suggest using the same hardware for both the safety system and process control; others recommend hardware that is either similar or pre-engineered to work together.
ABB is one vendor that advocates using the same model of controller—its System 800xA—for both safety and process control. “We can run safety applications and control applications in separate systems as well as separate controllers connected in the same system,” says Roy Tanner, manager of high integrity solutions at the controls business in Wickliffe, Ohio. “We also can run both safety applications and process control applications in the same controller with logical separation between them.” The idea is to simplify things so users have only one set of spare parts to stock and one set of systems to learn.
Scott Hillman, global leader for safety management solutions at Honeywell, urges users to examine the claims made by hardware vendors carefully, however. “Many are claiming that their hardware is the same [make], but segregated,” he explains. “Many are similar, not the same. So any savings that they might claim relative to spare parts are null and void.” And if the hardware really is identical, he points out that common-mode failure is a potential problem. The conditions that lead to a failure in the process controller or supporting electronics could cause the same failure in the safety system, thereby undermining the strategy of separating the two systems to add a measure of protection.
Although Fialkowski, at Siemens, agrees that the likelihood of a common-mode failure is much lower when each side uses different components, he points out that the tactic brings another set of problems as more users want the benefits of integration. “When you put the two systems together, no authority says it’s still safe,” he says. “There was often a lot of finger pointing when the interface didn’t work.” Now when a vendor introduces integrated control and safety products, it assumes the burden of ensuring that the interface contains the proper safeguards to prevent the distributed control system from affecting the safety system, and of getting the appropriate certification from the TÜV safety agency.
Tanner, at ABB, adds that modern reliability standards often eliminate the problem. Distinguishing between availability and reliability, he notes that SIL ratings are assigned based on the reliability of the device. So if the electronics have built-in diversification, the probability of a common-mode failure becoming a problem is lower. Nevertheless, other modes of failure exist. So if ensuring availability is an issue for an application, “then you can add redundancy,” he says.
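Hillman's common-mode caveat and Tanner's point about reliability and redundancy can be put in numbers with the simplified low-demand equations of IEC 61508-6 (beta-factor common-cause model, repair time ignored). This is an added example, not code from the article or from any of the vendors quoted; the failure rate, diagnostic coverage, proof-test interval and beta values are constructed.

```python
# Added example (not from the article): simplified IEC 61508-6 low-demand model
# showing how diagnostic coverage, 1oo2 redundancy and common-cause failure
# interact.  Assumptions: constant failure rates, repair time ignored,
# beta-factor model for common cause.  All sample values are constructed.

def dangerous_undetected_rate(lambda_d: float, dc: float) -> float:
    """Dangerous undetected failure rate (per hour): the dangerous failures
    that on-board diagnostics do not catch.  dc = diagnostic coverage, 0..1."""
    return lambda_d * (1.0 - dc)


def pfd_1oo1(lambda_du: float, t_proof: float) -> float:
    """Average probability of failure on demand for one channel that is
    proof-tested every t_proof hours."""
    return lambda_du * t_proof / 2.0


def pfd_1oo2(lambda_du: float, t_proof: float, beta: float) -> float:
    """Average PFD of a redundant 1oo2 pair.  beta is the fraction of dangerous
    undetected failures that hit both channels at once (common cause), the
    risk Hillman raises for two channels built from identical hardware."""
    independent = ((1.0 - beta) * lambda_du) ** 2 * t_proof ** 2 / 3.0
    common_cause = beta * lambda_du * t_proof / 2.0
    return independent + common_cause


def sil_for_pfd(pfd: float) -> int:
    """Low-demand SIL band for an average PFD (IEC 61508-1); 0 = below SIL 1."""
    for limit, sil in ((1e-4, 4), (1e-3, 3), (1e-2, 2), (1e-1, 1)):
        if pfd < limit:
            return sil
    return 0


def redundancy_benefit(lambda_d: float, dc: float, t_proof: float, beta: float) -> float:
    """Factor by which a 1oo2 pair lowers PFD versus a single channel.  With
    realistic rates the common-cause term dominates, so the answer tends toward
    1/beta: identical hardware with beta = 0.1 buys roughly 10x, not the
    thousands the independent term alone would promise."""
    lambda_du = dangerous_undetected_rate(lambda_d, dc)
    return pfd_1oo1(lambda_du, t_proof) / pfd_1oo2(lambda_du, t_proof, beta)


if __name__ == "__main__":
    LAMBDA_D, T_PROOF = 5e-6, 8760.0  # constructed: dangerous failures/h, annual proof test
    for dc in (0.90, 0.99):           # the article cites coverage of better than 99 percent
        p = pfd_1oo1(dangerous_undetected_rate(LAMBDA_D, dc), T_PROOF)
        print(f"DC={dc:.2f}  1oo1 PFDavg={p:.2e}  -> SIL {sil_for_pfd(p)} band")
    for beta in (0.0, 0.02, 0.1, 0.5):
        print(f"beta={beta:<5} 1oo2 benefit over 1oo1 = "
              f"{redundancy_benefit(LAMBDA_D, 0.99, T_PROOF, beta):.1f}x")
```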
While Tanner acknowledges that some applications need various degrees of separation, he points out that others are more flexible. In fact, integrating both safety and process control into the same controller can be a cost-effective way for businesses that could not afford safety systems in the past to benefit from them now. “You can pick up a small number of inputs/outputs (I/O) and put the safety I/O and regular I/O together on the same communication bus. Using the existing communication infrastructure allows more people to have a TÜV-certified, SIL-rated solution.”
More than Hardware
The next level of integration occurs at the operational level, which means the human-machine interface used by the operators controlling the plant. “The systems should be able to talk to one another, so the operator can operate the plant from one window into the process,” says Hillman. “That’s really what’s important for users.” For this reason, this level is the one that Honeywell has been emphasizing for the last nine years with its Experion Process Knowledge System and Safety Manager safety platform.
Hillman also notes that integration at this level can go deeper. If the safety system is issuing warnings, the operator or internal software might be able to send a signal to a controller to back off the set points, for example.
The third level of integration, the engineering level, is about the software and strategy for implementation. In other words, the integrator uses one software application to build control and safety strategies, program the proportional-integral-derivative (PID) controllers, connect transmitters to output, and set the correct control limit for the gates. “Engineering tools are key because a safety system is not modified very much,” says Tanner. “So over time, people forget how it works.” Relying on only one application and method helps users not only to maintain their corporate memories but also gives them a validated and proven solution that can streamline installation at other locations.
Although the software streamlines installation and cuts costs, Hillman again worries about the common-mode failures associated with it. To avoid the problem, he believes that the best approach at the engineering level is to use a different application for each type of hardware. The applications should come from the same vendor, however, so they are integrated and can exchange data easily.
Even though vendors vary in their emphasis on the different levels, a reasonable approach is to choose the method that makes the most sense for your application. “Take a holistic approach,” advises Hillman. “Pay attention to what you expect from your layer of protection and how it is interoperable with the other automation. Do due diligence on your engineering practices, but take the holistic approach as to how the layers of protection interact with one another, because some of those interactions are intentional and some are not. You want interactions to be intentional.”
For more information, search keywords “safety” and “controller” at www.automationworld.com.
See sidebar to this article: Productivity and protection go together