Yokogawa Corporation of America (2005): Control and Safety, Separate Tasks for Integrated Operation




Copyright 2005 by ISA. Presented at ISA EXPO 2005, 25-27 October 2005

McCormick Place Lakeside Center, Chicago, Illinois, www.isa.org

Control and Safety, Separate Tasks for Integrated Operation

Jan de Breet, Technical Consultant Safety Systems, Yokogawa Corporation of America, Stafford, TX 77477
Tadaaki Ando, SIS Marketing Leader, Industrial Safety Systems dept., Yokogawa Electric Corporation, Tokyo, Japan

KEYWORDS

Control Systems, Safety Instrumented Systems, IEC 61508, ANSI/ISA 84.00.01

ABSTRACT

The different nature of the requirements for control and safety systems, and international standards such as IEC 61508, require separation of control and safety systems. Control and safety are therefore mostly implemented as separate systems, providing a divided man-machine interface. Divided control and safety system information, however, is not convenient for operators. This paper argues that undivided information from an integrated control and safety system provides the best solution within the requirements of the standards.



INTRODUCTION

As a part of the total plant management system, control and safety systems operate at the same level. Both connect to sensors and actuators/valves in the same process.

As far as sensors are concerned, the same process values are often read twice, using different sensors for the control system and for the safety system. The reason is the different requirements for signal quality. A control system needs very accurate sensors in order to trim its loop controls optimally; a safety system uses more robust and reliable sensors, for which accuracy is of secondary importance.

With respect to actuators and valves, the control system operates control valves that can be positioned very precisely to provide optimal loop control. The safety system only operates safety valves that are either open or closed. The requirement for a safety valve is similar to that for a safety sensor: reliable operation matters most. When a safety valve needs to close, one must be absolutely sure that it will close completely. A more delicate control valve may fail to close fully, while a valve operated by the safety system has been designed specifically to close completely when required, i.e. when a dangerous process situation has occurred.

The above not only explains that control and safety systems have a different nature, it also shows that they are tightly related, namely through the process. Because of the different nature of the systems and the requirements of international standards such as IEC 61511, control and safety systems need to be separate entities.

From the operator's point of view, however, operation of the process comes first. The control and safety systems are the operator's instruments to optimize and protect the process. The operator watches graphic screens and alarm lists filled with process information and makes decisions based on that information. All that information needs to be displayed in a clear, easy to understand and unambiguous way. But a good quality information display is hard to achieve with two separate systems, which in many cases are obtained from two different vendors.

[Figure: the plant management system, with the control system and the safety system side by side above the process; other plant functions, maintenance and operation are shown alongside.]


Further, the design and implementation of the systems are extensive tasks. Two separate systems have to be designed for one process. Each system needs to be installed on a separate network, with a separate man-machine interface. This solution is not very practical, because the two displays show the data in two different ways. To solve this problem, connectivity between control and safety systems has been developed over the years on the basis of existing technologies such as Modbus, Ethernet and OPC, rather than from the functional requirements, i.e. the operator's requirements. The resulting technologies cover only part of the needs.

Another important issue with separated control and safety systems is the effort required to coordinate the engineering between the respective control and safety system engineers. As the two systems are linked through their communication ports, the exchanged data must be available in a defined order. Normally a table of so-called aliases is used: each exchanged signal has its control system alias and its safety system alias in this table. The table has to be maintained by both the control system vendor and the safety system vendor throughout the implementation phase, and by plant maintenance after plant start-up. The accuracy of this table has been a major risk for project schedules, especially when the systems are connected for the first time, i.e. at the Integrated Factory Acceptance Test, which is very close to the installation and commissioning phase. Errors found there can have major consequences for the overall schedule.

CONVENTIONAL SYSTEMS

Conventional systems are either separated or linked.

Separated Systems

A conventional solution uses two separate systems: a control system and a safety system. Each system is built from dedicated parts, such as a controller or logic solver that executes its functions, a man-machine interface station and a network.

FIG.1 - SEPARATED SYSTEMS


This solution is inconvenient from an operational point of view. Operators sometimes need to access two separate man-machine interface stations, each displaying the data of its own system in a different way. They need to be trained on two different systems to be able to retrieve and understand all the data. Moreover, they may be compelled to move back and forth between two terminals to understand what is happening in their plant. Separated systems are still found in older installations.

Linked Systems

Nowadays most control and safety systems have the basic architecture of figure 2. A special interface card or gateway in the control system, and a corresponding one in the safety system, provide the means of communication.

FIG.2 - LINKED SYSTEMS

Linked systems, however, do not provide all the functionality the operator requires. Because the control system and the safety system have different protocols, proprietary networks and data formats, not all information can be shared, leaving the operator with only a subset of the functionality the two systems offer.
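The alias table that a linked system depends on is, in practice, two exports maintained by two vendors, and the text above notes that its errors tend to surface only when the link is first energized at the Integrated Factory Acceptance Test. The Python below is an added example, not part of the paper and not Yokogawa code: it shows the kind of automated cross-check that would catch such errors before the test. Both exports are constructed sample data; the register-based link (Modbus-style addresses) and the columns (tag, register, data type, engineering range) are assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Alias:
    """One row of a vendor's alias export (assumed layout)."""
    tag: str        # process signal name agreed between both engineering teams
    register: int   # address of the signal on the control/safety link
    dtype: str      # data type on the link: "bool", "int16", "float32"
    low: float      # engineering range low
    high: float     # engineering range high


# Constructed sample exports, not real plant data. The safety export contains
# the classic mistakes: a moved register, a scaled integer where the DCS
# expects a float, a widened range, two tags on one register, a missing tag.
CONTROL_EXPORT = [
    Alias("PT-101", 40001, "float32", 0.0, 100.0),
    Alias("TT-202", 40003, "float32", -50.0, 250.0),
    Alias("LT-303", 40005, "float32", 0.0, 10.0),
    Alias("XV-101.CLOSED", 10001, "bool", 0, 1),
    Alias("ESD-1.TRIP", 10002, "bool", 0, 1),
]
SAFETY_EXPORT = [
    Alias("PT-101", 40001, "float32", 0.0, 160.0),   # range differs
    Alias("TT-202", 40003, "int16", -50.0, 250.0),   # type differs
    Alias("LT-303", 40007, "float32", 0.0, 10.0),    # register moved
    Alias("XV-101.CLOSED", 10001, "bool", 0, 1),
    Alias("ESD-1.TRIP", 10001, "bool", 0, 1),        # collides with XV-101.CLOSED
    Alias("FT-404", 40009, "float32", 0.0, 500.0),   # never added to the DCS table
]


def duplicate_registers(rows):
    """Tags within ONE export that were mapped onto the same register."""
    seen, dupes = {}, []
    for row in rows:
        if row.register in seen:
            dupes.append(f"register {row.register} used by both "
                         f"{seen[row.register]} and {row.tag}")
        else:
            seen[row.register] = row.tag
    return dupes


def cross_check(control, safety):
    """Compare the two exports; returns a sorted list of findings (empty = consistent)."""
    findings = []
    c = {row.tag: row for row in control}
    s = {row.tag: row for row in safety}
    for tag in sorted(set(c) - set(s)):
        findings.append(f"{tag}: present in control export only")
    for tag in sorted(set(s) - set(c)):
        findings.append(f"{tag}: present in safety export only")
    for tag in sorted(set(c) & set(s)):
        a, b = c[tag], s[tag]
        if a.register != b.register:
            findings.append(f"{tag}: register mismatch control={a.register} safety={b.register}")
        if a.dtype != b.dtype:
            findings.append(f"{tag}: type mismatch control={a.dtype} safety={b.dtype}")
        if (a.low, a.high) != (b.low, b.high):
            findings.append(f"{tag}: range mismatch control={a.low}..{a.high} "
                            f"safety={b.low}..{b.high}")
    for side, rows in (("control", control), ("safety", safety)):
        findings.extend(f"{side} export: {d}" for d in duplicate_registers(rows))
    return sorted(findings)


if __name__ == "__main__":
    for line in cross_check(CONTROL_EXPORT, SAFETY_EXPORT):
        print(line)
```

Run against real exports, the check belongs in the document control process of both vendors, so that every revision of either table is re-validated before the systems meet at the IFAT rather than during it.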


INTEGRATED SYSTEM

An integrated solution for the control and safety system should overcome the problems described for separated and linked control and safety systems.

Definition

An integrated control and safety system is a system that provides both process control and process protection in separate entities, to ensure integrity, while offering the user fully functional uniform operation and integrated data presentation for optimal decision making and process handling. The integrated system consists of field control stations and safety control stations sharing the same data highway and the same human-machine interface stations. The field control station and the safety control station execute their respective control and safety functions separately, while the operator's requirement for integrated information is fulfilled.

FIG.3 – INTEGRATED SYSTEM

In an integrated system, control and safety system information is integrated while the separation of the functions is secured. True integrated monitoring of control and safety information in a single window of a human-machine interface station is possible because the data highway is shared: all (proprietary) protocols, networks and data formats are the same. Operators can monitor all information, such as data, events and alarms, using the one (set of) HMI station(s) they are accustomed to. Not the least important benefit is that this enables the operator to react more accurately in critical process situations. Misjudgment is often caused by poor information; a single window view of control and safety system parameters is a major improvement in the quality of the information display.


FIG.4 – INTEGRATED WINDOW

Figure 4 shows an example of a uniform view of process data. In this case a window with eight so-called faceplates is shown. Each faceplate represents a process value together with its parameters, such as set point settings. The left four faceplates contain safety system signals and the other four control system signals. Operation and appearance of the faceplates are the same, yet the difference is clearly marked. Similarly, the process alarm window shows both control and safety system alarms in the actual order in which they occurred. The integrated HMI function allows the operator to choose whether to view all alarms together or to view control and safety system alarms in separate windows. If, for example, a process has been shut down, an operator can analyze the cause more easily. This brings forward the start of the start-up procedure, and the start-up itself will be easier and quicker too, so production loss time will be much shorter.

An integrated system is also easier and more cost effective to design. There is only one network, which saves not only design time but a lot of expensive fiber optic cable too. Maintaining a table of aliases for data exchange is not required: the integrated control and safety systems have all their respective data available for use in each other's applications, of course within the restrictions that IEC 61508 and IEC 61511 impose. The next section discusses how IEC compliance is assured.


Compliance to Standards

The integrated control and safety system must fulfill the industrial standards for safety systems, such as IEC 61508, in addition to offering its operational advantages. This section gives some examples out of a larger number of clauses that apply to the integration of control and safety in general.

IEC 61508-1 Clause 7.5.2.4

The international standard on functional safety, IEC 61508 (Functional safety of electrical/electronic/programmable electronic safety-related systems), states: "The EUC control system shall be separate and independent from the E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities."

This clause concerns the separation and independence of the systems that execute the control function and the safety function. The integrated control and safety system executes the control functions and the safety functions on segregated controllers (different hardware and software), which guarantees the separation and independence of the two functions, while showing integrated information from both systems to the process operator. The separation is verified by an independent authority during the certification of the safety system. The integrated control and safety system therefore meets this requirement.

LOPA (Layer of Protection Analysis)

The AIChE CCPS publications "Guidelines for Safe Automation of Chemical Processes" and "Layer of Protection Analysis" introduced the idea of layers of protection. This design philosophy considers the Basic Process Control System and a Safety Instrumented Function as two Independent Protection Layers (IPL), which again requires the independence of the control and safety functions. The integrated control and safety system complies with the IPL philosophy.

IEC 61511-1 Clause 11.2.4

"If it is intended not to qualify the basic process control system to this standard, then the basic process control system shall be designed to be separate and independent to the extent that the functional integrity of the safety instrumented system is not compromised.

NOTE 1 Operating information may be exchanged but should not compromise the functional safety of the SIS.

NOTE 2 Devices of the SIS may also be used for functions of the basic process control system if it can be shown that a failure of the basic process control system does not compromise the safety instrumented functions of the safety instrumented system."


This clause tells us in the first place that a DCS which is not qualified to the standard shall be separate and independent to the extent that the functional integrity of the safety instrumented system is not compromised. The integrated control and safety system meets this requirement.

In the second place (note 1) it allows operating information to be exchanged as long as this does not compromise the functional safety of the SIS. Exchanging operating information is the strong point of the integrated control and safety system: as explained, the operating information is much more complete in an integrated system, and when properly organized it even enhances safety integrity, especially in the area of human performance. Here too, the information exchange must not compromise functional safety. It must not be possible (assured by proper qualitative evaluation of the safety system by an independent authority) to influence the application behavior within the safety instrumented system from the operator or human-machine interface stations. Only the (protected) engineering and maintenance interfaces should have that capability.

In the third place (note 2) SIS devices may be shared with the DCS, as long as doing so does not compromise the safety instrumented functions. An example of sharing devices is an application where the same (safety) input device is used both in a safety instrumented function and in the control system. In the integrated control and safety system it is an easy matter to communicate the device value and status to the DCS application. (This application in itself already preserves functional safety integrity, because the DCS cannot influence the device value.)

IEC 61511-1 Clause 11.2.6

"The design of the SIS shall take into account human capabilities and limitations and be suitable for the task assigned to operators and maintenance staff. The design of all human-machine interfaces shall follow good human factors practice and shall accommodate the likely level of training or awareness that operators should receive."

This clause emphasizes the need for clear information to operators and maintenance staff, and for their training. The integrated control and safety system not only facilitates a comprehensive information display, it also reduces the amount of training required to operate it.


Key Issues of the Integrated System

The integrated control and safety system enhances both functional safety integrity and control integrity.

Control and Safety Function Separation

It must not be possible (assured by proper evaluation by an independent authority) to influence the application behavior within the safety instrumented system from the operator or human-machine interface stations. Only the (protected) engineering and maintenance interfaces should have that capability. The safety system's operating system software can achieve this: it simply offers no functionality to that extent. Neither should it be possible for the control application to influence safety-related functions performed by the safety system. Sometimes, however, data from the control system is required in the safety application for proper process operation. Functional safety management, together with the safety system's application engineering software, must then adequately assure the integrity of the safety-related function: functional safety management should include a specific check for this, and the application engineering software should perform an automatic (mandatory) check. The unidirectional exchange of data from the safety system to the control system is unrestricted and provides a large part of the enhanced functionality of an integrated control and safety system.

Maintenance Overrides

In an integrated control and safety system, maintenance override functionality can be made part of the standard operating system and can therefore be included in the certification process, assuring that at least the basic principles, such as announcement/alarming, are always part of the required functionality.

Network Integrity

When two or more safety systems need to exchange data, e.g. when one process unit equipped with its own safety system needs to propagate a shutdown signal to another safety system, the safety-related data has to be communicated over the network that is shared by the control and safety functions. Even where the network itself is not safety-related according to the IEC standards, it can be used to carry safety-related data. A measure implemented in the safety systems assures the integrity of the safety-related data communicated via the non-safety-related network: the sending safety system wraps the safety-related data in an envelope, and the receiving safety system uses that envelope to assess whether the data integrity was maintained in transit. The envelope consists, among other things, of a check on the data contents, time information and network availability information. Since the safety-related data is sent continuously (at a frequency well within the process safety time), a watchdog timer in the receiving safety system also assures timely receipt. When the integrity of the data is compromised, e.g. no valid data arrives within the process safety time or the data contents check fails, the receiving safety system takes the appropriate (safety) action.
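The envelope mechanism just described, in code, as an added example that is not part of the paper and not a Yokogawa implementation. It follows the text's recipe: the sender wraps each message with a contents check (CRC-32 here), a sequence number and a send time, sends cyclically well inside the process safety time, and the receiver discards anything that fails the checks and trips to the safe state from a watchdog when no valid data has arrived within the process safety time. The frame layout, the one-byte payload (0x01 = shutdown demanded), the 2 s process safety time, the 0.25 s send interval and the assumption that both units' clocks agree are all choices made for the illustration; a real SIS takes these from the hazard analysis and the certified design.

```python
import struct
import zlib

# Assumed values for this illustration; in a real SIS they come from the
# hazard analysis and the certified design, not from a source file.
PROCESS_SAFETY_TIME_S = 2.0   # longest tolerable gap without valid safety data
SEND_INTERVAL_S = 0.25        # cyclic send rate, well inside the process safety time
TRIP, NO_TRIP = b"\x01", b"\x00"   # assumed one-byte payload: shutdown demanded / not

MAGIC = b"SAFE"
HEADER = struct.Struct(">4sIdH")   # magic, sequence number, sender time, payload length
TRAILER = struct.Struct(">I")      # CRC-32 over header + payload
MASK32 = 0xFFFFFFFF


class SafetySender:
    """Sending safety system: wraps each payload in the integrity envelope."""

    def __init__(self):
        self.seq = 0

    def envelope(self, payload: bytes, now: float) -> bytes:
        self.seq = (self.seq + 1) & MASK32
        body = HEADER.pack(MAGIC, self.seq, now, len(payload)) + payload
        return body + TRAILER.pack(zlib.crc32(body) & MASK32)


class SafetyReceiver:
    """Receiving safety system: checks each envelope and runs the watchdog."""

    def __init__(self):
        self.last_seq = None       # last accepted sequence number
        self.last_good_rx = None   # receiver clock when the last valid frame arrived
        self.payload = None        # last accepted payload
        self.safe_state = False    # latched once the unit trips
        self.rejected = []         # reasons for discarded frames, for diagnostics

    def _reject(self, why: str) -> bool:
        self.rejected.append(why)
        return False

    def receive(self, frame: bytes, now: float) -> bool:
        """Validate one frame from the shared network; True if accepted.
        A bad frame is discarded and never acted upon. Whether the resulting
        gap is long enough to trip is decided by the watchdog in tick()."""
        if len(frame) < HEADER.size + TRAILER.size:
            return self._reject("short frame")
        body, tail = frame[:-TRAILER.size], frame[-TRAILER.size:]
        if zlib.crc32(body) & MASK32 != TRAILER.unpack(tail)[0]:
            return self._reject("crc mismatch")          # corrupted in transit
        magic, seq, sent_at, length = HEADER.unpack(body[:HEADER.size])
        payload = body[HEADER.size:]
        if magic != MAGIC or len(payload) != length:
            return self._reject("malformed header")
        if self.last_seq is not None:
            delta = (seq - self.last_seq) & MASK32
            if not 0 < delta < 0x80000000:               # 0 = replay, large = out of order
                return self._reject(f"stale or replayed sequence {seq}")
        # Assumes the two units' clocks agree to well within the process safety time.
        if abs(now - sent_at) > PROCESS_SAFETY_TIME_S:
            return self._reject("sender time outside process safety time")
        self.last_seq, self.last_good_rx, self.payload = seq, now, payload
        return True

    def tick(self, now: float) -> bool:
        """Called every safety cycle; returns True when the unit is in safe state."""
        if self.last_good_rx is None or now - self.last_good_rx > PROCESS_SAFETY_TIME_S:
            self.safe_state = True   # watchdog: no valid data inside the process safety time
        if self.payload == TRIP:
            self.safe_state = True   # valid, timely shutdown demand from the other unit
        return self.safe_state


def run_scenarios() -> dict:
    """Constructed scenarios (not a real capture) covering each failure mode."""
    out = {}
    tx, rx = SafetySender(), SafetyReceiver()
    t, last_good = 0.0, b""
    for _ in range(4):                                    # healthy cyclic traffic
        t += SEND_INTERVAL_S
        last_good = tx.envelope(NO_TRIP, t)
        rx.receive(last_good, t)
    out["healthy_trips"] = rx.tick(t)                     # False
    t += SEND_INTERVAL_S
    bad = bytearray(tx.envelope(NO_TRIP, t))
    bad[HEADER.size] ^= 0x01                              # one payload bit flipped in transit
    out["corrupt_accepted"] = rx.receive(bytes(bad), t)   # False
    out["corrupt_trips"] = rx.tick(t)                     # False: one loss is inside the PST
    out["replay_accepted"] = rx.receive(last_good, t)     # False: sequence already seen
    t += PROCESS_SAFETY_TIME_S + SEND_INTERVAL_S          # network silent beyond the PST
    out["silence_trips"] = rx.tick(t)                     # True
    tx, rx = SafetySender(), SafetyReceiver()             # fresh pair: propagate a shutdown
    rx.receive(tx.envelope(TRIP, SEND_INTERVAL_S), SEND_INTERVAL_S)
    out["demand_trips"] = rx.tick(SEND_INTERVAL_S)        # True
    return out


if __name__ == "__main__":
    for name, tripped in run_scenarios().items():
        print(f"{name:17s} {tripped}")
```

Two design points carry the safety argument. A corrupted or replayed frame is not itself a trip condition; it is simply never acted upon, and the trip follows from the watchdog when the gap in valid data exceeds the process safety time, which is what makes the shared network a passive carrier rather than a participant. And the receiver starts with no valid data, so a unit that never hears from its peer is in the safe state from the first cycle, which is the fail-safe default the text's "appropriate (safety) action" implies.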


This envelope mechanism can be made part of the standard operating system of the safety system, and then has the same safety integrity level as any other safety-related function in the application. In addition, every aspect of the control system, i.e. each piece of hardware and software in all parts of the control system, the engineering workstation database and especially the communication between parts of the control system via the shared network, must be assessed as a non-interfering participant during the certification process according to IEC 61508.

Integrity of Operations

The integrated information from the integrated control and safety system is very convenient for process operators and improves the integrity of their work. Even in an integrated system, the operator HMI usually shows control data, alarms and events in normal operation. Once an abnormal situation occurs, however, alarms from the safety functions must reach the operator without being buried under an alarm flood from the control system. The operator HMI should therefore have a dedicated function to display safety alarms and events with a higher priority than the information from the control system. This kind of functionality is a great help when the operator is part of a safety-related function, e.g. between receiving a fire alarm and activating the F&G system.

CONCLUSION

An integrated control and safety system offers the end user many operational advantages over separate systems. It not only meets the requirements of the standards but enhances safety integrity as well.

REFERENCES

IEC 61508: Functional safety of electrical/electronic/programmable electronic safety-related systems
IEC 61511: Functional safety: Safety Instrumented Systems for the process industry sector
ANSI/ISA 84.00.01: Programmable Electronic System for Use in Safety Applications
"Guidelines for Safe Automation of Chemical Processes" and "Layer of Protection Analysis", CCPS of the AIChE, 3 Park Avenue, New York, NY 11016-5991