FUNCTIONAL SAFETY AND REGULATORY CONTROL IN A SINGLE SYSTEM
Addressing functional safety and regulatory control in a single system has been a challenge for the past decade – even more so when systems are destined for use in hazardous areas. A unique and market-leading technical solution from Siemens offers these combined capabilities – delivering a number of key benefits such as a simplified safety verification process, tangible cost savings and scalability.
It has already been positively embraced by the oil & gas and chemical industries. Ian Curtis, safety consultant for Siemens Industry Automation, a division of Siemens Industry sector, explains more.
The worlds of functional safety and hazardous area protection are, of necessity, often closely associated. However, when it comes to meeting the requirements of these two complementary yet distinct disciplines in a distributed I/O system, there are many technical challenges to overcome.
With the release of the first SIL 3 capable failsafe I/O modules for the Siemens ET200iSP hazardous area remote I/O station, these obstacles have been comprehensively addressed – giving users the potential for new safety system architectures which boast dramatically simplified engineering and a reduction in the total lifecycle cost for automation and safety.
Early process automation systems were typically distributed but, ironically, with the advent of the Distributed Control System (DCS), system architectures actually became much more centralised. In recent years, there has been a shift back again toward a more distributed approach. This same trend has been reflected, albeit to a lesser extent, in distributed safety within the process industry but the recent addition of capability for integrated failsafe I/O in the hazardous area looks set to accelerate this trend.
Given the conservative nature of the industry there are still many users who prefer to stick to a centralised approach, particularly when intrinsic safety requirements are involved. The traditional practice of putting the controllers and I/O in the safe area and using IS barriers is well understood and still in common use. However, the tough economic climate of the last few years has prompted end users and OEMs to increasingly assess and adopt new concepts such as distributed failsafe systems which – far from making matters more complicated – actually solve many problems.
The scalability of such distributed systems, particularly those that combine control and safety in the same infrastructure, means they can also be used cost effectively for small process units, OEM skids or rotating equipment with smaller I/O counts.
The distributed approach reduces the need for multi-core cables carrying I/O signals; this means reduced installation effort, a reduced risk of wiring errors and simplified bus connection of I/O stations.
SIL3 capability in a Zone 1 hazardous area is a step change that will strengthen the success of distributed I/O systems and really open up new possibilities. Users from the oil and gas industry, chemical industry, and other major hazard industries will look to benefit from the ability to combine configurations that include non-fail-safe modules, such as standard inputs/outputs and relay modules, alongside failsafe modules. Another key benefit is the potential for cost saving through the elimination of ex-barriers, less wiring and space optimisation.
Many OEM suppliers are also exploiting the possibilities of distributed automation in hazardous areas, particularly when they market their products to target emerging markets. If the end customer's employees lack expertise, the use of a centralised configuration often leads to wiring errors – and a lengthy commissioning phase.
When the ET200iSP remote I/O station is located directly at the machine or process skid, commissioning is straightforward and the space savings are considerable. As complicated and space-consuming as the earlier approach was – with remote I/O cables, terminals and ex-barriers – this marshalling effort can now be completely eliminated. It is also easier to achieve the redundancy required in many applications: the ET200iSP is connected via RS485-iS in the hazardous area, and the path from the CPU in the control room to the field can also be made redundant. Digital and high availability requirements are covered by the bus.
Because of the growing popularity of distributed safety in the OEM market, an end user who does not start out with it as a strategy for their plant often “inherits” it anyway, as process skids and OEM-type equipment arrive with their own safety systems.
New solutions
The ET200iSP is a remote I/O system that can be used in hazardous areas, and Siemens has recently released three new failsafe capable I/O modules: the first SIL3 capable modules of a distributed I/O system on the market that are suitable for the Zone 1 hazardous area.
When employing a more distributed approach, one of the challenges is the scalability of the system. Distributed I/O stations often have to accommodate relatively small I/O counts in a cost effective manner. It is therefore advantageous if control and safety I/O modules can co-exist without any compromise in terms of safety. This integrated control and safety concept can also extend to the control and communications.
There are customers that seek to run standard and failsafe programs on one CPU and to handle standard and failsafe communications on one bus with PROFIsafe. The Siemens system can accommodate this, but users can maintain physical separation if they prefer. It is also possible to implement safety-related functions with a separate CPU and a separate bus – and many opt for this more conservative approach. But, in principle, separate hardware is no longer necessary to achieve safety.
To meet the requirements for SIL3, all that is needed in the chain is one controller, one bus, one station and one I/O module. These components are developed and certified according to IEC 61508 up to SIL3. Redundancy of the entire system or of portions of it helps to increase the availability of the system, but is not necessary to achieve SIL3.
The integrated control and safety approach brings other wide-ranging benefits. It consolidates information from the control and safety systems, giving engineering, operations and maintenance staff a single window into the process and the automation system assets.
The first large customers for the ET200iSP F-modules have been from the oil and gas industry. They have used the fail-safe modules in water-oil separating equipment and tank farms. Other early adopters have come from the basic chemical industry. Offshore projects generally also lend themselves to distributed safety, and the combination of failsafe and hazardous area capability afforded by these new modules will be attractive for such applications.
When compared to standard I/O with barriers, the hardware costs with ET200iSP are reduced by up to 25%. Added to this are the reduced costs associated with engineering manpower, a reduced footprint (approximately 30% smaller), simpler documentation and explosion protection calculations. In addition, there are significant cabling and wiring cost savings.
Another benefit of a distributed approach is expandability. A standard centralised approach will normally have some spare capacity built in – but beyond this, further expansion can often be problematic. The ability to expand in a distributed scenario is effectively unlimited. Additional modules and stations can be added as required.
The ET200iSP distributed I/O subsystem with Failsafe I/O allows users to do away with conventional barriers – which often prove incompatible with the diagnostic functions of a typical failsafe module. The “internal barriers” of the new modules, on the other hand, permit diagnostics down to the sensor/actuator level. In addition, the safety evaluation is simplified. This applies in particular to the calculation of probability of failure on demand (PFD) for safety-related functions – also known as SIL verification.
SIL verification is perceived by some as being challenging, and there may be a concern that an integrated approach compounds this problem. In fact, for a simple loop it is a straightforward combination of the PFD values of the individual components within the safety loop, and this does not change when the configuration mixes fail-safe and non-fail-safe modules: only the components in the safety loop enter the calculation. Fail-safe is becoming the new standard, and for this to happen it must have usability to match.
For more complex situations, manufacturers supply the required safety parameters, but it is no longer a case of simple combination. For SIF architectures involving 1oo2 or 2oo3 configurations of system elements, standards and guidelines such as IEC 61511 and VDI 2180 provide simplified formulas.
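The combination step described above, as an added worked example that is neither Siemens code nor taken from the article: it sums constructed PFD values for the sensor, logic-solver and final-element subsystems using the common simplified 1oo1/1oo2/2oo3 approximations and reads off the SIL band. The failure rates, proof-test interval and common-cause (beta) factor are assumed values, not figures for any real module.

```python
# Worked SIL-verification example (added here; not Siemens code or data).
# Sums per-subsystem PFDavg values for a low-demand safety instrumented
# function (SIF) and checks the total against the IEC 61508 SIL bands.
# The 1oo1 / 1oo2 / 2oo3 formulas are the common simplified approximations
# (dangerous undetected failure rate lam_du per hour, proof-test interval
# t_hours, common-cause factor beta); repair time and diagnostics are ignored.
# Standard (non-failsafe) modules beside the failsafe ones are not in the
# loop and so contribute nothing to the sum. All numbers are constructed.

def pfd_1oo1(lam_du, t_hours):
    return lam_du * t_hours / 2

def pfd_1oo2(lam_du, t_hours, beta):
    ind = (1 - beta) * lam_du              # independent part of the failure rate
    return ind ** 2 * t_hours ** 2 / 3 + beta * lam_du * t_hours / 2

def pfd_2oo3(lam_du, t_hours, beta):
    ind = (1 - beta) * lam_du
    return ind ** 2 * t_hours ** 2 + beta * lam_du * t_hours / 2

def pfd_subsystem(arch, lam_du, t_hours, beta=0.0):
    if arch == "1oo1":
        return pfd_1oo1(lam_du, t_hours)
    if arch == "1oo2":
        return pfd_1oo2(lam_du, t_hours, beta)
    if arch == "2oo3":
        return pfd_2oo3(lam_du, t_hours, beta)
    raise ValueError(f"unsupported architecture: {arch}")

def sil_from_pfd(pfd):
    # Low-demand bands: SIL n means 10^-(n+1) <= PFDavg < 10^-n; 0 = below SIL 1.
    for sil in (4, 3, 2, 1):
        if 10.0 ** -(sil + 1) <= pfd < 10.0 ** -sil:
            return sil
    return 0

def verify_loop(subsystems, target_sil):
    """Return (loop PFDavg, achieved SIL, target met?) for a list of subsystems."""
    pfd_loop = sum(pfd_subsystem(**s) for s in subsystems)
    achieved = sil_from_pfd(pfd_loop)
    return pfd_loop, achieved, achieved >= target_sil

# Constructed SIF: 2oo3 transmitters, 1oo1 logic solver, 1oo2 valves, 1-year proof test.
T = 8760.0
LOOP = [
    {"arch": "2oo3", "lam_du": 2.0e-7, "t_hours": T, "beta": 0.05},
    {"arch": "1oo1", "lam_du": 5.0e-9, "t_hours": T},
    {"arch": "1oo2", "lam_du": 1.0e-6, "t_hours": T, "beta": 0.10},
]

if __name__ == "__main__":
    pfd, sil, ok = verify_loop(LOOP, target_sil=3)
    print(f"loop PFDavg = {pfd:.2e}, achieves SIL {sil}, SIL 3 target met: {ok}")
```

With these constructed inputs the final element dominates the loop PFD, which is the usual finding in practice and the reason the valve subsystem is the first place to add redundancy.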
The complex task falls to manufacturers of safety certified devices to determine the safety characteristic values using mathematical models, while simultaneously conforming to explosion protection requirements – not to mention obtaining certification from various certification bodies around the world, each having a different focus. This up-front work benefits the users because it simplifies the calculations from a user perspective and means modules will comply with standards worldwide.
This new development enables failsafe and standard I/O to be used side-by-side in a Zone 1 hazardous area with failsafe communication over PROFIsafe back to the Control layer. This brings many benefits, but importantly helps to simplify the task of ensuring safety by incorporating the barriers into the equipment, enhancing diagnostics and simplifying the SIL verification activity.
The issue of safety engineering involved in machine-based and process-orientated disciplines will be debated at Answers for Industry, a major conference and exhibition hosted by Siemens. The event takes place on 4 and 5 July 2012 at Central Hall 2, Manchester Central Convention Complex and will tackle UK industry’s key challenges. Entry is free.
To book your place or find out more, please visit: www.siemens.co.uk/afi