Safety instrumented systems: using single-loop logic solvers

When implementing safety instrumented systems, single-loop logic solvers provide an affordable option that delivers simple installation, easier validation and faster start-up.

The industrial process industries are experiencing a dynamic growth in process functional safety applications. Much of this growth has been driven by increased awareness of destruction of property, injuries and loss of life associated with tragic events that are widely publicised in the worldwide media.

Companies, of course, have a moral and legal obligation to limit risks posed by their operations. In addition to their social responsibilities, the costs of litigation measuring in the billions of dollars has caught the eye of risk management executives worldwide. As a result, management recognises the financial rewards of utilising a properly designed process system that optimises reliability and safety.

That’s why companies are now actively taking steps to comply with various national and worldwide safety standards such as ANSI/ISA 84 and IEC 61508/61511. To accomplish this, safety practitioners look to a new generation of equipment specifically designed and approved for use in safety instrumented systems that utilise electrical, electronic or programmable (E/E/PE) technologies.

Safety instrumented systems

A safety instrumented system (SIS) is defined as an instrumented system used to implement one or more safety instrumented functions (SIFs). A SIS is composed of any combination of sensors, logic solvers and final control elements for the purpose of taking a process to a safe state when predetermined conditions are violated.

A SIF is a function to be implemented by a SIS that is intended to achieve or maintain a safe state for the process with respect to a specific hazardous event.

Examples of SIF applications include:

• Shutdown in a hazardous chemical process plant.
• Open a valve to relieve excess pressure.
• On/off control to prevent tank overflow.
• Shut down fuel supply to a furnace.
• Add coolant to arrest exothermic runaway.
• Automatic shutdown when operator not present.
• Close a feed valve to prevent tank overflow.
• Initiate release of a fire suppressant.
• Initiate an evacuation alarm.

IEC 61508 provides guidelines

To help companies implement a SIS, the International Electrotechnical Commission (IEC) developed ‘IEC 61508: Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems’. The main objective of IEC 61508 is to provide a design standard for safety instrumented systems to reduce risk to a tolerable level by following the overall hardware and software safety lifecycle procedures, and by maintaining the associated stringent documentation. IEC 61508 has become the benchmark used mainly by safety equipment suppliers to show that their equipment is suitable for use in Safety Integrity Level (SIL) rated systems.

For legacy products, suppliers are performing a Failure Modes, Effects and Diagnostic Analysis (FMEDA) hardware-only assessment which provides failure data for SIS designers and may also provide proven-in-use data. This does not include any assessment of the product development process which contributes to systematic faults in the device design.

New devices that are fully compliant with IEC 61508 address systematic faults by a full assessment of fault avoidance and fault control measures during hardware and software development.

Safety integrity level (SIL)

To determine a SIL, the safety practitioner team’s process hazard analysis (PHA) procedure identifies all process hazards, estimates their risks and decides if specific risks are tolerable. Once a SIL has been assigned to a process, the safety practitioner has to verify that the individual components (sensors, logic solvers, final elements, etc) that are working together to implement the individual safety instrumented functions (SIFs) comply with the constraints of the required SIL.

For any device used in a SIS, the team must pay close attention to each device’s safety failure fraction (SFF) and probability of failure on demand (PFD_avg).

Tables 1 and 2 provide additional information. Table 1 shows the required availability and probability of failure for the four SILs, where safety availability is the availability of a SIS to perform the task for which it was designed; the average probability of failure on demand (PFD_avg) is the likelihood that a SIS component will not be able to perform its safety action when called on to do so; and the risk reduction factor (RRF) is defined as 1/PFD_avg,: the number of times that risk is reduced as a result of the application of a safeguard.

Table 1: The SIL is a measure of the amount of risk reduction provided by a SIF, with SIL 4 having the highest level of safety integrity, and SIL 1 the lowest.

Table 2 shows that a more complex device (such as a device involving a software component) must achieve a defined SFF to be suitable for a specific SIL, where the Safety Failure Fraction (SFF) is the ratio of the average rate of safe failures plus dangerous detected failures of the subsystem to the total average failure of the subsystem; and the Hardware Fault Tolerance (HFT) is the level of required device redundancy. For example, an HFT of 1 means that there are at least two devices in the system and a dangerous failure of one device does not prevent the safety function from performing.

Table 2: To be considered for a specific SIL level application, a Type B ‘complex’ device (such as a microprocessor-based logic solver), must achieve a defined SFF rating.

For each device in the SIF, both the SFF and the PFDavg have to be compared to the rules outlined in the safety standards to ensure that they are sufficient for use in the required SIL of the SIS. If these devices are classified as Type B, such as microprocessor-based devices, the development process including software must also be assessed and approved for the required SIL level. While the standards do allow proven-in-use data as proof of a device’s reliability, such information is usually very hard to verify and document. For this reason many end users prefer devices fully assessed by third-party organisations.

It is always the responsibility of the end user to perform or verify the calculations for the entire safety loop. Since a SIF relies on more than one device, it is imperative that all devices in the loop work together to meet the required SIL levels. The device’s SFF and the PFDavg values used for these calculations can be found in an FMEDA report.

FMEDA reports

IEC 61508 requires a quantitative, as well as qualitative, assessment of risk. An FMEDA provides a systematic way to assess the effects of all probable and known failure modes, including online monitoring and error checking, of a SIS component. It is a detailed circuit and performance evaluation that estimates failure rates, failure modes and diagnostic capability of a device. This data is provided to be used by a competent functional safety practitioner to determine a device’s applicability in a specific safety-related application. It is best if the FMEDA report is certified by a well-qualified third-party agency that specialises in functional safety approvals.

Logic solvers

Until recently, the thought of a safety system conjured up images of triple modular redundant (TMR) systems that represent enormous capital expenditures. Today, however, manufacturers offer a wide gamut of safety-certified devices that can be integrated into very cost-effective solutions. One simple, economical, yet highly dependable option is using a safety trip alarm as a single-loop logic solver.

Figure 1: Single-loop logic solvers, with selectable dead bands to reduce false alarms, can be used to warn of unwanted process conditions or to provide emergency shutdown.

A single-loop logic solver monitors a temperature, pressure, level, flow, position or status variable. If the input exceeds a selected high or low trip point, one or multiple relay outputs warn of unwanted process conditions or provide emergency shutdown (Figure 1), or provide on/off control, such as in a level control application (Figure 2). Of course, such device would need to be certified to IEC 61508:2010 for SIL 2 and SIL 3 applications.

Figure 2: Safety trip alarms can be used as simple on/off controllers in level applications when filling, emptying or preventing overflow of a container or tank.

Increased sophistication

The sophistication of alarm trips, and their applicability in SIS systems, has increased exponentially since their introduction. This includes programmable inputs; local configuration using onboard controls; safe password protection; a process display; transmitter excitation (the ability to power a transmitter eliminates an additional possible point of failure); and comprehensive internal, input and sensor diagnostics.

Input and instrument diagnostics with fault alarms

Specially engineered safety trip alarms can check their own operation and configuration on start-up, and then continuously monitor this information, as well as the input signal. If internally diagnosed faults or external faults, such as loss of sensor or a bad quality input occur, the alarm will trip a fault alarm.

SIL 2 and SIL 3 applications

By using the latest generation of single-loop logic solvers, users can realise many of the same advantages of larger and more expensive safety-certified PLCs at a fraction of the cost. If a microprocessor-based single-loop logic solver has an SFF greater than or equal to 90%, and the PFDavg data falls within the required range, it is suitable for use in SIL 2 applications using a 1oo1 (no voting or redundancy required) architecture. In a 1oo2 architecture (redundancy) this same single-loop logic solver could be suitable for use in a SIL 3 application provided the software is assessed and suitable for SIL 3 applications.

Figure 3: Single-loop logic solver in a high integrity architecture.

Figure 4: Single-loop logic solver in a high availability architecture.

Typical examples of single-loop logic solvers in safety instrumented systems include:

• High integrity architecture: This configuration offers the highest trip integrity in a non-redundant application (Figure 3). Since all three relays are wired in series, any trip alarm or fault alarm will trip the final element or logic solver.
• High availability architecture: In this configuration, the safety trip alarm provides higher process or system availability (Figure 4). The fault alarm is wired separately to inform a safety system that there is a fault alarm and that this component’s ability to carry out its portion of the SIF cannot be performed. This configuration would be used in applications where it is desirable to keep the process running should a fault occur because of a bad input or instrument fault. The output process trip relays are connected in a 1oo2 scheme to trip, providing security against a single relay failure. However, should the fault relay become active, the fault should be removed before the safety trip alarm can provide proper safety coverage.
• 1oo2 redundant architecture: In this architecture, every component appears twice, and may be applicable for use in SIS systems up to SIL 3 (Figure 5). Advantages are improved reliability of trip action and reduced vulnerability to a single failure compared to a 1oo1 architecture. The logic in this configuration is an ‘OR’ statement for the safety function; if either sensor input reaches a trip condition or a fault relay is activated, the loop or function will reach a tripped state.

Figure 5: Single-loop logic solvers in a 1oo2 redundant/voting architecture are applicable for use up to SIL 3.

Third-party safety certifications

Today, some single-loop logic solvers are designed ‘from the ground up’ in accordance with IEC 61508. An essential requirement to verify their design is a third-party certification from TÜV, exida or a similarly accredited approval body. This certification provides unbiased, verified evidence that the unit is appropriate for use in specific SIS strategies. For example, the certification may verify that the device is appropriate for SIFs up to SIL 2 in a simplex or 1oo1 configuration. For increased process availability or higher SILs (such as SIL 3), the devices may be applied in 1oo2 or 2oo3 architectures (Figure 6). Hazardous area approvals, specifically Class 1, Division 2 for non-incendive (Type N) applications and Zone 2 applications, are a must.

Just the right fit

Today, there are solutions for SIS strategies with hundreds of I/O and there are those for systems with just a handful of I/O — and everything in between. The latest generation of safety-certified single-loop logic solvers fits into this scenario nicely. They provide an affordable option that delivers simple installation, easier validation and faster start-up. Perpetual benefits that last for the life of the system include less maintenance, faster testing, easier documentation of the safety management reports and modular replacement strategies.

Image credit: ©Giuseppe Porzani/Dollar Photo Club