Safety system aimed at SIL 2 applications

01 October 2006

By taking a careful look at the safety system market and available technology, one company has come up with a relatively low-cost solution for fire and gas, burner management, and emergency shut down applications.

The recently introduced SafetyNet product from MTL Open System Technologies (MOST) is a functional safety platform certified by TÜV for use in SIL 2 safety functions. Built with MOST’s open control architecture, it complies with the IEC 61508 and IEC 61511 standards.

‘SafetyNet hits a sweet spot in today’s market,’ says Dil Wetherill, Business Development Manager for MOST. ‘As safety system companies and end users apply IEC 61508, they find that they have many SIL 2 safety functions which do not require the initial expense and cabinet space of more sophisticated SIL 3 solutions. SafetyNet offers them a real process control solution to these lower level safety functions.’

He says companies have traditionally relied on programmable logic controllers (PLCs) for SIL 2 solutions, which greatly increases the cost. Not only is the cost of SafetyNet much lower, it also has all the ‘recognisable process control features’, such as HART, hazardous area capability, and high levels of availability.

One of the main differences is that while PLC-based safety systems use redundant components to boost their safety levels, SafetyNet has been designed to meet these requirements with simplex controllers and simplex I/O modules. Redundant controllers can be added for improved availability, but they are not necessary to achieve SIL 2. The SIL 2 rating on SafetyNet is reached primarily by internal diagnostics; this is, in fact, the basis of the TÜV certification.

SIL 2 and SIL 3
Moving from SIL 1 to SIL 2 to SIL 3 places progressively higher demands on the safety system. Each step tightens the target failure measure by an order of magnitude: the average probability of a dangerous failure on demand allowed for SIL 2 is ten times lower than for SIL 1, and for SIL 3 it is ten times lower again.

Users face increasingly demanding requirements as they move up through the SIL bands. The level of testing on the application programme increases dramatically, and so does the amount of redundancy. SIL 2 will often be 1oo1 (one out of one), whereas SIL 3 would normally require 1oo2 for valves, transmitters, and the I/O modules in the PLC.

Yet real world studies show that the significant cost increases aren’t the obvious ones when you move up the SIL levels, claims Mr. Wetherill.

‘Yes, the PLC is more expensive—as you would expect, since it’s 10 times less likely to have a dangerous failure. Yes, you might have twice the number of transmitters and valves. But experience shows that the really significant costs are the less obvious ones: the extra engineering effort that goes into the review process for approving the initial design and any subsequent modifications. A study done by Prosalus Ltd., an independent consultant in the U.K., shows that the engineering cost of a SIL 3 system is about twice as much as a SIL 2 system.’

The cost difference is so pronounced that some users will attempt to redesign their process to reduce its risk level and accommodate a lower-level SIL system. Other users will shrug off the costs and deploy a SIL 3 system where a SIL 2 system would do. Why do they spend the extra money?

Mr. Wetherill thinks that some users want a single safety solution and don’t want a mix of SIL 3 and SIL 2 systems in their plants, so they standardise on the safer SIL 3 solution. And then there are companies who apply IEC 61508 not just to personnel, as they are required to do, but also to environmental impact. For instance, if a high pressure undersea pipeline splits it wouldn’t kill anyone, but it would dump crude oil into the sea, so it is standard practice to apply a SIL 3 solution to the overpressure protection system, even though from a pure IEC 61508 standpoint a SIL 2 system would do.

SafetyNet vs. PLCs
Purpose-built SafetyNet is designed to be installed close to the process, whereas most PLC systems are designed for IP20 installations, that is, for mounting inside a protective cabinet.

And, generally speaking, PLC safety systems provide their safety through redundancy, but this inevitably means more hardware and more cost. SafetyNet takes a different path. It uses comprehensive internal diagnostics so that redundancy is not needed to meet SIL 2.

For example, the SafetyNet analogue input module is designed so that there are two independent (and different) circuits measuring the 4 - 20mA input. The primary circuit reports the value to the controller and the secondary circuit is used as a check on the first. If there is more than 2% difference, the channel is flagged as faulty.

By way of contrast, a standard non-safety PLC can only implement this check by wiring in a second analogue input channel and having the systems integrator write code that compares the two. That code then goes into the documentation, approval and checking procedure, and must be rigorously re-checked whenever a change is made.

So PLC redundancy doubles the cost and doubles the size. But an important hardware question remains: since the second analogue circuit is likely to be an exact duplicate of the first, how do users know that both won’t suffer the same fault at the same time (a common-cause failure)? Two circuits of different design, as in SafetyNet’s analogue input, are less likely to fail in the same way together.

And how does a user detect that the application programme downloaded to the PLC hasn’t been corrupted? Every five seconds, SafetyNet checks that the CRC signature of the application programme hasn’t changed. If it has, the system automatically enters failsafe mode. The check is part of the certified system, so the end user does not have to design, document or validate it. One caveat a practitioner should keep in mind: a CRC guards against accidental corruption, such as a flipped memory bit or a partial download; it is not a cryptographic integrity check and does not on its own defend against a deliberate modification by someone able to recompute the signature.
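The two diagnostics described above, the two-circuit analogue input comparison and the periodic CRC check of the application programme that drops the controller into failsafe, are modelled in the following C program. It is an added illustration written for this article, not code from MOST or from the SafetyNet product, and it assumes details the article does not state: that the 2% is measured against the 16 mA span of a 4–20 mA loop, that the signature is a standard CRC-32, that the check period is five seconds, and that failsafe latches until the programme is downloaded again. The programme image, channel readings and bit flip are constructed sample data.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* --- Analogue input with two independent measuring circuits ------------- */

/* Assumed: the 2% discrepancy limit is relative to the 16 mA span of a
   4-20 mA loop, i.e. 0.32 mA. The article does not say what the 2% is
   measured against. */
#define LOOP_MIN_MA     4.0
#define LOOP_MAX_MA     20.0
#define SPAN_MA         (LOOP_MAX_MA - LOOP_MIN_MA)
#define CHANNEL_TOL_MA  (0.02 * SPAN_MA)

enum channel_status { CHANNEL_OK, CHANNEL_FAULT };

/* One scan of a diagnostically checked input. The controller is given the
   primary circuit's value; the secondary circuit (different design) only
   decides whether that value may be trusted. */
struct ai_reading {
    double value_ma;          /* what the controller sees */
    double discrepancy_ma;    /* |primary - secondary| */
    enum channel_status status;
};

struct ai_reading ai_scan(double primary_ma, double secondary_ma)
{
    struct ai_reading r;
    double d = primary_ma - secondary_ma;
    if (d < 0) d = -d;
    r.value_ma = primary_ma;
    r.discrepancy_ma = d;
    r.status = (d > CHANNEL_TOL_MA) ? CHANNEL_FAULT : CHANNEL_OK;
    return r;
}

/* --- Application programme integrity monitor ---------------------------- */

/* Assumed: a standard reflected CRC-32 (polynomial 0xEDB88320).
   Check value for "123456789" is 0xCBF43926. */
uint32_t crc32_ieee(const uint8_t *data, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

#define CHECK_PERIOD_S 5   /* assumed check period from the article */

enum controller_mode { MODE_RUN, MODE_FAILSAFE };

struct program_monitor {
    const uint8_t *image;    /* programme as held in controller memory */
    size_t len;
    uint32_t reference_crc;  /* signature recorded at download time */
    enum controller_mode mode;
};

void program_monitor_init(struct program_monitor *m, const uint8_t *image, size_t len)
{
    m->image = image;
    m->len = len;
    m->reference_crc = crc32_ieee(image, len);
    m->mode = MODE_RUN;
}

/* Called by the scheduler every CHECK_PERIOD_S seconds. Failsafe latches:
   only a fresh download (re-init) returns the controller to RUN. */
enum controller_mode program_monitor_tick(struct program_monitor *m)
{
    if (m->mode == MODE_RUN && crc32_ieee(m->image, m->len) != m->reference_crc)
        m->mode = MODE_FAILSAFE;
    return m->mode;
}

/* Worked scenario on a constructed image: one clean check, then a single
   bit flips in memory, then the bit is restored. Returns the final mode,
   which must still be FAILSAFE because the trip latches. */
enum controller_mode demo_bit_flip(void)
{
    uint8_t image[] = { 0x01, 0x10, 0x02, 0x20, 0x7F, 0x00, 0x42, 0xAB }; /* constructed */
    struct program_monitor m;
    program_monitor_init(&m, image, sizeof image);
    program_monitor_tick(&m);          /* clean: stays in RUN */
    image[5] ^= 0x04;                  /* memory corruption */
    program_monitor_tick(&m);          /* CRC differs: enters FAILSAFE */
    image[5] ^= 0x04;                  /* corruption "heals" itself */
    return program_monitor_tick(&m);   /* still FAILSAFE */
}

int main(void)
{
    struct ai_reading ok = ai_scan(12.00, 12.10);   /* constructed readings */
    struct ai_reading bad = ai_scan(12.00, 12.50);
    printf("channel A: %.2f mA, diff %.2f mA, %s\n", ok.value_ma, ok.discrepancy_ma,
           ok.status == CHANNEL_OK ? "OK" : "FAULT");
    printf("channel B: %.2f mA, diff %.2f mA, %s\n", bad.value_ma, bad.discrepancy_ma,
           bad.status == CHANNEL_OK ? "OK" : "FAULT");
    printf("after bit flip (checked every %d s): %s\n", CHECK_PERIOD_S,
           demo_bit_flip() == MODE_FAILSAFE ? "FAILSAFE" : "RUN");
    return 0;
}
```

Two design points worth noting. The fault decision is made per scan and reported alongside the value, so a discrepancy flags the channel rather than silently averaging the two circuits. And the integrity trip latches: a CRC that happens to match again on the next tick must not return the controller to RUN, because the programme ran for up to one check period in an unknown state.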

It is more difficult to do this on a PLC, says Mr. Wetherill. ‘You may not be able to access the CRC for this memory space. Maybe you set the application programme “tests” for which you know the answer, but this could only check part of the programme; it wouldn’t be complete. And whatever you did would need to be checked and approved, and again if you had a modification.’

Integrate with process control
SafetyNet is built on the same architecture as the MOST Process Automation System, so it can be integrated with MOST’s Process Control Platform to build an integrated control and safety system. This allows companies to address their process control and functional safety needs with the same basic platform.

‘The components may be applied in many different ways—regulatory and discrete control, emergency shutdown, fire and gas detection, burner management and combustion control—but we believe that there are many advantages when the engineering environment, the operator interface, and the look and feel of the hardware are all common. In particular, the cost of training and the risk of mistakes are reduced,’ says Mr. Wetherill.
