Safe control for critical processes
With built-in redundancy

Specialized, highly reliable controllers such as redundant-architecture PLCs are essential for safety-critical control applications. Integrating these controllers in conventional, distributed control systems offers both engineering and commercial benefits.

Rein Tiezema

Programmable systems are now being specified routinely for safety-critical applications in all kinds of industries. Where just a few years ago only solid-state equipment would have been considered reliable enough for these tasks, more and more companies in the process industries are now realising the advantages of programmable systems. Programmable systems are also cheaper to modify when the plant's requirements change.
Built-in redundancy, high-quality construction and careful attention to avoiding common-mode failures mean that modern, specialized programmable systems are suitable for many safety-critical applications. Additional fault tolerance ensures that the process spends as much time as possible on-stream, yet without compromising safety. Diagnostic and reporting functions simplify maintenance and the exchange of information with other plant systems, such as distributed control systems (DCSs).
Oil and gas companies and petrochemical manufacturers have led the switch to programmable safety systems, and have validated these systems in accordance with national and especially international standards and guidelines.
Environmental protection is another area that can benefit from highly reliable systems, as more and more companies adopt formal environmental quality standards such as ISO 14000. Although currently small, this market is set to grow significantly during the next decade, as operators become aware of the need to validate the critical systems that prevent the environmental release of toxic chemicals.
DCSs in a safety context
There are important differences in the way different industries approach process safety. Oil and gas producers and petrochemical companies use mainly continuous processes, which are comparatively straightforward to shut down in an emergency (ESD). The usual approach in these industries is therefore to keep the safety system and the DCS independent of one another. Consequently, the safety system can be validated to a higher level of integrity than the DCS, which simplifies the validation process and keeps costs down. Having used this principle for a long time, refineries and hydrocarbon production platforms now have many years' experience with stand-alone safety systems.
Links between a stand-alone safety system and the DCS that controls the day-to-day running of the site simplify operation and maintenance without compromising safety. When a high-integrity programmable logic controller (PLC) is used in conjunction with a DCS, for instance, certain variables can be identified as not to be overwritten by information supplied from the DCS. In this way the PLC retains its integrity while still enjoying the benefits of full communication with the DCS.
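The write-protection described above, as an added illustration that is not ProSafe or Yokogawa code: the safety PLC keeps its own register table, and a write arriving over the DCS link is accepted only for registers explicitly marked as DCS-writable; everything else is refused and recorded. The register names and values are constructed for the example.

```python
"""Model of the DCS-to-safety-PLC link (added example, not ProSafe code).

Writes from the DCS are applied only to registers the PLC marks as writable;
writes to protected, safety-critical registers are rejected and logged, so the
PLC's integrity never depends on what the DCS sends.
"""
from dataclasses import dataclass, field

# Constructed register map: name -> (initial value, dcs_writable)
REGISTERS = {
    "ESD_TRIP_SETPOINT": (150.0, False),   # safety-critical, PLC-owned only
    "COOLING_DEMAND": (0.0, True),         # operational, DCS may adjust
    "FEED_RATE_SP": (10.0, True),
    "BYPASS_ENABLE": (0, False),           # never writable from the DCS
}


@dataclass
class SafetyPlcLink:
    values: dict = field(default_factory=lambda: {k: v[0] for k, v in REGISTERS.items()})
    audit: list = field(default_factory=list)

    def dcs_write(self, name, value):
        """Apply one write received from the DCS; return True if it was accepted."""
        if name not in REGISTERS:
            self.audit.append(("reject-unknown", name, value))
            return False
        _, writable = REGISTERS[name]
        if not writable:
            self.audit.append(("reject-protected", name, value))
            return False
        self.values[name] = value
        self.audit.append(("accept", name, value))
        return True


def apply_dcs_messages(msgs):
    """Apply a list of (register, value) DCS messages; return (values, audit)."""
    link = SafetyPlcLink()
    for name, value in msgs:
        link.dcs_write(name, value)
    return link.values, link.audit


if __name__ == "__main__":
    # Constructed message stream: two legitimate adjustments, two that must be refused.
    sample = [("COOLING_DEMAND", 75.0), ("ESD_TRIP_SETPOINT", 999.0),
              ("BYPASS_ENABLE", 1), ("FEED_RATE_SP", 12.5)]
    values, audit = apply_dcs_messages(sample)
    for entry in audit:
        print(entry)
```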
In contrast to continuous hydrocarbon and petrochemical processes, many traditional chemical processes are batch-based. Safe shutdown of these processes often requires more care than with continuous systems. For instance, a batch reactor that is threatening to undergo a thermal runaway may need to be kept running, though with appropriate adaptations to the requirements for cooling and feed addition.
An additional complication is that the companies operating processes of this kind often lack good strategies for safety-critical control. They are less aware of the various international standards and codes of practice for this type of control, and more inclined to use their own experience as a basis for choosing a control system. A typical result is the use of a single DCS for safety-critical control – an application for which DCSs are not designed.
Unfortunately, complex batch processes can be difficult to shut down safely without the degree of control afforded by a DCS. If a PLC-based shutdown system is not up to the job, and a single ordinary DCS does not give a large enough margin of safety, there are two alternatives. The first is to validate the entire DCS system to the same standards as would be expected from a PLC-based safety system. This is more or less impossible. The second option is to duplicate the DCS, including sensors and actuators, which is very expensive.
Designing for safety…
For processes whose shutdown requirements are not too complex, specialist PLCs designed for safety-critical systems offer many advantages. With suitable attention to built-in safety at the design stage, they can combine a high, guaranteed, degree of safety with high availability.
The ProSafe-PLC is one example. The newest product in the ProSafe range, this dual-architecture PLC is designed to compete with both other dual-architecture designs and with triple modular redundant (TMR) systems. Its flexible design means that it can be configured to suit different levels of safety and availability.
Formal validation techniques have played a big part in making programmable systems widely accepted. The standards for plant safety include DIN V VDE 0801 in Germany, the international draft standard IEC 1508 governing the functional safety of safety-related systems, which may succeed them, and ISA-S84 in the USA. The standards for the safety of programmable systems include the four-level SIL and the eight-level German DIN 19250 AK classifications. The SIL levels are determined by calculation, including the field devices, based on IEC 1508/1511. The DIN 19250 classifications are based on a qualitative assessment and include only the safety system itself. The ProSafe-PLC meets SIL 1-3 and TÜV AK levels 1-6.
The basic ProSafe-PLC has two separate circuit paths for each output. One of these paths incorporates the standard control logic, which operates a solid-state switch to determine the state of the output. In series with this switch, however, is a mechanical relay controlled by a second circuit path, which in turn is controlled by built-in diagnostics from the logic circuitry in the first circuit path. If any part of the system fails in a potentially dangerous manner, the diagnostic function detects the failure and opens the relay, thus de-energising the controller output.
This “1oo1D” (one-out-of-one with diagnostics) arrangement is complemented in the complete PLC by redundant power supplies and communication links, redundant watchdog timers using diverse circuit designs, and system diagnostics such as CPU instruction tests and exhaustive memory tests.
…and for reliability
The 1oo1D architecture can be duplicated to provide a redundant, fault-tolerant “1oo2D” system. When one of the modules detects a critical failure, it shuts down, allowing the other module to carry on controlling in 1oo1D mode until the failed controller can be replaced. Each of the two sub-systems is located in a different rack, which greatly improves the system's resistance to common-mode failure. This arrangement is safer and more reliable than conventional dual PLCs and TMR systems. It also allows redundant sensors to be connected without the need for additional hardware.
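A behavioural model of the output stage described in the last three paragraphs, added here as an example and not ProSafe or Yokogawa code: each module's output is the series combination of a logic-driven solid-state switch and a relay held closed only while that module's own diagnostics pass, and the 1oo2D pair degrades to 1oo1D when one module shuts itself down. The class and function names are illustrative.

```python
"""Model of a 1oo1D output stage and its 1oo2D duplication (added example).

A module energises its output only if the control logic commands it AND the
diagnostics-controlled relay in series is closed. A module whose diagnostics
detect a dangerous fault drops its relay (de-energised = safe state); in a
1oo2D pair the remaining healthy module carries on in 1oo1D mode.
"""
from dataclasses import dataclass


@dataclass
class Module1oo1D:
    logic_cmd: bool = True     # control logic wants the output energised
    diag_ok: bool = True       # built-in diagnostics found no dangerous fault
    watchdog_ok: bool = True   # diverse watchdog is still being serviced

    def relay_closed(self) -> bool:
        # Second circuit path: relay is only held in while diagnostics pass.
        return self.diag_ok and self.watchdog_ok

    def output(self) -> bool:
        # Series arrangement: both the logic switch and the relay must conduct.
        return self.logic_cmd and self.relay_closed()

    def healthy(self) -> bool:
        return self.relay_closed()


def output_1oo2d(a: Module1oo1D, b: Module1oo1D) -> tuple:
    """Return (energised, mode) for a redundant pair.

    mode is '1oo2D' while both modules are healthy, '1oo1D' when one has shut
    itself down, and 'tripped' when neither can keep the output energised.
    """
    healthy = [m for m in (a, b) if m.healthy()]
    if len(healthy) == 2:
        # 1oo2 voting: either module commanding de-energise trips the output.
        return a.output() and b.output(), "1oo2D"
    if len(healthy) == 1:
        return healthy[0].output(), "1oo1D"
    return False, "tripped"


if __name__ == "__main__":
    a, b = Module1oo1D(), Module1oo1D()
    print(output_1oo2d(a, b))   # (True, '1oo2D')
    a.diag_ok = False           # module A detects a dangerous fault and shuts down
    print(output_1oo2d(a, b))   # (True, '1oo1D'): B keeps the process on-stream
    b.watchdog_ok = False       # second fault: nothing can hold the output in
    print(output_1oo2d(a, b))   # (False, 'tripped')
```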
The other products in the ProSafe family include ProSafe-DSP SLS, a hard-wired system which continues to give the highest degree of safety (SIL 1-4 and TÜV AK levels 1-7) and the ProSafe-DSP PLS, a programmable solution for flexible implementation and maintenance, suitable for requirements which do not justify a ProSafe-DSP SLS but are too stringent to be handled by a ProSafe-PLC. There are also various ProSafe programming tools and interfaces. One example is ProSafe-COM, which includes an event recorder for monitoring process start-ups and shut-downs. Working to a time resolution of 1 ms, it monitors all events and communicates with user interfaces, the DCS and alarm handling systems.
Safety requirements for process plants are becoming more stringent, and the need for documentation, validation and adherence to standards is growing. Users in the process industries are increasingly looking for suppliers who can provide tightly-integrated control and safety systems. Working with the rest of the Yokogawa group, Yokogawa Industrial Safety Systems is able to offer a complete set of solutions and products for safe control and supervision of chemical processes.
Yokogawa Europe B.V.
Fax 0031/334631202
Further information cpp 201