Safety


I received a great question today about the safety integrity level (SIL) of a distributed control system (DCS). In this case, the question was specific to the DeltaV system:

Can you please advise if the Emerson DeltaV DCS has a SIL rating i.e. '0' or '1'? I understand that the DeltaV SIS has a SIL rating of '3'.

I turned to safety expert, Chuck Miller, whom you may recall from earlier process safety-related posts. I thought Chuck's response was great and asked if I could share it in a blog post for others who may have similar questions. Chuck agreed and here was his response:

Any basic process control system or BPCS (DeltaV DCS included) is a SIL 0 technology.

Applying an uncertified technology to a safety application with a Risk Reduction Factor, as defined in IEC 61508, of 10 or above is not supported by the safety standards or mainstream philosophies. The lack of diagnostic coverage is the main factor that precludes most users from considering BPCS technology even to most low-level safety applications.

Companies who do choose to take this approach employ redundancy and software configuration to create "comparative diagnostic capabilities." This often drives the cost well beyond purpose-designed safety technology. Even then, the Safe Failure Fraction may not be great enough to provide adequate risk mitigation without very frequent manual testing.

This in turn drives the lifecycle cost of the system up, up, and up. While the front-end costs (CapEx) may look good, the operations and maintenance (OpEx) cost cannot be supported in most cases.

This also creates implications on the Layers of Protection Analysis (LOPA) in more ways than can be described in this e-mail.

I hope this helps others with their IEC 61511 / ISA-84 safety lifecycle planning efforts.
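To put numbers on the points Chuck makes about diagnostic coverage, Safe Failure Fraction and test frequency, here is an added worked example (mine, not Chuck's and not Emerson's) using the simplified IEC 61508-6 relationships for a single-channel, low-demand safety function. The two channels below share the same raw failure rates and differ only in diagnostic coverage; all rates are constructed for illustration, and the Type B architectural-constraint table is my reading of IEC 61508-2, so check it against the edition you are working to.

```python
"""Added worked example, not part of the original post or of any Emerson
documentation: the simplified IEC 61508-6 relationships behind diagnostic
coverage, Safe Failure Fraction and proof-test frequency, applied to a
single-channel (1oo1, HFT 0) safety function in low-demand mode.
The two channel definitions are constructed illustrative failure rates,
not data for any real device.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Channel:
    lambda_s: float  # safe failure rate, per hour
    lambda_d: float  # dangerous failure rate, per hour, before diagnostics
    dc: float        # diagnostic coverage of dangerous failures, 0..1

    @property
    def lambda_dd(self) -> float:  # dangerous detected
        return self.dc * self.lambda_d

    @property
    def lambda_du(self) -> float:  # dangerous undetected
        return (1.0 - self.dc) * self.lambda_d


def safe_failure_fraction(ch: Channel) -> float:
    """SFF = (safe + dangerous-detected) / all failures (IEC 61508-2)."""
    return (ch.lambda_s + ch.lambda_dd) / (ch.lambda_s + ch.lambda_d)


def pfd_avg_1oo1(ch: Channel, proof_test_years: float, mttr_hours: float = 8.0) -> float:
    """Simplified 1oo1 PFDavg: undetected faults wait for the proof test,
    detected faults only for the repair (IEC 61508-6 Annex B form)."""
    ti = proof_test_years * HOURS_PER_YEAR
    return ch.lambda_du * ti / 2.0 + ch.lambda_dd * mttr_hours


def sil_from_rrf(rrf: float) -> int:
    """Low-demand SIL band from the risk reduction factor (1/PFDavg).
    Returns 0 when RRF < 10, i.e. no SIL claim ('SIL 0' in the post's words)."""
    if rrf < 10:
        return 0
    if rrf < 100:
        return 1
    if rrf < 1_000:
        return 2
    if rrf < 10_000:
        return 3
    return 4


def max_sil_type_b(sff: float, hft: int = 0):
    """Architectural constraint for Type B (complex, microprocessor-based)
    subsystems, from IEC 61508-2 Table 3 as read by the author of this example.
    None means the SFF/HFT combination is not permitted for any SIL."""
    table = {0: [None, 1, 2, 3], 1: [1, 2, 3, 4], 2: [2, 3, 4, 4]}
    band = 0 if sff < 0.60 else 1 if sff < 0.90 else 2 if sff < 0.99 else 3
    return table[hft][band]


def assess(ch: Channel, proof_test_years: float) -> dict:
    """Claimable SIL of a single channel: the lower of the PFDavg-based SIL
    and the SFF/HFT architectural constraint (0 if the latter permits none)."""
    pfd = pfd_avg_1oo1(ch, proof_test_years)
    rrf = 1.0 / pfd
    sil_pfd = sil_from_rrf(rrf)
    sil_arch = max_sil_type_b(safe_failure_fraction(ch), hft=0)
    claimable = 0 if sil_arch is None else min(sil_pfd, sil_arch)
    return {"pfd": pfd, "rrf": rrf, "sil_pfd": sil_pfd,
            "sil_arch": sil_arch, "sil": claimable}


def max_proof_test_interval_years(ch: Channel, target_sil: int, mttr_hours: float = 8.0) -> float:
    """Longest proof-test interval keeping PFDavg inside the target SIL band
    (PFDavg <= 10**-target_sil), found by inverting pfd_avg_1oo1 for TI."""
    pfd_max = 10.0 ** (-target_sil)
    ti_hours = 2.0 * (pfd_max - ch.lambda_dd * mttr_hours) / ch.lambda_du
    return ti_hours / HOURS_PER_YEAR


# Constructed channels with identical raw failure rates; only diagnostics differ.
BPCS_CHANNEL = Channel(lambda_s=5e-6, lambda_d=5e-6, dc=0.10)  # little self-diagnosis
SIS_CHANNEL = Channel(lambda_s=5e-6, lambda_d=5e-6, dc=0.95)   # certified-style coverage

if __name__ == "__main__":
    for name, ch in (("BPCS-style channel", BPCS_CHANNEL), ("SIS-style channel", SIS_CHANNEL)):
        r = assess(ch, proof_test_years=1.0)
        print(f"{name}: SFF={safe_failure_fraction(ch):.2f} PFDavg={r['pfd']:.2e} "
              f"RRF={r['rrf']:.0f} SIL(PFD)={r['sil_pfd']} SIL(arch)={r['sil_arch']} -> SIL {r['sil']}")
        print(f"  proof test needed for a SIL 2 PFDavg: every {max_proof_test_interval_years(ch, 2):.2f} years")
```

The low-coverage channel reaches SIL 1 on PFDavg alone, but with an SFF of 55% and no hardware fault tolerance the Type B architectural constraint permits no SIL claim at all; holding it to a SIL 2 PFDavg would also mean proof testing about every six months, against roughly nine years for the high-coverage channel. That is the OpEx trap Chuck describes: the redundancy and "comparative diagnostics" that a BPCS-based design needs are there to buy back SFF and diagnostic coverage that a purpose-built logic solver has from the start.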

Podcast: MP3 | iTunes

March 05, 2010

We discussed energy efficiency and other opportunities with fired heaters in past posts. I caught wind of a presentation that Emerson's safety specialist, Chuck Miller, will be giving at the upcoming March 21-25 AIChE Spring National Meeting and Global Congress on Process Safety in San Antonio, Texas. You may recall Chuck from numerous process safety-related posts.

He'll be presenting, ICSS Systems Offer Advances in Fired Heater Operations, Safety, and Regulatory Compliance on Tuesday, March 23 at 9am. In his abstract, Chuck raises the questions:

Can the instrumentation, control, and protective systems for fired heaters as defined by the prescriptive API Recommended Practice 556 be reconciled with ANSI/ISA 84 (IEC 61511) by implementing an Integrated Control and Safety System? What cost savings can be identified and measured from both the CAPEX and OPEX viewpoint when applying advanced technology to adhere to these divergent standards?

If traditional approaches to compliance with process safety standards are driving costs up and yielding diminishing returns, which control architecture can provide cost savings while enabling the unit to be started-up, operated, and shut down safely?

Knowing that this conference is still a ways away, I asked Chuck if he had a "beta" version of his paper that he could share with me. Being the true professional and nice guy that he is, he forwarded me a copy of his work-in-process.

Process manufacturers have a common need to improve both safe operations and uptime through the avoidance of spurious trips in fired heaters and other fired units. Chuck notes that the professional associations have collaborated and developed a number of good engineering practices related to industrial flame management systems, such as NFPA 85, NFPA 86, API RP 556, ASME CSD-1, FM 7605, and API RP 14C. Each was developed from a different perspective: prescriptive design, expected performance, or practical experience.

A prescriptive approach describes what process manufacturers should and should not do. A performance-based approach like the IEC 61511 global safety standard describes the results a safety lifecycle must achieve without prescribing the specific methods or designs used to achieve them.

Chuck highlights the similarities and differences with respect to API Recommended Practice 556 (API RP 556), ANSI/ISA 84, and ISA-TR84.00.05 (ISA TR-5, Guidance on the Identification of Safety Instrumented Functions in Burner Management Systems). API RP 556 can be seen as prescriptive because it offers practical suggestions where S84/IEC 61511 does not offer specific recommendations.

He believes that API 556 will provide an excellent design specification for the process heater, primary measuring and actuating instruments, controls, alarms, and the associated protective systems. It is also sufficient to provide a starting point for an industrial flame management risk evaluation process and the basis for a Safety Requirements Specification (SRS).

API RP 556 also contains many references to requirements of ANSI/ISA 84 such as HAZOP requirements, nuisance trip avoidance, diagnostics & on-line testing, separation of control and safety functions, etc.

ISA TR-5 is currently under development to provide guidance on how to identify and classify safety instrumented functions (SIFs) within a typical burner management system (BMS) for all operating modes of fired equipment, including pre-firing, light-off, shutdown, and normal operation. Like API RP 556, the technical report states that, because of the unique design criteria of every furnace, each heater/boiler will require that a HAZOP and layer of protection analysis (LOPA) be performed.

Chuck offers other similarities and differences as process safety professionals pick their way through the standards to manage the safety lifecycle of their operations. If you are involved in process safety and plan to attend the AIChE Spring meeting, you may want to include Chuck's presentation on your agenda.


February 05, 2010

ARC Advisory Group's recently published ARC View, Emerson Brings DeltaV SIS into the Future with Version 11 Release, describes the continuing advancements of the DeltaV SIS safety instrumented system. DeltaV SIS launched over 5 years ago and this whitepaper provides an update of its original and continuing objectives:

Emerson designed DeltaV SIS to address the issues that face safety system end users today, from flexibility in design to increased reliability, increased visibility into the system, reduced complexity, and easier regulatory compliance.

The flexibility is described:

DeltaV SIS can support a simplex or redundant logic solver. Both are certified for SIL 3 applications. Each logic solver has 16 integrated I/O channels. These are software configurable, eliminating the need for separate I/O cards.

The SIS scales from an individual logic solver upwards:

Emerson has also considerably increased the potential size of DeltaV SIS systems to the point where they can handle very large applications. The architecture can expand from a single 16-channel logic solver to 30,000 I/O... SISNet Domains further increase design flexibility, provide improved support for large projects, easier expansion of existing systems, and easier isolation of separate SIS applications. Basically, this eliminates the capacity limits for DeltaV SIS.

The purpose of a safety instrumented system is, of course, to take the process to a safe state if it enters a hazardous operating condition. The flip side is that you don't want the SIS to shut down the process when it shouldn't, such as when a transmitter or final element fails. The whitepaper notes where the reliability concerns in a safety instrumented function (SIF) typically occur:

When it comes to safety system reliability, most failures are the result of a faulty valve or sensor. Emerson's recent enhancements to its 3051S intelligent pressure transmitter for SIS applications include plugged impulse line detection. Emerson's DVC6000 SIS intelligent valve positioner for SIS applications includes partial stroke testing capabilities.

Diagnostics from these intelligent sensors and digital valve controllers within each SIF are sent back to the DeltaV SIS logic solvers to help identify problems in advance, before a spurious trip occurs.

Increased visibility with the process automation system comes from the architecture, which the whitepaper describes as providing:

...integration of the control and safety system in the operations, maintenance, and engineering environments, but provides complete physical separation of control and safety hardware, software, and communication networks. This separation of the basic process control system (BPCS) and safety system hardware provides the independence necessary to eliminate the possibility of common mode failures.

Though the hardware is physically separated, the advantages of this integration:

...are reduced costs due to common HMI and software tools, and, more importantly, increased visibility into the process. The integrated architecture allows the user to see everything that happens in their SIS, including device diagnostics and alerts. It allows the user to take a proactive maintenance approach by addressing problems before they become incidents, such as through partial stroke testing and plugged impulse line detection.

The final point, easier regulatory compliance, involves not only the functions within the SIS but also the people and processes required in a process manufacturer's IEC 61511 safety compliance efforts. The Syncade smart operations management software can play a role in this work process management. Noted in the whitepaper:

Now the same level of integration between the DeltaV control system and Syncade is available between Syncade and DeltaV SIS. This greatly eases the process of safety system validation, competency management, document management, and workflow management. The document management capability of Syncade can help users be sure they are doing things properly from one phase of the safety lifecycle to the next.

Regulatory compliance is also assisted by the AMS Asset Portal, built on Meridium technology, which measures:

...key performance indicators such as overall equipment effectiveness (OEE).

You can follow news and connect with the DeltaV SIS team on Twitter (@DeltaVSIS), LinkedIn, or Mike Boudreaux's Safety Instrumented System room in FriendFeed.


December 11, 2009

Process automation systems and safety instrumented systems (SIS) have been changing with the rapid pace of technology change. An ARC Advisory Group whitepaper, Business Issues Driving Safety System Integration, outlined some of the various ways automation suppliers have been integrating these systems for process manufacturers. They described three integration levels: interfaced, integrated, and common.

Emerson's Chuck Miller has written a whitepaper, Realizing the Capital and Operational Benefits of a ICSS System. It explores how the technologies and integrated approach of the basic process control system (BPCS) and SIS, combined with work processes, can improve capital expenditure (CapEx) and operational expenditure (OpEx) performance.

In the whitepaper, Chuck describes the integrated control and safety system (ICSS) that is built upon redundant Ethernet control networks, distributed and scalable process controllers, distributed and scalable safety controllers, human machine interfaces (HMIs), engineering workstations, and application servers. He describes how CapEx savings can be achieved when a common set of engineering tools configures both the process and safety controllers and a common HMI communicates with both. Functions such as alarm handling, time synchronization, user security, and device health monitoring are also shared between the systems.

Another example on the CapEx side is compliance with the IEC 61511 international safety standard. Device audit trails, calibration histories, process and safety configuration audit trails, process and event histories all contribute to the detailed documentation and change management required for a process manufacturer's safety management program.

For the safety instrumented functions (SIFs) managed by the safety controllers (or logic solvers in safety parlance), Chuck notes the importance of diagnostics from the sensors and final control elements. From a sensor standpoint, HART device alerts can be sent to operators and maintenance personnel as an early warning of problems with the device or surrounding process (see my earlier HART diagnostics post). For final control elements, non-disruptive actuator partial stroke testing can be performed to make sure the safety valves do not become stuck from long periods of inactivity.

These predictive tests help on the OpEx side of the equation. Through a continuous process of detection and notification, which in turn feeds the work process associated with rapid correction, spurious trips and failures on demand can be avoided. Chuck uses the analogy of an automobile service technician. The process begins by performing diagnostic tests. With the results in hand, the person or people with the right set of skills can be assigned to resolve the situation quickly.

Similarly, process manufacturers can organize to take advantage of the diagnostics within both the process automation and safety instrumented systems to avoid unplanned shutdowns and respond more quickly to abnormal situations.

Give the whitepaper a read for many more ways both the CapEx side and OpEx side of your plant budget are impacted by the integration of these systems. Also, look for and join the discussions on SIS integration in the Process Automation Usability Project site, on the DeltaV SIS LinkedIn group, and from the @DeltaVSIS Twitter account.


November 18, 2009

Emerson's Alan Harris has written a new whitepaper, DeltaV SIS HART Capabilities. It describes various HART capabilities that can be used with the DeltaV SIS system as well as HART diagnostics implementation best practices. For those unfamiliar with HART, the HART Communications Foundation describes it:

HART (Highway Addressable Remote Transducer) Protocol is the global standard for sending and receiving digital information across analog wires between smart devices and control or monitoring systems.

Alan describes the importance of HART diagnostics in safety applications:

The HART diagnostics provide much more information on the health of a field device than can be determined from a standard 4-20 mA signal. For this reason, greater SIL (by turning Dangerous Undetected failures into Dangerous Detected failures) and longer proof testing intervals can be achieved by field devices running HART diagnostics.

He also makes the strong point that HART is not a safety-rated platform and that you should never substitute HART signals for hardwired signals when the hardwired signal is being used to detect a hazardous condition with a SIL (safety integrity level) rating. HART should only be used for diagnostic purposes.

Alan does describe ways it can be used, especially in safety instrumented systems like DeltaV SIS that can incorporate these diagnostics directly into the SIS logic. One example: on recognition of a faulty sensor status, the SIS logic can degrade the transmitter voting:

...remove the transmitter from the voting logic (i.e. a 2oo3 voted group of transmitters degrades to 1oo2 or 2oo2 with the bad transmitter viewed as faulty) or the transmitter can be simply alarmed via operator graphics.

In the case of a problem with a final control element with a HART-enabled digital valve controller:

...HART device status signals can be used to trip valves that use a HART-enabled positioner or alarm the valve via operator graphics.

Other conditions the SIS logic can monitor in sensor devices through the HART diagnostics include PV out of limits, analog-digital mismatch, PV output saturated, PV output fixed, loss of digital communications, and field device malfunction.
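As an added example (my code, not Alan's whitepaper or anything from DeltaV SIS), here is how the degraded voting described above can be implemented: the trip is still decided on the hardwired process values, and the HART status only decides which channels are trusted and which are alarmed, in line with the "diagnostics only" caution. The status names, the live-zero current bounds and the sample readings are constructed for the example.

```python
"""Added example, not code from Alan Harris's whitepaper or from DeltaV SIS:
a 2oo3 transmitter voting group whose architecture degrades when HART
diagnostics (or an out-of-range loop current) mark a transmitter as faulty.
The trip is decided on the hardwired 4-20 mA process values only; HART
status decides which channels are trusted and which to alarm. Status
names, live-zero bounds and readings are constructed for this example.
"""
from dataclasses import dataclass, field

# The HART device conditions listed in the post; any one marks the channel faulty.
FAULT_CONDITIONS = frozenset({
    "pv_out_of_limits", "analog_digital_mismatch", "pv_output_saturated",
    "pv_output_fixed", "loss_of_digital_comm", "field_device_malfunction",
})

# Assumed live-zero bounds for the hardwired loop (NAMUR NE43-style saturation
# limits); a current outside them is a hardwired, not a HART, fault detection.
MA_MIN, MA_MAX = 3.8, 20.5


@dataclass
class Transmitter:
    tag: str
    pv: float                 # process value from the hardwired 4-20 mA signal
    loop_ma: float            # measured loop current
    hart_status: set = field(default_factory=set)  # HART status conditions

    def fault_reasons(self) -> list:
        reasons = sorted(self.hart_status & FAULT_CONDITIONS)
        if not MA_MIN <= self.loop_ma <= MA_MAX:
            reasons.append("loop_current_out_of_range")
        return reasons

    def faulty(self) -> bool:
        return bool(self.fault_reasons())


def degraded_architecture(n_healthy: int, prefer_safety: bool = True) -> tuple:
    """(m, n) of the MooN vote applied to the trusted channels of a 2oo3 group.
    With two channels left the group becomes 1oo2 (favour safety) or 2oo2
    (favour availability), as the quoted whitepaper text describes."""
    if n_healthy == 3:
        return (2, 3)
    if n_healthy == 2:
        return (1, 2) if prefer_safety else (2, 2)
    if n_healthy == 1:
        return (1, 1)
    return (0, 0)


def vote_2oo3(transmitters: list, trip_above: float, prefer_safety: bool = True,
              trip_on_total_loss: bool = True) -> dict:
    """Evaluate a high-trip 2oo3 group: returns the trip decision, the effective
    architecture, the vote count, and faulty tags to raise on operator graphics."""
    if len(transmitters) != 3:
        raise ValueError("a 2oo3 group needs exactly three transmitters")
    healthy = [t for t in transmitters if not t.faulty()]
    alarms = {t.tag: t.fault_reasons() for t in transmitters if t.faulty()}
    m, n = degraded_architecture(len(healthy), prefer_safety)
    if n == 0:
        # No trustworthy measurement left: fail-safe trip, or alarm only, by policy.
        return {"trip": trip_on_total_loss, "architecture": "none", "votes": 0, "alarms": alarms}
    votes = sum(1 for t in healthy if t.pv > trip_above)
    return {"trip": votes >= m, "architecture": f"{m}oo{n}", "votes": votes, "alarms": alarms}


# Constructed scenario: a pressure group tripping above 50.0 (engineering units).
GROUP = [
    Transmitter("PT-101A", pv=52.0, loop_ma=12.3),
    Transmitter("PT-101B", pv=55.0, loop_ma=12.8, hart_status={"pv_output_fixed"}),
    Transmitter("PT-101C", pv=48.0, loop_ma=11.7),
]

if __name__ == "__main__":
    print("safety-biased:      ", vote_2oo3(GROUP, trip_above=50.0))
    print("availability-biased:", vote_2oo3(GROUP, trip_above=50.0, prefer_safety=False))
```

With PT-101B reporting a fixed output, the group runs as 1oo2 and trips on PT-101A's reading alone when configured to favour safety, or as 2oo2 and holds when configured to favour availability; either way the faulty tag is raised for operator graphics. A channel whose loop current leaves the live-zero range is removed by the hardwired check regardless of what HART reports, and a group with no trusted channel left goes to whichever fail-safe policy the SRS specifies.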

For safety-application rated digital valve controllers like the Fisher DVC6000 SIS, diagnostics available to the SIS logic or asset management software include: loop current, auxiliary contact status, output pressure, % travel, position, drive signal, valve setpoint, pressure, differential pressure, and DVC internal temperature. This digital communication also provides a path for the SIS logic or asset management software to initiate manual or scheduled partial stroke tests (PST), which:

...checks for valve movement without fully stroking the valve. Many applications will allow 10% movements to verify valve response without upsetting the critical process line. Diagnostic data is collected and an alert is given if the valve is stuck.

Alan's whitepaper describes some of the diagnostics available in other Emerson devices such as the Rosemount 3051S pressure and 3144P temperature transmitters, and the Micro Motion Coriolis flow transmitters. He describes the purpose of these diagnostics to give the reader ideas of how they might be incorporated into their SIS logic to improve diagnostic coverage and safely increase overall availability by reducing spurious trips.

If you're responsible for your plant's safety instrumented system, you might consider giving this whitepaper a read.


November 04, 2009

Wim Van Loon and Rafael Lachmann

Emerson's Wim van Loon and Rafael Lachmann presented Modular Safety Concept (MSC) for Marine & Offshore projects and the Value Proposition at Emerson Exchange. Their abstract:

The current demands from the Marine and Offshore industry require low CAPEX, high amount of flexibility and increasingly faster execution of projects. Emerson offers the Modular Safety Concept as part of a Distributed ICSS allowing customers to meet these requirements and stay Class-compliant. What are the objectives, design constraints and solutions and what are the value adds to the project?

Wim kicked off the presentation describing a floating production, storage and offloading (FPSO) vessel conversion project. In very simple terms, it's converting existing tank vessels into FPSOs. This means building the production and storage facilities with the necessary process automation and safety instrumented system.

One of the issues with FPSO conversions is the capital expenditure risk in cost and schedule overruns. This can drive the return on investment below the set thresholds. Wim described areas where risks can be reduced throughout the project lifecycle. Fit-for-purpose design concepts support a fast-track schedule. During the front-end engineering design (FEED) phase, if you split a larger project into parallel modules, you divide the risks so that a schedule slippage in one module does not impact all the modules.

Wim described global project engineering standards with a library of standard DeltaV configurations and work processes. These standards are applied globally across all world areas to help provide resources for the process module development, no matter where the construction takes place. Complete wiring, loop test and functional check out of the modules can be done in parallel to minimize project risk.

Rafael described the modular safety concept (MSC). Here's a complete application note on the modular safety concept. Distributed control has been available since the advent of the distributed control system; distributed safety is now required as well. The safety system covers emergency shutdown (ESD), process shutdown (PSD), and fire and gas (F&G). Redundancy in all logic solvers and power means redundant processors, redundant I/O, and two sets of feeders, each backed by its own UPS. Each feeder is capable of powering the entire ESD or F&G module node.

With the modular approach to both the automation and safety instrumented systems, the modules can be built and tested in parallel and hooked up once they are integrated with the vessel.

The distributed approach provides significant CAPEX and schedule risk reductions over traditional, centralized process control, emergency shutdown, and fire and gas systems.

Update: I've added a link above to a detailed application note on the modular safety concept.

September 29, 2009

Some questions on flame detector reliability came my way the other day from a blog reader in the refining industry. I ran the questions by Emerson's Gary Hawkins, a refining industry consultant.

Gary's first response was to point to the authoritative source for fired heater protection in the refining and petrochemical industries, API Recommended Practice RP 556, Instrumentation, Control, and Protective Systems for Fired Heaters. The second edition is nearing completion and should be available toward the end of 2009 or early 2010. Gary is a member of the RP 556 committee and is providing comments back on this American Petroleum Institute recommended practice.

He notes that there are two categories of flame detectors: flame ionization rods and optical flame scanners (including both ultraviolet and infrared). You must consider numerous factors when selecting a flame monitoring system, including types of fuels, heater geometry, number of burners, and the type of process safety layers of protection.

Flame ionization rods are generally considered consumable and require periodic replacement. The flame ionization rod is generally only used to detect the pilot flame, as it is not suitable for long-term use in the main flame.

The reliability of flame scanners is a more complex topic with a number of considerations:

  • Generally require a purged sight tube to keep the lens clean
  • Difficulty detecting the flame at both the primary and secondary tips
  • Distinguishing between the monitored flame and background radiation in the heater

Gary notes that reliability is a function of the quality, the installation, and the maintenance of the instruments involved in flame detection. Quantification requires an analysis of the installation to collect the data required for the reliability calculations. This is usually performed as part of the hazard and operability (HAZOP) analysis.

On a question about whether or not a flame detector is required when there are other indicators such as low combustion air or low fuel pressure, Gary cautions that there are many factors to consider. Each site must comply with its company's standards and local codes, and with the safety requirements specification (SRS) where the flame detectors are part of a safety instrumented system (SIS) rather than only being used to alert the operators to abnormal conditions.


September 21, 2009

Automation World has a great article, Security and Safety Follow Parallel Paths, which compares and contrasts process safety and cyber security, from a risk management perspective. In an earlier post, I described the ISA99 Working Group 7 (WG7) efforts to look at the best practices in process safety and see what can be applied to functional security around the automation systems.

The article quotes Emerson's Mike Boudreaux, who serves as ISA99 WG7 co-chair, on the similarities:

On the front end of the security lifecycle, where you're trying to figure out what your risks are, the kind of risk analysis that you do is very similar to the type of risk assessments that you do for safety, where you're identifying unwanted consequences, evaluating the likelihood that those might occur, and based on that, you have a level of risk that you need to implement safeguards against.

WG7 is taking a similar approach to process safety risk levels with security assurance levels (SALs):

In the safety world, standards such as the International Electrotechnical Commission's IEC 61508 and IEC 61511 describe methods for assigning Safety Integrity Levels (SILs) to designate different levels of risk reduction provided by a safety function. Similarly, the ISA99 committee is working on a parallel concept for security known as SAL--for Security Assurance Level. Just as Safety Integrity Levels range from SIL 1 at the low end to SIL 4 for the highest integrity level, the SAL approach, as currently contemplated, will cover SAL 1 through SAL 4, designating ascending levels of cyber-security protection.

This helps prioritize security risks and the defenses required for the risk level. The article also explored the differences between process safety and cyber security risk mitigation. A statistical view is taken with process safety. Mike notes:

The focus in the safety world is on designing devices that have predictable hardware failure rates. So when I install a device out there, I can predict how frequently it's going to fail throughout the life of the process for the next 20 years... But the concept of predictable, random failures doesn't apply as well to security... With security, when you put a protective measure in place, you can't predict what its useful life is going to be.

Emerson's Bob Huba, whom we've featured in many cyber-security related posts, describes the dynamic nature of security risk mitigation:

Safety is somewhat of a fixed process. Once you've got the risks figured out and the processes in place and you put the safety system in, it doesn't change... You put in antivirus software and its life is measured in days, because there's always something new--the next conflict, or the next Sasser worm... So it's constantly evolving, and the management on the security side is much more complex and onerous, in my opinion, than it is on the safety side.

It sounds like the working group is quickly identifying the parts of the process safety lifecycle that make sense to borrow and apply for process automation cyber-security. I tend to agree with Mike's prediction that the pace of the ISA99 standards effort will move more quickly than the ISA84 process safety effort, because they are borrowing what they can and developing the rest.


September 11, 2009

The question of integration with respect to safety instrumented systems (SIS) and basic process control systems (BPCS) continues unabated. Emerson's Mike Boudreaux alerted me to a great article, The Question of Integration, in the June issue of Control Engineering Asia magazine. It was written by a TÜV FSExpert with one of the automation suppliers.

He frames the source of the debate:

New digital technology now makes it feasible to integrate process control and safety instrumented functions within a common automation infrastructure. While this can provide productivity and asset management benefits, if not done correctly, it can also compromise the safety and security of an industrial operation....

Certainly, a "common platform" approach, using similar hardware and software dedicated for control and safety functions, respectively, can provide the potential for cost savings. However, it is widely acknowledged that using separate, independent, and diverse hardware/software for safety and control is the optimal way to protect against potentially catastrophic common cause and systematic design and application errors. Different vendors offer varied degrees of integration and solutions. The question is how to provide an integrated control and safety solution with advanced functionality and productivity, without compromising safety and security.

He also enumerates the advantages of an integrated approach:

Some of the major potential benefits include: seamless integration; time synchronization; elimination of data mapping duplication; common HMI; compatible configuration tools; minimize spare parts; and single operator and maintenance training requirements.

He cites the issue with a "common platform" approach:

The basis for the concept of "defense in depth (D3)" and "independent protection layers (IPL)" at the heart of all international safety standards (including IEC 61508 and IEC 61511), is every layer of protection, including both control and safety, should be unambiguously independent. Some of the reasons for this basic requirement are to avoid common cause faults, minimize systematic errors, and provide security against unintentional access, sabotage, and cyber attacks.

ARC Interfaced / Integrated / Common SIS Architecture

Mike agrees with both the benefits and concerns, but points to an ARC whitepaper, Business Issues Driving Safety System Integration, that distinguishes a "common platform" from an "integrated platform." The problems cited are relevant to the common architecture approach, where the hardware and software used to deliver functional integrity are shared between the BPCS and the SIS.

With DeltaV SIS, the logic solver components have physical separation, diverse components, and independent SIS logic solver hardware with a different operating system from the DeltaV BPCS. DeltaV SIS safety communications are on a physically separate bus and network from the DeltaV BPCS communications.

The physical separation, diversity, independence, and common cause elimination required by IEC 61511-1 clauses 9.5 and 11.2.4 are inherently addressed by the DeltaV SIS integrated yet separate architecture. The integration of DeltaV and DeltaV SIS is at the operation, engineering, and maintenance layer where it makes sense from the advantages described in the article.

The author sums up the article:

It is safer, renders a lower SIL requirement, and less expensive to implement physically separate and diverse, independent safety and control systems, with smart integration at the information, configuration, asset management, and HMI levels. All the capabilities of field diagnostics, asset management, including partial stroke testing, can be implemented effectively through smart integration.

On this point and in most cases throughout the article, the author and Mike are in complete agreement as demonstrated in a previous post.

Update: Fixed top quote by adding second paragraph inside quote box.

Update 2: I didn't have my recording equipment when originally posted, so I've now added the podcast below.

Podcast: MP3 | iTunes

August 14, 2009

Emerson's Riyaz Ali, whom you may recall from earlier posts, wrote an Inside Functional Safety article recently titled, Digital Technology: A remedy for sick shutdown valves in Safety Instrumented System (SIS) applications. The paper is available for purchase from Inside Functional Safety, so I can't upload or link to it, but I'll highlight a few points Riyaz makes. Here's a portion of the abstract:

In the event of a safety demand, the final control element of a safety instrumented function (SIF) loop is a key component to a process going to a safe state. Unlike the logic solver or sensors (analog transmitters), the final control element requires a total shutdown to check the mechanical integrity. With the invention of the digital valve controller, a final control element's mechanical movement can be tested online by moving a span of 10% or 15% without disrupting the process.

For those not familiar with two of the major international safety standards for process manufacturers, IEC 61508 and IEC 61511, Riyaz provides this contrast:

IEC61511 is an industry specific version, specifically dealing with process industries in the "Functional Safety: Safety Instrumented Systems for the Process Industry Sector." IEC61511 provides clarity to the use of IEC61508 in automation protection systems for the process industries by using industry specific vocabulary, specific examples, and tailored requirements.

As mentioned in the abstract, the final control element is a critical portion of the safety instrumented function or safety loop to take the process to a safe state. It could be an emergency shutdown valve, blow down valve, emergency isolation valve, emergency venting valve, or on/off valve. These valves may remain dormant for long periods, so they must be tested periodically to make sure they will operate properly upon a safety demand situation.

Riyaz notes that conventional testing requires either process shutdowns or bypasses, the latter of which add complexity and risk to the process flow. Completely testing the final control element's performance requires "...an in-line test that strokes the valve for full travel."

Without bypasses, the loss of production means process manufacturers want to stretch the interval between full stroke tests as far as possible, until the plant is shut down for turnaround maintenance.

Riyaz describes ways developed to extend the time intervals for the final control element testing by partially stroking the valves. He writes:

It was recognized that the most likely failure mode of a discrete shutoff valve is to remain stuck in its normal position. To test for this type of failure, it is not necessary to completely stroke the valve to test its functionality. A large percentage of covert valve failures can be detected if a limited form of testing can determine that the valve is not stuck and will begin to move. Furthermore, if this type of test could be performed online without shutting down the process, improvements in the PFDavg could possibly be obtained without the loss of production.

Methods to perform this partial stroke testing include mechanical limiting devices and more recently logic solver-based testing:

...which sends fixed pulsations to the solenoid valve to monitor the subsequent movement of the valve. The pulse duration is set to allow slightly more than the required 10-15% movement. The feedback to valve movement is provided by an analog limit switch.

Whichever method is used, written safety procedures are important to make sure plant trips don't occur and proper documentation and maintenance is performed by properly trained personnel.

Riyaz shares how a digital valve controller is a good solution for these partial stroke tests because it:

...receives a control signal from the logic solver. It incorporates travel feedback of the valve position plus supply and actuator pneumatic pressures. This allows the smart positioner to diagnose not only itself, but also the health of the valve and actuator.

Since the process is not shut down, the tests can be run more frequently and initiated by the logic solver, HART handheld communicator, panel, and/or PC. The tests are also automatically documented and can provide comparisons between tests. In the event of a safety demand, the digital valve controller can also provide a log to help understand the sequence of events for post-event analysis.

He clarifies that partial stroke tests, "...do not eliminate the need for full stroke test; however, it does extend the proof test interval." This extension is often long enough to reach the plant turnaround where all the final control elements can have full stroke testing performed.

If you are unfamiliar with some of these ways of partial stroke testing, you may want to purchase the paper or review some of the past blog posts in which I've featured Riyaz.


August 05, 2009


A big thanks to Emerson's Mike Boudreaux for his guest post while I'm out this week.

Jim is on vacation this week. He knows that I always have something to say about process safety and functional safety, and so he's agreed to let me fill in for him as a guest author for the Emerson Process Experts blog today. Thanks, Jim!

I was up late the other night, clicking around in the LinkedIn groups for DeltaV, process safety, functional safety, security, and other topics that I find interesting. One of the groups that I frequently visit is named EHSQ Elite. EHSQ Elite is a group of safety, security, risk, regulatory, sustainability, health, environmental and quality professionals working in or for the industry, authorities and service sectors. The group has over 7,400 members, and claims to be the biggest and fastest growing safety-oriented group on LinkedIn. EHSQ Elite has a very active discussion group. I saw that EHSQ Elite is sponsoring a process safety seminar series, so the group seems to be growing outside of LinkedIn.

It is definitely the largest group that I've seen in LinkedIn. The group is so active that it is really hard to keep up with all of the discussions and news feeds, and if you're primarily focused on process safety then it can be hard to sort through the noise. Luckily, LinkedIn has recently provided a new feature that enables the creation of subgroups. Pieter-Jan Bots, the manager of the group, has quickly taken advantage of this new feature and created several subgroups related to different safety topics. One of the subgroups that he created is Process Safety Management. I anticipate that this new group will grow quickly under the EHSQ Elite group. It is less than a month old and it already has 80 members.

One of the discussion topics in the group is "Methods for testing safety critical loops?"

What methods are available for testing the different elements in safety critical loops, including initiating element (e.g. pressure or level measurement), the wiring and relays or safety logic, and the final element(s) (e.g. emergency shutoff valve)? Challenge is to test the whole loop, or make sure that all elements are functioning.

I posted the following comment there, but I think it is worth sharing with the readers of the Emerson Process Experts blog. It is so relevant to what we do here at Emerson and we already have a discussion going here about partial stroke testing. Here's my comment.

The goal of proof testing devices is to uncover dangerous undetected failures - covert failures that prevent the device from acting when needed. Modern electronics-based devices include internal diagnostic tests that can detect dangerous failures, but there are always some dangerous failures that cannot be detected by diagnostics. Devices that are IEC 61508 certified should include a proof test procedure in the safety manual.

Testing of sensors and transmitters is usually very straightforward. For examples of sensor testing procedures, see the manuals for the Rosemount 3051S and 3144P pressure and temperature transmitters: http://is.gd/1AIxZ (page 21) and http://is.gd/1AIFb (page 111).

For testing logic solvers, you can often separate hardware testing from software testing. Testing of the internal electronics hardware is typically very easy to do with modern logic solvers that can perform automated diagnostics and proof tests to uncover failures. For example, see section 5.3 of the DeltaV SIS safety manual: http://is.gd/1AKre. Functionally testing software (logic) is MUCH more complicated. Everyone has a different philosophy about the best practices for performing functional tests for the whole loop. A segmented approach is generally accepted, but there are many purists who want the entire loop to be tested all at once. This is sometimes impractical, though. The risk of a segmented approach is that there are opportunities for mistakes to be made since this approach relies more heavily on detailed procedures and processes. A segmented approach for functionally testing the logic solver will typically require a screw terminal to screw terminal test, by manipulating the values of input channels and monitoring the response of output channels. When possible, a test from sensor to final element is preferred, but this is not always practical. Offline simulation tools can simplify this activity so that configuration errors are caught offline before testing is performed using physical hardware.

Testing final elements is a pretty deep topic. There are MANY ways to test final elements - some are manual and some are automatic. The goal is to prove that the final element performs according to design specifications. With electronics-based devices, partial stroke tests and proof tests can be automated. Here is a link to recent online discussions among functional safety experts about partial stroke testing: http://is.gd/1AK5K.

Feel free to join the EHSQ Elite Process Safety Management group in LinkedIn and join me in the discussion there!

July 23, 2009


Emerson's Mike Boudreaux pointed me to a great article written by ISA84 committee member, Paul Gruhn. The article, Safety, Security groups form joint working group, describes the reasons for the ISA84 Process Safety standards group and the ISA99, Industrial Automation and Control System Security group joining forces. ISA99 Working Group 7 (WG7) is the home of this effort and is chaired by Mike and Kenexis Security's Bryan Singer.

Paul's article acknowledges that we all learn from our own mistakes:

...but when it comes to the safety and security of high-risk process facilities, it is important we learn from the mistakes of others. That is the collective knowledge that standards are built on.

In the article, he describes how safety and security are similar:

...the greater the level of risk in a process, the better the safety instrumented systems that will be needed to control it. Similarly, the greater the level of risk of a security breach, the stronger the measures will be needed to combat it.

I asked Mike for some recent developments with WG7. He told me that they have created task groups to review the existing ISA99 standard as well as the two leading global safety standards related to process manufacturers--IEC 61508 and IEC 61511. Other relevant standards are also being considered. The intent is to look at how the lifecycle and risk reduction methodologies in these safety standards might be applied to automation system security.

Mike described three task groups that have been created: ISA-99 WG07.TG01-2009, -.TG02-2009, and -TG03-2009. Bryan Singer leads the TG01 group and they are working on the creation of the ISA-99 WG07 charter document.

Mike leads TG02 and his task group is assembling a list of recommendations to the ISA99 leadership on how to improve consistency with other engineering practices. They would also provide a list of recommendations on key benefits of the current ISA99 approach or additional areas of opportunity to provide value. Finally, the task group will provide input to the standards roadmap for the documents that will receive WG7 content and any other needed documents.

The final task group, TG03, is led by Jim Gilsinn, whose group will lead the effort for a target outline and document structure for the WG7 work products.

These structures help provide a framework for collective knowledge sharing that's required to develop security standards, which will benefit process manufacturers the way ISA84 and IEC 61511 have benefitted them from a process safety standpoint.

For those of you who use Twitter (and you should!), you can follow updates by Mike and Bryan and Dow's Eric Cosman on this important standards effort at @isa99chair.


Update: Mike shared with me that Bryan Singer and Eric Cosman of Dow Chemical are the two folks who manage the ISA99chair Twitter account and I've fixed the post above.

July 15, 2009


The Flow Control magazine website has a great Safety Instrumented Systems Primer interview with Emerson's Mike Boudreaux. You may recall Mike and his views on process safety and safety instrumented systems in earlier posts.

If you're not already steeped in the language of process safety with things like safety integrity levels (SIL), safety instrumented functions (SIF), IEC 61511, etc., the questions and answers help provide a good primer. I'll share just a few snippets from the Q&A, but you'll want to read the entire interview.

Mike addresses the question on how safety instrumented systems (SIS) have come to be:

Much of the focus has been to reduce process risk through inherently safe design and independent layers of protection (IPL). Safety instrumented systems are one of the many layers of protection that are used to deliver increased process safety.

Further on this point, he describes why an SIS is important:

When a process cannot practically be designed to be inherently safe, an SIS can be used to reduce risks to an acceptable level. An SIS can be designed to deliver a specified safety integrity level (SIL) of risk reduction. IEC 61508 defines SIL 1 through SIL 4, with each SIL designating a relative level of risk reduction provided by a safety instrumented function (SIF) by an additional order of magnitude.

For those new to the world of process safety, Mike also shares his view on common pitfalls in process safety SIS design and implementation:

When developing a safety requirements specification (SRS), process manufacturers sometimes go overboard and make the SRS too complex to be practical, or they go in the opposite direction and don't provide a consistent set of documentation... the SRS should provide a functional description and the integrity requirements for each SIF. The SRS is the document against which all of the safety lifecycle activities are verified and validated. As such, it is important that this documentation be simple to use and maintain.

The other major pitfall is the complexity of SIF design and SIL verification. Mike offers:

Knowing which devices to use, selecting the appropriate hardware fault tolerance, correctly applying prior-use data, and designing the most economical SIF to minimize capital and operating costs while maximizing availability, can be a difficult task. End-users should make sure the people performing this work are competent in the area of process safety systems design and, more specifically, SIF design and SIL verification.

On advancements in SIS design strategy, Mike describes how technology is playing a key role:

Improved device diagnostics is being driven by technology advancements in microprocessors and device design. Diagnostics reduces the dangerous undetected failure rates for devices. Automated online proof testing and device diagnostics will deliver safer systems, because failures will be detected whenever they occur.

I hope you'll get as much from the interview as I did.


July 06, 2009


Charles Fialkowski's blog post last week, To Integrate or not to integrate Safety and Control, describes some of the continued discussions going on concerning separation of the safety instrumented systems (SIS) and basic process control systems (BPCS). He wrote:

Today, I still see a lot of confusion over this issue on what's right and what is 'really' right. I recently personally witnessed another vendor use my same 4 year old illustration on SIS integration and bugger it all up to position his system (of course) as the best approach, ugh!

He concluded:

The answer is not with a vendor whose underline message is "buy mine", nor from that elderly colleague who's reluctant to any change, and is convinced his 30 year approach is the ONLY way to go. Nope, the answer is that it all DEPENDS. It depends on many factors regarding your process, level of risk needed to be reduced, complexity, management of change issues, budget, communications, security, etc.

For other viewpoints on this topic, there are several references available via the DeltaV SIS website, including an ARC whitepaper titled Business Issues Driving Safety System Integration. You can also see a lot of back and forth on this topic of separation, if you're a member of the ISA safety mailing list. Several Emerson process safety experts can be found in the SIS discussions that take place on this list.

I ran the post by Emerson's Mike Boudreaux who was already one step ahead of me, since he also subscribes to Charlie's blog. He agrees with the points Charlie makes. Building on these thoughts, Mike adds:

Separation of control and safety is important and required by IEC 61511. Clause 11.2.4 requires that the basic process control system (BPCS) shall be designed to be separate and independent to the extent that the functional integrity of the SIS is not compromised. Further, clause 9.5 requires that an assessment be performed to ensure that the likelihood of common cause, common mode, and dependent failures between protection layers is sufficiently low in comparison to the overall safety integrity requirements of the protection layers. Clause 9.5.2 specifically says that the assessment shall consider:

  • Independency between protection layers
  • Diversity between protection layers
  • Physical separation between different protection layers
  • Common cause failures between protection layers and between protection layers and BPCS

It is possible to meet these requirements under an integrated platform. In fact, DeltaV SIS has been assessed by both Exida and TÜV to consider these requirements of IEC 61511. This is accomplished by physically separate, diverse, and independent SIS logic solver hardware and firmware and a separate network for secure SIS communications. DeltaV SIS uses an integrated platform for operation, maintenance, and engineering but keeps separation at the run-time execution level so that the functional integrity of the SIS is not compromised. This level of integration is no different than the interdependency, diversity, physical separation, and common cause exposure that you have when you integrate systems from separate vendors.

Thinking about the different types of SIS applications, Mike adds:

It is also sometimes beneficial to integrate emergency shutdown systems (ESD), fire and gas systems (FGS), and burner management systems (BMS) applications in the same SIS platform, using separate logic solvers. For many BMS applications, there is often a high degree of interaction between the BPCS and SIS. An integrated platform like the DeltaV SIS streamlines implementation and simplifies the application.


June 01, 2009


Recently at the International Health, Safety, Environment, and Loss Prevention Conference in Kuwait, Emerson's David Walker had the opportunity to present on the topic of process safety. His presentation, Using a Smart Safety Instrumented System (SIS) to Make Better Operational Decisions, described the role of diagnostics in monitoring the health of the devices and surrounding process in safety instrumented functions.

David noted how accidents still manage to occur even with the safety standards and methodologies, which build layers of protection that guard against these incidents. The majority of these events occur because of the failure of plants to implement best practices in process safety and instill a pervasive safety culture. Also, safety implementations and standards are having difficulty keeping pace with the automation system alarm and display technologies. A few examples of these advances are alarm prioritization and narrowcasting by location and/or function. These capabilities often were not in existence when the plant process safety standards were developed.

David shared the data I mentioned in an earlier post where more than 90% of the failures in safety instrumented functions occur outside the logic solver--in the sensor or final control element (FCE). Traditionally, the focus of safety engineers has been on maintaining and supporting the logic solver, mainly because it could not provide diagnostics from the sensors and final control elements to identify potential problems. These missing diagnostics are even more critical as the components of the safety loop age and become less reliable. This equipment is more likely to cause spurious trips that unnecessarily shut down the process--decreasing overall availability.

Newer safety instrumented systems like DeltaV SIS communicate via HART digital communications to safety-certified or proven-in-use sensors and smart final control elements. The diagnostics from the sensors and FCEs help detect, report, and often give operators and maintenance technicians time to respond to the abnormal situation before a shutdown sequence is initiated. David listed some examples of these device diagnostics:

  • Partial stroke testing of FCEs
  • Low supply pressure to FCEs
  • Temperature sensor failure and hot-backup capabilities
  • Earth leakage detection
  • Pressure transmitter impulse line plugging
  • Flow transmitter two-phase flow
  • Degraded voting logic upon transmitter failure
  • Device testing by operations and maintenance staff from outside the hazardous location.
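As an added example (not part of David's presentation or of any Emerson product), the "degraded voting logic upon transmitter failure" item can be shown as a small Python voter: a 2oo3 pressure trip that, when a transmitter's own diagnostics report a failure, drops that channel and re-votes the remaining healthy ones. The tag names, readings, setpoint and the degradation sequence (2oo3 to 1oo2 to 1oo1, and trip when nothing is healthy) are constructed assumptions; which way a real function degrades is a design decision recorded in its safety requirements specification.

```python
# Added example (not from David Walker's presentation or from Emerson): a 2oo3
# transmitter voter that degrades its voting scheme when a transmitter's own
# diagnostics report a failure. Tags, values, setpoint and the degradation
# sequence are constructed assumptions, not any vendor's configuration.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Reading:
    tag: str
    value: float    # process value from the transmitter, e.g. pressure in barg
    healthy: bool   # False when the device diagnostics flag a failure
                    # (e.g. a bad HART status or an out-of-range signal)


# Assumption: degrade toward the safe side as transmitters fail. Going to
# 1oo2 rather than 2oo2 keeps the trip available but raises the spurious
# trip exposure; 1oo1 is the last healthy channel acting alone.
DEGRADATION: Dict[int, Tuple[int, int]] = {3: (2, 3), 2: (1, 2), 1: (1, 1)}


def vote(readings: List[Reading], trip_setpoint: float) -> Tuple[bool, str, List[str]]:
    """Return (trip, scheme, alerts) for one scan of the voter.

    Only healthy channels take part in the vote; each failed channel raises a
    maintenance alert, and a degraded scheme raises an alert of its own so
    operators know the function is running with less redundancy."""
    alerts = [f"{r.tag}: diagnostic failure, maintenance required"
              for r in readings if not r.healthy]
    healthy = [r for r in readings if r.healthy]
    if not healthy:
        # Assumption: de-energize-to-trip design. With no trustworthy input
        # the function goes to the safe state rather than staying blind.
        alerts.append("all transmitters failed: tripping to safe state")
        return True, "0oo3", alerts
    m, n = DEGRADATION[len(healthy)]
    votes = sum(1 for r in healthy if r.value >= trip_setpoint)
    if n < 3:
        alerts.append(f"voting degraded to {m}oo{n}")
    return votes >= m, f"{m}oo{n}", alerts


if __name__ == "__main__":
    # Constructed scan: one transmitter failed, one healthy channel above setpoint.
    scan = [Reading("PT-101A", 8.5, True),
            Reading("PT-101B", 5.1, False),
            Reading("PT-101C", 4.9, True)]
    trip, scheme, alerts = vote(scan, trip_setpoint=8.0)
    print(f"trip={trip} scheme={scheme}")
    for a in alerts:
        print(" -", a)
```

With all three channels healthy the same single high reading would not trip a 2oo3 function; once PT-101B is flagged by its diagnostics the voter drops to 1oo2 and the one high reading does trip. The alerts list is what would drive the maintenance response David describes, and the 1oo2 choice is where the spurious trip versus fail-dangerous trade-off is made.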

David closed his presentation with the thought that the trend is to integrate this information from the SIS with the basic process control system (BPCS) instead of interfacing through a gateway because of the value of this diagnostic information. This helps operators and maintenance personnel make better operational decisions to avoid process shutdowns and identify and address abnormal situations as quickly as possible.


March 30, 2009


InTech magazine has a web exclusive on the importance of safety valves in a safety instrumented system. The article, Valve failure: Not an Option, describes methods of implementing partial stroke testing (PST) to reduce the average probability of failure on demand (PFDavg).

For those not familiar with a partial stroke test, I found this definition:

This test checks for valve movement without fully stroking the valve. Many applications will allow 10% movements to verify valve response without upsetting the critical process line. Diagnostic data is collected and an alert is given if the valve is stuck.

The purpose of this test is to improve PFDavg to possibly increase the safety integrity level (SIL) rating of the safety valve in a safety instrumented function (SIF), to extend the proof test interval, or a combination of both. Extending the proof test interval may allow process operators to avoid additional downtime by scheduling proof tests during turnarounds.
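To make the relationship between proof test interval, partial stroke test coverage and PFDavg concrete, here is an added worked example in Python. It is not from the InTech article, from Riyaz's Inside Functional Safety paper discussed earlier on this page, or from Emerson, and it also serves Mike's guest-post point above that on-line diagnostics remove only part of the dangerous failure rate. It uses the common simplified single-channel low-demand approximation PFDavg ≈ λDU·[C_pst·T_pst/2 + (1 − C_pst)·T_proof/2]; that choice is an assumption (no repair, common-cause, proof-test-coverage or mission-time terms, all of which a real SIL verification would include), and the failure rate, coverages and intervals are constructed sample values, not data for any real valve.

```python
# Added worked example (not from the article, Riyaz Ali's paper, or Emerson):
# simplified low-demand PFDavg for one final element, with and without a
# partial stroke test (PST). All numbers below are constructed sample values.

HOURS_PER_YEAR = 8760.0


def lambda_du(lambda_d_per_hour: float, diagnostic_coverage: float) -> float:
    """Dangerous undetected failure rate. On-line diagnostics reveal a fraction
    DC of dangerous failures; the rest stay covert until a proof test finds
    them: lambda_DU = lambda_D * (1 - DC)."""
    return lambda_d_per_hour * (1.0 - diagnostic_coverage)


def pfd_avg(lam_du: float, proof_test_years: float,
            pst_coverage: float = 0.0, pst_interval_years: float = 0.0) -> float:
    """Simplified single-channel approximation (assumption: perfect proof test,
    no repair, common-cause or mission-time terms):
        PFDavg ~= lam_DU * [ C_pst * T_pst / 2 + (1 - C_pst) * T_proof / 2 ]
    The PST only "sees" the fraction C_pst of covert failures (a stuck valve,
    for instance), so only that share benefits from the short PST interval."""
    t_proof = proof_test_years * HOURS_PER_YEAR
    if pst_coverage <= 0.0:
        return lam_du * t_proof / 2.0
    t_pst = pst_interval_years * HOURS_PER_YEAR
    return lam_du * (pst_coverage * t_pst / 2.0
                     + (1.0 - pst_coverage) * t_proof / 2.0)


def proof_interval_for_target(lam_du: float, target_pfd: float,
                              pst_coverage: float, pst_interval_years: float):
    """Solve the same approximation for T_proof: the longest full-stroke proof
    test interval (years) that keeps PFDavg at or below target_pfd once a PST
    is in place. Returns None when the PST term alone already exceeds the
    target, i.e. no proof test interval can recover it."""
    t_pst = pst_interval_years * HOURS_PER_YEAR
    pst_term = lam_du * pst_coverage * t_pst / 2.0
    if pst_coverage >= 1.0 or pst_term >= target_pfd:
        return None
    t_proof = (2.0 * target_pfd / lam_du - pst_coverage * t_pst) / (1.0 - pst_coverage)
    return t_proof / HOURS_PER_YEAR


def sil_band(pfd_avg_value: float) -> int:
    """IEC 61508 low-demand bands: SIL n means 10^-(n+1) <= PFDavg < 10^-n.
    Returns 0 when PFDavg is too high even for SIL 1."""
    if pfd_avg_value >= 1e-1:
        return 0
    if pfd_avg_value >= 1e-2:
        return 1
    if pfd_avg_value >= 1e-3:
        return 2
    if pfd_avg_value >= 1e-4:
        return 3
    return 4


def compare_scenarios() -> dict:
    """Constructed sample valve: lambda_D = 2e-6 /h, 30 % diagnostic coverage,
    yearly full-stroke proof test, then a monthly PST that catches 60 % of the
    covert failures."""
    lam = lambda_du(2e-6, 0.30)                      # 1.4e-6 /h
    baseline = pfd_avg(lam, proof_test_years=1.0)    # yearly proof test, no PST
    with_pst = pfd_avg(lam, 1.0, pst_coverage=0.60, pst_interval_years=1 / 12)
    # Keep the baseline PFDavg but stretch the full-stroke test toward turnaround
    stretched = proof_interval_for_target(lam, baseline, 0.60, 1 / 12)
    return {
        "lambda_du": lam,
        "baseline_pfd": baseline, "baseline_sil": sil_band(baseline),
        "with_pst_pfd": with_pst, "with_pst_sil": sil_band(with_pst),
        "proof_interval_years_at_baseline_pfd": stretched,
    }


if __name__ == "__main__":
    for key, val in compare_scenarios().items():
        print(f"{key:40s} {val}")
```

For the constructed values the yearly proof test alone gives a PFDavg of about 6.1e-3 (inside the SIL 2 band); adding a monthly PST with 60% coverage brings it to about 2.8e-3, and holding the original PFDavg instead lets the full-stroke test move out to roughly 2.4 years, which is the "extend the proof test interval to turnaround" effect the article describes. The two levers are visible in the formula: diagnostic coverage shrinks λDU, while PST coverage decides how much of what remains gets the short interval.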

The author enumerates four methods of performing the PST: by the emergency shutdown system (ESD), by a positioner-based device, by a 2-out-of-2 (2oo2) or 2-out-of-3 (2oo3) redundant device, and by a 2-out-of-4 diagnostic (2oo4D) redundant device.

The part of the article that jumped out at me, and which I needed to ask Emerson's Riyaz Ali about, was:

Using a positioner-based device is perhaps the worst option, as it is a complete misapplication of technology. Positioners should modulate control valves, whose movement is very small. ESD valves on the other hand are fully open or fully closed, and go from one state to the other as quickly as possible. Because positioners have a very small Flow Factor (Cv), they cannot vent a valve diaphragm quickly as required to satisfy the process safety time, and are suitable only for smaller valves. To compensate for this deficiency, an interposing SOV can vent the valve diaphragm. This SOV is not tested during the PST and remains in an open position for an extended period of time. As such, it may not be able to close (vent) upon demand and is itself a source of both dangerous failures and spurious trips.

In addition to the interposing SOV, positioners use a pneumatic valve-nozzle arrangement, which operates independently of the positioner electronics. Given the nozzle orifice plugs up (often by a tiny speck of dirt or water in the air supply), shutting off the electronics will not vent the valve diaphragm. This is a dangerous failure mode, as venting the diaphragm (closing the valve) is critical to achieving the safe state. Unfortunately, most positioner product safety evaluations do not address this dangerous failure mode.

Riyaz offers some counterpoints. Advanced positioners or digital valve controllers such as the Fisher DVC6000 SIS have been designed specifically to operate safety shutdown valves and have gone through the rigorous design, testing and certification process defined in the IEC 61508 international safety standard for use up to SIL 3 applications. This design, testing and certification process was developed to ensure the applicability of the technology for this process safety application.

Riyaz notes that it is true that a very few applications do require shorter process safety times. He points out that it is not necessary to use a solenoid valve (SOV) to improve the stroking speed. Positioners can use pneumatic devices to achieve faster stroking time. I discussed a quick-exhaust example in an earlier post. For process manufacturers who still would like to use an SOV in the SIF loop, these SOVs have different capacities to meet the stroking speed requirements. Also, some of the more modern positioners like the DVC6000 SIS can also monitor the health of the SOV when it's used with a single-acting actuator. It performs checks for the dangerous failures of SOVs on-line without affecting the process.

[Figure: Safety Instrumented System Schematic with DVC6000 SIS Digital Valve Controller in 4-Wire System]

Some digital valve controllers, like the DVC6000 SIS, are suitable for use in a SIL 3 SIF in standalone mode. When used in standalone mode or in pneumatic series with SOV or other pneumatic accessories, it continuously checks the pneumatic integrity (functioning of I/P and pneumatic relay) to ensure that these components are working and ready to drive the valves upon a safety demand (see figure 13). If, during normal operation, any abnormality is noted, an alert is sent to the HOST system.

Riyaz also clarifies that air quality requirements are always specified in each product bulletin for pneumatically operated valves and, specifically, that the safety manual of a field device always recommends following the ISA S7.0.01 air quality standard, which specifies that the air be clean, dry, and free of oil, water or any particulate contaminants.

For your IEC 61511 process safety risk mitigation efforts, partial stroke testing performed by digital valve controllers can help you reduce the PFDavg on your safety shutdown valves.


Update: Welcome, Plant Engineering Live blog readers! Jack, I appreciate the great recap of this post!

Update 2: Thanks to Dr. Beckman for pointing out my error on 2oo4D in the comment section of this post. It is "diagnostic" and not "double" as I'd originally written. I've also shown Dr. Beckman's comments to Riyaz and asked if he'd like to add a comment... stay tuned!

February 04, 2009


I saw a great process safety article in InTech magazine entitled, When failsafe isn't enough. It gives a how-to approach to volume tank sizing for the reserve air pressure required for an orderly safety shutdown.

The author describes some cases where this reserve air volume might be needed, such as when the failure position of the safety valves is not the failsafe condition or when operating conditions require an orderly, sequenced shutdown.

The equations to size the volume tank are given as well as who would typically supply the equation parameters. For instance, the valve supplier typically supplies the safety valve torque requirements and required leakage rates. The actuator supplier provides the torque-to-supply pressure tables. The good news for those of us a little rusty in our advanced math skills is that the equations are algebraic and the simplifying assumptions err to the side of conservative volume sizing.

I sent a link of this great article to Emerson's Len Laskowski, whom you may recall from earlier process safety posts. Len is a principal technical consultant, registered professional engineer, and certified functional safety expert (CFSE) and TÜV CFSE.

Len added that many engineers will tend to the conservative side and size the volume tank for several strokes of a valve, even if it needs to operate only once in a single stroke. This is mainly because extra capacity is relatively inexpensive, especially to mitigate the risk of a larger hazard.

He shared a reactor emergency depressurization example as a typical application where you might find volume tanks. Len wrote:

Typically, if this is a safety instrumented function (SIF) you want de-energized to trip failsafe. The emergency depressurization valves are Fail Open on loss of air. A spurious trip of this system would be bad news as the author suggests. It could create secondary hazards as is suggested in IEC 61511 that need to be identified.

For example, if the air failure was extensive a large number of vessels all depressurizing at once could overload a flare system. Too quick a depressurization of some chemicals could cause auto refrigeration that could lead to a cooling of the vent piping below design spec and the hazard of pipe embrittlement.

In some reactors, it would possibly blow catalyst out the vent system and possibly put stress on reactor beds, or trays that could damage the internals of the vessel, due to the large pressure differential caused by the emergency depressurization. These secondary issues also need to be managed and are reasons why volume tanks are needed.

Len has worked with process manufacturers to address some of these issues:

In some cases, a nitrogen or air bottle backup system would be used that has much more capacity than a volume tank. I have also seen cases where nitrogen is automatically switched in to back up a valve. This can be done by having a 3-way valve hooked up so that the common goes to the final element, one side goes to Instrument air and the other nitrogen.

You need some check valves to guard against reverse flow and have the valve actuator off the Instrument air so that it cuts off the nitrogen when instrument air is present. This is also a good setup when you have air motors that need a lot of air (gas) that need to move big valves. With nitrogen's toxicity in sufficient concentrations, these applications are generally outdoors, well ventilated, and require close review.

Len complimented the author on his article and added a few more considerations for process safety professionals. He wrote:

Other considerations that may be overlooked are common mode failures and testing. Typically, one would put two check valves in the system because failure of one would allow the tank to bleed out to the plant header. Also, care must be taken that the air is clean and no dirt is allowed to get to the check valves, so a filter/separator is really required to ensure that the check valves have a good opportunity to operate.

Facilities to isolate the volume tank from the air supply and bleed the air upstream of the check valves are also required not only to check that the system works initially but also for future proof testing. Typically, these systems should be checked at the same time the safety instrumented system (SIS) is proof tested. This is an easy item to overlook and needs to be put on the testing schedule with the SIFs it supports.

I hope between the author's original article and Len's additional thoughts that there are some pearls you can apply in your process safety efforts.


January 27, 2009


Emerson's DeltaV SIS product manager, Mike Boudreaux, whom I've featured in several process safety-related posts, manages two great sources of information on safety instrumented systems (subscribe) and process safety (subscribe). These Friendfeed rooms are excellent places to both capture and comment on stories as one finds them.

My subscription to the safety instrumented systems room pointed me to a great article by Murphy Oil's William Taggart. The article, which originally appeared in Intech magazine, is entitled Process safety systems in the Gulf of Mexico.

Mike's capture of the article's opening paragraph drew my attention:

Process safety systems for the offshore oil/gas industry in the Gulf of Mexico have taken a very different path than those of their onshore brethren. Monthly and quarterly testing of safety devices in an online mode, a prescriptive safety standard written more than 40 years ago, and a governmental agency looking over their shoulder make up what could have been a recipe for disaster, but instead it has been a recipe for an exemplary process safety record coupled with high uptimes. The differences lie in API RP 14C and ISA84 and the results to facilities in the Gulf of Mexico and onshore facilities. The differences are also why their system has worked.

I'm not sure about 40 years ago, but what the author describes is exactly how it worked more than 20 years ago when I worked as a systems engineer on offshore oil & gas platforms.

The American Petroleum Institute's Recommended Practice 14C (API RP 14C) was indeed very prescriptive for what safety shutdowns were required for each piece of the processing equipment from the wellheads to the custody transfer skids where the production was metered and ownership transferred to the pipeline companies.

The author wrote:

API RP 14C provides a simple standard you can easily apply to offshore oil and gas facilities where the process design is the same basic type that has seen use for years. It errs on the conservative side by requiring safety devices, which might be excluded under ISA84, IEC 61511, or IEC 61508 analysis. It does not address the implementation of the safety system, rather focusing on the required functions.

Based on the platform's processing equipment, the safety instrumented functions were very clear. And, monthly testing of the safety instrumented function inputs and safety valves was required by the U.S. Department of the Interior's Minerals Management Service. The operators worked hard to make sure the platforms they were responsible for had no MMS citations. The author notes one change over the years: with the advent of reliable electronic transmitters, the safety function inputs could be tested quarterly instead of monthly.

Another key difference from other process industries is that RP 14C has a philosophy of shutting everything down on a safety trip:

...an event on a single vessel will affect the entire facility, especially if it is a process critical vessel like a flare scrubber or process sump tank. On a typical offshore oil/gas facility, 20 safety devices will shut in the entire facility. Also, 200-400 safety devices will shut in their specific piece of equipment or a section of the process train depending on the size and complexity of the facility.

The combination of a conservative, prescriptive approach to safety instrumented functions, federally-mandated rigorous testing, and a "shut it all down" philosophy has produced an impressive safety track record, with no process safety-related fatalities in more than 9 years in the Gulf of Mexico.
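To make the "20 devices shut in the entire facility, 200-400 shut in their own equipment" structure concrete, here is an added example (not code from the original post or from Murphy Oil's article) of how a cause-and-effect table for this kind of shutdown hierarchy can be evaluated. All device tags, unit names, the feed relationships and the choice of which devices are facility-level are constructed assumptions for a toy platform; an equipment-level trip shuts in its own vessel and whatever feeds it, while a facility-level trip shuts in everything.

```python
"""Cause-and-effect evaluation for an API RP 14C style platform safety system.

Added example, not code from the original post or from Murphy Oil's article.
Everything below (device tags, unit names, which devices are facility-level)
is a constructed toy model of the 'shut it all down' philosophy: a few
devices shut in the entire facility, the rest shut in their own piece of
equipment and whatever feeds it.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class SafetyDevice:
    tag: str              # constructed tag, e.g. PSH = pressure switch high
    protects: str         # process unit the device is installed on
    facility_level: bool  # True: a trip shuts in the whole facility


# Constructed process train: each unit lists the units that feed it.
# Shutting in a vessel also shuts in its feeds, so nothing keeps arriving
# at a vessel that can no longer accept it.
FEEDS: Dict[str, List[str]] = {
    "wellhead_A": [],
    "wellhead_B": [],
    "hp_separator": ["wellhead_A", "wellhead_B"],
    "lp_separator": ["hp_separator"],
    "flare_scrubber": [],
    "lact_skid": ["lp_separator"],
}

DEVICES: List[SafetyDevice] = [
    SafetyDevice("PSH-101", "wellhead_A", False),
    SafetyDevice("PSH-102", "wellhead_B", False),
    SafetyDevice("PSH-201", "hp_separator", False),
    SafetyDevice("LSH-201", "hp_separator", False),
    SafetyDevice("LSH-301", "lp_separator", False),
    SafetyDevice("LSH-401", "flare_scrubber", True),  # process-critical vessel
    SafetyDevice("TSH-501", "lact_skid", False),
    SafetyDevice("ESD-001", "facility", True),         # manual ESD station
]


def upstream_closure(unit: str, feeds: Dict[str, List[str]]) -> Set[str]:
    """The unit plus everything that feeds it, transitively."""
    seen: Set[str] = set()
    stack = [unit]
    while stack:
        u = stack.pop()
        if u in seen:
            continue
        seen.add(u)
        stack.extend(feeds.get(u, []))
    return seen


def evaluate_trips(tripped_tags: Iterable[str],
                   devices: List[SafetyDevice] = DEVICES,
                   feeds: Dict[str, List[str]] = FEEDS) -> Tuple[bool, Set[str]]:
    """Return (facility_shutdown, shut_in_units) for a set of tripped devices.

    An unknown tag raises KeyError on purpose: a trip from a device that is
    not in the cause-and-effect table is a documentation defect to surface,
    not something to ignore silently.
    """
    by_tag = {d.tag: d for d in devices}
    shut: Set[str] = set()
    facility = False
    for tag in tripped_tags:
        dev = by_tag[tag]
        if dev.facility_level:
            facility = True
        else:
            shut |= upstream_closure(dev.protects, feeds)
    if facility:
        shut = set(feeds)  # every unit on the platform
    return facility, shut


def device_counts(devices: List[SafetyDevice] = DEVICES) -> Tuple[int, int]:
    """(facility-level devices, equipment-level devices): the '20' versus
    '200-400' split the article describes, in miniature."""
    facility = sum(1 for d in devices if d.facility_level)
    return facility, len(devices) - facility


if __name__ == "__main__":
    for trips in (["LSH-301"], ["LSH-401"], ["PSH-101", "TSH-501"]):
        esd, units = evaluate_trips(trips)
        print(trips, "-> facility ESD" if esd else "-> local shut-in", sorted(units))
```

The proof-test schedule discussed earlier applies to every tag in `DEVICES`: a table like this is also the natural place to record each device's last test date so that nothing feeding a facility-level trip is silently left off the monthly or quarterly list.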

In his safety instrumented system room, Mike had also flagged an October 2008 ControlGlobal.com story on Murphy Oil's use of the DeltaV and DeltaV SIS systems on some of their offshore platforms and the reasons for taking this approach.

January 15, 2009

Emerson's Dale Perry alerted me to a great article on safety-certified sensors in the November 2008 issue of Control Engineering magazine. Dale manages the Rosemount pressure measurement line of products.

The article, Practice Safe Sensing (subtitled "Safety-certified sensors promise to cut costs and boost performance. But the tradeoffs must be carefully considered."), described the advances in both the number and the intelligence of sensor devices used in process safety applications. The article defined these devices as:

...sensors can be certified by third parties to meet safety integrity levels [note: I've added hyperlinks for additional reference], or SIL, designations found in IEC 61508. One positive result of this is the potential to use fewer sensors without compromising safety, leading to a decrease in wiring and installation costs. Another positive effect is the potential for improved process control, largely due to increasingly intelligent sensors.

Exida's principal partner, Bill Goble, shared how the number of safety certified transmitters from automation suppliers has increased from five in 2003 to 24 in 2007--with more in testing and certification as automation suppliers improve the design and testing processes required to achieve certification to the safety integrity levels.

To mitigate risk for higher SIL applications, you often need multiple sensors (particularly if they are not safety-certified) connected in a one-out-of-two (1oo2) or two-out-of-three (2oo3) voting arrangement. Dale is quoted in the article, where he expanded on the fewer-sensors tradeoff:

Fewer sensors increase the possibility of a false alarm, which carries a cost since it might shut down a process needlessly.

The economic tradeoff is capital cost savings of fewer sensors and the associated installation and maintenance costs versus the probability of lost production from unplanned shutdowns caused by spurious trips.

Dale described how incorporating the features necessary for certification became part of research & development best practices. The R&D team applies these practices as new devices are developed and existing ones are enhanced. These safety-certified sensors still carry extra expenses, such as order checks of the options for the required SIL application, failure modes, effects, and diagnostic analysis (FMEDA) documentation, and serial numbers and failure data shipped with each sensor.

On the increasing level of intelligence, Dale noted:

The same intelligence that makes sensors safer increasingly supplies other capabilities... Users demand predictive diagnostics beyond the sensor. They want this functionality because more insight into a process helps prevent abnormal, and potentially unprofitable or dangerous, situations.

Dale also gave a peek at the future of Rosemount safety-certified sensors when he stated:

We see these advanced process diagnostics, as well as loop diagnostics, being included in future safety certified products.

When developing and executing your IEC 61511 safety lifecycle programs, the intelligence in these sensors and throughout your safety instrumented functions (SIF) can help improve the diagnostic coverage and reduce manual testing.

December 04, 2008

I'm lucky enough to receive a copy of Andrew Bond's Industrial Automation Insider newsletter each month through an Emerson subscription agreement. Andrew covers the happenings among the automation suppliers and standards bodies. You can also find some of Andrew's writings on the ControlGlobal.com site.

In the November 2008 newsletter, one item that caught some attention around here was this nugget:

...first TÜV-approved SIL3 Foundation fieldbus safety valve controller to appear on the market. The device delivers status changes automatically via Foundation fieldbus and incorporates real time alarm management eliminating the need for external wiring or I/O cards.

I have the privilege of working in the vicinity of two very knowledgeable people with respect to process safety, Riyaz Ali and Mike Boudreaux.

Riyaz notes that the Foundation SIF specifications are still under development. A recent Fieldbus Foundation release quotes ARC's Larry O'Brien:

It is very clear that end users want this technology and are striving to include FF-SIF systems in their project specifications. Many major end users will probably be specifying FF-SIF systems for their new projects starting in 2011.

A September 2008 ARC whitepaper, Foundation Fieldbus Safety Instrumented Functions Forge the Future of Process Safety, provides background on the Foundation SIF standard advancement and its current draft status. Mike and Riyaz were present at the successful May 2008 Foundation SIF end user demonstration project in Amsterdam, and Mike shared his experiences with me. Riyaz also shared that one of the function blocks, the SIF_DO block, will not be available from the Fieldbus Foundation until the first half of 2009.

Many automation suppliers are developing products based on the current Foundation SIF draft, including Emerson. I asked Riyaz about the current solution Emerson provides until the standard is ratified. Riyaz responded:

The current solution for use in a Foundation fieldbus SIS application is to use the DVC6000f PD instrument. Several hundred units have been supplied worldwide to process manufacturers where partial stroke test scripts are run from host systems, such as the DeltaV system and AMS Device Manager.

In this application, process manufacturers use a solenoid valve operated by a hardwired digital output from the SIS logic solver.

Riyaz expects that until process manufacturers have sufficient experience, they will continue to use an independent solenoid valve to take the SIS valve to the fail state, while at the same time using a DVC6000f PD for partial stroke diagnostics using Foundation fieldbus through the basic process control system (BPCS).

Figure: DeltaV and DeltaV SIS systems with DVC6000f PD and DVC6000 SIS

Mike notes that both the DeltaV and DeltaV SIS systems are capable of performing these safety instrumented function predictive diagnostics. The DeltaV system is being used to perform partial stroke testing with the DVC6000f PD using Foundation fieldbus communications. The DeltaV SIS system is being used to automate partial stroke testing with the DVC6000 SIS safety valve controller using HART communications. This additional diagnostic coverage assists process manufacturers with their IEC 61511 safety lifecycle efforts.

Using diagnostics enabled by Foundation fieldbus and HART communications, the DeltaV and DeltaV SIS systems with DVC6000 digital valve controllers can provide many of the benefits today that are promised by Foundation SIF in the future.


Update: Next week is the Thanksgiving holidays in the U.S. and I'll not be posting. We'll be upgrading our version of Movable Type software. Wish us luck!

November 21, 2008

Last week at the ISA Expo in Houston, I sat in on a great session featuring Emerson's Ed Bailey, as well as folks from Siemens, Ametek and a private consultant with years of experience with Dow Corning. The session was entitled, Energy Management Issues for Process Optimization, and it had the following description:

Subjects open for discussion in this session include nearly anything relevant to this topic, not just process control and instrumentation. Expect discussions regarding process maintenance, process modifications, maybe whole new processes that were less cost effective under the old energy cost structure but now are more cost effective.

Ed leads the technology development efforts for Rosemount Analytical gas measurement products. He kicked off the panel discussion by showing the forecasted growth of energy production. According to an ExxonMobil outlook study, most of the world's growing energy needs will continue to be met by the combustion of oil, gas, and coal.

Figure: Combustion Efficiency

To help manage carbon emissions, to deal with the increases in fuel costs over their historical averages, and to operate in an environment with increasing governmental regulations, process manufacturers have an ever-increasing need for improved combustion flue gas analysis. The best way to minimize carbon dioxide (CO2) emissions is to operate existing combustion processes at their maximum efficiency.

Ed described some existing industry practices, like averaging the output of a few analyzers, as not providing enough insight to diagnose and optimize the burners. Burner differences and stratification are normal conditions that this averaging strategy does not address well. Instead, Ed recommended that a mix of oxygen (O2) and carbon monoxide (CO) measurements be used, combined with neural network strategies that enable more complex models to be created to maximize efficiency versus the load/fuel variations--and to minimize mono-nitrogen oxides (NOx). The key point is that more discrete measurement points, which in turn feed more sophisticated control algorithms, will drive efficiency.
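The averaging problem Ed describes is easy to see with numbers. The following is an added example, not from Ed's presentation or any Rosemount product: it compares what one averaged O2/CO figure for a firebox reports against what discrete O2 and CO measurements at each burner report. The excess-air expression is the common dry-flue-gas approximation EA% = 100 * O2 / (20.9 - O2), and the O2 and CO limits, burner names and readings are all constructed assumptions chosen so that the average looks healthy while one burner is starved of air and another is over-aired.

```python
"""Per-burner versus averaged flue-gas analysis.

Added example, not from Ed Bailey's presentation or any Rosemount product.
The excess-air formula is the common dry-flue-gas approximation
EA% = 100 * O2 / (20.9 - O2); the O2 and CO limits and the readings are
constructed assumptions chosen to show what averaging hides.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class BurnerReading:
    burner: str
    o2_pct: float   # residual O2 in the flue gas, % by volume
    co_ppm: float   # carbon monoxide, ppm


def excess_air_pct(o2_pct: float) -> float:
    """Excess air from residual oxygen (dry-gas approximation, assumed)."""
    if not 0.0 <= o2_pct < 20.9:
        raise ValueError("O2 must lie between 0 and 20.9 %")
    return 100.0 * o2_pct / (20.9 - o2_pct)


def classify(o2_pct: float, co_ppm: float, o2_low: float = 1.5,
             o2_high: float = 4.0, co_limit: float = 200.0) -> str:
    """'rich' = CO breakthrough or too little air (unburned fuel, a safety
    concern as well as a loss); 'lean' = excess air carrying heat up the
    stack and raising NOx; 'ok' otherwise. Limits are constructed."""
    if co_ppm > co_limit or o2_pct < o2_low:
        return "rich"
    if o2_pct > o2_high:
        return "lean"
    return "ok"


def averaged_view(readings: List[BurnerReading]) -> Dict[str, object]:
    """What a single averaged O2/CO figure for the whole box reports."""
    n = len(readings)
    o2 = sum(r.o2_pct for r in readings) / n
    co = sum(r.co_ppm for r in readings) / n
    return {"o2_pct": o2, "co_ppm": co,
            "excess_air_pct": excess_air_pct(o2), "status": classify(o2, co)}


def per_burner_view(readings: List[BurnerReading]) -> Dict[str, Dict[str, object]]:
    """What discrete measurement points at each burner report."""
    return {r.burner: {"excess_air_pct": excess_air_pct(r.o2_pct),
                       "status": classify(r.o2_pct, r.co_ppm)}
            for r in readings}


def burners_needing_attention(readings: List[BurnerReading]) -> List[str]:
    """Burners the per-burner view flags that the average would not."""
    return sorted(b for b, v in per_burner_view(readings).items()
                  if v["status"] != "ok")


CONSTRUCTED_READINGS = [
    BurnerReading("B1", 3.0, 40.0),
    BurnerReading("B2", 3.2, 35.0),
    BurnerReading("B3", 0.6, 600.0),  # starved of air: CO breakthrough
    BurnerReading("B4", 5.2, 20.0),   # over-aired: wasted heat, more NOx
]

if __name__ == "__main__":
    print("averaged view:", averaged_view(CONSTRUCTED_READINGS))
    for burner, view in per_burner_view(CONSTRUCTED_READINGS).items():
        print(f"  {burner}: {view}")
    print("needs attention:", burners_needing_attention(CONSTRUCTED_READINGS))
```

With these readings the averaged view lands at 3.0 % O2 and under 200 ppm CO, which is a comfortable "ok", while the per-burner view flags B3 as rich and B4 as lean. The rich burner is the one that matters for the safety question raised later in the session, since a burner with CO breakthrough is running with unburned fuel in the box.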

One of the discussion points during the session was the use of zirconium oxide (ZrO2) oxygen analyzers to measure the residual oxygen remaining in the flue gases from any combustion process. Ed mentioned the Rosemount Analytical in-situ oxygen transmitter as an example of a zirconium oxide oxygen analyzer to help provide data to better control and optimize the combustion process.

An interesting question came into the panel about the safety considerations of running the combustion process right on the edge at its most efficient but potentially dangerous point. The panel had good thoughts that you need to separate the control aspects from the safety instrumented system burner management aspects. Like any process with safety risks, a risk analysis and risk mitigation strategy per the IEC 61511 international safety standard is critical.


October 21, 2008

At last week's Emerson Exchange, I had the chance to catch one of my favorite presenters, Mike Schmidt, a principal SIS consultant in Emerson's refining and chemical industry center. What makes him a favorite is that he can really simplify concepts around process safety and safety instrumented systems (SIS) and make them easy to understand by those of us not steeped in safety. He also adds a touch of humor to keep the audience engaged and having fun while learning about the serious subject of process safety.

Mike co-developed with Emerson process safety engineer, Tim Forbis, the presentation, "What About...Using Bypasses, DBB, and Other Process Features in Safety Instrumented Functions". Their abstract:

There are special design concerns when process features like double-block-and-bleed and isolation-and-bypass valve configurations are included in safety instrumented functions (SIFs). This talk addresses these concerns and also gives guidance on considerations for performing safety integrity level (SIL) verification calculations when incorporating these and other process design features in SIFs.

Mike provided guidance on four process examples: pump and discharge valve, multiple inlets (to a tank or vessel), double block and bleed, and unit bypass and isolation.

Figure: Pump and Discharge Valve

Let's take the first example from the presentation, a pump and discharge valve. The safe state is stopping the flow by closing the discharge valve. The complication is the pump continuing to run, causing a "deadhead" condition against the valve and risking pump damage. The typical function of the basic process control system (BPCS) is to stop the pump if the discharge valve is not open.

Mike and Tim's recommendation was not to include the pump in the SIF for several reasons including:

  • Pump damage is not a hazard being protected against
  • Pump damage does not warrant SIL-rated protection
  • Less complexity means a better spurious trip rate
  • Pump stop may not contribute to the SIF's purpose--stopping flow
  • Fewer components decrease cost--initial investment and operating cost

Now, if deadheading the pump is its own hazard, use a separate SIF with hazard-specific trip conditions. For instance, if the deadhead condition causes the pump to leak leading to fire, then you must mitigate that risk. Or, if the pump stop is included in the SIF as a redundant means to stop flow, then trip on the same condition as the discharge valve. A separate trip condition based on valve action adds complexity and cost, compromises independence and results in worse Probability of Failure on Demand, Average (PFDAVG) and mean time to failure spurious (MTTFs).

A final consideration Mike shared is that if your logic solver, such as DeltaV SIS, has sequencing capabilities, the safety logic should stop the pump first and then close the valve.

The other cases also present recommendations and counter-recommendations based on the circumstances of the hazard to be mitigated. Mike's key takeaways for the audience are that the actions for the SIFs may need to be different from the actions for process control in the same process. Also, the final control elements in the SIFs should be limited to those needed to accomplish the purpose of each SIF.

Adding more than is required increases the probability of failure on demand, increases spurious trips, increases investment costs, and increases ongoing operating and maintenance costs.
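Two passages on this page come down to the same arithmetic: the 1oo2 and 2oo3 sensor voting in the December 4 post on safety-certified sensors, and Mike and Tim's question of whether adding a pump stop to a discharge-valve SIF helps or hurts. The Python below is an added example covering both; it is not from either presentation nor from any Emerson tool. It implements MooN voting and the first-order IEC 61508 low-demand expressions for PFDavg and spurious trip rate (1oo1: lambda*T/2; 1oo2: lambda1*lambda2*T^2/3; 2oo3: the sum over channel pairs; "series" for elements that must all act). The failure rates, proof-test interval and repair time are constructed assumptions, and common cause and diagnostic coverage are ignored, so the numbers compare architectures rather than qualify a real SIF.

```python
"""Simplified IEC 61508 low-demand arithmetic for voting groups and final
element arrangements.

Added example (not from the original posts or from Emerson). Assumptions:
constant per-channel failure rates (per hour), perfect proof test every T
hours, no common cause and no diagnostic coverage, first-order PFDavg
expressions. Good enough to compare architectures, not to qualify a SIF.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, Sequence, Tuple


@dataclass(frozen=True)
class Channel:
    """One sensor or final element (constructed failure rates, per hour)."""
    name: str
    lambda_du: float  # dangerous undetected failure rate
    lambda_s: float   # safe (spurious trip) failure rate


def vote(arch: str, tripped: Sequence[bool]) -> bool:
    """MooN voting: the group trips when at least M of its N channels trip."""
    m, n = (int(x) for x in arch.split("oo"))
    if len(tripped) != n:
        raise ValueError(f"{arch} expects {n} channel states, got {len(tripped)}")
    return sum(tripped) >= m


def pfd_avg(arch: str, ch: Sequence[Channel], proof_test_h: float) -> float:
    """First-order PFDavg. 'series' means every element must act for the SIF
    to succeed (valve AND pump stop): any dangerous failure defeats it."""
    t = proof_test_h
    if arch == "1oo1":
        (c,) = ch
        return c.lambda_du * t / 2
    if arch == "series":
        return sum(c.lambda_du * t / 2 for c in ch)
    if arch == "1oo2":
        a, b = ch
        return a.lambda_du * b.lambda_du * t ** 2 / 3
    if arch == "2oo3":
        pairs = sum(a.lambda_du * b.lambda_du for a, b in combinations(ch, 2))
        return pairs * t ** 2 / 3
    raise ValueError(f"unsupported architecture {arch}")


def spurious_trip_rate(arch: str, ch: Sequence[Channel], mttr_h: float) -> float:
    """Spurious trips per hour. Any single safe failure trips a 1oo1, 1oo2 or
    series arrangement; a 2oo3 group needs two safe failures within one MTTR."""
    if arch in ("1oo1", "1oo2", "series"):
        return sum(c.lambda_s for c in ch)
    if arch == "2oo3":
        return sum(2 * a.lambda_s * b.lambda_s * mttr_h for a, b in combinations(ch, 2))
    raise ValueError(f"unsupported architecture {arch}")


def sil_from_pfd(pfd: float) -> int:
    """IEC 61508 low-demand SIL bands; 0 means below SIL 1."""
    for sil, (lo, hi) in ((4, (1e-5, 1e-4)), (3, (1e-4, 1e-3)),
                          (2, (1e-3, 1e-2)), (1, (1e-2, 1e-1))):
        if lo <= pfd < hi:
            return sil
    return 0


def sensor_architectures(proof_test_h: float = 8760.0,
                         mttr_h: float = 8.0) -> Dict[str, Tuple[float, float]]:
    """(PFDavg, spurious trips/h) for one, two and three identical transmitters."""
    tx = Channel("transmitter", lambda_du=2e-6, lambda_s=1e-5)  # constructed
    return {arch: (pfd_avg(arch, [tx] * n, proof_test_h),
                   spurious_trip_rate(arch, [tx] * n, mttr_h))
            for arch, n in (("1oo1", 1), ("1oo2", 2), ("2oo3", 3))}


def pump_and_valve(proof_test_h: float = 8760.0,
                   mttr_h: float = 8.0) -> Dict[str, Tuple[float, float]]:
    """Mike and Tim's first case: the discharge valve alone, valve AND pump
    stop both required (series), or valve OR pump stop as redundant means."""
    valve = Channel("discharge valve", lambda_du=2e-6, lambda_s=5e-6)  # constructed
    pump = Channel("pump stop", lambda_du=4e-6, lambda_s=2e-5)         # constructed
    return {
        "valve_only": (pfd_avg("1oo1", [valve], proof_test_h),
                       spurious_trip_rate("1oo1", [valve], mttr_h)),
        "valve_and_pump_series": (pfd_avg("series", [valve, pump], proof_test_h),
                                  spurious_trip_rate("series", [valve, pump], mttr_h)),
        "valve_or_pump_1oo2": (pfd_avg("1oo2", [valve, pump], proof_test_h),
                               spurious_trip_rate("1oo2", [valve, pump], mttr_h)),
    }


if __name__ == "__main__":
    for label, table in (("sensors", sensor_architectures()),
                         ("final elements", pump_and_valve())):
        print(label)
        for arch, (pfd, rate) in table.items():
            print(f"  {arch:24s} PFDavg={pfd:.2e} (SIL {sil_from_pfd(pfd)})"
                  f"  spurious trips/yr={rate * 8760:.3f}")
```

Run it and the two halves of the argument show up side by side. On the sensor side, going from one transmitter to 1oo2 moves PFDavg down a SIL band while doubling the spurious trip rate, and 2oo3 keeps the PFD gain while bringing spurious trips back down, which is the tradeoff Dale describes. On the final element side, requiring both the valve and the pump stop (series) makes PFDavg worse and adds the pump's spurious trips; only when the pump stop is a genuinely redundant way to stop flow, tripping on the same condition, does the PFD improve, and even then the spurious trip rate still goes up.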

Update: One of the great suggestions from a customer (thanks Rich!) at last week's Emerson Exchange was that I should consider recording the blog for those with long commutes. I thought we'd give it a whirl, so here is today's post in podcast form. Next step will be to figure out how to get it to iTunes... stay tuned!

October 07, 2008

I received an email last week with some questions about an earlier post, Checking Your Safety Solenoid Valves. While protecting the emailer's anonymity, I thought I'd share the questions and the answers provided by Emerson's Riyaz Ali with you.

The first question was about the assertion, "What the technology team found through extensive research and development is that the solenoid valve can be pulsed for a split second by smart SIS logic solvers like the DeltaV SIS system." The question was:

The apparent assumption here is that the DVC6000 SIS is added to the solenoid valve installation but does not replace it. This raises the question of what benefit the DVC6000 SIS has over other versions.

Riyaz responded:

The digital valve controller (DVC) is used as a diagnostics device to initiate partial stroke tests (PST) and to continuously monitor the health of the valve, even if there is no change in the input signal to the DVC. The DVC6000 SIS is certified for use in a Safety Instrumented Function loop without solenoid-operated valves (SOV). Applications which require faster stroking speed, and where a process manufacturer is more concerned about "safety availability" and would like to have either or device pneumatically in series to take the final element to a safe state, will employ a DVC and an SOV.

It is true that physically the DVC6000 and DVC6000 SIS have the same components (except for the sticker on the cover and different firmware in the microprocessor), but unlike the general DVC used for process control, the DVC6000 SIS for safety has built in:

  • safeguard against spurious trip during PST
  • PST online, in service, without change of the input signal
  • configurable stroking speed to ramp (rather than step) slowly or fast during the partial stroke test
  • capture of the PST results and storage in the non-volatile memory of the device
  • using associated software, analysis of the test results for the health of the final element
  • audit documentation (comparisons and storage)
  • return of the valve to its normal state after completion of the test
  • manual reset feature
  • automated PST without any other user interface

A second question arose about what value there is if the DVC6000 goes to zero mA, loses power, and thus loses its diagnostics:

Again, it doesn't appear that the SIS version is bringing anything to the party. If configured in the 0-20mA or 0-24 volt DC scheme and used as part of the safety trip, communications are lost during the trip and the feature described does not apply. If it is not used to trip the valve, why use the SIS derivative?

Riyaz answered:

When the DVC is used with 0-20mA or 0-24VDC, it only loses its capability to trigger the event in the case of a "Safety Demand". It otherwise has all the other capabilities of a DVC6000 SIS operated at 4mA. When used with 0mA or 0VDC, the DVC does take an active part in the "Safety Shutdown" and makes the "Final Element" attain the "Safe State". The DVC6000 SIS, when operated with 4-20mA, can capture and store the results in non-volatile memory for study and understanding of the event, which could provide vital clues about the event and also lessons learned for the future. This provides the opportunity for safety reliability engineers to access and evaluate the "Demand Condition". Also, the details obtained can be used with regulatory bodies who would like to have an audit of the device in the case of a demand.

The whole purpose of migrating from discrete on-off switch contacts to analog inputs (sensors) / outputs (final elements) for logic solvers has evolved into the use of microprocessor-based field devices in safety instrumented systems. If one uses microprocessor-based devices, then why should they not use 4-20mA instead of 0-20mA? I am still of the opinion that an analog signal for the field device provides continuous monitoring by the logic solver of its input and output. If one decides to use microprocessor-based devices, it makes sense to use 4-20mA rather than 0-20mA for the DVC, which does not offer any advantages. On top of that, the DVC6000 SIS, when used with 4-20mA, is certified for compliance with IEC 61508.

The final question came up when I wrote, "One final point Riyaz emphasized is the DVC6000 SIS spurious trip protection which provides maximum output pressure to the solenoid at minimum input signal in a case where the 4-20mA signal between the smart logic solver and digital valve controller is lost or severed." The question was:

Here the SIS is driven by a 4-20 mA signal but, amazingly, it is configured to fail to danger on loss of the control signal. I still don't see the benefit of the DVC6000SIS over its siblings.

Riyaz responded:

This is typically an ETT (Energize to Trip) scenario, where during normal operation the customer will use 4mA (because plant availability is highest) and upon a Safety Demand the customer would like to provide 20mA to the DVC so that the DVC can trip the valve.

In fact, one of the major oil and gas producers has already used this same scenario in their plant. They are using an SOV to trip the valve and the DVC for diagnostics, partial stroke test and SOV health test, and use the DVC with a reverse relay. Even if someone cuts the power to the input signal of the DVC, it still supplies full pressure to avoid any spurious trips.

I thought sharing this email exchange might provide answers for your IEC 61511 compliance efforts if you had similar questions when reading the earlier post.

September 16, 2008

Last week, Emerson's Mike Boudreaux and several Emerson CFSE safety experts attended the 8th International PES Symposium, hosted by TÜV Rheinland at their office in Cologne, Germany. From Mike's internal blog, here's his on-the-scene review of the presentation by Walt Boyes, Control magazine editor and Sound Off! blogger:

Walt Boyes kicked off the symposium with the keynote presentation titled Why is Safety so HARD? Amazingly, he presented the first several slides of his presentation by speaking in German! This was very impressive. He covered a lot of ground in his presentation. The main points were:

  • Plants need to be built and operated inherently safe.
  • It's not just about the SIS. Inherent safety includes good alarm management, security, operations, training, and company goals.
  • The SIS must be part of an overall proactive security strategy.
  • Operator HMI design and training needs to be improved. Operator response is dependent on how information is presented.
  • Like safety, alarm management must be a lifecycle process instead of just a project task.
  • Company management needs a way to consider incident avoidance in the financial metrics.

Walt's key point was that process safety needs to be raised to the business level. Company CFOs have no way to calculate the cost avoidance of events that don't happen. It's only after an incident that the costs are seen. Because of the way that financial reporting is done, there is no way to account for the value of operating inherently safe. It is impossible to show lives not lost or equipment not damaged in a company's financial reports. The industry needs a way to measure what we do. If you can't measure it in financial terms, it never happened. Safety needs to be considered as part of the economic calculus, which includes environmental stewardship and company sustainability.

Walt used the example of the BP Texas City explosion to illustrate his point about taking an integrated approach to SIS, alarm management, operations, training, and company goals:

No one expected the operators to have difficulty seeing both the inlet and the outlet flows to the isomerization process and the raffinate splitter tower at BP Texas City. No one expected ALL the level measurement devices on the tower to fail at the same time. No one expected the safety system to fail. No one expected that the operators would consistently make wrong decision after wrong decision as they tried to recover from the impending disaster. No one expected the diesel pickup truck to be running in the same area as the cloud of hydrocarbon vapor.

Yet all of these things happened. And people died. There have been many more accidents in the three years since the BP disaster, and there will be many more. And many more people will die.

We need to start thinking about safety, security, alarm management, operations and training as an integrated whole, and we need to have our companies agree that the safe way is the most profitable way. We have not done this yet, and until we do, people will continue to die.

Walt's presentation was exceptionally relevant, with two fatal chemical plant explosions in the previous week (20 workers killed in Southern China and one worker killed in West Virginia). The need for improved process safety is driving increased demand for safety instrumented systems. According to a recent ARC Advisory Group process safety system study, "The worldwide market, which is around USD1.4 billion in 2007, is expected to grow at a compounded annual growth rate (CAGR) of over 12% per year to over USD2.5 billion in 2012."

September 09, 2008

Some lively email exchanges occur in some of the ISA Technical and Industry email lists. I usually find out about these if one gets forwarded my way. If I could express one wish to the ISA folks it would be to web and RSS-enable these email lists, so that I could more easily discover them in my Google searches and persistent RSS search feeds.

If you're not familiar with persistent RSS searches, I recommend you visit Google Blog Search or Google News Search. You can subscribe to any of the searches you run and you'll get a notice when something new is posted. Or you can get an email if you choose the email alert option--as if we need more emails!

Enough with this side tangent, on to the matter in the ISA Safety email list. A thread discussed the risk mitigation effectiveness regarding fire and gas (F&G) systems as safety instrumented systems (SIS). SIS-TECH Solutions founder Angela Summers wrote a thorough response to arguments raised by several other list members. The first excerpt I gleaned is around the reliability of fire and gas systems:

An SIS is a safety function that is independent and separate from the BPCS [basic process control system], acts to achieve or maintain a safe state of the process when abnormal process conditions are detected, and achieves a PFD [probability of failure on demand] less than 0.1. As noted by other postings, a significant performance limitation for fire and gas systems is the detector and mitigation effectiveness.

Angela sums up her reasoning:

The vast majority of fire and gas systems are not SIS, because they do not achieve or maintain a safe state of the process, but rather act after equipment design limits have been exceeded. Further, fire and gas systems are not typically capable of achieving the required dependability (integrity and reliability) to be considered an IPL [independent protection layer].

Fire and gas systems may be implemented in the SIS logic solver according to IEC 61511/ISA 84.00.01-2004, which requires that the user ensure that the non-SIS functions do not impact the functionality and/or integrity of the SIS.

In my email thread that circulated among the Emerson safety expert community, TÜV CFSE-certified Len Laskowski, whom you may recall from earlier safety posts, agreed with Angela's reasoning:

It is almost impossible for an F&G system to attain a SIL 1 level of risk reduction for the effectiveness reasons Angela states. I also agree that for prevention or maintaining a safe state of the process, it cannot be considered an IPL and it should not be given credit in a LOPA to prevent an incident. However, it is an SIS system because IEC 61511 defines SIS to be preventive or mitigative. F&G is clearly mitigative because the incident has already occurred. F&G tries to mitigate the hazard as best it can and give operations time to escape or take further actions. It just rarely achieves a SIL level. If one wants to disqualify it as an SIS because it is not at least SIL 1, well, we need to discuss that a bit further. Yes, we can do them in the SIS system as long as it doesn't affect the SIS, as Angela states. And yes, we should make them as reliable as possible. Reliability and availability are the name of the game for F&G.

Len is also a member of SP84 Working Group 6 sub-committee on Fire & Gas Systems. This working group is developing a Technical Report (ISA-TR84.00.07) to clarify the relationship between Fire & Gas Systems and Safety Instrumented Systems.

Emerson's Mike Boudreaux, whom you also may recall from earlier posts, was the one who looped me in on this email. He adds:

DeltaV SIS was designed for emergency shutdown (ESD), burner management systems (BMS), and fire and gas (F&G) applications. There are often significant integration benefits to implementing the ESD, F&G, and BMS systems in the same SIS platform. Without question, an F&G system benefits from the SIS Safety Lifecycle model provided by IEC 61511.

There are significant differences between F&G and ESD applications. While an ESD system switches outputs off if it detects a dangerous situation, an F&G system will normally switch on water sprays or inert gas discharge in the case of fire, or sound alarms and switch on blowers in the case of releases of toxic or flammable gas.

Here is a summary of the major differences between F&G and ESD applications:

  • An ESD system operates before the accident has occurred, whereas an F&G system takes action to minimize the effects of the incident after it has occurred.
  • An ESD system is typically the facility's last line of prevention against an incident, whereas an F&G system is typically the first line of mitigation of an incident.
  • An ESD system is evaluated on the probability that it will be able to act when a demand occurs. An F&G system is evaluated based on its effectiveness at detecting and mitigating the incident once it has occurred.
  • Most ESD systems are SIL rated, whereas most F&G systems are not SIL rated.
  • Most ESD systems are normally energized, whereas most F&G systems are normally de-energized (energize to trip).
  • An ESD spurious trip causes plant downtime, whereas an F&G spurious trip can cause equipment damage and potential injury.

If your responsibilities include safety instrumented systems, there are some really good and hotly debated discussions going on that you may want to join. I only wish these were more visible and easily found through searches and persistent RSS searches.

Update: Mike sent me a Twitter tweet that he has a Safety Instrumented Systems Friendfeed room setup and added this post. You may want to join this room if you have an interest in SIS and want to see items as they are posted by Mike, me and others (including you) who are members of this room.

September 02, 2008

Two very knowledgeable people in safety instrumented systems (SIS), Mike Boudreaux and Riyaz Ali, shared with me the story behind the recent news about the DVC6000 SIS digital valve controller (operated by 4-20mA) being certified to be compliant with IEC 61508 for use up to SIL 3 safety instrumented functions (SIF).

With this certification, the DeltaV SIS logic solver's HART two-state 4-20mA output and the Fisher DVC6000 SIS, without any additional solenoids or other auxiliary devices, can be used for SIL 3 applications. This configuration captures trip events during a safety demand, which gives safety engineers crucial data for reliability analysis of the event. It's also helpful information for regulatory audits.

Now, I used my trusty friend Google to learn more about the HART two-state channel and found this page in DeltaV Books On-Line on the function block in the logic solver that helps make this happen. Basically:

...DeltaV SIS Logic Solver Digital Valve Controller (LSDVC) function block provides an interface to the DVC6000 SIS for safety shutdown and for partial stroke testing. The HART Two-state Output Channel provides the control signal and the HART communications path to the digital valve controller. You can configure the output channel to have an OFF_CURRENT of 0 mA or 4 mA. The control signal can command the valve controller to the tripped state regardless of the configured OFF_CURRENT value. Using an OFF_CURRENT value of 4 mA allows HART communication between the Logic Solver and the valve controller whether the valve controller is in the normal or the trip state. When the OFF_CURRENT is 0 mA, the power is removed entirely when the LSDVC function block drives the channel Off.

Mike noted that continuous diagnostics are possible because the valve closes when delivered a 4 mA signal. The DVC6000 SIS records the results of a demand event by logging all the travel and pressure data points in the microprocessor memory. This event log is critical for plant personnel, reliability engineers, and auditing authorities to understand the final element status before and after the trip or demand event. Before the new certification was obtained, diagnostics would be lost on shutdown because the signal to the DVC would be 0 mA.

These on-line diagnostics coupled with partial stroke testing can be automatically initiated from the DeltaV SIS logic solver. This means that the final control element is periodically checked to help protect against spurious trips and to test for demand availability. The operator can also manually initiate these partial stroke tests from operator faceplates. The DVC6000 provides pass/fail status back via HART digital communications for alarming and historical event recording.

Riyaz pointed out that for Type B devices (generally microprocessor-based), the IEC 61508 international safety standard (part 2, table 3) mandates redundancy in SIL 3 applications. This means the DVC6000 SIS connected to the DeltaV SIS HART two-state channel is suitable for SIL 1 and SIL 2 applications without redundancy, but for SIL 3 SIFs, IEC 61508 mandates full redundancy, i.e. a hardware fault tolerance of one.

Achieving this certification helps reduce the components in these SIFs and increase the diagnostic coverage and capture of historical SIS information on demand.

August 08, 2008

The Industrial Equipment News (IEN) blog post, Now Playing: "Death in the Oilfield" reminds me of an earlier line of thinking about the growing importance of some of the social media technologies, often dubbed "Web 2.0".

I've harped about zealous IT organizations in the past and their quest to block sites that potentially are "time-wasters" including YouTube videos, Flickr photos, Facebook and other social media sites (are any of these blocked for you?). If you've ever seen teenagers in action, there is little doubt these sites can appear to waste time.

But they can also be put to very good use, like how the U.S. Chemical Safety Board (USCSB) is using YouTube. From the IEN post:

It's easy to zone out on those repetitious building fire drills, even though we know they're important. Industrial safety managers face the issue of inattention in safety training workshops regularly, but some are finding that the U.S. Chemical Safety Board's videos can help to focus attention. The most recent video, Death in the Oilfield, was released just this week. The 9-minute presentation, based on an explosion at an oilfield in Raleigh, MS that claimed three lives, uses 3D animation to illustrate the sequence of events that led to the explosion. Also included are interviews with CSB investigators and key safety lessons to be learned.

If permitted by your IT organization, visit the USCSB YouTube Channel to see their full list of videos. I've also embedded the video here as a quick test to see if your organization blocks these:

This particular case did not involve automation-related equipment but rather work practices. Other accident investigations on the USCSB channel involve the combination of human error and equipment failure.

From the quote above, there just might be some, "...key safety lessons to be learned." If you think it might help, point your IT folks to this post and ask why you can't access this type of important safety information.

Update: I just saw a tweet from Control magazine editor-in-chief and Sound OFF! blog's Walt Boyes:

talking about putting the Process Automation Media Network on YouTube...

Sounds like another reason to unblock your network.

July 28, 2008

I just read a great article, How to Achieve Competent Workforce for Safety, in the May edition of Automation World magazine. Written by editor-in-chief, Gary Mintchell (also of Feed Forward blog, Automation Gear blog and Twitter fame), this article looks at the people side of ensuring safety. It examines some of the existing regulations and standards around competency, views from both process and discrete automation suppliers and views from safety-focused organizations.

Emerson's Chuck Miller is quoted in the article and has long articulated the role of people in effective safety programs. The article notes that both the U.S. Occupational Health and Safety Administration (OSHA) and the global IEC organizations, through the IEC 61508 and IEC 61511 standards, "state that people involved with the safety lifecycle must be competent in the area in which they deal."

The safety lifecycle covers a broad spectrum of responsibilities, and Chuck notes, "even people we consider to be safety experts may not be expert in all areas of the lifecycle. For example, a reliability engineer may know a lot about the equipment, but may not be able to competently go into the plant and effectively calibrate and maintain that equipment."

The article describes the top-down support and commitment to build a strong safety culture with competent people across all phases of the safety lifecycle. To help in this competency requirement, Emerson developed a safety management system built according to IEC 61511 and had its processes audited and certified by TÜV in 2006.

A safety management system should clearly define the organization, competency policy, safety audit procedures and the safety lifecycle activities. Good guidelines exist to help. The United Kingdom's Health and Safety Executive (HSE) in 2007 published, Managing competence for safety-related system, Part 1: Key Guidance. It includes 16 principles across the plan, design, operate and audit/review phases of the safety lifecycle.

Emerson's safety management system defines clear policies and processes, roles, role competency requirements and the training/experience required to achieve the identified skills for each role. Examples of roles in the project phase are SIS consultants, SIS project leads, SIS software engineering personnel, SIS hardware engineering personnel, and SIS field equipment engineering personnel. In addition to an employee's work experience, a key part of Emerson's safety competency requirements program is the Certified Functional Safety Expert (CFSE) certification. I did a quick search on the list of CFSE/CFSP certified safety professionals and counted more than 60 global Emerson folks that are now certified.

I caught up with Mike Boudreaux to find other ways that Emerson helps end users to address their SIS competency requirements. Thorough knowledge of the entire safety system is important. Competency requirements should apply to all of the components that make up the SIS, from the sensor to the final element and everything in between. Here are some ways that Emerson is helping:

  • SIS Seminars that include a safety overview, discussion of SIS applications and a discussion of the safety lifecycle.
  • PlantWeb University SIS courses, free online courses that provide a good overview of IEC 61508/61511 safety lifecycle concepts.
  • Process Safety Training Courses that cover the Analysis and Realization phases of the IEC 61511 safety lifecycle.
  • Training courses on the SIS components that Emerson supplies, including the sensors, logic solvers, final elements, and safety lifecycle tools.
  • Emerson has supported the development of the CFSE/CFSP programs through participation on the CFSE Governance Board. The governance board is an independent board that administers certification tests for CFSE.

Mike also points out, "competency goes beyond knowledge of the concepts and technologies that are used to implement an SIS. Good design and implementation reduces the random and common cause hardware failures. It is in preventing the systematic failures where managing competency throughout the entire safety lifecycle becomes so important. For many end users, this means that developing competency management in the Operation phase is very critical."

Knowledge of the process application and the hazards involved is a must. IEC 61511 also calls out the need for "adequate management and leadership skills appropriate to their role in the safety lifecycle activities" as part of competency. This has a lot to do with the type of people that you employ and the company culture that you develop. It is not something that can be created overnight and it takes a long-term commitment to be successful.

Update: Welcome Feed Forward blog readers!

July 22, 2008

Recently, Emerson's Fisher Control Valve and Regulators division announced that several lines of control valves received SIL 3 certification for on/off operation per the IEC 61508 international safety standard. Safety valves with digital valve controllers have been certified for many years, but these are the first control valves to achieve this independent third-party certification. Up to this point, the prior use methodology has been required to demonstrate the control valves are "proven in use" for safety applications.

I caught up with Andy Evans, a product manager in Fisher's European operations. Andy shared with me the motives behind pursuing this certification:

...the architectural constraints in IEC 61508 state that a final element needs a Safe Failure Fraction of greater than 60% to be used in a SIL 2 loop as a single device. The generic data, which was being used prior to having specific FMEDA (Failure Modes, Effects, and Diagnostic Analysis), was less than 60%.

Andy also noted that process manufacturers were increasingly requesting the certification given the efforts required with the "prior use" approach. The team decided to pursue certification for the Fisher GX, Vee-ball, easy-e and HP valve families.

The valve technology organization worked with the third-party safety professionals, Exida. They followed the basic process outlined in the IEC 61508 standard. The team went through an initial documentation plan including verification and validation (V&V) followed by the detailed writing of the safety requirement specifications (SRS). These activities completed the analysis phase of the safety lifecycle.

They went through the FMEDA for the mechanical portions of the actuators and valve bodies based on their physical properties and field experience. This analysis looks at the effect of each component in the valve failing in its worst possible way and then categorizes that failure.

Exida has a database of frequency of failure for each type of component. These failures are categorized into safe & dangerous (dangerous meaning stopping the valve moving to its safe state) and detected & undetected.

After the FMEDA analysis was performed, functional tests (integral), conceptual design, and detailed design assessments were done.

The final steps on the path to certification were a thorough evaluation of the engineering development process and documentation assessment for design modifications, change request processes and impact analyses.
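To make the FMEDA categories and the architectural constraints concrete, here is an added worked example (not Exida's or Fisher's code, and the failure rates are constructed, not from Exida's database). It computes the Safe Failure Fraction from the four FMEDA categories and looks up the maximum SIL from the IEC 61508-2 architectural-constraint tables for Type A and Type B devices, which also shows why the Type B DVC6000 SIS in the post above needs a hardware fault tolerance of one for SIL 3.

```python
"""Safe Failure Fraction (SFF) and IEC 61508-2 architectural constraints.

SFF = (lambda_SD + lambda_SU + lambda_DD) / (lambda_SD + lambda_SU + lambda_DD + lambda_DU)

Added illustration only; the numbers below are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Fmeda:
    """Failure rates in FIT (failures per 1e9 hours) for the four FMEDA categories."""
    safe_detected: float
    safe_undetected: float
    dangerous_detected: float
    dangerous_undetected: float

    @property
    def total(self) -> float:
        return (self.safe_detected + self.safe_undetected
                + self.dangerous_detected + self.dangerous_undetected)

    def sff(self) -> float:
        """Fraction of failures that are either safe or dangerous-but-detected."""
        if self.total == 0:
            raise ValueError("no failure rate data")
        safe_or_detected = (self.safe_detected + self.safe_undetected
                            + self.dangerous_detected)
        return safe_or_detected / self.total


# Maximum SIL by (SFF band, hardware fault tolerance 0/1/2),
# per IEC 61508-2 (2000) Table 2 (Type A) and Table 3 (Type B).
# Bands: [0, 60%), [60%, 90%), [90%, 99%), [99%, 100%]. 0 = not allowed.
TYPE_A = ((1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4))
TYPE_B = ((0, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4))


def sff_band(sff: float) -> int:
    if sff < 0.60:
        return 0
    if sff < 0.90:
        return 1
    if sff < 0.99:
        return 2
    return 3


def max_sil(sff: float, device_type: str, hft: int) -> int:
    """Highest SIL the architectural constraints allow for one subsystem."""
    table = {"A": TYPE_A, "B": TYPE_B}[device_type.upper()]
    if hft not in (0, 1, 2):
        raise ValueError("HFT must be 0, 1 or 2")
    return table[sff_band(sff)][hft]


def min_hft_for_sil(sff: float, device_type: str, target_sil: int):
    """Smallest hardware fault tolerance that reaches target_sil, or None."""
    for hft in (0, 1, 2):
        if max_sil(sff, device_type, hft) >= target_sil:
            return hft
    return None


# Constructed FMEDA results for a Type A (mechanical) valve assembly:
# specific analysis vs. the generic data the post says fell below 60%.
SPECIFIC_VALVE = Fmeda(safe_detected=0, safe_undetected=600,
                       dangerous_detected=0, dangerous_undetected=300)
GENERIC_VALVE = Fmeda(safe_detected=0, safe_undetected=400,
                      dangerous_detected=0, dangerous_undetected=500)


if __name__ == "__main__":
    for name, f in (("specific FMEDA", SPECIFIC_VALVE), ("generic data", GENERIC_VALVE)):
        print(f"{name}: SFF={f.sff():.1%}, single Type A device -> SIL {max_sil(f.sff(), 'A', 0)}")
    # A microprocessor-based (Type B) final element with 95% SFF
    print("Type B, SFF 95%: HFT needed for SIL 3 =", min_hft_for_sil(0.95, "B", 3))
```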

Having these control valves certified for up to SIL 3 safety instrumented functions provides process manufacturers great flexibility in the selection of final control elements for their IEC 61511 safety compliance efforts.

June 25, 2008

One of the first, if not the first, weblogs in our world of process automation was started by Jim Pinto. He currently has eight weblogs covering several industrial automation suppliers.

On his Emerson Process Management weblog, a post from Thursday, June 12, 2008 made some assertions about DeltaV SIS that need clarification. I caught up with DeltaV SIS product manager Mike Boudreaux to set the record straight.

Assertion number one:

You can only at this moment transfer 8 digital bits of peer-to-peer between nodes. The Emerson sales person argued that this is all you need if you design your SIS nicely. Personally I seek to differ from this. I do want to go into an argument with him. This is a very expensive way via a pair of fiber optics cables to only have 8 bits. I heard that the real issue was due to a system design limitation.

Mike notes that this misunderstanding comes from the fact that DeltaV SIS is unique for its distributed, modular architecture. A single logic solver module provides SIL 3-capable logic solving and 16 I/O channels that can be configured as digital input, digital output, HART analog input and HART two-state analog output. 32 logic solvers can comprise a single DeltaV SIS node.

On a single node, I/O data is published so that SIS Modules in any logic solver can reference the I/O input values from any other logic solver without any effect on the system response time. Additionally, each logic solver can publish up to eight secure parameters that any other logic solver can reference. This means that 512 I/O and 256 secure parameters can be published for use between logic solvers on a single node. A secure black channel communications protocol is used for this communication via a dedicated redundant peer-to-peer bus.

Beyond this local communications capability within a node, up to 32 DeltaV SIS nodes can be inter-connected via a dedicated redundant counter-rotating fiber optic ring (SISNet) that provides secure SIS communications between nodes. Up to 256 secure parameters can be published globally, and these global parameters can be referenced by SIS Modules in any logic solver that is on a node connected to the SISNet ring. This meets the secure communication requirements for most emergency shutdown, fire and gas and burner management safety applications. See more in the System Capacities section of DeltaV Books On-line.

Aside from the secure communications required to implement a safety instrumented function, there is no limit on the amount of non-secure data that can be passed to operator workstations for monitoring. This information is transmitted through the DeltaV Controller to the area control network, which is entirely separate from the secure DeltaV SIS SISNet communications.

Assertion number two:

The electronics takes only low powered inputs. You can only have at max 8xDOs (at max 500 mA per DO point) on a single DeltaV SIS module - which has 16 configurable IO points.

Each 24 VDC discrete output can provide up to 0.5 A of field power per channel, with a maximum of 4.0 A per logic solver card. DeltaV SIS is designed for implementing distributed safety logic. As such, inputs and outputs would typically be wired to the same logic solver for the SIF that is being controlled. With the general rule of 40% of SIS I/O being outputs, there are enough output channels provided to implement most safety instrumented functions (SIF).

In cases where more than 4.0 A is needed, external hardware such as the SIS Relay can be used to drive up to 16 DO's from a single logic solver. Additionally, using the HART two-state AO channel can provide up to 16 output channels for operating a digital valve controller without any concern for field power limits. The Fisher DVC6000 SIS has recently been certified as suitable for use in SIL3 applications in 4-20 mA mode, with no need for a solenoid.

The final assertion:

It suits nicely into a small system type of expansion. As it gets larger and larger and becoming more complicated, it can become an engineering nightmare.

Scalability is the strength of the DeltaV SIS architecture. It's well suited for large, geographically distributed applications throughout a facility. It has been applied on some of the largest floating production, storage and offloading system (FPSO) projects in the world. Fire & gas and emergency shutdown applications are required from bow to stern in these massive, floating oil and gas production facilities. Mike observes that the strength of using DeltaV SIS on large projects is the tight integration that is available with a similarly large DeltaV automation system.

I hope this helps set the record straight on this post, should you hear similar assertions being made as you evaluate safety instrumented systems in your IEC 61511 safety compliance efforts.

Update: Welcome readers of Gary Mintchell's Feed Forward blog! I appreciate the visit and any comments you might have.

June 23, 2008

I read Siemens' Charles Fialkowski's latest post, Introducing a non-redundant, redundant SIL 3 solution? about their SIL 3 HART I/O card. He discusses how technology has changed where newer SIL-3 rated safety instrumented systems (SIS):

...don't require redundancy to achieve high levels of safety. In the past, safety systems required dual, triple or even quadruple redundancy just to achieve high levels of safety.

He points out that advances in technology have allowed diagnostic coverage not possible in earlier SIS designs. He closes his post:

Another common misunderstanding is how these systems address field redundancy (sensors and final control elements). While I can't speak for the Emerson or Yokogawa system, I do know for a fact that the new Siemens HART analog input module handles redundant field devices just like any dual, triple or quadruple redundant system would.

I thought I'd give the Emerson perspective so I caught up with DeltaV SIS product manager Mike Boudreaux. He first pointed out that DeltaV SIS has HART I/O and the DeltaV SIS logic solvers are SIL3 certified in simplex (non-redundant) mode and have been since DeltaV SIS began shipping in 2005. Other safety instrumented systems also accept HART I/O, but only to pass-through the HART data to asset management systems. DeltaV SIS makes this HART status information available in the logic solver.

Mike noted that only the analog, 4-20mA process variable (PV) is used for the safety instrumented function (SIF). The digital HART PVs are not accessible for use in SIFs, but the device status provided by the HART digital communications protocol is passed along with the analog input in DeltaV SIS. If a HART transmitter detects a problem, the status for the analog input will become "Bad." Conditions for a Bad status include earth leakage detection, loss of HART communications, device malfunction and device fixed-loop current, to name a few.

This Bad status can be used in the logic solver. For example, in a multi-transmitter SIF, a voter block can be configured to ignore an input value if it is Bad. In accordance with the international safety standard IEC 61511, this capability can be used to provide continued safe operation of the process while the faulty part is repaired. DeltaV SIS will alert operations of this problem so that the device can be maintained in the specified mean time to repair (MTTR). Alternatively, the voter block can be configured to treat a detected failure as a vote to trip, which provides increased safety.

When a HART device detects a problem, an alert is displayed on the DeltaV operator station. SIS faceplates and detail displays for HART devices help operators view and manage HART device alarms.

DeltaV SIS also uses the HART communications protocol to enhance partial stroke testing. It validates the operation of the final control element--the most critical and most likely to fail in a safety instrumented function. The logic solver can generate HART commands to initiate a partial stroke test in a digital valve controller. The operators can initiate partial stroke tests manually from their operator workstations or they can be scheduled to occur automatically based on the specified test interval. The results from these tests are captured and integrated with the system event history. An alarm can be generated if a partial stroke test fails, alerting maintenance that there is a potential problem with a valve.

This diagnostic coverage and information feedback to operations give process manufacturers better tools for their IEC 61511 safety lifecycle compliance efforts.

Update: Welcome readers of Gary Mintchell's Feed Forward blog. Thanks for the shout out, Gary!

June 09, 2008

You may have seen some of the coverage of last week's Foundation for Safety Instrumented Functions (SIF) End User Demonstration (DeltaV News, Sound OFF! blog, and ARC's Larry O'Brien's blog to name a few.) This event highlighted demonstrations of Foundation Fieldbus Safety Instrumented Systems (FF-SIS) which were held at Shell Global Solutions in Amsterdam, Saudi Aramco in Dhahran, BP in Gelsenkirchen, Germany and Chevron in Houston.

A demonstration version of the Fisher DVC6000f SIS was included at each of the demonstration sites. Also, Emerson participated in the demonstrations of Foundation SIF technology by providing special demo versions of Rosemount, DeltaV, Fisher, and AMS Suite products.

Emerson's Mike Boudreaux was at this event held in Amsterdam. Mike presented the results of Emerson's participation in the Chevron demonstration held earlier this month. For this demonstration, Emerson provided a logic solver that communicated with field devices using the FF-SIS protocol. Demo versions of devices from various suppliers were specially developed to demonstrate the capabilities of the FF-SIS protocol. The demonstration tested the capabilities of the FF-SIS protocol and interoperability of devices.

[Image: Foundation For Safety Instrumented Functions SIF Rollout Team]

These components were included in the demonstration project:

  • Rosemount pressure transmitter
  • ABB pressure transmitter
  • Magnetrol level transmitter
  • Siemens level transmitter
  • Emerson logic solver
  • Fisher DVC6000f SIS control valve
  • Westlock positioner
  • Pepperl+Fuchs power conditioners with diagnostics
  • Fieldbus Diagnostics FF-SIS packet analyzer
  • DeltaV HMI and engineering tools
  • AMS Suite: Intelligent Device Manager
  • Fisher ValveLink SNAP-ON

I hope Mike doesn't mind, but I've lifted the account of the demonstration from his Emerson-internal blog:

The demo system was originally assembled at Emerson in Austin, TX where we did some preliminary testing to make sure that everything worked. When the demo unit was delivered to Chevron, it was set up and running in less than an hour. It was simply a matter of plugging in cables and powering the system up. There were a couple of devices that required software resets, but for the most part the system started up with ease. We used AMS Suite: Intelligent Device Manager for configuring devices and clearing fault states. The functionality of AMS Suite easily transferred to FF-SIS.

We implemented two SIF's with 1oo2 voting. The first was a high pressure shutdown, acting on the DVC6000f SIS. The second SIF is for a high level shutdown, acting on the Westlock positioner. We tested various trip scenarios. In one case, we demonstrated degraded mode operation, where the voter block was configured to ignore a value if the PV status was bad based on device diagnostics. The function blocks operated as expected, with the same functionality that is available in the DeltaV SIS system today using HART I/O.

In addition to using AMS Suite for configuring devices, we also demonstrated the partial stroke test using ValveLink SNAP-ON. The partial stroke test was executed flawlessly with all of the features of ValveLink available for the FF-SIS device as is already available today through HART or FF. In addition to a standard partial stroke test, we also demonstrated a scenario where a trip occurs during the PST cycle. The valve behaved as it should, aborting the PST and closing the valve.

In his presentation, Mike described how the use of Foundation SIF technology could help process manufacturers to run safer and more reliable processes. His first point was that more advanced diagnostics are available to detect random and systemic failures while reducing spurious trips. Another was that test intervals for final control elements could be increased through the initiation of partial stroke testing from the operator stations. Also, the maintenance of devices involved in the SIFs is simplified with the integration of their diagnostics with the operator stations. This integration also facilitates easier commissioning and testing of these devices.

This end user FF-SIS demonstration testing is another milestone in the path of this technology becoming available for your future process safety applications. End users who participated at the event in Amsterdam indicated that they will continue to internally test the Foundation SIF technology. Most people expect that it will be 2-3 years before an actual implementation will occur in a process manufacturing facility. Key milestones for the future will be the finalization of the FF-SIS specifications, development and testing of commercial devices, and device certification for IEC 61508 compliance.
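The voter behaviour described in the June 09 post (ignore a Bad input so the process keeps running while the device is repaired, or treat a detected failure as a vote to trip) and the 1oo2 degraded-mode test in Mike's demo account above can be illustrated with an added example. This is my own illustrative Python, not DeltaV SIS function block code; the tags, trip limits, and the degradation rule (2oo3 with one Bad channel ignored becomes 1oo2) are assumptions for the example.

```python
"""MooN voter with HART 'Bad' status handling, modelled on the behaviour the
post describes. Illustrative code only; not Emerson's implementation."""
from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    GOOD = "Good"
    BAD = "Bad"      # e.g. loss of HART comms, device malfunction, fixed loop current


class BadMode(Enum):
    IGNORE = "ignore"          # drop Bad channels from the vote, keep running while repaired
    VOTE_TO_TRIP = "trip"      # a detected failure counts as a vote to trip


@dataclass(frozen=True)
class Input:
    tag: str
    pv: float          # process variable scaled from the 4-20 mA signal
    status: Status


@dataclass
class VoteResult:
    trip: bool
    votes_to_trip: int
    votes_required: int
    healthy_inputs: int
    alerts: list = field(default_factory=list)


def vote(inputs, m, trip_limit, bad_mode=BadMode.IGNORE, high_trip=True):
    """MooN voting: trip when at least m of the N inputs call for a trip.

    high_trip=True trips on PV > trip_limit, False trips on PV < trip_limit.
    Degradation rule (assumption for this example): in IGNORE mode each Bad
    channel lowers the required vote count by one, but never below one, so
    2oo3 with one Bad input behaves as 1oo2. If no healthy input remains the
    function trips, since the protection can no longer be verified.
    """
    n = len(inputs)
    if not 1 <= m <= n:
        raise ValueError("M must be between 1 and N")
    alerts, trip_votes, healthy = [], 0, 0
    for i in inputs:
        if i.status is Status.BAD:
            alerts.append(f"{i.tag}: Bad status, repair within specified MTTR")
            if bad_mode is BadMode.VOTE_TO_TRIP:
                trip_votes += 1
            continue
        healthy += 1
        exceeded = i.pv > trip_limit if high_trip else i.pv < trip_limit
        if exceeded:
            trip_votes += 1
    if bad_mode is BadMode.IGNORE:
        required = max(1, m - (n - healthy))
        if healthy == 0:
            alerts.append("all inputs Bad: tripping, no healthy channel to vote")
            return VoteResult(True, trip_votes, required, healthy, alerts)
    else:
        required = m
    return VoteResult(trip_votes >= required, trip_votes, required, healthy, alerts)


# Constructed scenarios for a 2oo3 high-pressure SIF with a 80.0 trip limit.
ALL_GOOD_ONE_HIGH = [Input("PT-101", 85.0, Status.GOOD), Input("PT-102", 50.0, Status.GOOD),
                     Input("PT-103", 52.0, Status.GOOD)]
ONE_BAD_NONE_HIGH = [Input("PT-101", 50.0, Status.GOOD), Input("PT-102", 55.0, Status.GOOD),
                     Input("PT-103", 0.0, Status.BAD)]
ONE_BAD_ONE_HIGH = [Input("PT-101", 85.0, Status.GOOD), Input("PT-102", 55.0, Status.GOOD),
                    Input("PT-103", 0.0, Status.BAD)]
# 1oo2 high-level SIF as in the demo account, with one transmitter reporting Bad.
LEVEL_1OO2_ONE_BAD = [Input("LT-201", 40.0, Status.GOOD), Input("LT-202", 0.0, Status.BAD)]


if __name__ == "__main__":
    for name, inputs in (("all good, one high", ALL_GOOD_ONE_HIGH),
                         ("one Bad, none high", ONE_BAD_NONE_HIGH),
                         ("one Bad, one high", ONE_BAD_ONE_HIGH)):
        for mode in BadMode:
            r = vote(inputs, 2, 80.0, mode)
            print(f"2oo3 {name} [{mode.value}]: trip={r.trip} "
                  f"votes={r.votes_to_trip}/{r.votes_required} alerts={r.alerts}")
    for mode in BadMode:
        r = vote(LEVEL_1OO2_ONE_BAD, 1, 70.0, mode)
        print(f"1oo2 level, one Bad [{mode.value}]: trip={r.trip}")
```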

May 27, 2008

Automation World magazine's Wes Iverson recently had a nice article, The Great Safety Debate. He described the various approaches to safety instrumented systems (SIS) and their connections with basic process control systems (BPCS). The article highlights where the SIS suppliers products fall in the ARC Advisory Group's four categories of SIS: separate, interfaced, integrated and common.

Separate defines complete separation between the BPCS and SIS. Interfaced defines a connection via a gateway using OPC, MODBUS or another communications method to share information, particularly at operator displays. Integrated defines a closer connection, perhaps sharing common engineering tools, operator displays, alarms, etc. Common defines a single box that does both control and safety.

The article references ARC's viewpoint:

...integrated control/safety systems as one of its "top automation technologies and trends to watch in 2007."

Emerson's Chuck Miller, whom you may recall from earlier process safety-related posts, described DeltaV SIS as being part of the integrated category. He's quoted:

In the Emerson architecture, "our safety and control systems are completely segregated in all the ways that count," says Miller. "The operating systems are different. The hardware is different. The only thing we do share are engineering tools, and even those are password protected for all safety integrated functions," Miller points out. And while integrated DeltaV SIS and DeltaV systems are linked with a dedicated communications channel for information sharing, that link is one-way, he adds. "The SIS sends information out to the BPCS, and while the SIS can see information from the BPCS, that information does not alter the safety instrumented functions implemented in the SIS."

Chuck also added:

"You no longer have to map your safety system into your DCS via Modbus or OPC. You no longer have to run a separate bus for time synchronization to the different subsystems, and you no longer need a stand-alone sequence-of-event system," he explains. "All of those functional subsystems are built into our integrated BPCS/SIS environment."

The article did offer critiques by suppliers of other suppliers' approaches. The SISs in the separate and interfaced categories point to issues like common mode failures, inadvertent changes in the SIS and reliance on functional or logical separation instead of physical separation. The article references that some have called this FUD, as did a blog post from last year, which I confess caused me to LOL.

As the article noted:

Various integrated safety/control systems are on the market today that have met this requirement, say their vendors, as evidenced by certifications received from TÜV [hyperlink added], an independent international certification organization. And once a system is TÜV-certified as meeting international standards for use at a specific safety integrity level, or SIL, that should end any debate, these vendors contend.

If you're looking to address your organization's IEC 61511 safety lifecycle requirements, this article is worth a read to understand the various SIS approaches and critiques of these approaches.

Update: I received an email from DeltaV SIS Product Manager, Mike Boudreaux who notes that beyond the engineering tools, the operator station (HMI) software and asset management software (AMS Intelligent Device Manager) are also shared by both the DeltaV system and DeltaV SIS.

May 20, 2008

The ControlGlobal.com site has a great article on process safety, Leading the Way to Process Safety. Author Peter Montagna describes the importance of leadership:

With strong leadership, a process safety program can achieve many goals. It can satisfy shareholders and company management with improved productivity and profitability; satisfy the community with fewer incidents; and satisfy employees with a healthy and safe working environment.

I ran this by Emerson's Chuck Miller whom you may recall from earlier posts on process safety. He's been preaching the critical importance of competency in functional safety management.

When I forwarded the RSS feed of the ControlGlobal.com story his way and asked his thoughts, Chuck as usual had some good ones. He wholeheartedly agrees that leadership is an important component:

...safety culture and competency ... that is culture creation has to be driven from the top down. The leadership must set the standards and evaluate the process of the program. Management relates to the implementation of the process.

Chuck adds that there is a distinction between management and leadership. He writes:

However, many do not separate management and leadership, but instead combine the two. I place this as the leading metric of success or failure of the process. Changing culture in a work environment requires that you have the right people in place. They are hard to find but they are out there. To be effective it takes someone from the outside (of the work group) with the right credentials to drive the mission--no relationships or baggage to complicate the change agent with compromises.

Peter expressed a point in the article, "Then the process safety specialist leader has to form a team and help it create a compelling vision..." Chuck took a different view. He writes:

I put this responsibility on leadership (vis-à-vis our Functional Safety Management Board) whose visionary commitment sets the goal and strategies to get there. For me it takes leadership PLUS a commitment from all levels of the organization--these implementers are the safety specialists and they drive the commitment.

For your process safety efforts, what are your experiences?

April 25, 2008

My spy utility, WatchThatPage, alerted me to another good article, this time on the Fisher control valves and regulators area of the Emerson website. The article, Getting ready for the nuclear renaissance, from the April issue of Valve World magazine, features Bill Fitzgerald, director of the Fisher Valves nuclear business unit.

As more and more people around the world climb the economic ladder, the global demand for energy continues to grow. A nuclear power renaissance is underway, which according to Bill is driven by:

...issues like global warming and a desire for energy independence... It can never be the only solution, but it is a logical part of the solution.

Bill describes his team tracking forty U.S. projects. He estimates two-thirds of these will actually be built. The first ones may come on-line as soon as 2015. Bill describes the large engineering firms as well as the U.S. Nuclear Regulatory Commission (NRC) staffing up in anticipation of the work required to completely design, build and commission the first wave of these plants over the next seven years. This expected growth is by no means limited to the U.S.

As part of this process, the engineering firms' procurement people need to identify and begin to purchase the long-lead items like reactor vessels, which may take three years from order to delivery. Control valves also fall into this long-lead item category. As Bill explains:

...control valves have long lead times because the ASME has just issued new qualification requirements. So to use a valve in a given safety related application will probably require 18 months of qualification testing. We also have to factor in ever-tighter seismic requirements. Then materials procurement, machining, assembly and testing will probably take an additional 9-18 months, depending on valve type. So, we believe that if we get an order today for a nuclear grade valve it could take as long as three years to actually deliver it to the end user.

And Bill notes that these valves are used in safety-critical areas. Not having them will delay the startup of the plant. Based upon this expected global increase in nuclear power plants, Emerson and other automation suppliers are increasing their capabilities to meet this demand.

Technology has changed greatly since these types of plants were built in the U.S. a generation ago. Bill describes digital technologies like Foundation fieldbus, which can be used in the balance of plant applications to provide better control and diagnostic information. Devices like digital valve controllers have completed Electric Power Research Institute (EPRI)-certification for use in this demanding application.

As energy producers seek ways to meet the increasing global energy demand, these preparatory activities are critical to meet challenging project schedules.

Update: I was just pointed to a great Béla Lipták article, The Third Industrial Revolution by a member of our DeltaV Twitter community. Béla describes the post fossil fuel world based on solar power and the role of process automation. It's well worth your read and I look forward to his book due out in August.

April 16, 2008


In the world of process safety, technology continues to advance to assist process manufacturers in their IEC 61511 safety compliance efforts. I saw a recent press release on enhancements to the Fisher DVC6000 digital valve controller. The news was:

...enhancements include manual reset, a stored safety demand event log, pass / fail status after a partial stroke test, and third party certification to SIL3, SIF loop.

I asked Riyaz Ali, whom you may recall from earlier posts, to simplify what this all means for me. The stored safety demand event log he likened to an airplane black box recorder. If a process upset condition triggers a safety demand on a valve controlled by the DVC6000 SIS (operated by 4-20mA input signal), it in turn automatically triggers an event log to capture the data into non-volatile memory locally in the digital valve controller.

This log keeps pre- and post-event data of the operating conditions surrounding the safety demand event. Examples of the type of data stored away in this event log include: travel, travel setpoint, output pressure with time in seconds, graphical representation of data points and date and time stamp of the trigger event for regulatory compliance.

Riyaz also described for me the partial stroke testing reporting. It will now provide pass/fail status and a signature curve of the valve stem movement. These partial stroke tests periodically diagnose the SIS valve to help ensure its availability. Also, a specially designed built-in relay provides protection against spurious trips, which improves overall process availability. Other information provided back to the AMS ValveLink software includes diagnostics on stick-slip, shaft integrity and maximum and minimum torque values.

For the DVC6000 SIS, the Fisher team achieved third-party certification for compliance to the IEC 61508 international safety standard for use in a SIL 3 safety instrumented function. This means that process manufacturers can use the DVC6000 SIS as part of the safety instrumented function in the SIL 3 loops they identify as part of their risk assessment and risk mitigation strategy.

Having all these digital valve controllers keeping logs of what's going on especially around upset conditions can greatly assist root cause investigations and help avoid future abnormal situations. And the diagnostics coming from the partial stroke tests can help process manufacturers avoid these abnormal conditions in the first place.

March 26, 2008


Emerson's Chuck Miller is one passionate guy when it comes to process safety and the international safety standards, IEC 61508 and IEC 61511. He is on a mission to put the focus of functional safety management where he believes it belongs--on the competency of safety professionals involved in the safety lifecycle.

Chuck noted a panel discussion he sat in on at last fall's ISA Expo in Houston. The panel discussed various approaches to process manufacturing risk mitigation. These included combining control and safety in the same control system platform, the standalone safety instrumented system (SIS) approach, and the separate-yet-integrated safety system approach.

An end user on the panel discussed the common platform approach. He emphasized that his company's internal policies and procedures for risk assessment, implementation, operations and maintenance were well understood and consistently applied. These factors drove the decision to implement systems in this manner.

A safety instrumented system supplier discussed the standalone SIS approach, and one of Chuck's colleagues discussed the separate-yet-integrated approach that is represented by safety instrumented systems like DeltaV SIS. Using several advanced technology examples, including advancements in diagnostic coverage, common programming environments and global databases, the presenter illustrated how such technologies, when appropriately applied, provide measurable savings throughout the safety lifecycle without compromising the SIS's ability to conform to international safety standards such as IEC 61511.

Chuck's revelation was that the real issue is not so much the philosophy, the approach, the architecture, or even the platform selected. What really drives a successful SIS implementation is competency. Each of the presenters was passionate about their approach being the best solution because their individual competency was based on that particular philosophy and approach.

His bottom line--functional safety management must be implemented around the requirements of a technology and supported by competent safety professionals who always ensure that the SIS solution is defined, designed, installed, operated and maintained in a way that meets its defined functional safety requirements throughout its lifecycle.

As this group of panelists demonstrated in their exchanges with the audience--there are several philosophies, architectures and platforms to mitigate process manufacturers' safety risks. It takes competent safety professionals to work with these throughout the safety lifecycle.

January 29, 2008


A colleague recently pointed me to a Manufacturing Business Technology article, Red alert: Increase in process automation heightens need for safety-related systems. The article points to a recent Frost & Sullivan study which predicts the market for safety-related systems used by process manufacturers will more than double from 2006.

Quoting from the account of this research report:

It says users will welcome systems that address the underlying challenge of minimizing the trade off between process uptime and process safety. In addition, users will favor vendors that have significant technical experience in installing complex integrated safety solutions that monitor safety and non-safety functions while reducing the costly channels of diversified communication.

Over the past several years of blogging, I've discussed safety instrumented systems and the associated global standards, IEC 61508 and IEC 61511 on numerous occasions. Newer architectures like Emerson's smart SIS incorporate digital communications so that the complete safety instrumented function (SIF) can be continuously diagnosed to help the function perform when it should and not when it shouldn't.

Rather than being prescriptive and instructing process manufacturers what to do, the safety standards are performance-based. IEC 61511 allows you to investigate the alternative solutions for the right safety instrumented function for the safety integrity level (SIL). This means that more engineering work may be required to investigate these alternatives to find the best solution.

I think this is where the "technical experience" part of the quote above comes in. Emerson's Len Laskowski said it best in an earlier post:

This is great news for the engineering community because they get to do the engineering. However the bad news is they must do the engineering.

As process manufacturers address their risk-mitigation strategies and comply with the IEC 61511 standard, they will continue to work closely with those that can provide the technical expertise required throughout the safety lifecycle, from front end engineering and design to ongoing system maintenance.

January 07, 2008


Successfully executing a project with safety instrumented systems requires trained and competent project team members. They must be versed in the safety lifecycle as required by international safety standards--primarily IEC 61508 and IEC 61511 (ISA 84.01 in the U.S.) for the process industries.

To address this safety expertise requirement, TÜV and exida along with the support of other global safety experts created the Certified Functional Safety Expert (CFSE) concept. Its mission is:

...to ensure that personnel performing SIS lifecycle activities are competent as required by the IEC 61508, 61511, and 62061 [machinery safety] standards.

Currently there are two levels of certification, CFSE and CFSP (Certified Functional Safety Professional). The difference is mainly in practicing experience--ten years for CFSEs versus two years for CFSPs. The CFSE.ORG website describes the difference:

The CFSE is the higher level certification and is aimed at professionals who actively lead, coordinate and review the more complex and demanding activities in the Safety Lifecycle in leadership positions including SIL selection and SIL verification.

The CFSP is targeted at professionals who need a thorough understanding of the Safety Lifecycle activities at the execution level without necessarily leading, coordinating or reviewing the more complex and demanding activities.

CFSE.ORG reports that there are currently over 200 CFSEs and CFSPs in practice worldwide. The certification process is not easy. Those trying to take the test are warned:

...the certificate exams are extremely rigorous and often demand significant preparation in order to achieve the 80% passing grade for both exams. With this in mind, the Governance Board strongly recommends that all candidates develop an in-depth study plan to properly prepare for the examinations. The topics covered in the different exams and sample Process Applications Exam questions provided in the Specialties and General Information pull-down menus may be helpful in developing an effective study plan.

In view of the comprehensive nature of the exams, the Governance Board recommends that candidates put in at least 40 self study hours as part of their preparation for the CFSE/CFSP exams.

I bring all this up because I received a note from one of my colleagues in Calgary in our Hydrocarbon and Energy industry center. The news is that they have some newly minted CFSEs--David Goerzen and Ajmal Siddiq. Congratulations on your achievement!

I went out to the CFSE.ORG site and did a search on the 15 pages of CFSEs/CFSPs. As of today, November 27, 2007, I counted 38 Emerson CFSEs and 8 CFSPs. This is more than 20% of all the certified safety professionals in the world. The percentage is higher if you exclude the machinery safety professionals.

The organizational roles of these safety professionals run the gamut including projects, support, technology, sales and marketing. These organizations work with process manufacturers at various stages of the safety lifecycle to help meet their risk reduction goals.

November 27, 2007


Emerson's Marshall Meier was a very busy person at this year's Emerson Exchange. In addition to his Web 2.0 in the Plant presentation that I wrote about in an earlier post, he presented on the subject of Foundation fieldbus (FF) technologies emerging in safety instrumented systems (SIS). Key points made in the presentation were that the Foundation fieldbus specification has been enhanced to support SIS, that the Fieldbus Foundation is currently running a demonstration project to validate the FF-SIS specification, and that this specification will begin to emerge in future SIS sensors, final control elements and logic solvers.

The purpose of Marshall's presentation was to give a look into the technology and process for how this standards effort is unfolding. It was not to say that this technology is ready to apply in your operations.

He first posed the question, "Why use Foundation fieldbus in SIS?" The answer is that Foundation fieldbus provides more computational horsepower and each value has a status associated with it. Conventional 4-20mA analog signals do not provide this indication of data quality. More advanced diagnostics are also available to be used as part of the safety instrumented function. An example is Rosemount sensors that detect plugged impulse line conditions. Another benefit is that with FF-SIS devices, users would not need to have 4-20mA SIS devices in an otherwise FF installation.

The additional safety-related function blocks specified in phase one of the preliminary specification include analog input and discrete output. Discrete input and analog output blocks are not yet defined in this early specification. Function blocks that can only run in a logic solver include analog comparators and logic blocks. Note that the same device description standard as the process-level FF function blocks will be applicable to FF-SIS blocks.

The Fieldbus Foundation last year announced a demonstration project working with process manufacturers and identified four sites with various suppliers' safety logic solvers, sensors, and final control elements. These tests are meant to validate the specifications for FF-SIS. These participating companies include Chevron, Shell, BP, and Saudi Aramco.

The FF-SIS specifications will advance in phases. Beyond the function blocks mentioned earlier, phase two will include additional blocks and the potential to have SIS and non-SIS devices on the same segment.

October 11, 2007


At last week's ISA Expo 2007, Emerson's Gary Law received the Douglas H. Annin award. This award is in recognition of Gary's outstanding technical achievements in the design, development and application of automatic control systems. The ISA describes this award:

The Douglas H. Annin Award recognizes an outstanding achievement in the design, application, or development of the components in an automatic control system from the input measurement through the final control element. The award is in honor of Douglas H. Annin, a pioneer in modern-day control valve actuation and control valve body design.

I've known Gary for many years in our work advancing the DeltaV system. He is now a technologist with the DeltaV architecture team. He is responsible for the system architecture and future developments of the DeltaV system and PlantWeb architecture.

Gary was instrumental in the design and introduction of the DeltaV SIS (safety instrumented system). He was a part of eight different patents for this development and holds more than a dozen overall through his career. This Douglas H. Annin award was recognition for this innovation. Specifically:

For design and development of a safety instrumented system logic solver that is built into a basic process control system input/output card.

DeltaV SIS was the first SIS to take advantage of smart instruments (sensors and final control elements) used in safety applications communicating via the HART communications protocol. The diagnostics from these instruments can be used to continuously monitor the health of each safety instrumented function (sensor + logic solver + final control element).

In earlier posts, I've discussed some of these innovations and their application. These include performing partial stroke tests automatically within the safety instrumented function, separation between control and safety systems, and the ability to do complex safety shutdown sequences.

Scalability is another key aspect that was brought to safety instrumented systems with the design of DeltaV SIS. Logic solvers are added in small increments (16 I/O channels) for process manufacturers' SIL 1-3 safety instrumented functions. The hardware, software, and communications running in the logic solvers are different from the DeltaV automation system, but the configuration software is the same. This design provides the separation required by the IEC 61508 global safety standard.

Much of the innovations in the DeltaV hardware and its interactions with the configuration software are thanks to Gary's efforts. You can see some of his enthusiasm in the digital bus videos created several years ago.

Congratulations to Gary for this recognition of his work to advance the state of technology in our world of process automation.

October 10, 2007


Emerson's Mike Schmidt, a principal safety consultant in the Refining and Chemical industry center, presented Beyond 2oo3: Multi-sensor Architecture in SIF Design at the Emerson Exchange. You may recall Mike from an earlier post.

Mike discussed several cases and applications where more than three sensors are used in safety shutdown applications. Redundancy was his first example where more than one sensor is being used for the exact same purpose. An example is separate temperature sensors installed on the inlets to multiple reactors, perhaps because of fears of common cause failure. In fact, all three of these sensors measure the same thing. The inlet temperature is coming from the same header, so it is the same for all three new sensors.

Sensors for separate hazards are those serving unrelated purposes or located at independent points in the process. There is no redundancy here. The only possible architecture for the sensors is to have three separate instances of one-out-of-one (1oo1) voting.

Mike built the case of three tanks with three inlet temperature sensors coming off a common header and said it could be argued that the three could be considered redundant. However, three sensors on the tank outlets could not be considered redundant since they are monitoring for separate hazards.

When evaluating fault tolerance, it is important to consider the number of success paths. Parallel paths provide redundancy, whereas serial paths with multiple elements have single points of failure. If you have three identical temperature sensors in parallel, it is like having three parallel paths in series with a single common cause failure element. Using different types of sensors greatly reduces this common cause failure to provide much lower average probabilities of failure on demand (PFDavg).

Mike discussed the case of a packed-bed reactor. These may be instrumented with ten or more temperature sensors to provide a temperature profile. The safety trip will be based on an abnormal profile. With advanced logic solvers, it is possible to perform the calculations necessary to reduce several measurements to profile parameters that can be used to trip a safety instrumented function (SIF). The profile is 1oo1 voting, but a rule might be that 8 out of 10 temperature sensors must be working to be considered a valid profile, so the PFDAVG is based on 8oo10 fault tolerance.

Figure: Fluidized Bed Reactor SIF

A separate issue to consider from a safety mitigation standpoint is multiple sensors for localized problems, like hot spots or leaks. Considering packed bed reactor hot spots, it sounds right to say we do not want to trip the reactor based on a single temperature sensor fault. Although this may sound right, Mike explored the math behind determining the PFDavg. The example here is for an array of sensors installed to detect a hot spot within the packed bed, but it could just as easily be an array of analyzers around the outside of a piece of equipment installed to detect a leak of flammable or toxic gases.

He discussed the concept of the temperature sensors located next to the failed one. The sensors are primary for their respective zones and secondary for their neighboring zones. The key is to set up a separate safety instrumented function for each zone, which contains the primary sensor and the neighboring secondary sensors. This allows the reactor not to be treated as a single SIF where any one sensor failure can trip it.

The math works out that no matter how many transmitters and surrounding zones there are, the PFDavg calculations are based on the primary and one secondary, even in the case of multiple secondary zones. The voting is one out of the number of surrounding zones plus the one primary zone, and the PFDavg is always based on 1oo2 fault tolerance. No credit is taken for any of the additional secondary sensors in the PFDavg calculations.

Mike summarizes these concepts by saying the number of sensors required for a SIF can be optimized to achieve the necessary coverage and the required redundancy. Using more than three sensors for redundancy does not really help. It may be necessary for coverage based on the geometry of the vessel, but not for increased redundancy.
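To put numbers on Mike's points about success paths, common cause failure and redundancy beyond three sensors, here is an added example (my own, not from Mike's presentation) that computes PFDavg for sensor voting groups with the IEC 61508 beta-factor common cause model: the redundant sensors are the parallel paths and the beta fraction is the common cause element in series with them. The dangerous undetected failure rate, proof-test interval and beta values are constructed assumptions, and "8 of 10 must be working" is read as the profile surviving two sensor failures.

```python
import math

# Low-demand-mode SIL bands from IEC 61508-1: (SIL, PFDavg lower bound, upper bound).
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def sil_band(pfd):
    """Return the SIL whose PFDavg band contains pfd, or 0 if it is worse than SIL 1."""
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return 0


def prob_at_least_k_failed(n, k, q):
    """P(at least k of n independent channels are failed), each failed with probability q."""
    return sum(math.comb(n, i) * q ** i * (1.0 - q) ** (n - i) for i in range(k, n + 1))


def pfd_at_time(n, fail_to_lose, lam_du, beta, t):
    """Probability the SIF is unavailable at time t (hours) since the last proof test.

    Beta-factor model: a fraction beta of the dangerous undetected rate lam_du strikes
    all channels at once (the common cause element in series); the remainder fails
    channels independently (the parallel redundant paths). The SIF is lost when the
    common cause event has occurred or at least fail_to_lose channels have failed.
    """
    q_ind = 1.0 - math.exp(-(1.0 - beta) * lam_du * t)      # one channel, independent failure
    p_ind = prob_at_least_k_failed(n, fail_to_lose, q_ind)  # enough independent failures
    p_cc = 1.0 - math.exp(-beta * lam_du * t)               # common cause failure of all channels
    return 1.0 - (1.0 - p_ind) * (1.0 - p_cc)


def pfd_avg(n, fail_to_lose, lam_du, proof_test_h, beta=0.0, steps=2000):
    """Average PFD over one proof-test interval by midpoint numerical integration.

    n: number of sensors; fail_to_lose: dangerous undetected failures needed to lose
    the SIF (1oo1 -> 1, 1oo2 -> 2, 1oo3 -> 3, 2oo3 -> 2, "8 of 10 must work" -> 3).
    """
    total = 0.0
    for i in range(steps):
        t = (i + 0.5) * proof_test_h / steps
        total += pfd_at_time(n, fail_to_lose, lam_du, beta, t)
    return total / steps


def compare_architectures(lam_du=1e-6, proof_test_h=8760.0):
    """Constructed comparison: identical sensors (assumed beta 0.10) vs. diverse sensors
    (assumed beta 0.02), all with an assumed lam_du of 1e-6/h and annual proof testing."""
    return {
        "1oo1":               pfd_avg(1, 1, lam_du, proof_test_h),
        "1oo2 identical":     pfd_avg(2, 2, lam_du, proof_test_h, beta=0.10),
        "1oo3 identical":     pfd_avg(3, 3, lam_du, proof_test_h, beta=0.10),
        "1oo2 diverse":       pfd_avg(2, 2, lam_du, proof_test_h, beta=0.02),
        "8-of-10 identical":  pfd_avg(10, 3, lam_du, proof_test_h, beta=0.10),
    }


if __name__ == "__main__":
    # Once beta dominates, a third identical sensor barely moves PFDavg, while
    # diversity (lower beta) with only two sensors does; RRF = 1 / PFDavg.
    for name, pfd in compare_architectures().items():
        print(f"{name:20s} PFDavg={pfd:.2e}  RRF={1.0 / pfd:8.0f}  SIL {sil_band(pfd)}")
```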

September 26, 2007


Earlier I mentioned Emerson's Dean Taggart's work with complex sequences in safety instrumented systems, based on an ongoing oil sands gasification project. John Kingston, from Emerson local business partner Spartan Controls, is presenting on this topic along with Emerson's Chuck Miller at the upcoming ISA Expo 2007.

I received a copy of the submitted paper that, among other things, explores the separation between basic process control systems (BPCS) and safety instrumented systems (SIS). Historically, the SIS was a separate entity, but with technological advances, this has begun to change. The authors note that the IEC 61508 international safety standard does not provide a definition of separation. It does mention physical separation as a highly effective technique. Given that the standard is much more performance-based than prescriptive-based, they note that there are few statements defining separation.

The paper refers to a few specific clauses in 61508-1, such as 7.5.2.4: when the control system places a demand on one of the safety-related systems, it "...shall be separate and independent" from the safety-related systems. In order to satisfy this clause, the control system must be proven sufficiently independent from the SIS. Certification agencies like the various TÜV organizations and other third-party testing labs help provide this proof for SIS suppliers per the IEC 61508 performance standards.

61508-1 Clause 7.6.2.7 addresses common cause failures by requiring functional diversity, technology diversity, diverse parts, services, and support, and that the BPCS and SIS not share common operational, maintenance, or test procedures, and that they be physically separated. Safety instrumented systems like DeltaV SIS address these in the authors' words:

Those factors [governing independence] include diversity, which essentially means that the BPCS and SIS should have different components, operating systems, chip sets, central processing units, etc. When looking at sharing parts, services, and support systems, one must ensure that the BPCS and SIS have different power sources, and that a safety network dedicated to safety related communications is used. They should not share test procedures, which means that if you are testing either the BPCS or the SIS, those tests should be able to be run completely independently of each other. Finally, physical separation applies to how the architecture of the system is laid out, and how cabinetry is designed; in essence, this is where one would look at separating DCS cabinets from SIS cabinets, and perhaps maintaining the SIS from a different workstation than the one used for the BPCS.

A final clause that is discussed, 61508-2 Clause 7.4.2.3, explores how non-safety functions implemented in an SIS need to be treated as safety-related unless it can be shown that they are sufficiently independent (that the failure of any non-safety-related function does not cause a dangerous failure of the safety-related functions). This implies that control and safety functions can exist within the same system as long as sufficient care is taken in design and throughout the IEC 61511 safety lifecycle.

The authors summarize the implications of separation well:

Essentially, everything all boils down to good engineering designs and practices. One must consider the standards carefully, and understand the implications before going down a certain path. One cannot simply look at a system and know if it satisfies these requirements, because almost every system has a different level of independence. One must look at the specific details of a system to verify that it satisfies the requirements.

Dean summed up how these applied to the asphaltene gasification project:

The complexity of the process led to a need for integration as well as separation. Integration brings the benefits of integrated development and operating environments, less training cost, simpler architectures, faster and more reliable communications, reduced integration time, better handling of status information, and improved fault handling. The safety requirements of gasification focus on preventing damage to the burner, reactor, and syngas cooler, as well as operator safety. The process itself leads to the need for an intricate startup, as well as multiple methods of shutting down the process depending on the current state. An integrated but separate solution can provide several advantages while still providing the required amount of separation.

August 24, 2007


Recently the DeltaV News RSS feed announced a video case study for Australia's Arrow Energy at their Tipton Gas plant.

I discovered that Bob Gale, an AIChE fellow and Sr. Technical/Safety Consultant in Emerson's Refining and Chemical industry center was involved in this project. You may recall Bob from an earlier post about achieving IEC 61511 compliance.

Like more and more projects, a global team from Emerson was assembled to execute this project. Bob's role was to do the safety integrity level (SIL) verifications for the project. Bob noted that a part of the IEC 61511 Safety Life Cycle for DeltaV SIS projects is to have an Emerson Certified SIS Consultant verify that the safety instrumented functions (SIF), as they were designed, meet the safety integrity level that is specified in the project.

Bob's task was to ensure that each SIF provided the risk reduction that was required to make things safe. One example he described was determining that this plant needed to divide one large SIF that encompassed the fire detection equipment on all the compressors into a single SIF for each compressor. This change allowed each of the smaller SIFs to provide the necessary risk reduction. Each SIF is designed to shut down the compressor in the event of a fire.

By working methodically through all of the process equipment that required risk reduction, Bob played a key role for the project team in the plant's IEC 61511 safety lifecycle efforts.

August 09, 2007


I was catching up on my RSS feeds over our middle of the week U.S. Independence Day holiday. My RSS search feed on the IEC 61511 global safety standard (ISA 84.01 in the U.S.) turned up this press release on a DVD set released by the Safety Users Group. They describe the purpose of this production:

In the style of a documentary, this unique DVD will provide you with expert points of view, as well as specific concepts, definitions, experiences, examples, analysis and results from 11 world-renowned professionals in the safety industry. These experts are designers, manufacturing leaders, engineering companies, integrators, standards members, professors, legal counsel and TÜV certified Functional Safety experts.

Emerson's Thomas Steiner is one of the safety experts interviewed. He is one of a large number of Emerson certified functional safety experts (CFSE) and certified functional safety professionals (CFSP). The mission of this certification process, as stated on the CFSE.org site, is:

The CFSE (Certified Functional Safety Expert) concept was originally developed by TÜV and exida with the support of other international safety experts to ensure that personnel performing SIS lifecycle activities are competent as required by the IEC 61508, 61511, and 62061 standards.

Thomas discusses some of the basic terminology from the standards such as safe failure fractions (SFF), safety requirement specifications (SRS), and safety integrity levels (SIL) in a very understandable way. He describes how it applies to process manufacturers in applying this standard. You can see his entire interview (16:54) on the EasyDeltaV.com web site.

Overall, there is quite a bit of safety expertise provided by the 11 participants on this two-DVD set. The cost is $115 (USD) and you can get a preview by viewing this trailer of the type of information presented.

If your responsibilities include the IEC 61511 safety lifecycle and you need a good primer or refresher from knowledgeable safety experts, consider this DVD set as one of your learning resources.

July 05, 2007


For complex processes like gasification units in the Oil Sands region of Northern Alberta, Canada, how do you handle the integration of complex sequences which involve both the safety instrumented system (SIS) and control system (BPCS--basic process control system in safety-speak)?

This was the subject of a recent paper given by Dean Taggart, a professional engineer and certified functional safety expert (CFSE) in Emerson's Calgary-based Hydrocarbon and Energy Industry Center. Dean gave this paper along with members from Spartan Controls and the oil and gas producer, OPTI Canada.

The team gave the paper, Integration of Complex Sequences using DeltaV (presentation), at the 2007 AIChE Spring National meeting. Dean and the team quite comprehensively covered the areas of process and safety requirements and their technical concerns, and applying an implementation framework to this project.

With this post, I'll zero in on the decisions of what should be within the span of the SIS and BPCS. As the team states, it's clear what initially goes into the SIS:

Normally the process is designed in a Front End Engineering Design (FEED) phase, where vessels, pumps, piping, and instrumentation are proposed. The process goes through a HAZOP process, with the intent of identifying hazards. As these are considered, either through a PHA, LOPA, or Risk Analysis, SIL targets are determined and requirements for SIS are established [hyperlinks added to help with acronyms].

For complex processes, the SIS may be involved in the startup or stopping sequences, like in the burner management system on a gasification reactor. Normally the process of burner management involves closing off the feeds and the burner goes off. But for a gasification reactor, under high pressure and temperature, the vessel must evacuate the asphaltene quickly or it will harden and plug up the feed lines. A shutdown sequence is required to depressurize and cool down in a non-damaging way.

The choice the project team faced was either to perform all of the startup and shutdown sequences in the SIS or split them between the SIS and BPCS. The issue with splitting the sequence is the increased configuration complexity: data mapping, communications diagnostics and handshaking logic are all required. And with some common methods for this communication, like MODBUS/serial communications and OPC, the communications throughput has to be carefully designed and tested. A bigger concern stated in the paper:

In order to work properly, the BPCS and SIS would have to have "parallel" sequences which would need to be synchronized very tightly with each other. In the event that communications was lost during a startup or shutdown, each would have to execute separate and parallel actions. Since the actions may need to be modified based on process conditions, this adds even more complexity.

For this project, the team used the DeltaV system and DeltaV SIS and ran the sequence in the DeltaV SIS. The paper describes a simpler approach:

Under normal circumstances, the SIS runs the sequence, can override the BPCS when required, and can examine the health of the BPCS. The BPCS only performs process control, listens to the SIS for overrides, and can examine the health of the SIS. If communications is lost, the SIS can take the appropriate action (perhaps abort a startup, execute a shutdown, or may do nothing at all if in normal operation). In this case, the BPCS may continue to execute process control on some loops, and for others they may automatically be set to override or manual mode. The flexibility is there, and there is little concern over loss of communication.

If you have a project with hazardous areas with control system and SIS requirements, this paper is an excellent resource for an approach to think through the design process.

May 21, 2007

People from across the world come across this blog and send in some great questions from time to time. The most recent example is a set of questions about safety instrumented systems (SIS) and the IEC 61511 standards. I thought I'd run them by two experienced Emerson safety experts, Len Laskowski in the Refining and Chemical industry center and Stephane Boily in the Hydrocarbon and Energy industry center.

As safety professionals incorporate these performance-based international safety standards, I thought sharing their answers with you might help your safety planning efforts. Len answers the four questions and Stephane adds his thoughts looking at the SIS installation components.

What are the standards that define the best rules for installation of field equipment of a SIF/SIS, on site?

IEC 61511 or ISA-S84-2003 (which is really the same thing, plus a grandfather clause) are intended for application in the process industry. They do the best job of defining what one needs to be concerned with for field instruments. The guidance may be considered somewhat minimal but the critical safety issues are there. Whatever would make a good installation for the basic process control system (BPCS) is a good installation for the SIS also. However, some different issues need to be recognized. First, the instruments need to be reliable. One measurement, referred to as "proven in use", means reliability data must be available for safety integrity level (SIL) calculations. If not, then SIL-rated instruments are an option. Next, one must consider fault tolerance requirements for the Safety Instrumented Function (SIF). This is a function of the SIL level for each SIF in the SIS. There will of course always be the need to make sure the instruments are calibrated routinely and tested per the proof test requirement. If this is online then the engineer needs to make sure that those facilities plus the ability to do maintenance are designed into the project. Typically sensors need their own root valve and final control elements may need bypasses or means for partial stroke testing.

The routing of the individual cables of transmitters that are in a 2oo3 voting system: the same route or different routes?

Some reliability engineers would want to try to convince you that a different route is required. While everyone would like diverse routing from a common mode point of view (a fire, dropped crane load, chemical spill, etc. could destroy all the cables in the same tray), it is many times impractical to route differently. One deciding factor is availability. If high availability is required, diverse routing is a good idea, but again not mandatory. Some companies may have internal standards on this subject. The other factor is whether or not the SIS fails safe. If a loss of a cable causes the system to have a spurious safe trip, the system is safe, but you have to deal with the cost of the spurious trip. If the SIF is energized-to-trip, one needs to look at separate routing. Also, end of line monitoring etc.

Can I install the three field devices in a battery or in different places to avoid common failure, e.g., vibration, risk of fire?

Field instruments are designed for the outdoor industrial environment. Utilize them correctly for their application. If it is a bad installation for the BPCS it is bad for the SIS also. While many SIS logic solvers have been industrially hardened to operate in a broad range of environmental conditions with numerous successful applications, it just stands to reason that putting them in environmentally controlled areas will improve potential reliability plus the ability to do maintenance.

Yes, one must always be careful with respect to common mode. Common mode can wipe out the reliability gains of redundancy. That is why it is required to do SIL calculations to verify that the common mode effect is not so strong that it renders the SIF ineffective.

Must I use the normal practices of engineering or do rules or recommendation exist for the installation of field equipment for the SIF/SIS?

One has to ask whose normal practices? If we mean industry best normal practices, the answer is yes again, but one needs to follow the entire IEC 61511 Life Cycle to determine what that really means for each project. What is an acceptable solution for one plant may not work for another. The questions you ask really point out that to safely design a plant, the project needs to execute the IEC 61511 Safety Life Cycle. Hazards are identified early in the project and solutions are designed around those hazards. The questions you asked should all be covered in the Safety Requirements Specification (SRS). There are 27 questions that cover the topics you have asked and more, much more. Inexperienced engineers may not be aware of this list of questions that define an IEC 61511 SRS. This is why you should work with experienced organizations. A study done by the Health and Safety Executive in the UK has shown that the majority of problems with SIS systems today are actually specified into the project. (Or shall we say not specified into the project; one does not know what one does not know.) Failure to execute the life cycle activities early and properly can have serious safety, schedule and cost implications on a project.

Stephane adds these thoughts on the installation components:

Sensor: To reduce common mode, each sensor should have a separate process connection. There have been some good arguments made with regards to using different technologies in order to reduce common mode, but one must look at practicality vs. benefits and risk reduction. Also, although the use of diverse technologies can reduce common cause, it will not eliminate it completely.

Transmitters: For sensors integrated (or separate) with the transmitter, the geographical locations of the voted transmitters should be away from each other to the extent possible (so that in the event of a fire, for example, all transmitters are not affected!)

Junction Boxes: Separate JBs for each transmitter / 2-core cable is preferred.

Multicore Cables: If separate JBs are not possible, run each transmitter pair in separate multicore cables to the control room.

Cable Trays: Run the multicore cables in separate trays which have separate routes to the control room when practical. Availability would be the determining factor.

Safety Logic Solver: Each transmitter signal could be connected to a separate SLS, on separate carriers. This would slightly compromise the PFD value, however, and could also make the SIF configuration more complicated, but it reduces common cause. SLS installed in two different cabinets in different control rooms would be even better! However, common sense and practicality need to be used. The same logic could be used for the output signals.

The extent to which one would go in segregating will depend on ALARP - As low as reasonably practicable (here 'low' refers to the risks involved). The Risk Reduction Factor (RRF) of the SIF and how much of the risk is the engineer / company ready to absorb, will dictate the decision. The common cause calculator (based on such segregation) is given in IEC 61508-6, Table D.5.
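As an added illustration (not part of Len's or Stephane's answers, nor any Emerson tool), the following simplified IEC 61508-6 style beta-factor calculation shows how common cause eats into the gain of 2oo3 voting, which is why Len says the SIL calculation must check it and why Stephane's segregation steps matter. The failure rate, proof test interval and beta values are constructed assumptions, not data from any device.

```python
"""Added illustration (not from the blog or any Emerson tool): a simplified
IEC 61508-6 style PFDavg comparison of 1oo1 versus 2oo3 voted transmitters
using the beta-factor common cause model. All numbers are constructed for
illustration only; beta in practice comes from the IEC 61508-6 Annex D
scoring that Stephane refers to."""

PROOF_TEST_INTERVAL_H = 8760.0  # assumed: one-year proof test interval
LAMBDA_DU = 5.0e-7              # assumed dangerous undetected failure rate, per hour


def pfd_1oo1(lambda_du: float, t_proof: float) -> float:
    """Average PFD of a single channel: lambda_DU * T / 2 (repair time ignored)."""
    return lambda_du * t_proof / 2.0


def pfd_2oo3(lambda_du: float, t_proof: float, beta: float) -> float:
    """Average PFD of 2oo3 voting with beta-factor common cause.

    Independent term: 6 * lambda^2 * tCE * tGE with tCE = T/2 and tGE = T/3
    reduces to (lambda_DU * T)^2 once dangerous-detected failures and repair
    are ignored; (1 - beta) is the share of failures that are independent.
    Common cause term: beta * lambda_DU * T / 2, i.e. all three channels
    failing together behave like a single 1oo1 channel with rate beta*lambda.
    """
    if not 0.0 <= beta < 1.0:
        raise ValueError("beta must be in [0, 1)")
    independent = ((1.0 - beta) * lambda_du * t_proof) ** 2
    common_cause = beta * lambda_du * t_proof / 2.0
    return independent + common_cause


def common_cause_share(lambda_du: float, t_proof: float, beta: float) -> float:
    """Fraction of the 2oo3 PFDavg that comes from the common cause term."""
    total = pfd_2oo3(lambda_du, t_proof, beta)
    return (beta * lambda_du * t_proof / 2.0) / total


def sil_band(pfd: float) -> int:
    """IEC 61511 low-demand PFDavg band; 0 means the function does not reach SIL 1.

    This is the PFD band only: hardware fault tolerance and safe failure
    fraction constraints from IEC 61508-2 must also be met to claim a SIL.
    """
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4


def compare(lambda_du: float = LAMBDA_DU, t_proof: float = PROOF_TEST_INTERVAL_H,
            betas=(0.0, 0.02, 0.10)) -> dict:
    """Tabulate the effect of segregation (lower beta) on the 2oo3 architecture."""
    single = pfd_1oo1(lambda_du, t_proof)
    rows = {"1oo1": {"pfd": single, "sil_band": sil_band(single),
                     "common_cause_share": 0.0}}
    for beta in betas:
        pfd = pfd_2oo3(lambda_du, t_proof, beta)
        rows[f"2oo3 beta={beta:.2f}"] = {
            "pfd": pfd,
            "sil_band": sil_band(pfd),
            "common_cause_share": common_cause_share(lambda_du, t_proof, beta),
        }
    return rows


if __name__ == "__main__":
    # With beta = 0.10 (shared route, shared JB) the common cause term is over
    # 90% of the 2oo3 PFDavg: the voting is barely better than beta * PFD(1oo1).
    for arch, r in compare().items():
        print(f"{arch:16s} PFDavg={r['pfd']:.2e} band=SIL{r['sil_band']}"
              f" common-cause share={r['common_cause_share']:.0%}")
```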

May 09, 2007

I caught up with Riyaz Ali who is in our organization managing Emerson's Fisher brand of valves and regulators. You may recall Riyaz from some earlier posts on safety valve local control panels, partial-stroke test in safety applications, and testing safety solenoid valves.

Riyaz has been hearing more and more questions from process manufacturers, consultants, integrators, and other automation professionals about the adoption of the IEC 61508 and IEC 61511 international safety standards. These questions tend to get very specific about the safety integrity levels (SIL) for the components within the Safety Instrumented Function (safety loop). Today all components of the safety instrumented function (SIF) including the logic solver, sensor, and final control element may have microprocessors that can perform self-diagnostics and communicate these diagnostics digitally to the logic solver.

Riyaz wanted to help clarify some questions on SIL ratings and field devices. If a process manufacturer hears that a field device is "SIL 3-rated" in accordance with IEC 61508, this is not the case. Field devices alone are not capable of a particular SIL rating.

These devices may be suitable for use in a SIL 3-rated safety instrumented function. In other words, this SIL rating applies to the entire loop and not the individual components within the loop.

The second key point Riyaz made with me is that a single microprocessor-based device (categorized as Type B in the IEC 61508 part 2, table 3) cannot have suitability for use in a SIL 3 safety instrumented function without additional hardware fault tolerance per these IEC standards.

Obviously, there is quite a bit to these safety standards and their application, and I hope some of these blog posts on the topic of safety help you in your adoption of these standards in your facilities.

April 27, 2007

You have to admire the way a team of engineers, when presented with a challenge, comes up with a better, less costly approach. Such is the case with a local control panel for a safety valve that Emerson Fisher division's Riyaz Ali showed me. You may recall Riyaz from earlier posts on the topic of safety.

(Image: conventional local control panel with 10 I/O connections)

The challenge is that safety shutdown valves with conventional local control panels have typically required ten input/output connections between the safety system's logic solver, local control panel, solenoid and digital valve controller, as the picture indicates. These panels get hard-wired signals from the safety instrumented system's logic solver for light indication of valve Open, Close, and Ready to Reset. Also, if the logic solver needs to open the valve after the "Ready to Reset" light indication, a "Valve Open" signal needs to be sent to the local control panel on a separate pair of wires for the field technician to open the valve. It also requires an additional I/O for shutting the valve from the local control panel in case of an emergency.

Now, many plants keep metrics on what it costs to install each I/O point, but a ballpark figure of $2,000 USD per I/O point is typical.

(Image: Fisher LCP100 local control panel with 5 I/O connections)

The approach Riyaz describes is based on the Fisher LCP100 local control panel, which requires 5 I/O. This means roughly $10,000 in savings per installed smart local control panel. If your facility is a refinery, petrochemical, or chemical plant, this could add up, based on your number of safety valves with local control panels. This panel digitally communicates directly with Emerson's Fisher DVC6000 digital valve controller to eliminate the need for separate wiring for Valve Open and Close indication, Ready to Reset indication, and pushbuttons for manual Valve Open and Close. These digital communications also provide diagnostics to reduce the ongoing costs of maintenance typical with hard-wired solutions.

Riyaz also points out the digital valve controller can provide on-line diagnostics and partial-stroke testing to assist the process manufacturer in checking the safety instrumented function which includes these shutdown valves.

As with most digital communications, the long term benefits in diagnostic coverage with this integrated approach are usually greater than the initial benefits in installation cost savings.

February 07, 2007

Before the holidays, Dave Harrold wrote a post, A Wee Bit More About Safety Instrumented Systems, in his Dave @ AFAB Group blog. He describes his work with Dr. Angela Summers, founder/president of SIS-Tech Solutions on a guidelines book for the global IEC 61511 safety standards. Dave also referenced an SIS-related Q&A article Angela wrote for Flow Control magazine.

I forwarded the post and Flow Control article link to Riyaz Ali, whom you may recall from an earlier post. Riyaz wanted to add to the conversation and make three specific points in reference to the Flow Control article.

On the question regarding the use of digital valve positioners to perform partial testing and its relationship to the proof test interval, Riyaz agrees that the proof test is far more than a partial stroke test. The proof test can be performed on a final control element either on-line when a bypass valve exists or offline when the process is shutdown, such as during a plant turnaround. Many process manufacturers do not have large bypass valves and seek to extend the interval between plant turnarounds as long as possible. The on-line partial stroke testing provided by digital valve positioners can help extend the time between proof tests. They do not replace these tests. Riyaz points to a Control Engineering magazine article authored by Dr. Summers, Partial Stroke Testing of Safety Block Valves, in which she points out:

Also affecting the SIL is diagnostic coverage and testing intervals of partial-stroke testing to supplement full-stroke testing to reduce a block valve's PFD.

Being a mechanical item, the SIS "Final Control Element" offers challenges in testing, but at the same time represents a significant failure contributor to the SIF loop. Partial stroke testing by digital valve positioners not only allows "audit documentation" but also allows diagnosis of valve health, a key feature to improve the reliability of the SIF loop.

Riyaz did take exception to a statement in the article about throttling valves:

Positioner failures are the leading cause of control failure, so the positioner should not be used to actuate the valve in an SIS application when preventing events associated with a loss of control. Instead, a solenoid-operated valve should be used to independently close the control valve.

He notes that control valves are better geometrically designed, with a proper actuator and valve plug connection to reduce hysteresis, dead motion, stiction, backlash, etc., compared to shutdown valves, which typically have a keyed shaft and are mainly used for on/off function. The main concern for shutdown valves is a stuck condition. If the initial inertial force is broken during normal exercise of the valve, either through a partial stroke test or by modulating through the DCS signal, it is very likely that the valve will be available during a safety demand, when required to bring the process to a safe state.

His final point is on the question regarding smart positioners for partial stroke testing of smart valves. Positioners operated by air have been used in the process control industries for years to improve the performance of control loops. It is becoming rarer to come across a process loop without positioners, especially where the positioner improves process variability for the application. Based on their usage and benefits in process control, process manufacturers have started using them for safety instrumented systems also. Riyaz agrees with Dr. Summers' comment that positioners have a smaller orifice, but for anything larger than an 8"-12" valve a quick exhaust valve or similar mechanical device will be used anyway if a fast stroking speed is desired. Len Laskowski adds that the driving factor is process safety time. Many times larger valves do not need to close in one or two seconds, and in fact require a more controlled closure to avoid negative effects on process and utility equipment. It all hinges on the process safety time for each application.

Positioners by design bleed a very small amount of air to keep the air flowing as well as keep the pressure higher than atmospheric, so as to avoid any external corrosive atmospheric gas getting inside the housing. Also, during a partial stroke test positioners exhaust and fill with air, which keeps the mechanical parts moving and avoids any buildup.

Digital valve positioners allow partial stroke testing while the process is running and provide a date and time stamp of the test, with the capability to store and compare test results. Also, being microprocessor based, these positioners allow remote testing and remote retrieval of data. The main advantage is predictive maintenance by providing valve degradation analysis, which is important for critical valves in safety-related systems. If by any chance the valve is stuck, digital valve positioners are capable of providing alerts to operators to fix the problem.

January 02, 2007

In an earlier post I discussed the critical role the final control element plays in a safety loop, or safety instrumented function (SIF) in safety parlance. This equipment mostly stays in one position until called upon to move should an emergency situation arise. Digital valve controllers like the Fieldvue DVC6000 SIS provide partial stroking of the valve to help process manufacturers design their safety instrumented functions to reduce the Probability of Failure on Demand (PFD).

Even with the advancement of intelligence in digital valve controllers to do this partial stroke testing, a problem remained in testing the solenoid valves used in the safety instrumented function. These solenoid valves are installed to quickly bleed the air supply to the valve actuator that is holding the SIS valve open or closed. The only real way to test this solenoid valve has been to trip it causing the safety function to occur. These spurious trips can be quite strenuous on the plant piping and process equipment.

Riyaz Ali, a development manager in Emerson's Fisher division showed me the latest advancements to the DVC6000 SIS to test the solenoid without causing safety valve movement. What the technology team found through extensive research and development is that the solenoid valve can be pulsed for a split second by smart SIS logic solvers like the DeltaV SIS system.

This time window of the pulse is long enough for the solenoid valve to vent which provides verification that it is functional. But the time window is short enough so that the actuator does not bleed off enough pressure to make the SIS valve move. Diagnostics in the DVC6000 SIS can sense and capture the data for the momentary pressure blip across the solenoid valve during the test. It also records pressures, travel information, and other diagnostic information.

Beyond solenoid testing, Riyaz mentioned the DVC6000 SIS is capable of collecting data during a trip event, much like an airline's "black box" flight recorder. This data collection can be triggered upon a change in actuator pressure, valve travel, input current, pressure differential, travel deviation, travel cutoff, or an externally defined trigger event. This data can be helpful when reviewing the causes of a safety trip as well as having the data available for regulatory reporting.

One final point Riyaz emphasized is the DVC6000 SIS spurious trip protection which provides maximum output pressure to the solenoid at minimum input signal in a case where the 4-20mA signal between the smart logic solver and digital valve controller is lost or severed.

Together, these technologies give process manufacturers an end-to-end way of checking the safety instrumented functions including the solenoid valves, to assist their design, implementation, and ongoing testing phases of the IEC 61511 safety lifecycle.

December 01, 2006

Recently Control magazine editor-in-chief, Walt Boyes covered a presentation by TÜV-Rhineland's Heinz Gall, in a post entitled, Heinz Gall on Functional Safety--from the department of "no whining". Heinz' key point in this presentation was:

You must have safety management, and qualified personnel are a must!

I ran Walt's post by Len Laskowski, a certified functional safety expert (CFSE) in our Refining and Chemical Industry Center, whom you might recall from an earlier IEC 61511 post.

Len agrees with Heinz' assessment. He believes the problem most engineers have with a newer standard such as IEC 61511 is that it is a performance standard. This is great news for the engineering community because they get to do the engineering. However, the bad news is they must do the engineering. Len recalled the days when most process manufacturers were putting together their standards on safety instrumented systems, and that these standards were very prescriptive.

This made it easier from an engineering point of view but sometimes could not cover all cases. By contrast, IEC 61511 being a performance standard allows you to investigate the alternative solutions for the right safety instrumented function (SIF) for the safety integrity level (SIL).

Len stresses that this can be a very powerful tool if applied properly and there is enough time in the project schedule to do this analysis. What typically happens is that project schedules do not put in enough time or qualified resources dedicated to this activity. As with most project activities, it is much better to do this earlier in the project than later. Len's team has been called into projects towards the end and has uncovered problems on some of the high SIL level SIFs. This has caused a scramble to find the appropriate rated instruments required.

Len advises for your IEC 61511 safety projects to plan for more engineering time in the feasibility and front end engineering design (FEED). The older prescriptive methods allowed this work to be done later in the detailed design phase. As Len puts it:

Recognizing the need for more front end work will go a long way in reducing project frustrations.

Update: I fixed a typo and would like to extend a welcome to the readers of Gary Mintchell's Feed Forward blog (subscribe here).

November 28, 2006

OK, you've done all the engineering, installation and commissioning and have field electrical and electronic equipment that is certified for the hazardous location in which it operates. In North America, this equipment has been tested and approved to appropriate codes and standards by OSHA-accredited NRTLs (Nationally Recognized Testing Laboratories) like FM Approvals, UL, CSA, and MetLabs to name a few. Other countries may have similar requirements through entities such as PTB of Germany, LCIE of France, KEMA of the Netherlands, and UC (formerly UCIEE) of Brazil.

So what about the certification if the equipment has been salvaged from a plant that has been shut down, and then refurbished, reconditioned, or remanufactured and resold? Or what about equipment that is resold as "new surplus" or after installed equipment has been repaired?

Bob Baker, a Safety Consultant to Emerson Process Management presented with FM Approvals' Cheryl A. Gagliardi at the recent Mary Kay O'Connor Process Safety Center 2006 International Symposium. Their presentation, Maintaining Certification Compliance of Equipment Used in Hazardous (Classified) Locations, discusses what happens (or should happen) should a device be changed in some way, even unknowingly.

When ownership transfer occurs, as in the case of equipment that has been resold as new surplus or after being salvaged, refurbished, remanufactured, or reconditioned, there typically is no historical awareness of whether or not a device has ever been "changed" in any manner by the prior owner, resulting in potential non-compliance. Such a "change" could have been as simple as touching up the threads of an explosion-proof device's galled terminal box housing or cover, or it could be the use of non-OEM parts, the accidental scratching of a flame path surface or damage to a flame arrestor, etc. These same types of issues could also occur during the repair of a device even though it may never leave an original owner's site.

The FM Approval mark is a statement of conformity that a product is in compliance with defined standards at the time the product leaves the manufacturing and/or repair facilities audited and approved by FM Approvals. Once the equipment is placed into use, continued compliance with the applicable codes and standards becomes the responsibility of the process manufacturer, i.e. the end user.

FM Approvals listed its definition of repair as "work performed to the unit that would bring it back to its original condition approved by FM Approvals, with repair including refurbished, remanufactured, reconditioned, salvaged, and new surplus." FM Approvals also presented that process manufacturers have several choices when making repairs on equipment with hazardous area approval certifications including:

  • Returning the equipment to an original equipment manufacturer (OEM) or any of its repair facilities that are approved and audited by FM Approvals. The OEM has the design control and knowledge of the FM Approvals certification requirements to return the equipment to its originally certified condition
  • Having the equipment repaired by a third party facility that is approved and audited by FM Approvals in accordance with its repair standard 3606:1998 - Repair Service for Process Control Equipment Used in Hazardous (Classified) Locations
  • Performing the repair in-house if the process manufacturer's repair facility is similarly approved and audited by FM Approvals to its repair standard 3606.

FM Approvals recommended that its certification marks be removed from non-compliant equipment resulting when the repair work is done by a facility which is not audited and approved by FM Approvals. Since the burden is on the process manufacturer that the equipment is approved for the hazardous location in which it operates, the process manufacturer should insist that either:

  • The repair (all types as noted above) be done by a facility that is audited and approved by FM Approvals to recertify the equipment (and prove it, by submitting FM Approvals documentation to the end user, that is specific to the brand and model)
  • Have the FM Approvals certification mark removed if the facility is not an FM Approved repair facility.

Removing the certification mark or the entire nameplate should help eliminate confusion about a device's NRTL approval status, and reduce the chance of inadvertent installation into a hazardous location that requires an NRTL approved device.

Bob recommends that process manufacturers develop corporate policies and guidance directing inspection, engineering, maintenance, and procurement to ensure the installation of compliant devices for their intended hazardous locations. He also recommends that stringent supplier qualifications be established to prevent introduction or re-introduction of non-compliant equipment, and that identification and abatement processes be developed for potentially non-compliant equipment already installed.

In summary, it is important that industry understand whether the purchase of products for use in hazardous locations, as defined by the National Electric Code and OSHA, can give rise to product safety and regulatory compliance issues.

Ms Gagliardi and Mr. Baker will again be presenting this topic on Thursday, January 25, 2007 at the Texas A&M Instrumentation Symposium (Jan 23-25).

November 15, 2006

I used to be one of those who thought of the logic solver piece of a safety loop as being the "safety system." In reality it's the sensors, logic solvers, and final control elements which make up the safety loop, or safety instrumented function (SIF) in safety-speak.

Tom Jeansonne, a regional sales manager in Emerson's Valve Automation division, presents a paper at next week's Emerson Exchange entitled Safety Instrumented Systems, The Role Of The Final Control Element. Tom sets the tone for the importance of the final control element in the safety loop. It exists for the purpose of taking the process to a "safe" state when predetermined conditions are violated.

The final control element or actuated valve typically remains energized for long periods of time in a fixed position. According to Offshore Reliability Data (OREDA), when failures do occur in the safety loop, it happens in the final control element 50-60% of the time. The key is to reduce the Probability of Failure on Demand (PFD) to meet the appropriate safety integrity level (SIL). The standards IEC 61511 and ANSI/ISA S84 defined this risk-based approach to safety.

Tom describes a way to reduce PFD for final control elements through partial stroke testing. As the name implies, the actuator and valve are periodically operated a partial amount to help ensure the valve will perform on demand. This testing process also increases the diagnostic coverage on the final control element while allowing the normal process operations to continue. In turn this can extend the time between scheduled plant shutdowns reducing operating costs and increasing efficiency while maintaining SIL ratings.

With digital controllers like the Fisher Fieldvue DVC6000 and smart logic solvers like the DeltaV SIS system, these partial stroke tests can be automatically performed and data compared and retained. These tests can identify issues like broken valve stems, torque degradation, stick slip, friction degradation, and pneumatic path leakages. Any anomalies can be sent to the operations and maintenance staff as valve stuck alerts, travel/pressure/deviation alerts, and supply pressure alerts. These diagnostics help identify any issues before the final control element is requested by the logic solver to take the process to a safe state.
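As an added worked example (not from Tom's paper, Dr. Summers' articles or any Emerson tool), here is the common simplified model behind the claim made in this post and in the earlier partial stroke testing posts: partial stroke testing lowers the final element's PFDavg and lets the full proof test interval be stretched, without ever removing the proof test. The failure rate, diagnostic coverage, target PFD and intervals are assumed values.

```python
"""Added worked example (not from Tom's paper or any Emerson tool): a common
simplified model of how partial stroke testing (PST) lowers the PFDavg of a
final control element and lets the full proof test interval be extended.
Dangerous undetected failures are split into the fraction a partial stroke
can reveal (dc_pst) and the fraction only a full proof test reveals.
All rates, coverages and intervals below are assumed values."""

HOURS_PER_YEAR = 8760.0


def pfd_final_element(lambda_du: float, t_proof: float,
                      dc_pst: float = 0.0, t_pst: float = 0.0) -> float:
    """PFDavg of a valve assembly with partial stroke testing.

    PFDavg = lambda_DU * [ (1 - dc_pst) * t_proof / 2  +  dc_pst * t_pst / 2 ]
    The first term is what only the full-stroke proof test catches, so PST
    never removes it (PST supplements, never replaces, the proof test);
    the second term is what the frequent partial stroke catches.
    """
    if not 0.0 <= dc_pst <= 1.0:
        raise ValueError("dc_pst must be in [0, 1]")
    return lambda_du * ((1.0 - dc_pst) * t_proof / 2.0 + dc_pst * t_pst / 2.0)


def max_proof_interval(lambda_du: float, target_pfd: float,
                       dc_pst: float = 0.0, t_pst: float = 0.0) -> float:
    """Longest full proof test interval (hours) that still meets target_pfd.

    Solves pfd_final_element(...) <= target_pfd for t_proof. Returns 0.0 when
    the PST term alone already exceeds the target, and raises if dc_pst == 1,
    because the model would then claim the proof test can be skipped forever.
    """
    if dc_pst >= 1.0:
        raise ValueError("dc_pst = 1 is not a credible claim; a proof test is still required")
    budget = 2.0 * target_pfd / lambda_du - dc_pst * t_pst
    return max(0.0, budget / (1.0 - dc_pst))


def extension_table(lambda_du: float = 2.0e-6, target_pfd: float = 5.0e-3,
                    t_pst: float = 730.0, coverages=(0.0, 0.6, 0.8)) -> dict:
    """Allowed proof test interval in years for each assumed PST diagnostic coverage."""
    return {dc: max_proof_interval(lambda_du, target_pfd, dc, t_pst) / HOURS_PER_YEAR
            for dc in coverages}


if __name__ == "__main__":
    # Assumed: lambda_DU = 2e-6/h for the valve assembly, PFDavg target 5e-3
    # (mid SIL 2), monthly partial stroke (730 h), 5-year turnaround.
    print("no PST, 5-year turnaround:",
          f"PFDavg={pfd_final_element(2e-6, 5 * HOURS_PER_YEAR):.2e}")
    for dc, years in extension_table().items():
        print(f"PST coverage {dc:.0%}: proof test every {years:.2f} years keeps PFDavg <= 5e-3")
```

With the assumed numbers, a 60% partial stroke coverage lets the proof test interval grow from about 7 months to about 1.3 years at the same PFDavg, and 80% coverage to about 2.5 years; the uncovered fraction still sets a hard limit.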

Tom sums up his presentation with how the Valve Automation group has packaged the DVC6000 with several different types of Bettis, FieldQ, Hytork, and El-O-Matic actuators, and solenoids into a SIL-PAC TÜV and Exida-certified final control element solution.

September 27, 2006

The international safety standard IEC 61511 (ISA S84 in the U.S.) has provided process manufacturers a risk-based approach to safety in their plants.

Many organizations, including Emerson, are providing training and project execution services to help these manufacturers better understand and comply with this standard. I mentioned some of the training courses in an earlier safety engineering training post.

Obviously it takes people experienced in process safety to develop this training and execute safety projects. I had the opportunity to catch up with Bob Gale, a certified SIS Consultant and SIS lead in our Refining and Chemical industry organization. He has over 30 years of process automation experience, 20 of them in process safety, and is nationally recognized for his work in developing the American Institute of Chemical Engineers' (AIChE) chemical process safety practice guidelines.

Bob was also instrumental in helping the Refining and Chemical industry organization become part of Emerson's global effort to achieve TÜV certification of its Functional Safety Management System, in accordance with IEC 61511, for the management and control of safety instrumented system (SIS) applications.

Bob recently served as SIS Consultant for a DeltaV SIS system used in an ultra low sulfur diesel plant. In this capacity, he and the Emerson SIS project experts worked with the manufacturer to verify the required SIL and risk mitigation strategy of each safety instrumented function, and assisted the client with the conceptual design of those functions. Bob also works with manufacturers on all the earlier phases of the safety lifecycle, from the Process Hazard Analysis through Layers of Protection Analysis and SIL determination.

For those working to achieve IEC 61511 compliance, Bob believes the place to start is education on the standard, to understand the scope of the safety lifecycle. He also believes you should assemble an experienced project team to help from the up-front analysis through the engineering, installation, commissioning, and ongoing support phases.

September 07, 2006

Those involved with safety instrumented systems (SIS) know that the ability of the system to perform on demand requires every element of the safety loop (sensor, logic solver, and final control element) to correctly perform its role.

Data from the Offshore Reliability Database (OREDA) points out that 92% of the failures come from problems in the sensors or final control elements.

The IEC 61508 international safety standard stipulates requirements for equipment used in safety applications: it must be suitable for the safety application, that is, for the required safety integrity level (SIL). SIL is defined as follows:

Safety Integrity Levels (SILs) are a safety-measurement standard defined by several bodies including the International Electrotechnical Commission in IEC 61508 to quantify the chance of dangerous failures in electrical or electronic safety devices, that is, the probability of the device to fail in performing its safety function.

Process manufacturers typically seek products certified to this standard by a reputable independent agency, such as one of the TÜV certification bodies, to achieve compliance with the IEC 61511 international safety standard.

Suppliers like Emerson can seek certification either by designing new products to meet the safety requirements or by demonstrating "proven in use" as defined by the IEC 61508 standard. The folks at Exida have an excellent write-up describing the latter method, entitled What does Proven In Use imply?

I caught up with Al Samson, Director of Product Support for our Micro Motion Coriolis flow meter products. Earlier this year, Micro Motion flow meters became the first flow meters to be TÜV-certified to the IEC 61508 safety standard.

The Micro Motion 1700/2700 transmitter family has more than five years in service with high reliability, so the team used the proven-in-use method to achieve certification for use in SIL 1-3 applications. These transmitters are used with the Micro Motion Elite, F, T, and DT sensor families.

The Micro Motion team worked with Exida to develop the Failure Modes, Effects and Diagnostics Analysis (FMEDA) and the other documentation needed for the TÜV process audit required to receive proven-in-use certification.

Al pointed out that the combination of an inherently redundant Coriolis sensor and a high level of internal diagnostics gives a safe failure fraction of 92%, the best among this class of sensors. (The safe failure fraction is the share of all failures that are either safe or are dangerous but detected by diagnostics; the higher it is, the less hardware fault tolerance IEC 61508 demands of the architecture for a given SIL.)

August 18, 2006

In his recent blog post, Safety Integrated System training, AutomationWorld magazine Editor-in-Chief Gary Mintchell describes an SIS training course recommended by a former colleague.

I caught up with Pat Garland in Emerson's Educational Services organization to see what training we offer to help automation professionals learn the ins and outs of safety, including the global safety standard IEC 61511 (ISA S84 in the U.S.).

Along with a lot of effort in other parts of Emerson Process Management developing safety instrumented system (SIS) products, SIS project services, and ongoing SIS lifecycle services, the Educational Services team has developed safety courses ranging from a basic understanding of terminology and global standards to more specific product training.

Pat specifically pointed me to some online eLearning courses, which include a Safety Engineering Overview and a more in-depth Safety Engineering course. You can see sample courseware here (requires the Flash player).

These are paid classes, but they include access to the course for three months and email access to Emerson safety experts for that same period. Based on feedback from automation professionals who have taken the various forms of education services, many more eLearning modules are in development.

Pat has posted his email on the eLearning page, so fire away if you have questions or post comments here.

Finally, speaking of commitment to education, it was great to read Control magazine Editor-in-Chief Walt Boyes' blog post today, More on "Being the Solution...":

Emerson Process Management is the undisputed king of giving to colleges, universities and technical trade schools, as near as I can tell. They have donated millions of dollars worth of field instruments and DeltaV systems, or sold them to academic institutions at cost, depending on the need of the particular institution. In particular, they've donated to the three North American Fieldbus education centers a whole lot.

What Emerson does is the template for the first way to expend education resources: support actual engineering education. This must be done. Thank you for being part of the solution. Please don't stop.

May 19, 2006

After reading about the "10 Truths of Safety Instrumented Systems" in a ControlGlobal.com email (Control magazine's online website) and getting a copy, I'd spoken to one of our safety experts, Andrew Dennant, and was working up an analysis of the 10 truths...

...and then I read the comments of Brian T. Smith of Nova Chemical, the ISA Safety Division Newsletter Editor/Webmaster, on Walt Boyes' SOUND OFF!!! blog.

Andrew and I will add just one point to the discussion underway.

When thinking about availability, consider the entire safety loop, not just the logic solver, since the majority of failures occur outside the logic solver. An analysis of data sources like the Offshore Reliability Database (OREDA) and exida's Safety Equipment Reliability Handbook shows that up to 92% of hardware failures happen in the field and only 8% happen in the logic solver. Studies by the Health and Safety Executive in the UK show that less than 15% of all failures are hardware-related. Doing the math, 15% × 8% = 1.2%, so roughly one percent of all failures can be attributed to the logic solver hardware.

The key to high process availability is a smart SIS that diagnoses the complete safety function, including the logic solver, sensor, and final control element, and that is correctly engineered in accordance with globally agreed best-practice safety standards, namely IEC 61511.

UPDATE: The figures cited in the Health and Safety Executive study are from the publication, Out of Control: Why control systems go wrong and how to prevent failure (2nd edition), orderable from the HSE site.

May 11, 2006

I recently heard a presentation from one of our Chemical industry experts, Peter Cox, an Operations Consultant based in our Emerson Belgium office. Peter spent 14 years with BASF in various engineering and management positions before joining Emerson.

One of the key issues European Union chemical manufacturers face is ensuring compliance with the SEVESO II Directive, as amended in 2005 (implemented as COMAH in the United Kingdom).

The directive is named after the industrial accident which occurred in Seveso, Italy in 1976.

The directive requires a mandatory review to demonstrate compliance with the safety regulations at least every five years for every plant in the European Union and U.K. that falls under it.

In an earlier post I discussed how Emerson safety experts are helping process manufacturers use the IEC 61511 performance-based safety standard to address these safety regulations.

Peter believes that Chemical manufacturers must take a holistic look at the safety lifecycle from risk identification, to the classification of these risks, to the design of the safety function, through the ongoing maintenance and testing of these safety functions.

Emerson is helping Chemical manufacturers in this area with safety expertise a