June 2009

Web Exclusive

Safety first

Looking for the logic behind single loop logic solvers

Fast Forward

  • Heightened awareness causes hike in systems optimizing safety.
  • Safety practitioners look to a "new generation" of safety equipment.
  • Sometimes lower cost safety devices can be a better bet.
By Jim McConahay

The industrial process industry is experiencing a huge boom in functional process safety applications.

Much of this growth comes from increased awareness of destruction of property, injuries and loss of life associated with tragic events widely publicized in the worldwide media. Needless to say, companies have a moral and legal obligation to limit risk posed by their operations. In addition to their social responsibilities, the costs of litigation measuring in the billions of dollars have caught the eye of risk management executives worldwide.


As a result, management recognizes the financial rewards of utilizing a properly designed process system that optimizes reliability and safety. That is why companies are now actively taking steps to comply with various national and worldwide safety standards such as ANSI/ISA 84 and IEC 61508/61511.

To accomplish this, safety practitioners look to a "new generation" of equipment specifically designed and approved for use in Safety Instrumented Systems (SISs) that utilize Electrical and/or Electronic and/or Programmable (E/E/PE) technologies.

Safe state

A SIS is an instrumented system used to implement one or more Safety Instrumented Functions (SIF). A SIS consists of any combination of sensors, logic solvers, and final control elements for the purpose of taking a process to a safe state when predetermined conditions no longer exist. A SIF is a function implemented by a SIS that achieves or maintains a safe state for the process with respect to a specific hazardous event.

Examples of SIF applications include:

  • Shutdown in a hazardous chemical process plant
  • Open a valve to relieve excess pressure
  • On/off control to prevent tank overflow
  • Shutdown fuel supply to a furnace
  • Add coolant to arrest exothermic runaway
  • Automatic shutdown when operator not present
  • Close a feed valve to prevent tank overflow
  • Initiate release of a fire suppressant
  • Initiate an evacuation alarm

Safety guidelines

To help companies implement a SIS, the International Electrotechnical Commission (IEC) developed IEC 61508, the standard for "Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems."

The main objective of IEC 61508 is to provide a design standard for SISs to reduce risk to a tolerable level by following the overall hardware and software safety life cycle procedures, and by maintaining the associated stringent documentation.

IEC 61508 has become the benchmark used mainly by safety equipment suppliers to show their equipment is suitable for use in Safety Integrity Level (SIL) rated systems.

For legacy products, suppliers are performing a hardware-only Failure Modes, Effects and Diagnostic Analysis (FMEDA), which provides failure data for SIS designers and may also provide proven-in-use data. This does not include any assessment of the product development process, which is where systematic faults in the product design originate.

New products fully compliant with IEC 61508 address systematic faults by a full assessment of fault avoidance and fault control measures during hardware and software development.


Risk assessment

To determine a SIL, the safety practitioner team's Risk/Process Hazard Analysis procedure identifies all process hazards, estimates their risks, and decides whether each risk is tolerable. Once a SIL has been assigned to a process, the safety practitioner has to verify that the individual components (sensors, logic solvers, final elements, etc.) working together to implement each SIF comply with the constraints of the required SIL.

For any device used in a SIS, the team must pay close attention to each device's Safe Failure Fraction (SFF) and average Probability of Failure on Demand (PFDavg). For each device in the SIF, both numbers must be compared against the rules outlined in the safety standards to confirm the device is sufficient for use at the required SIL of the SIS. If a device is classified as Type B, as microprocessor-based devices are, its development process, including software, must also undergo assessment and approval for the required SIL. While the standards do allow proven-in-use data as proof of a device's reliability, such information is usually very hard to verify and document.

For this reason, many end users prefer devices fully assessed by third-party organizations.

It is always the responsibility of the end user to perform or verify the calculations for the entire safety loop. Since a SIF relies on more than one device, it is imperative that all devices in the loop work together to meet the required SIL. The SFF and PFDavg values for each device used in these calculations should come from a FMEDA report.

IEC 61508 requires a quantitative, as well as qualitative, assessment of risk. FMEDA provides a systematic way to assess the effects of all probable and known failure modes, including on-line monitoring and error checking, of a SIS component. It is a detailed circuit and performance evaluation that estimates failure rates, failure modes, and diagnostic capability of a device. This data allows a user to determine a device's applicability in a specific safety-related application. It is best if a well-qualified third-party agency that specializes in functional safety approvals certifies the FMEDA report.

Logic solvers

The idea of a safety system used to conjure up images of Triple Modular Redundant (TMR) systems that represent enormous capital expenditures. And while TMR is a necessity for some processes, there is also an assortment of safety-certified devices for all cost levels. One simple, economical, yet highly dependable option is using a safety trip alarm as a single loop logic solver.

This single loop logic solver monitors a temperature, pressure, level, flow, position, or status variable. If the input exceeds a selected high or low trip point, one or multiple relay outputs warn of unwanted process conditions or provide emergency shutdown, or provide on/off control, such as in a level control application.

Safety applications

The sophistication of alarm trips, and their applicability in SIS systems, has increased exponentially since their introduction. This includes programmable inputs; local configuration using on-board controls; safe password protection; a process display; transmitter excitation (the ability to power a transmitter eliminates an additional possible point of failure); and especially, comprehensive internal, input and sensor diagnostics.

Specially-engineered safety trip alarms can check their own operation and configuration upon start up, and then continuously monitor this information, as well as the input signal. If internally diagnosed faults or external faults, such as loss of sensor or "bad quality input" occur, the alarm will trip a fault alarm.

By using the "new generation" of single loop logic solvers, and knowing what the process really needs, users can realize the advantages of larger and more expensive safety-certified PLCs at a much lower cost. If a microprocessor-based single loop logic solver has a safe failure fraction greater than or equal to 90%, and its PFDavg falls within the required range, it is suitable for use in SIL 2 applications using a 1oo1 (no voting or redundancy required) architecture. In a 1oo2 (redundant) architecture this same single loop logic solver could be suitable for use in a SIL 3 application, provided the software is assessed and suitable for SIL 3 applications.
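The loop verification described in the "Risk assessment" section (SFF and PFDavg from each device's FMEDA, combined across sensor, logic solver and final element) and the rule just stated (SFF of at least 90% permits SIL 2 in 1oo1, and 1oo2 raises the architectural limit to SIL 3) can be worked through numerically. The following is an added example, not code from the article or from any supplier. All failure rates are constructed for illustration and come from no real FMEDA report; the PFDavg formulas are the simplified low-demand approximations from IEC 61508-6 with repair times neglected and an assumed beta factor of 2% for common-cause failures in 1oo2.

```python
"""Worked SIL verification for a simple safety loop (added example).

Every failure rate below is CONSTRUCTED for illustration and is not taken
from any real FMEDA report or product.  Formulas are the simplified
low-demand approximations of IEC 61508-6 (repair times neglected); PFDavg
bands are from IEC 61508-1 and the architectural-constraint tables
(safe failure fraction vs. hardware fault tolerance) from IEC 61508-2.
"""
from dataclasses import dataclass
from typing import Optional

HOURS_PER_YEAR = 8760.0

# Low-demand PFDavg bands: SIL -> (inclusive lower bound, exclusive upper bound)
PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}

# Architectural constraints: list of (SFF threshold, max SIL for HFT 0, 1, 2).
# None means the combination is not permitted at any SIL.
ARCH_CONSTRAINTS = {
    "A": [(0.99, (3, 4, 4)), (0.90, (3, 4, 4)), (0.60, (2, 3, 4)), (0.0, (1, 2, 3))],
    "B": [(0.99, (3, 4, 4)), (0.90, (2, 3, 4)), (0.60, (1, 2, 3)), (0.0, (None, 1, 2))],
}


@dataclass
class Subsystem:
    """One loop element with its FMEDA failure rates (failures per hour)."""
    name: str
    dev_type: str        # "A" (simple, e.g. a valve) or "B" (e.g. microprocessor-based)
    lambda_sd: float     # safe detected
    lambda_su: float     # safe undetected
    lambda_dd: float     # dangerous detected
    lambda_du: float     # dangerous undetected
    hft: int = 0         # hardware fault tolerance: 0 for 1oo1, 1 for 1oo2

    def sff(self) -> float:
        """Safe failure fraction: all failures except dangerous undetected ones."""
        total = self.lambda_sd + self.lambda_su + self.lambda_dd + self.lambda_du
        return 1.0 - self.lambda_du / total

    def pfd_avg(self, ti_hours: float, beta: float = 0.02) -> float:
        """Average PFD over proof-test interval ti_hours for 1oo1 or 1oo2."""
        x = self.lambda_du * ti_hours
        if self.hft == 0:
            return x / 2.0                       # 1oo1: lambda_DU * TI / 2
        # 1oo2: independent-failure term plus common-cause term (beta factor)
        return ((1.0 - beta) ** 2) * x * x / 3.0 + beta * x / 2.0

    def max_sil_by_architecture(self) -> Optional[int]:
        """Highest SIL the SFF/HFT table permits for this subsystem."""
        for threshold, sils in ARCH_CONSTRAINTS[self.dev_type]:
            if self.sff() >= threshold:
                return sils[self.hft]
        return None  # not reached: the last threshold is 0.0


def sil_from_pfd(pfd: float) -> int:
    """Highest SIL whose PFDavg band contains pfd; 0 if no SIL is reached."""
    for sil in (4, 3, 2, 1):
        low, high = PFD_BANDS[sil]
        if low <= pfd < high:
            return sil
    return 0


def verify_loop(subsystems, ti_hours=HOURS_PER_YEAR):
    """Combine sensor, logic solver and final element into one SIF verdict."""
    loop_pfd = sum(s.pfd_avg(ti_hours) for s in subsystems)
    arch_sils = [s.max_sil_by_architecture() for s in subsystems]
    arch_limit = 0 if None in arch_sils else min(arch_sils)
    return {
        "loop_pfd": loop_pfd,
        "sil_by_pfd": sil_from_pfd(loop_pfd),
        "sil_by_architecture": arch_limit,
        "loop_sil": min(sil_from_pfd(loop_pfd), arch_limit),
    }


# Constructed loop: transmitter -> trip alarm (single loop logic solver) -> valve
SENSOR = Subsystem("pressure transmitter", "B", 100e-9, 100e-9, 710e-9, 90e-9)
LOGIC_SOLVER = Subsystem("safety trip alarm", "B", 500e-9, 100e-9, 300e-9, 80e-9)
FINAL_ELEMENT = Subsystem("shutdown valve", "A", 0.0, 650e-9, 0.0, 350e-9)
LOOP = [SENSOR, LOGIC_SOLVER, FINAL_ELEMENT]

if __name__ == "__main__":
    for s in LOOP:
        print(f"{s.name:22s} SFF={s.sff():.3f}  max SIL (HFT={s.hft})={s.max_sil_by_architecture()}")
    print(verify_loop(LOOP))   # one-year proof test interval: loop lands in SIL 2
    # The same trip alarm in a 1oo2 pair: the architecture now permits SIL 3,
    # but the software/systematic capability must be assessed for SIL 3 separately.
    redundant = Subsystem("trip alarm 1oo2", "B", 500e-9, 100e-9, 300e-9, 80e-9, hft=1)
    print(redundant.max_sil_by_architecture(), f"{redundant.pfd_avg(HOURS_PER_YEAR):.2e}")
```

With the constructed rates and a one-year proof test interval, the trip alarm alone has an SFF of about 92% and a PFDavg near 3.5e-4, so it satisfies the SIL 2 constraint in 1oo1; the whole loop is limited to SIL 2 both by its summed PFDavg (about 2.3e-3) and by the SFF of each element. Note that the architectural table says nothing about systematic capability, which is why the article separately requires the software assessment before the 1oo2 pair may be claimed for SIL 3.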

Third-party certifications

Today, the design of some single loop logic solvers starts "from the ground up" in accordance with IEC 61508. An essential requirement to verify their design is a third-party certification from TÜV, exida, or a similarly accredited approval body. This certification provides unbiased, verified evidence that the unit is appropriate for use in specific SIS strategies. For example, the certification may verify the device is appropriate for SIFs up to SIL 2 in a simplex or 1oo1 configuration. For increased process availability and/or higher SILs (such as SIL 3), the devices may be applied in 1oo2 or 2oo3 architectures. Hazardous area approvals, specifically Class I, Division 2 for non-incendive (Type N) applications and Zone 2 applications, are a must.

Today, there are solutions for SIS strategies with hundreds of I/O, and there are those for systems with just a handful of I/O, and everything in between. The "new generation" in safety-certified single loop logic solvers fits into this scenario. Benefits that last for the life of the system include less maintenance, faster testing, easier documentation of the safety management reports, and modular replacement strategies.


Jim McConahay is a senior field applications engineer at Moore Industries-International, Inc. His e-mail is jmcconahay@miinet.com.