November/December 2011
Process Automation

Centralized or distributed process safety

Picking the best safety system architecture cuts risk and cost while simplifying implementation and maintenance

Fast Forward

  • Safety systems can be implemented in a centralized or a distributed fashion.
  • Centralization is the more traditional approach, but distributed safety is gaining momentum.
  • Process plants should consider both approaches to meet their safety needs and may need to mix and match centralized and distributed safety for best results.
By Dr. Angela Summers

process auto1Process plant safety systems can either be centralized, distributed, or a combination of both. Each approach has its advantages and challenges, with selection of the best option dependent on a variety of factors. This article will examine various safety system architectures and will show process plant users how to pick the best solution to fit their specific needs.

Centralized safety

Some process plants employ a single monolithic safety system across their entire facility. These systems use a centralized logic solver, typically a large programmable unit and probably featuring internal redundancy and extensive diagnostics, all housed in an environmentally controlled area. 

Use of a single safety logic solver gained popularity as a means to lower the cost per I/O point by connecting increasing numbers of I/O to the logic solver central processing unit (CPU). 

At many sites, the safety logic solver provides oversight for thousands of I/O points, with the result that facility safety and production reliability are dependent on the performance of a single safety logic solver. Consequently, software upgrades, application program changes, hardware failure, maintenance, and function checks can affect the entire safety system.

With centralized safety, decisions about CPU and I/O placement must be made during initial project design. The safety system I/O modules may be located in the central area or remotely located near the field devices with secure digital communication back to the logic solver. The communications between the CPU and remote I/O must be vendor certified to IEC 61508. Because of their importance, these remote I/O links are often installed along different and redundant paths so damage to one area of the plant does not bring down the entire system.

Conformance to IEC 61511 requires individual field devices be hardwired directly to the safety system I/O. Remote safety I/O allows the designer to reduce the length of these individual wire runs, potentially lowering the project cost.

With centralized systems, users only need to master one software product, although it can be quite complex. Programmable systems require an engineering interface with access security controls to troubleshoot performance degradation. The centralized system does not provide local interfaces or panels in the field, so these must be designed and installed separately, adding additional cost and complexity.

Manufacturer selection constitutes a long-term commitment for training and spare parts. Once the selection is made, the number of different hardware components is minimized, lessening the learning curve and reducing stocking requirements. Small addition and upgrade projects must adapt to the existing system, so additional connection points need to be implemented with hardware compatible with the original installation. 

Since a single logic solver manages many safety functions, the application program execution must be fast enough to address the shortest required process safety time. Changes to the application program, such as the addition of a new safety function, must be evaluated for their impact on other safety functions. Problems during download of a new application program or during loss of CPU environmental control may impact multiple plant process units, potentially affecting the safety and uptime of many pieces of equipment.

Perhaps, the greatest problem with centralized systems is failure of the main controller can cause the entire safety system to cease functioning. While hardware redundancy can reduce the probability of this occurrence, systemic errors in software and the need for firmware updates remain as potential threats, and the need to shutdown the entire system to perform updates can impact process uptime.

On the plus side, integration issues are virtually eliminated because the hardware components and software are supplied by one vendor, and there is a clear single source responsibility in case any issues arise.

process auto2

Distributed safety

Distributed safety systems are perhaps less familiar, but are nonetheless used extensively in process plants worldwide. Main distributed safety components include trip modules or relays and/or small programmable electronic controllers with limited I/O capability, each designed and selected to fit the needs of a single safety function.

A distributed safety system is often designed to provide safe operation of a limited plant area, a particular plant process, a single piece of equipment, or a single safety function. For example, a compressor skid might be supplied with its own control and safety system, separate and apart from the plant's main control and safety system.

In another case, a particular plant process might have its own safety system. For example, our company supplied a distributed safety system for a distillate hydrotreater unit at a refinery. The system used four separate trip modules to monitor four scenarios involving low level and low flow that could lead to overpressure of equipment within the unit.

Distributed safety systems have benefits and drawbacks; perhaps, the greatest advantage of the distributed safety system is independent operation and shutdown. Simply put, the locally controlled system will operate as designed even if other safety systems fail, or if communication links among the systems fail. 

Failures and degraded conditions within the local and distributed safety system can be diagnosed and presented to the operator for appropriate response. For a simple trip module system, the required diagnostic is probably a periodic proof test, and any necessary repair is performed by an electrician with a screwdriver. Contrast this condition with a centralized safety system running continuous hardware diagnostics and requiring an engineering interface with diagnostic tools and an engineer or a highly-skilled technician for troubleshooting and repair. 

Because distributed safety systems only address a limited number of functions, the safety system can be modified or upgraded without disturbing other parts of the process. For plant retrofits and expansions, it is often easier to install a distributed safety system instead of integrating the new functionality into the centralized safety controller. The addition of a new safety function is relatively simple because the new function does not have to interact with the existing safety hardware or fit in an existing enclosure.  New field hardwired safety connections can be relatively short in length since the logic solver can be mounted in close proximity to the protected unit.

If the distributed safety system uses only trip modules and relays instead of programmable electronics, several other advantages are realized. No software programming is required, and the system can easily be designed to fail-safe. Speed of execution is unmatched by a programmable system, as is the ease of design and maintenance. Trip modules and safety relays can be selected to withstand the field operating environment and can be mounted in simple waterproof enclosures in close proximity to the protected equipment, with no operational dependence on environmental controls such as air conditioning.

As with centralized safety systems, conformance to IEC 61511 requires individual field devices be hardwired directly to the safety system I/O. The field sensors may be shared with the regulatory control system and operator HMIs through isolators or through a digital communication bus. All of the safety actions are performed locally by the distributed safety system. If a local operator interface is required, the distributed safety system panel can be modified to provide lights, push buttons, and/or an operator interface terminal.

The main challenge of implementing distributed safety is the need to implement and integrate products from a number of different suppliers. Although each distributed safety system may be relatively simple itself, the sheer number of different systems can add complexity. Parts from different suppliers need to be stocked, and plant personnel need to be familiar with the operation of each system. Just gathering the right tools for field troubleshooting can become a challenge, as these tools are often specific to each safety system.

Many process plants want to combine the benefits of centralized and distributed safety while minimizing the drawbacks of each, and one way to do this is with a hybrid safety system architecture.

process auto3  

Hybrids may improve the breed

Newer technologies such as distributed and networked safety controllers, safety-rated digital communication networks, and safety-rated remote I/O are allowing some process plants to combine many of the advantages of centralized and distributed safety in a hybrid safety system architecture.

In this type of a system, a central safety controller communicates to one or more distributed sub-controllers located throughout the plant via a high-speed digital network. Each sub-controller has its own local I/O and can control its local process on a stand-alone basis. The communications among the safety CPUs must be covered in the logic solver vendor product certification to IEC 61508. This requirement implies the hybrid safety system will be purchased from a single vendor, much like the centralized system.

With this approach, there is only one software programming environment for the entire safety system and only one supplier. This virtually eliminates integration issues and simplifies design and maintenance. Control room personnel are presented with a unified operator interface, and this interface can display complete information from each distributed safety sub-controller.

On the negative side, these systems are often the most complex of all to design, program, and maintain because there are many separate safety controllers. A high-speed network must be designed, installed, and maintained-and access security and cybersecurity must be tightly controlled.

 process auto4

Selecting the best option

For a new Greenfield plant, a centralized safety system architecture is often the initial approach. If the selected regulatory control system supplier also offers distributed safety, as most of the major automation vendors do, then the plant can realize the benefits of a single vendor approach with a hybrid system.

Reliance on a single vendor is often more costly in terms of purchase costs, but this approach should reduce other life-cycle costs. The main risk is complete dependence on one supplier, as well as sometimes overwhelming complexity in initial design, often requiring extensive supplier support at considerable cost.

Centralized safety systems are installed and running in many process plants, and most users cannot justify a wholesale change of approach. In this situation, it is often more cost effective and simpler to perform additions and upgrades with distributed safety systems.

These distributed systems can be networked back to the regulatory control system and its operator interface via either hardwiring or a digital network, providing the operator with a system that looks and feels much like a centralized safety system at a lower cost.

Distributed safety systems are often present in process skids, compressors, packaging machines, and other subsystems purchased from OEMs. The OEM safety systems are usually linked back to the central regulatory control system via either hardwiring or digital networks, although the safety systems may be completely standalone.

Most new facilities will select either a centralized or a hybrid safety system architecture. Existing plants need to make sure newer safety systems fit into their existing safety system architecture. In many cases, this means distributed safety systems will be used, and these systems will be integrated into the existing safety system architecture.

process auto5


Dr. Angela Summers is president of SIS-TECH (, a specialty engineering and consulting company, and she is widely recognized for her expertise in the field of instrumented safety systems. Summers is an active participant in industrial safety standards' development, and she has published over 50 papers related to process safety and safety instrumented system design.