Eliminating black boxes in safety applications
By Ken O'Malley, P.E., CFSE
In the past, many safety controllers were typically procured and supplied as mysterious black boxes with few or no links to other safety and automation systems, the antithesis of an open system. Instead of a black box, process automation professionals can design their own safety system that integrates with other automation systems and has superior performance, more uptime, and faster diagnostics.
Black boxes are being replaced by open controllers in burner management systems (BMSs). That solution is a safety instrumented system (SIS) built around a programmable safety controller that will conform to all codes and add a host of useful features and connectivity options. Today's marketplace offers many safety products that are competitively priced and relatively easy to use.
Standards permit users to consider a BMS to be an SIS with its hazardous operations; layer of protection analysis (LOPA); safety requirements, design, configuration, factory, and site acceptance testing; ongoing management; and periodic testing adhering to the complete safety life cycle as mandated by the ANSI/ISA-84.00.01-2004 standard.
With a traditional BMS controller, process switches that detect dangerous process deviations are wired to nonprogrammable, purpose-built black box logic solvers. Upon deviations, the controller isolates fuel sources to the combustion chamber as required, but gives little or no feedback to the operator. To alleviate this issue, smart transmitters with internal diagnostic capabilities can be used in lieu of switches, along with safety-rated logic solvers based on programmable logic controllers (PLCs). This solution provides greater process awareness for operations and easier troubleshooting for maintenance following an equipment trip.
One of our customers recently spent two days determining the cause of a BMS black box controller trip. The facility had a backup boiler, so it avoided costly extended downtime, but troubleshooting costs were high. This customer is now working with us to replace its black box BMS logic solver with a PLC-based BMS.
In most cases, downtime is very costly, so there is a great need to use an ISA-84 performance-based approach that gives designers the flexibility to add redundancy and trip voting to reduce nuisance trips due to single-point failures. This approach typically results in at least one safety integrity level (SIL) 2 safety function.
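The trip voting and transmitter diagnostics described above, as an added example that is not from the article or from any vendor's product: a 2oo3 low-trip vote that excludes a channel whose smart transmitter reports a diagnostic fault, degrades to 1oo2, and returns an operator-readable first-out reason. The tag names, limits and the fail-safe policy for two faulted channels are constructed assumptions; a real site's safety requirements specification decides the degraded behaviour.

```python
from dataclasses import dataclass

@dataclass
class Channel:
    tag: str        # transmitter tag (constructed sample name)
    value: float    # process value, e.g. drum level in percent
    diag_ok: bool   # internal diagnostic status from the smart transmitter

@dataclass
class VoteResult:
    trip: bool
    scheme: str     # voting scheme actually applied after degradation
    reason: str     # operator-facing explanation of the decision

def vote_low_trip(channels, low_limit):
    """2oo3 low-trip voting with degradation on diagnosed channel faults.

    A channel flagging a diagnostic fault is removed from the vote, so its
    bad value alone cannot cause a nuisance trip. Assumed policy:
    3 healthy -> 2oo3, 2 healthy -> 1oo2, fewer than 2 healthy -> trip.
    """
    healthy = [c for c in channels if c.diag_ok]
    faulted = [c.tag for c in channels if not c.diag_ok]
    if len(healthy) < 2:
        return VoteResult(True, "fail-safe",
                          f"trip: too few healthy channels, faults on {faulted}")
    scheme, needed = ("2oo3", 2) if len(healthy) == 3 else ("1oo2", 1)
    voters = [c for c in healthy if c.value < low_limit]
    tripped = len(voters) >= needed
    if tripped:
        detail = ", ".join(f"{c.tag}={c.value}" for c in voters)
        reason = f"trip ({scheme}): {detail} below {low_limit}"
    else:
        reason = f"no trip ({scheme})"
    if faulted:
        reason += f"; diagnostic fault on {faulted}"
    return VoteResult(tripped, scheme, reason)

if __name__ == "__main__":
    # Constructed scan: one transmitter reads low but passes diagnostics,
    # so 2oo3 holds the burner on instead of tripping on a single point.
    scan = [Channel("LT-101A", 48.0, True),
            Channel("LT-101B", 12.0, True),
            Channel("LT-101C", 47.5, True)]
    print(vote_low_trip(scan, low_limit=20.0).reason)
```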
Achieving SIL 2 with a general-purpose PLC places a heavy burden on the end user to demonstrate that the PLC is suitable for an SIS application through a prior-use analysis. Additionally, using a general-purpose PLC in a BMS application requires the addition of an external watchdog timer (WDT) to protect against undetected failures of the PLC. If a safety PLC is used, the WDTs may be omitted with the approval of the authority having jurisdiction, eliminating the nuisance trips associated with failures of these devices.
A few years ago, I was participating in a LOPA session at a customer's facility where the site's lead safety engineer interrupted the meeting and handed a WDT to me. After an all-night investigation following a boiler trip, she had isolated the cause to the faulty WDT. Our company had installed the BMS on their boiler a year earlier. Even though an SIS BMS with a safety controller was used and WDTs were therefore not required, the customer's project team had elected to keep the WDTs. But by reducing nuisance trips through the elimination of single points of failure like a WDT, the system becomes safer, because many incidents occur while placing equipment back into service following a trip.
It is important to note that even when the BMS is designed through an ISA-84-based SIS approach, the end user is still responsible for compliance, not the BMS vendor or the system integrator. And in order to meet the equivalency clause of the code of record, the complete life cycle as outlined in ISA-84 must be followed, including SIL selection, verification, and ongoing functional testing at the calculated test interval.
A BMS can be implemented in strict accordance with the appropriate code of record through a prescriptive-based approach using a black box controller. But, implementing a BMS as an SIS with a programmable safety controller offers advantages including reduced nuisance trip rates, improved troubleshooting information, and greater process and system health information.
ABOUT THE AUTHOR
Ken O'Malley, P.E., CFSE, is a degreed electrical engineer with 25 years of automation engineering experience. He is currently executive VP engineering technology at aeSolutions (www.aesolns.com). O'Malley has participated in the development of numerous PLC-based products for fire and gas and burner management system applications, and several of these products are now available with FM approval.