Design of SIS, Control Systems and Instrumentation Systems
New Excel tool for SIL verification of safety instrumented functions.
It calculates the SIL according to IEC-61508 for both simple and complex SIFs, taking into account the three requirements of the Standard (systematic capability, failure probability and architectural constraints).
It allows all types of architectures and incorporates macros in VBA to compare SIFs, generate various types of reports and other functions.
We provide different training courses in the area of instrumentation and control.
Design of SIFs and SIL calculation. A very practical course focused on the design of safety instrumented functions and the comparison of solutions according to cost and technical requirements. You learn the efficient use of the SILcet tool developed by us, and the course includes many practical examples, including how to upgrade old safety systems.
Practical design of the control system. It is a course provided by ISA Spain, developed by PLCdesign and other automation manufacturers that collaborate with ISA.
We offer different engineering services within the area of instrumentation and control, such as:
-Bid generator: Excel to compare, analyze and automatically generate the usual documents of an offer. Designed mainly for suppliers of Solutions (Automation, Mechanical, etc.)
-Cabinet Layout: Excel to design the internal layout of the components of any electrical or control cabinet. Designed mainly for panel builders and system integrators
-IO Builder: Excel to distribute the simple and redundant I/O signals of any control system. Designed for System Integrators.
The importance of diagnostics in the SIS

Diagnostics in a Safety Instrumented System (SIS) are of crucial importance because they are the key to reducing the rate of undetected dangerous failures and, therefore, to reducing the probability of failure on demand (PFD / PFH) and increasing the SIL. We can see it in the following 2 equations (used in SILcet), for the 1oo1 and 1oo2 architectures, which are used to calculate the probability of failure and the SIL achieved.

The objective of the diagnostics is to detect any internal failure in a component: they monitor the correct operation of the devices that intervene in a SIF (safety instrumented function). We can classify the diagnostics in 2 types:

Product diagnostics or self-diagnostics. These are the ones that come integrated from the factory with the product (sensors, PLC, final elements). In safety PLCs the self-diagnostics are very high, and in certified 4-20 mA transmitters they are high. It is in the final elements of the SIF that, depending on the type, we can find certified products without product diagnostics (as in shut-off valves), because they are usually purely mechanical elements.

Application diagnostics. These are additional diagnostics specific to each application. They are not always necessary, since that depends on many factors, but for SIL 2 and SIL 3 levels they can be essential to meet the required SIL. To implement them we need to add software routines in the PLC and, sometimes, also external wiring to the PLC and some additional hardware components (limit switch, valve positioner, line monitoring resistor, transmitter, DO feedback to DI, etc.).

Some practical examples of this type of diagnostic:
-4-20 mA transmitter signal diagnostic (out of range, frozen signal, etc.)
-Diagnostics by comparison (IEC-61508 gives them a lot of credit).
-Use of the HART protocol to diagnose problems in the transmitters or in their wiring from the PLC to the instrument (due to earth leakage, etc.).
-Diagnostic to detect the failure of the digital outputs in a PLC, as it is not a standard feature in all PLCs.
-The partial stroke test (PST) in a safety valve.
-Diagnostic of valve failures by using transmitters. It is an interesting application that can be used only in certain designs.
-Other cases such as detection of cable break, etc.

These are some of the examples that we explain in the course SIFs Design and calculation of SIL.
The importance of common cause failures

When designing a control system, we should pay special attention to common cause failures, that is, to the factors that may cause the simultaneous failure of several components or redundant channels. It is an even more important aspect in the case of safety instrumented systems (SIS) and is considered in international safety standards such as IEC-61508 (for all industries), IEC-61511 (for the process industry), IEC-62061 (for machinery safety), IEC-61513 (for the nuclear industry) or ISA-84.

We can perform an excellent design of the system or of the safety instrumented function, but if we neglect the common cause failures the final result can be really bad. The design engineer is not always aware of the importance of this. Common cause failures are of vital importance in high-availability systems, i.e., in systems with redundant architectures 2oo3, 2oo4, 2oo2, 3oo3, etc., or in safety systems with architectures 1oo2, 1oo3, 2oo3, etc.

Suppose, for example, a PLC with redundant CPU mounted inside a cabinet with insufficient ventilation, with errors in the design of the grounding system, and that has been tested by personnel with little experience (which greatly increases the possible software errors). Any of these aspects can have a very negative effect on both CPUs simultaneously. How many System Integrators actually calculate the heat dissipation inside the control cabinet under the specified temperature and humidity conditions? It is not a complicated calculation, but it serves as an example to draw attention to common cause failures.

In the field elements, such as sensors or actuators, there are also many common factors that influence the operation of the system, such as how they are assembled and calibrated, whether they have been correctly specified, or, for example, whether we are using the same multi-core cable and junction boxes for all redundant channels.
In order to evaluate and quantify common cause failures, IEC-61508 makes several recommendations on how to do so and introduces the so-called β factor that should be used in formulas for calculation of failure probabilities and others. To give a better idea of what we are talking about, we show below some of the formulas used in the SILcet application, where we can see in red the term corresponding to the common cause failures, and that greatly influences the 1oo2, 2oo3 and 2oo4 results since the first term is usually the power of a very small number (<< 0.1).
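The two effects described above (diagnostic coverage lowering the undetected dangerous failure rate, and the β-factor term dominating the redundant architectures) can be reproduced with the simplified PFDavg equations of IEC 61508-6 Annex B. This is an added example written for this page, not SILcet's code or formulas; all parameter values are constructed, and the 2oo3 case is included as the natural generalisation of 1oo2 (same form, leading factor 6 instead of 2).

```python
"""IEC 61508-6 (Annex B) simplified PFDavg equations for 1oo1, 1oo2 and 2oo3.

Added example, not code from SILcet. Inputs are per-channel values:
lam_d  dangerous failure rate (1/h)      dc     diagnostic coverage (0..1)
t1     proof test interval (h)           mttr   mean time to restore (h)
mrt    mean repair time (h)              beta   CCF fraction (undetected)
beta_d CCF fraction (detected)
"""


def _down_times(lam_d, dc, t1, mttr, mrt):
    """Split lambda_D into detected/undetected parts; return the channel
    equivalent down times tCE and tGE as defined in IEC 61508-6 B.3.2."""
    if lam_d <= 0:
        raise ValueError("lam_d must be positive")
    lam_du, lam_dd = lam_d * (1.0 - dc), lam_d * dc
    t_ce = lam_du / lam_d * (t1 / 2 + mrt) + lam_dd / lam_d * mttr
    t_ge = lam_du / lam_d * (t1 / 3 + mrt) + lam_dd / lam_d * mttr
    return lam_du, lam_dd, t_ce, t_ge


def pfd_1oo1(lam_d, dc, t1, mttr, mrt):
    """Single channel: PFDavg = lambda_D * tCE (diagnostics only shorten tCE)."""
    _, _, t_ce, _ = _down_times(lam_d, dc, t1, mttr, mrt)
    return lam_d * t_ce


def pfd_moon(arch, lam_d, dc, t1, mttr, mrt, beta, beta_d):
    """1oo2 and 2oo3 share one equation; only the leading factor differs.
    First term: independent double failure (square of a very small number).
    Second term: common cause failures, linear in beta -> usually dominant."""
    factor = {"1oo2": 2, "2oo3": 6}[arch]
    lam_du, lam_dd, t_ce, t_ge = _down_times(lam_d, dc, t1, mttr, mrt)
    independent = factor * ((1 - beta_d) * lam_dd + (1 - beta) * lam_du) ** 2 * t_ce * t_ge
    common_cause = beta_d * lam_dd * mttr + beta * lam_du * (t1 / 2 + mrt)
    return independent + common_cause


def sil_band(pfd_avg):
    """Low-demand SIL band from PFDavg (IEC 61508-1); 0 = below SIL 1."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd_avg < upper:
            return sil
    return 0


if __name__ == "__main__":  # constructed values: 1e-6/h, yearly proof test, 8 h repair
    p = dict(lam_d=1e-6, t1=8760, mttr=8, mrt=8)
    print("1oo1 DC=0  :", pfd_1oo1(dc=0.0, **p), "SIL", sil_band(pfd_1oo1(dc=0.0, **p)))
    print("1oo1 DC=0.9:", pfd_1oo1(dc=0.9, **p), "SIL", sil_band(pfd_1oo1(dc=0.9, **p)))
    print("1oo2 beta=0  :", pfd_moon("1oo2", dc=0.0, beta=0.0, beta_d=0.0, **p))
    print("1oo2 beta=0.1:", pfd_moon("1oo2", dc=0.0, beta=0.1, beta_d=0.05, **p))
```

With these constructed values, 90 % diagnostic coverage moves the 1oo1 channel from the SIL 2 band to the SIL 3 band, and a β of 10 % makes the 1oo2 result roughly eighteen times worse than with β = 0, almost all of it from the common cause term.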
What is a Safety Instrumented Function?

The safety instrumented function is a control loop in a process or machine whose objective is safety. SIF is its acronym in English. In the following image we see the most common simplified representation of the SIF.

The integrity and performance of the safety instrumented function depend on a large number of factors, and they are measured by the so-called "Safety Integrity Level" (SIL), which is covered by various international standards such as IEC-61508 (for all industries), IEC-61511 (for the process industry), IEC-62061 (for machinery safety), IEC-61513 (for the nuclear industry) or ISA-84.

Some of the main factors that influence the performance of the SIF are the following:
-The technology used: the quality of the components and the manufacturer, the safe and dangerous failure rates, the automatic diagnostic capability of the components, etc.
-The architecture used: component redundancy, common cause failures, etc.
-The response time of the components, the time to repair them and the restoration time to normal operation.
-The activities throughout the life cycle of the safety instrumented function, such as periodic tests, documentation of failures and other actions, SIL level verifications, etc.

In the following image we can see a more detailed representation of the SIF, where many other elements that make up the safety function are shown.

Sensors. It is very important to consider everything around the sensor so that it works properly, such as an adequate connection to the process, the correct measurement technology in each case, or other aspects of the design such as wiring and interface components with the safety PLC.

Logic solver. The logic solver can be a PLC, a relay system or an electronic system in general (programmable or not), but it must meet a series of requirements to be used in a safety instrumented function. In this article we talk, for example, about the safety PLC. The design should take into account both hardware and software or firmware, as well as external factors such as cybersecurity.

Final elements. In the safety instrumented function the final elements are usually the weakest link in the chain, for different reasons (they are mechanical elements in direct contact with the process). It is very important to select the construction materials and all the components well, and to execute the mounting on site correctly.

Other elements. There are many other elements and external factors that greatly influence the performance and integrity of the safety instrumented function, such as external temperature, vibrations, electromagnetic interference, dust in suspension (especially if it is corrosive), power supplies, operation and maintenance tasks, etc. All these factors fall in the category that we call common cause failures and must be analyzed in detail in order to minimize their impact on the performance of the SIF, i.e., to avoid the degradation of the required SIL level.
SIL requirements: Systematic Capability, Failure Probability and Architectural Constraints

The designer of the safety instrumented function must verify that the 3 SIL requirements of the IEC 61508 Standard are met. Each requirement yields a maximum SIL that the SIF can claim. The final SIL of the SIF is the lowest of the three and must be greater than or equal to the required target SIL.

1-The systematic capability of the element (sensor, PLC, valve, etc.) is reflected in the certification issued by certain entities such as Exida or TÜV. The rating (SC 1/2/3) achieved depends on the effectiveness of the quality system and other aspects. A category, for example SC3, means that the product is certified for applications up to SIL 3. Another option is "prior use", which must be documented and justified. It is important to be clear that using certified products is not enough to comply with the SIL level; it is necessary to comply with all the SIL requirements. If the systematic capability of any of the elements is unknown, it should be indicated in the verification report.

2-The second requirement is determined by the average Probability of Failure on Demand of the SIF (PFDavg, for low demand systems) or the Probability of dangerous Failure per Hour of the SIF (PFH, for high demand systems). The calculation is made for the selected architecture in each subsystem (sensor, logic solver and actuator), and the subsystem results are summed to obtain the probability of failure of the SIF (Safety Instrumented Function). If the required SIL is not met, it will have to be recalculated with another architecture (1oo2, 2oo3, etc.), with products with lower failure rates, or by reducing other factors that affect this calculation (test interval, beta factor for common cause failures, etc.). It is important to use realistic failure rate values and, if possible, values based on historical data from similar applications.

3-The third SIL requirement is called "Architectural Constraints" and is based on minimum hardware redundancy requirements. The tables of SFF (safe failure fraction, the proportion of failures that are safe) and HFT (hardware fault tolerance) are used. If the selected architecture of any subsystem (sensor, logic solver, actuator) does not comply, it will have to be recalculated with another, safer architecture (1oo2, 2oo3, etc.). There are 2 options (Route 1H and Route 2H). Route 2H is used if the failure rates are realistic for the specific application. Otherwise Route 1H should be used, which was created as a defense against optimistically low, unrealistic failure rates. In Route 1H there are two HFT tables, according to whether the element is type A (simple elements such as pressure switches, valves, etc.) or type B (complex elements such as smart transmitters or PLCs).

The three SIL requirements must be met. The maximum SIL achievable by the SIF will be the lowest of the three. This is the methodology we use in the SILcet tool to calculate and verify the SIL.
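The "lowest of the three" rule above, with the Route 1H tables for type A and type B elements, can be put into a small verification routine. This is an added example written for this page, not SILcet's code; systematic capability and the per-subsystem PFDavg are taken as inputs (the PFDavg values of the sample SIF are constructed, not calculated), and only Route 1H is encoded.

```python
"""SIL verification as the minimum of the three IEC 61508 requirements.

Added example, not SILcet's code. ROUTE_1H encodes the Route 1H tables of
IEC 61508-2 (max SIL per SFF band and HFT). SFF bands: <60 %, 60-<90 %,
90-<99 %, >=99 %. A 0 means the architecture is not allowed at that HFT.
"""

ROUTE_1H = {
    "A": [[1, 2, 3], [2, 3, 4], [3, 4, 4], [3, 4, 4]],   # simple elements
    "B": [[0, 1, 2], [1, 2, 3], [2, 3, 4], [3, 4, 4]],   # complex elements
}


def hft(arch):
    """Hardware fault tolerance of an MooN voting group is N - M."""
    m, n = arch.lower().split("oo")
    return int(n) - int(m)


def sff_band(sff):
    return 0 if sff < 0.60 else 1 if sff < 0.90 else 2 if sff < 0.99 else 3


def arch_constraint_sil(elem_type, sff, arch):
    """Route 1H: tables stop at HFT 2, so higher tolerance uses that column."""
    return ROUTE_1H[elem_type][sff_band(sff)][min(hft(arch), 2)]


def sil_from_pfd(pfd_avg):
    """Low-demand SIL band from the summed PFDavg; 0 = below SIL 1."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd_avg < upper:
            return sil
    return 0


def verify_sif(subsystems, target_sil):
    """Each subsystem: sc, type, sff, arch, pfd_avg. Returns the SIL
    allowed by each requirement, the achieved SIL (their minimum) and
    whether the target is met. Route 2H is not modelled."""
    sc = min(s["sc"] for s in subsystems)
    ac = min(arch_constraint_sil(s["type"], s["sff"], s["arch"]) for s in subsystems)
    pf = sil_from_pfd(sum(s["pfd_avg"] for s in subsystems))
    achieved = min(sc, ac, pf)
    return {"sc": sc, "arch": ac, "pfd": pf, "achieved": achieved, "ok": achieved >= target_sil}


# Constructed sample SIF (target SIL 2): the 1oo1 valve limits it to SIL 1.
SAMPLE_SIF = [
    {"sc": 3, "type": "B", "sff": 0.92, "arch": "1oo1", "pfd_avg": 5.0e-4},   # transmitter
    {"sc": 3, "type": "B", "sff": 0.99, "arch": "1oo1", "pfd_avg": 1.0e-5},   # safety PLC
    {"sc": 2, "type": "A", "sff": 0.50, "arch": "1oo1", "pfd_avg": 1.5e-3},   # shut-off valve
]
# Same SIF with the valve made redundant (1oo2); PFDavg value is constructed.
UPGRADED_SIF = SAMPLE_SIF[:2] + [dict(SAMPLE_SIF[2], arch="1oo2", pfd_avg=2.0e-4)]
```

Running verify_sif(SAMPLE_SIF, 2) reports architectural constraints as the limiting requirement (SIL 1 from the type A valve with SFF below 60 % and HFT 0); the 1oo2 variant lifts that to SIL 2, and the systematic capability of the valve (SC 2) then becomes the limit.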
Phase 7: Isolators and Terminal Blocks

In this article we discuss the options we have for isolators, converters, barriers, terminal blocks and other components.

7-Isolators, field terminals and prefabricated cables

Converters, Isolators and Barriers. They are used to convert signal ranges, to electrically isolate two circuits, to duplicate signals, to amplify signals, and so on. Normally we use the term "signal converter" when we transform one range into another, for example from 0-10 VDC to 4-20 mA. The term "isolator" is used when the main objective is to perform a galvanic separation (or electrical isolation) between the input and output circuits. The term "barrier" usually refers to the intrinsic safety (IS) isolators used to wire signals from the control panel to the hazardous area. In the case of redundant signals we can use signal duplicators, mainly with analog signals.

In the market there are many types and formats available, and it is rare that we do not find the solution we are looking for. The important thing from the point of view of design is to make the right selection in each case, since the impact on the total cost can be significant, especially in large systems. For example, if it is technically acceptable, it will be better to use double isolators than single ones, with the consequent saving of cost and space in the cabinet.

Field terminals (terminals). The possible options are many and it is difficult to give general rules. Usually the discussion focuses on the following:
-Screw or spring connection. In most cases the screw connection is accepted, but not always the spring connection. The spring connection is more suitable when there are vibrations and saves wiring time in the control cabinet.
-Fused or non-fused terminal. This is a more important point than it seems and should be checked in the technical specification; some end users have clear requirements in this regard. The reason for using fuses in the terminals is that we want to prevent a short circuit or other problem in one signal from affecting the whole module or panel. On the other hand, introducing fuses means introducing other elements that can fail. Let's look at some of the options we have: A) Use a fuse terminal for each signal individually. B) Use a fuse terminal for each group of signals or module, according to a functional criterion (per equipment or service). C) Use I/O modules with built-in electronic protection. D) In the case of the digital outputs, protect each group with a circuit breaker; this is sometimes used to protect a group of solenoid valves. We can also combine several of the options depending on the type of signal and the type of module used.
-Single or double level terminal blocks. It is more common to use single level terminal blocks. Their main advantage is in wiring, both in the manufacturing workshop and in the field. Double level terminal blocks are used when we want to save space, even at the cost of making it more difficult to access the terminals.
-Cables with or without ferrules. In general, it is technically more convenient to use ferrules on the cables, although there are numerous installations that do not use them when spring terminals are used.

Pre-fabricated cables for PLCs. This is a good option to consider on many occasions, especially if we want to reduce cost, space and wiring time in the control cabinet. Finding an advantageous design based on prefabricated cables can be complicated if we have made a functional distribution of I/O signals (based on equipment or field areas), because there may then be, in the same module, signals with different wiring (e.g. 2-wire and 4-wire analog inputs, digital outputs to interposing relays with voltage or voltage-free contacts, digital inputs with and without interposing relay, etc.).

In large systems, especially in the oil & gas industry, marshalling cabinets are located between the junction boxes and the DCS. Within these cabinets the field cables are connected and cross wiring is performed to order the signals according to the DCS I/O modules. In this way it is possible to use prefabricated cables to interconnect the marshalling cabinets with the DCS modules. In large and complex projects this approach has many advantages.