Design of SIS, Control Systems and Instrumentation Systems.
New Excel tool for SIL verification of safety instrumented functions.
It calculates the SIL according to IEC-61508 for both simple and complex SIFs, taking into account the three requirements of the Standard (systematic capability, failure probability and architectural constraints).
It supports all types of architectures and incorporates VBA macros to compare SIFs, generate various types of reports, and perform other functions.
Course on the use of the SILcet tool and on the design of safety instrumented functions (SIF) and SIL calculation according to IEC-61508 and other standards (available from March-2018).
The course focuses on the design and modification phases of the SIF. It centres on practical examples of both existing and new systems, together with explanations of how to use the SILcet tool and of the correct way to calculate the failure probability (PFDavg) and the SIL level (Route 1H or 2H).
–Bid generator: Excel to compare, analyze and automatically generate most of the usual documents of an offer.
–Cabinet Layout: Excel to design the internal layout of the components of any electrical or control cabinet.
–IO Builder: Excel to distribute the simple and redundant I/O signals of any control system.
The importance of common cause failures

When designing a control system, we should pay special attention to common cause failures, that is, to the factors that may cause the simultaneous failure of several components or redundant channels. This is an even more important aspect in the case of safety instrumented systems (SIS) and is considered in international safety standards such as IEC-61508 (for all industries), IEC-61511 (for the process industry), IEC-62061 (for machinery safety), IEC-61513 (for the nuclear industry) or ISA-84.

We can produce an excellent design of the system or of the safety instrumented function, but if we neglect common cause failures the final result can be really bad. The design engineer is not always aware of the importance of this. Common cause failures are of vital importance in high-availability systems, i.e., in systems with redundant architectures such as 2oo3, 2oo4, 2oo2, 3oo3, etc., and in safety systems with architectures such as 1oo2, 1oo3, 2oo3, etc.

Suppose, for example, a PLC with redundant CPUs mounted inside a cabinet with insufficient ventilation, with errors in the design of the grounding system, and that has been tested by personnel with little experience (which greatly increases the likelihood of software errors). Any of these aspects can have a very negative effect on both CPUs simultaneously. How many system integrators actually calculate the heat dissipation inside the control cabinet under the specified temperature and humidity conditions? It is not a complicated calculation, but it serves as an example to draw attention to common cause failures.

In the field elements, such as sensors or actuators, there are also many common factors that influence the operation of the system, such as how they are assembled and calibrated, whether they have been correctly specified, or, for example, whether we are using the same multi-core cable and junction boxes for all redundant channels.
In order to evaluate and quantify common cause failures, IEC-61508 makes several recommendations on how to do so and introduces the so-called β factor, which should be used in the formulas for calculating failure probabilities and other quantities. To give a better idea of what we are talking about, we show below some of the formulas used in the SILcet application, where the term corresponding to common cause failures is shown in red. That term greatly influences the 1oo2, 2oo3 and 2oo4 results, since the first term is usually a power of a very small number (<< 0.1).
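To make the weight of the β term concrete, here is an added example (not the SILcet formulas, which appear on this page only as an image) using the simplified IEC 61508-6 low-demand expressions in terms of λDU (dangerous undetected failure rate per hour), T1 (proof-test interval in hours) and β; the failure rate, test interval and β values used are constructed.

```python
"""Share of PFDavg that comes from the common cause (beta) term.

Added example using the simplified IEC 61508-6 low-demand formulas, not the
SILcet formulas. Symbols: lam_du = dangerous undetected failure rate (1/h),
t1 = proof-test interval (h), beta = fraction of lam_du that is common cause.
Detected failures, MTTR and MRT are left out to keep the two terms visible.
"""

# Independent-failure term of each architecture as a function of x = lam_du * t1.
# Its exponent is the number of channels that must fail dangerously at the same
# time, so for redundant architectures it is a power of a number << 0.1.
INDEPENDENT_TERM = {
    "1oo1": lambda x: x / 2,
    "1oo2": lambda x: x ** 2 / 3,
    "2oo3": lambda x: x ** 2,
    "1oo3": lambda x: x ** 3 / 4,
}


def pfd_terms(arch, lam_du, t1, beta=0.0):
    """Return (independent_term, common_cause_term) of PFDavg for `arch`."""
    x = lam_du * t1
    independent = INDEPENDENT_TERM[arch](x)
    # Common cause term (the one highlighted in red in the SILcet formulas): a
    # beta fraction of lam_du hits all channels at once, so it behaves like a
    # single 1oo1 channel regardless of the redundancy.
    common_cause = 0.0 if arch == "1oo1" else beta * x / 2
    return independent, common_cause


def pfd_avg(arch, lam_du, t1, beta=0.0):
    """Total PFDavg of the architecture."""
    return sum(pfd_terms(arch, lam_du, t1, beta))


def common_cause_share(arch, lam_du, t1, beta):
    """Fraction of PFDavg caused by the beta term (0.0 for 1oo1)."""
    independent, common_cause = pfd_terms(arch, lam_du, t1, beta)
    return common_cause / (independent + common_cause)


if __name__ == "__main__":
    # Constructed input: 500 FIT dangerous undetected (5e-7 /h), yearly proof test.
    lam_du, t1 = 5e-7, 8760.0
    print(f"{'arch':5} {'beta':>5} {'PFDavg':>10} {'CC share':>9}")
    for arch in INDEPENDENT_TERM:
        for beta in (0.0, 0.02, 0.10):
            pfd = pfd_avg(arch, lam_du, t1, beta)
            share = common_cause_share(arch, lam_du, t1, beta)
            print(f"{arch:5} {beta:5.2f} {pfd:10.2e} {share:9.1%}")
```

With the constructed values the β term is over 90 % of the 1oo2 and 2oo3 results, so reducing β (separation, diversity, installation quality) improves the SIF more than adding a third channel.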
What is a Safety Instrumented Function?

The safety instrumented function is a control loop in a process or machine whose objective is safety. SIF is its acronym in English. In the following image we see the most common simplified representation of the SIF.

The integrity and performance of the safety instrumented function depend on a large number of factors, and they are measured by the so-called Safety Integrity Level (SIL), which is covered by various international standards such as IEC-61508 (for all industries), IEC-61511 (for the process industry), IEC-62061 (for machinery safety), IEC-61513 (for the nuclear industry) or ISA-84. Some of the main factors that influence the performance of the SIF are the following:

-The technology used: the quality of the components and the manufacturer, the safe and dangerous failure rates, the automatic diagnostic capability of the components, etc.
-The architecture used: component redundancy, common cause failures, etc.
-The response time of the components, the time to repair and the time to restore normal operation.
-The activities throughout the life cycle of the safety instrumented function, such as periodic tests, documentation of failures and other actions, SIL level verifications, etc.

In the following image we can see a more detailed representation of the SIF, showing many other elements that make up the safety function.

Sensors

It is very important to consider everything around the sensor so that it works properly, such as an adequate connection to the process, the correct measurement technology in each case, or other aspects of the design such as wiring and the interface components with the safety PLC.

Logic solver

The logic solver can be a PLC, a relay system or an electronic system in general (programmable or not), but it must meet a series of requirements to be used in a safety instrumented function. In this article we discuss, for example, the safety PLC. The design should take into account both hardware and software or firmware, as well as external factors such as cybersecurity.

Final elements

In the safety instrumented function the final elements are usually the weakest link in the chain, for different reasons (they are mechanical elements in direct contact with the process). It is very important to select the construction materials carefully, as well as all the components, and to execute the on-site mounting correctly.

Other elements

There are many other elements and external factors that greatly influence the performance and integrity of the safety instrumented function, such as external temperature, vibrations, electromagnetic interference, dust in suspension (especially if it is corrosive), power supplies, operation and maintenance tasks, etc. All these factors fall into the category that we call common cause failures and must be analyzed in detail in order to minimize their impact on the performance of the SIF, i.e., to avoid degradation of the required SIL level.
SIL requirements – Systematic Capability, Failure Probability and Architectural Constraints.

The designer of the safety instrumented function must verify that the 3 SIL requirements of the IEC-61508 Standard are met. Each requirement yields a certain maximum SIL level. The final SIL of the SIF will be the lowest of the three and must be greater than or equal to the required target SIL.

1-The systematic capability of the element (sensor, PLC, valve, etc.) is reflected in the certification issued by certain entities such as Exida or TÜV. The rating achieved (SC 1/2/3) depends on the effectiveness of the quality system and other aspects. A category such as SC3 means that the product is certified for applications up to SIL 3. Another option is “prior use”, which must be documented and justified. It is important to be clear that using certified products is not enough to comply with the SIL level; all the SIL requirements must be met. If the systematic capability of any of the elements is unknown, this should be indicated in the verification report.

2-The second requirement is determined by the average Probability of Failure on Demand of the SIF (PFDavg, for low-demand systems) or the Probability of dangerous Failure per Hour of the SIF (PFH, for high-demand systems). The calculation is made for the selected architecture in each subsystem (sensor, logic solver and actuator), and the subsystem values are summed to obtain the failure probability of the SIF (Safety Instrumented Function). If the required SIL is not met, it will have to be recalculated with another architecture (1oo2, 2oo3, etc.), with products with lower failure rates, or by reducing other factors that affect this calculation (test interval, β factor for common cause failures, etc.). It is important to use realistic failure rate values, if possible based on historical data from similar applications.

3-The third SIL requirement is called “Architectural Constraints” and is based on minimum hardware redundancy requirements. The tables of SFF (safe failure fraction = proportion of safe failures) and HFT (hardware fault tolerance) values are used. If the selected architecture does not comply in any of the subsystems (sensor, logic solver, actuator), it will have to be recalculated with another, safer architecture (1oo2, 2oo3, etc.). There are 2 options (Route 1H and Route 2H). Route 2H is used if the failure rates are realistic for the specific application. Otherwise Route 1H should be used, which was created as a defence against failure rates that are too low to be realistic. In Route 1H there are two HFT tables, according to whether the element is type A (simple elements such as pressure switches, valves, etc.) or type B (complex elements such as smart transmitters or PLCs).

The three SIL requirements must be met. The maximum SIL achievable by the SIF will be the lowest of the three. This is the methodology we use in the SILcet tool to calculate and verify the SIL.
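The three-requirement check just described, as an added example (not the SILcet tool's own code): each subsystem carries its SC, its PFDavg already computed for its architecture, and the SFF, HFT and type data that Route 1H needs, and the SIF's SIL is the lowest of the three results. The subsystem data is constructed; the Route 1H tables are those of IEC 61508-2 (Tables 2 and 3) and the SIL bands those of IEC 61508-1 (Table 2).

```python
"""SIL verification of a SIF against the three IEC 61508 requirements.
Added example, not SILcet's own code; the SIF's SIL is the lowest of the three."""
from dataclasses import dataclass


@dataclass
class Subsystem:
    name: str
    sc: int          # systematic capability from certificate or prior use (SC 1..3)
    pfd_avg: float   # PFDavg of the subsystem's architecture (low demand)
    sff: float       # safe failure fraction, e.g. 0.92 for 92 %
    hft: int         # hardware fault tolerance: 1oo1 -> 0, 1oo2 / 2oo3 -> 1, 1oo3 -> 2
    type_b: bool     # True for complex elements (smart transmitter, PLC), False for type A

# Route 1H (IEC 61508-2 Tables 2 and 3): per SFF band (upper bound, exclusive),
# the maximum SIL for HFT 0, 1 and 2. A 0 means the combination is not allowed.
ROUTE_1H = {
    False: [(0.60, (1, 2, 3)), (0.90, (2, 3, 4)), (0.99, (3, 4, 4)), (1.01, (3, 4, 4))],
    True:  [(0.60, (0, 1, 2)), (0.90, (1, 2, 3)), (0.99, (2, 3, 4)), (1.01, (3, 4, 4))],
}

def sil_from_pfd(pfd_avg):
    """SIL band of a low-demand PFDavg (IEC 61508-1 Table 2). Values below the
    SIL 4 band (1e-5) are treated as SIL 4, an assumption of this example."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd_avg < upper:
            return sil
    return 0  # PFDavg >= 0.1: no SIL

def sil_from_architecture(sub):
    """Maximum SIL allowed by the architectural constraints (Route 1H)."""
    for upper, by_hft in ROUTE_1H[sub.type_b]:
        if sub.sff < upper:
            return by_hft[min(sub.hft, 2)]

def verify_sif(subsystems, target_sil):
    """Apply the three requirements; each gives a SIL, the SIF gets the lowest."""
    sc_sil = min(s.sc for s in subsystems)                        # 1: systematic capability
    pfd_sil = sil_from_pfd(sum(s.pfd_avg for s in subsystems))    # 2: summed PFDavg
    arch_sil = min(sil_from_architecture(s) for s in subsystems)  # 3: architectural constraints
    achieved = min(sc_sil, pfd_sil, arch_sil)
    return {"sc": sc_sil, "pfd": pfd_sil, "arch": arch_sil,
            "sil": achieved, "ok": achieved >= target_sil}

# Constructed SIF: 1oo2 smart transmitters, a 1oo1 safety PLC and a single valve.
EXAMPLE_SIF = [
    Subsystem("PT 1oo2", sc=3, pfd_avg=2.3e-4, sff=0.92, hft=1, type_b=True),
    Subsystem("Safety PLC", sc=3, pfd_avg=1.5e-5, sff=0.995, hft=0, type_b=True),
    Subsystem("Valve 1oo1", sc=2, pfd_avg=1.2e-3, sff=0.70, hft=0, type_b=False),
]

if __name__ == "__main__":
    print(verify_sif(EXAMPLE_SIF, target_sil=2))  # the single valve limits the SIF to SIL 2
```

The constructed SIF meets SIL 2 but not SIL 3, and all three requirements point at the same weakest link, the single valve: a SIL 3 target would require a redundant final element with better SFF, a lower PFDavg, and an SC3 rating or documented prior use.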
Phase 7: Isolators and Terminal Blocks

In this article we discuss the options we have for isolators, converters, barriers, terminal blocks and other components (index of design phases).

7-Isolators, field terminals and prefabricated cables

Converters, Isolators and Barriers

They are used to convert signal ranges, to electrically isolate two circuits, to duplicate signals, to amplify signals, and so on. Normally we use the term “signal converter” when we transform one range into another, for example from 0-10 VDC to 4-20 mA. The term “isolator” is used when the main objective is to provide galvanic separation (electrical isolation) between the input and output circuits. The term “barrier” usually refers to the intrinsic safety (IS) isolators used to wire signals from the control panel to the hazardous area. In the case of redundant signals we can use signal duplicators, mainly with analog signals.

In the market there are many types and formats available, and it is rare not to find the solution we are looking for. The important thing from the point of view of design is to make the right selection in each case, since the impact on the total cost can be significant, especially in large systems. For example, if it is technically acceptable it is better to use two-channel isolators than single-channel ones, with the consequent saving of cost and space in the cabinet.

Field terminals (terminals)

The possible options are many and it is difficult to give general rules. Usually the discussion focuses on the following:

-Screw or spring connection. In most cases the screw connection is accepted, but the spring connection is not always accepted. The spring connection is better suited where there is vibration and saves wiring time in the control cabinet.
-Fused or non-fused terminals. This is a more important point than it seems and should be checked in the technical specification; some end users have clear requirements in this regard. The reason for using fuses in the terminals is that we want to prevent a short circuit or other problem in one signal from affecting the whole module or panel. On the other hand, introducing fuses means introducing other elements that can fail. Let’s look at some of the options we have:
A) Use a fused terminal for each signal individually.
B) Use a fused terminal for each group of signals or module, according to a functional criterion (per equipment or service).
C) Use I/O modules with built-in electronic protection.
D) In the case of digital outputs, protect each group with a circuit breaker. This is sometimes used to protect a group of solenoid valves.
We can also combine several of these options depending on the type of signal and the type of module used.
-Single or double level terminal blocks. It is more common to use single level terminal blocks. Their main advantage is in wiring, both in the manufacturing workshop and in the field. Double level blocks are used when we want to save space, even at the cost of making the terminals harder to access.
-Cables with or without wire-end ferrules. In general, it is technically more convenient to use ferrules on the cables. There are numerous installations that do not use them when spring terminals are used.

Pre-fabricated cables for PLCs

This is a good option to consider on many occasions, especially if we want to reduce cost, space and wiring time of the control cabinet. Finding an advantageous design based on prefabricated cables can be complicated if we have made a functional distribution of I/O signals (based on equipment or field areas), since the same module may then contain signals with different wiring (e.g.: 2-wire and 4-wire analog inputs, digital outputs to intermediate relays with powered or voltage-free contacts, digital inputs with and without intermediate relay, etc.).

In large systems, especially in the oil & gas industry, marshalling cabinets are located between the junction boxes and the DCS. Within these cabinets the field cables are connected and cross wiring is performed to order the signals according to the DCS I/O modules. In this way it is possible to use prefabricated cables to interconnect the marshalling cabinets with the DCS modules. In large and complex projects this approach has many advantages.

Link to next phase.
Phase 6: Power Supply and Circuit Breakers

In this article we discuss the design of the 24 VDC power supply and circuit breakers (index of design phases).

6-Power Supply and Circuit Breakers

The design of the power distribution of the control panel is an important aspect that can greatly influence the availability of the plant. This point is not always given the necessary attention.

Power supply

Let’s look first at the 24 VDC power supply needed in many control cabinets. Our recommendations are as follows:

-Perform a conservative calculation of the power required, applying a coherent simultaneity factor and adding at least 20% reserve.
-Analyze the voltage range allowed by the 24 VDC consumers in order to design the power supply correctly.
-Analyze the behavior of the power supply throughout the operating temperature range. This information is provided by the manufacturer.
-Analyze the behavior of the power supply in the case of micro-cuts in the input voltage, especially if we are dealing with unstable power networks.
-Use a redundant power supply configuration whenever possible. Different technologies and commercial modules exist that allow both power supplies to be used in a balanced way.
-Analyze what type of 24 VDC loads we have and how we are going to distribute and protect the different power lines. The design must take into account whether any of these loads can demand consumption peaks that adversely affect the rest; if so, it will be important either to consider this in the power calculation or to use electronic circuit breakers with adjustable current limiting.
-Analyze the efficiency of the power supply, because it matters both for electrical consumption and for heat dissipation inside the cabinet.
-Depending on the environment and the application, analyze whether the design needs to include a capacitor bank to avoid problems caused by micro-cuts in the supply, as well as whether DC/DC converters are necessary to isolate zones from each other, or an uninterruptible power supply (UPS).

Power Distribution

The distribution of power and the selection of circuit breakers is generally not complicated. The most important thing is to define correctly the number, levels and protection current of each circuit breaker so that the protection and discrimination of each line are correct. The design must minimize common mode failures as far as possible, i.e., no single fault should cause the unintentional trip of two or more breakers. This is especially important when designing a redundant system with redundant power supplies and separate protection on each channel. For example, it is not a good design to use a single circuit breaker to protect both power supplies in a redundant system, or to use a single circuit breaker to protect all the power to field elements such as solenoid valves, etc. In any case, all this depends on the design criteria and on whether the budget is sufficient.

Another aspect to consider in the design of the power distribution is the difference between AC and DC, since it is very common to use the same type of circuit breakers for everything without analyzing whether this is actually correct. The DC tripping curve is different, with a factor of 1.3. Keep in mind that if we want to make a very efficient design, adjustable electronic circuit breakers are an option; in certain applications they may be necessary.

Link to next phase.
In this section we try to explain many basic concepts about the design of control systems that are not always clear, and we recommend some good practices on how to carry out the design. We cover many aspects: the control panel, options for redundant architectures, the design of a fail-safe system, 2-out-of-3 logic, etc.