IEC 61508 Intro2


ICS Triplex & IEC 61508

TRUSTED Fault Tolerant Technology


How can you make a plant really safe?

Do not build it in the first place.

Not Acceptable!

Do what the French did 200 years ago.

They passed a law requiring an explosives manufacturer to live on the premises... with his family.
Overconfidence & Complacency

After Three Mile Island, but before Chernobyl, the head of the Soviet Academy of Sciences said, “Soviet reactors will soon be so safe that they could be installed in Red Square.”

When the Bhopal plant works manager was informed of the accident, he said in disbelief, “The gas leak just can’t be from my plant. The plant is shut down. Our technology just can’t go wrong. We just can’t have leaks.”
Is 99.9% Good Enough?

If 99.9% were considered “good enough”:

 There would be 880,000 credit cards with the wrong information on the magnetic strip.
 The postal service would lose 16,000 pieces of mail every hour.
 22,000 checks would be deducted from the wrong account every hour.
Points to Consider

 What level of risk is acceptable?
 Is 99.9% good enough?
 Is it advisable to perform critical safety functions in the DCS?
 In emergency situations, what is the human error rate?
 Can a system that’s 10 times more reliable be less safe?
 If a safety system is unavailable, can the plant still be producing product?
 What about field devices - technology, redundancy, test intervals, etc.?
Control System Incident Occurrence By Phase

 Specification 44%
 Changes After Commissioning 20%
 Operations & Maintenance 15%
 Design & Implementation 15%
 Installation & Commissioning 6%

From ‘Out Of Control’, a compilation of incidents involving control systems, by the UK HSE
Process vs. Safety Control

 Process Control:
 Dynamic
 Faults self-revealing
 Repair time less critical
 Auto/manual transfers
 Relies heavily on operators

 Safety Control:
 Dormant
 Must test for hidden faults
 Repair time highly critical
 Should never be off-line
 Little reliance on operators
The Human Aspect

Accidents have occurred because:

 Operators did not believe rare events were real or genuine.
 Overload. When faced with life threatening situations and having to make decisions within one minute, humans have an error rate of 99%. (At Three Mile Island, there were over 100 alarms in 10 seconds.)
IEEE Std 603-1980
Standard Criteria for Safety Systems for Nuclear Power Generating Stations (1980)

The U.S. nuclear industry requires redundant safety systems which “shall be independent of and physically separated from each other...”

“The safety system design shall be such that credible failures in and consequential actions by other systems shall not prevent the safety system from meeting the requirements.”
Difficult Decisions

If these decisions were “easy”, the standards groups would have been done long ago.

Integrators, Vendors, Regulators, Users, Contractors, Consultants

...or are these the consultants?
Decision making processes

Intuition may be fine for some things... but not others.

“Eh... well... looks about right to me!” (OSHA Inspector)
Failure Modes

With a safety system, the concern shouldn’t so much be with how the system operates, but rather how the system fails. Safety systems can fail in two ways:

Initiating failures:
• fail-safe
• overt
• spurious
• costly downtime

Inhibiting failures:
• fail-danger
• covert
• potentially dangerous
• must find by testing
Example of a demand failure

A 200 million dollar satellite was once dropped because a 5 dollar relay stuck on a leased crane.
What is a Safety System?

Safety systems are designed to respond to conditions of the plant which may be hazardous in themselves, or if no action were taken could eventually give rise to a hazard. They must generate the correct outputs to prevent the hazard or mitigate the consequences.

Other common names:

 ESD Emergency Shutdown Systems
 SIS Safety Interlock (Instrumented) Systems
 BMS Burner Management Systems
 F&G Fire & Gas Systems
The Problem

 Which system is “best”?
 What technology should be used?
 Relay, solid state, PLC or TMR?
 What level of redundancy is appropriate?
 Single, dual or triple?
 How often should systems be tested?
 Monthly, quarterly, yearly or per shutdown?
 What about field devices?
 Technology, level of redundancy & test interval?
System Choices

 Pneumatic
 Relay
 Solid State
 Microprocessor

 Single
 Dual
 1oo2
 2oo2
 Hot back-up
 Triplicated

Considerations: System size, budget, risk, MMI, communication requirements, testing requirements, etc.
Question

Qualitatively, which system is “best”? Which gives the fewest nuisance trips? Which gives the best safety performance?

“PLCs, our vendor says we don’t need to test them!”
“Relays, tested monthly!”
“That’s crazy! TMR tested yearly!”
“No! Solid state, with triple sensors!”
“But what about diagnostics?”
“Ok, but what about the valves?”
“And what about complexity?”
“Yeah! And what about common cause?”
“Oh come on! Isn’t the DCS good enough?”
Performance Terms

Availability can be a very confusing term. Numbers like 99.9998% are difficult to relate to. (After all, 99.9% sounds "good enough" to most people.)

The complement, unavailability (or PFD, probability of failure on demand), is also difficult to relate to. (You need to use scientific notation.) Few can relate to a PFD of 2.3 x 10^-4.
Simplex System Performance

1oo1: a single channel A, Input -> CPU -> Output.

Spurious trip probability (input + CPU + output): .006 + .008 + .006 = 0.02
Failure on demand probability (input + CPU + output): .003 + .004 + .003 = 0.01

Probabilities    Spurious    Demand
1oo1             0.02        0.01
Dual System Performance

1oo2: channels A and B feeding a vote; either channel alone can trip the output.
2oo2: channels A and B feeding a vote; both channels must agree to trip the output.

Probabilities    Spurious    Demand
(1oo1)           0.02        0.01
1oo2             0.04        0.0001
2oo2             0.0004      0.02
Hot Back-up PLC

Two CPUs, A and B, behind a switch; both share a single set of I/O and the same field devices, so only the CPU is duplicated.

Probabilities    Spurious    Demand
(1oo1)           0.02        0.01
1oo2             0.04        0.0001
2oo2             0.0004      0.02
Hot Backup       0.012       .006
Basic 2oo3 Fault-tolerant System

Three independent channels A, B and C, each In -> CPU -> Out.
Basic Triple System Performance

Channels A, B and C feeding a 2oo3 vote.

Probabilities    Spurious    Demand
(1oo1)           0.02        0.01
(1oo2)           0.04        0.0001
(2oo2)           0.0004      0.02
2oo3             0.0012      0.0003
Quad system

Two pairs of channels (A/A and B/B), each pair with its own check.

Probabilities    Spurious    Demand
(1oo1)           0.02        0.01
(1oo2)           0.04        0.0001
(2oo2)           0.0004      0.02
(2oo3)           0.0012      0.0003
Quad             0.0008      0.0002
Slightly more advanced Fault-tolerant System (SIFT)

Three channels A, B and C, each In -> V -> CPU -> Out, where V is a software vote on the inputs.

Equivalent model: 2oo3 In & 2oo3 CPU & 2oo3 Out
The Best System, Trusted ICS - HIFT

Three channels A, B and C, each In -> V -> CPU -> V -> Out, with hardware voting (V) on both inputs and outputs and a voted shared Memory.

Equivalent model as drawn: 2oo3 In, 2oo3 CPU*.3, 2oo3 CPU*.4, 2oo3 CPU*.3, 2oo3 Out
Comparison Between Architectures

Probabilities    Spurious    Demand
(1oo1)           0.02        0.01
(1oo2)           0.04        0.0001
(2oo2)           0.0004      0.02
(2oo3)           0.00012     0.0003
Quad             0.0008      0.0002
SIFT             0.00070     0.00017
Trusted ICS      0.00028     0.00007    The best system
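The spurious-trip and failure-on-demand figures tabulated for 1oo1, 1oo2, 2oo2 and 2oo3 on the slides above can be reproduced from the 1oo1 per-channel values, which is what the following Python does; it is an added example, not code from the original presentation or from ICS Triplex. It assumes independent channel failures (no common-cause term), computes the first-order figures the slides tabulate alongside the exact binomial values, and leaves out the Quad, SIFT and Trusted models, whose internal structure the page gives only as a diagram.

```python
from math import comb

# Per-channel figures from the simplex (1oo1) slide: input + CPU + output.
P_SPUR = 0.006 + 0.008 + 0.006   # spurious (fail-safe) trip probability = 0.02
P_DEM = 0.003 + 0.004 + 0.003    # failure-on-demand (fail-danger) probability = 0.01

def p_at_least(k, n, p):
    """Probability that at least k of n independent channels are each in a
    state that has probability p (plain binomial tail)."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))

def moon_exact(m, n, p_spur=P_SPUR, p_dem=P_DEM):
    """MooN voting: the logic trips when m of n channels call for a trip.
    A spurious trip needs m channels to trip falsely; a failure on demand
    occurs when fewer than m channels respond, i.e. when at least n-m+1
    channels have failed to danger. Independent failures are assumed
    (no common-cause contribution), as on the slides."""
    return p_at_least(m, n, p_spur), p_at_least(n - m + 1, n, p_dem)

def moon_first_order(m, n, p_spur=P_SPUR, p_dem=P_DEM):
    """Leading term only, which is what the slides tabulate
    (e.g. 1oo2 spurious = 2 x 0.02 = 0.04, 2oo3 demand = 3 x 0.01^2 = 0.0003)."""
    return comb(n, m) * p_spur ** m, comb(n, n - m + 1) * p_dem ** (n - m + 1)

ARCHITECTURES = {"1oo1": (1, 1), "1oo2": (1, 2), "2oo2": (2, 2), "2oo3": (2, 3)}

def comparison():
    """{name: (spurious, demand)} for the four voted architectures on the slides."""
    return {name: moon_first_order(m, n) for name, (m, n) in ARCHITECTURES.items()}

def safer_but_less_reliable(a, b):
    """True when architecture b fails on demand less often than a but trips
    spuriously more often: 'more reliable' and 'safer' can pull in opposite
    directions, which is the trade-off behind the slides' question."""
    spur_a, dem_a = moon_first_order(*ARCHITECTURES[a])
    spur_b, dem_b = moon_first_order(*ARCHITECTURES[b])
    return dem_b < dem_a and spur_b > spur_a

if __name__ == "__main__":
    for name, (spur, dem) in comparison().items():
        ex_spur, ex_dem = moon_exact(*ARCHITECTURES[name])
        print(f"{name}: spurious {spur:.4g} (exact {ex_spur:.4g}), "
              f"demand {dem:.4g} (exact {ex_dem:.4g})")
```

Note that 2oo2 is the most "reliable" scheme (fewest nuisance trips) yet the least safe, while 1oo2 is the reverse; 2oo3 is the first arrangement that improves on 1oo1 in both columns.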
What About Certification?

 Product certification (logic system) provides an independent review of the product to ensure that it operates in a safe manner.
 The most common standard used is: DIN V 19250 & DIN V VDE 0801
 The most common certifying agency is TuV.
 The DIN standard specifies safety categories expressed as AK1 to AK8 with AK8 being the most safe.
Certified Product

[Diagram: Sensors -> Input Modules (Digital Input, Analog Input, Digital Input, Analog Input, Digital Input) -> Logic Modules (And, Timer, Or) -> Output Modules -> Outputs. The certification (AK6) covers the logic modules only.]
Control System Incident Occurrence By Phase

 Specification 44%
 Changes After Commissioning 20%
 Operations & Maintenance 15%
 Design & Implementation 15%
 Installation & Commissioning 6%

From ‘Out Of Control’, a compilation of incidents involving control systems, by the UK HSE
How Can Safety be Improved?

 Hardware can be easily quantified.
 What about software?
 What about the field devices?
 What about people errors?

The new standard intended to address all of these issues is IEC 61508. It takes a whole lifecycle approach and addresses safety on a loop by loop basis and not just the logic solver.
Certified Loop

[Diagram: Sensors -> Input Modules (Digital Input, Analog Input, Digital Input, Analog Input, Digital Input) -> Logic Modules (And, Timer, Or) -> Output Modules -> Outputs. The certification (SIL 3) covers the whole loop from sensors to outputs.]
Safety Integrity Levels (SIL)

IEC 61508 defines four levels of integrity: 4 (highest), 3, 2 and 1 (lowest).

 Definition: ‘Discrete level for specifying the safety integrity requirements of the safety functions to be allocated to the E/E/ES safety-related system’.
 Integrity below that of SIL 1 is often termed ‘SIL 0’.
 ‘SIL 0’ is not an officially recognised term.
Risk Reduction

[Diagram: the risk inherent in the process is reduced in stages by the BPCS, the SIS and other protection layers down to the acceptable risk level.]
What are SIL levels

[Diagram: Risk Assessment of the plant risks (high to low) determines the SIL, which sets the Risk Reduction the plant safety loop must provide. Scope: People, Products, Process.]
Safety Lifecycle (Process)

1 Concept
2 Scope Definition
3 Hazard & Risk Analysis
4 Safety Requirements
5 Requirements Allocation

Overall planning:
6 Overall operation & maintenance planning
7 Overall safety validation planning
8 Overall installation & commissioning planning

9 Safety-Related systems: E/E/PES Realisation
10 Safety-Related Systems: Other technology Realisation
11 External risk reduction facilities Realisation

12 Installation & Commission
13 Safety Validation
14 Operation, Maint. & Repair
15 Modification & Retrofit (back to appropriate overall safety lifecycle phase)
16 Decommissioning

Competence of Persons

 Roles & Responsibilities
 What specific tasks need to be performed?
 Who will ensure the success of each task?
 Suitability
 Are the right people in the right role?
 Attributes...
 Qualifications
 Training
 Experience
Key safety factors of the Product

 Reliable (under stressed) hardware
 Quality checked firmware + application software
 Predictable response to diagnosed failures
 Avoidance of common mode failures (all elements)
 Hardware / Software / Humanware
 Realistic performance assessment and targets
Key Concepts of IEC 61508

 Competence of Persons

 Safety Lifecycle

 Risk Based Approach

 Safety Functions

 Safety Integrity Level

 Functional safety Assessment


IEC 61508 Summary

 Safety Lifecycle Approach
 Careful Management
 QMS and Project Management not enough!
 Safety Management needed
 Key Features - People, Product & Process
 A complementary mix of techniques required
 Functional Safety Assessment
How can ICS Triplex Help?
ICS Triplex provide the following services:
 Safety Integrity Assessments
 Risk assessments
 Reliability/Availability studies
 Basic design philosophy preparation ESD, F&G
 Production and Resource protection analysis
 Failure mode and Effect analysis
 Health Safety & Environment studies
 System process to IEC 61508
 IEC 61508 training
 IEC 61508 Consultancy
 IEC 61508 Assessment
 IEC 61508 life cycle management
 Product to IEC 61508
IEC 61508 and Plant Upgrades

Safety Case requires Instrumented Safety to be addressed. IEC 61508 is the most effective route.

ICS Safety Services can help you assess:

 Tolerable risk for your site
 Existing hazard level
 Risk Reduction (SILs) required
 Risk Reduction from existing equipment
 Compliant operational and maintenance strategies
 Minimum-cost solution to meet IEC 61508

Our range of associated upgrade services includes:

 Hazard and Risk Assessment
 Site Surveys
 Compliant C&I Upgrade Design
 Upgrade Cost Estimation
 C&I Upgrade Project/Contract Management
 Documentation Upgrade

ICS SAFETY SERVICES
Summary

 “Trusted” Hardware designed to be integrated using simple build rules.
 IEC 1131 programming tools to provide modular application programs.
 Secure Operating system which increases the integrity of the software.
 Qualified engineers and in house systems to ensure integrity of the application.
 Mixed SIL level systems are possible to reduce costs.
 ICS Triplex provide a full range of IEC 61508 services.
We cannot do it on our own

 Designing and building for safety is a joint effort (Operator, Contractor & ICS Triplex) which requires all parties to work together.
 IEC 61508 provides the guidance and principles to meet the safety life cycle requirements to protect your personnel, assets and environment.

ICS Triplex are ready to provide the solutions.
