
News

Friday 10 May 2002

Abstracts of the TÜV symposium on Programmable Electronic Systems

On May 7 and 8 the "5th International Symposium on Programmable Electronic Systems in Safety Related Applications" took place in Cologne (Germany). The symposium hosted the following sessions:

- Invited talk
- Applications I
- Software
- Safe communication I
- Applications II
- Specific application aspects
- Safe communication II
- Field instrumentation
- Safety related level sensors
- Experience with IEC 61508

An overview of the presented papers follows:

Title: The IEC 61511 – A standard for process industry
Author(s): Vic Maggioli, Feltronics Corp., USA
Abstract:
The speaker addressed the current status of the IEC 61511 draft standard.
Progress to date:
Parts 1, 2 and 3 of IEC 61511 have received a positive vote at CDV. The
current position is:
- IEC 61511-1, covering framework, definitions, system, hardware and software requirements, is being reviewed by the Task Group for editorial errors and will be submitted to SC65A Secretariat for processing as an FDIS in February 2002.
- IEC 61511-2, covering guidelines on the application of IEC 61511-1, is being updated to align with the FDIS version of IEC 61511-1 and will be submitted to SC65A Secretariat for processing as an FDIS in October 2002.
- IEC 61511-3, covering guidance for the determination of the required safety integrity levels, was submitted to SC65A Secretariat in January 2002 for processing as an FDIS.

Title: Revamping safety control systems of the ammonia plants at SKW
Author(s): Dirk van der Herten, Invensys Systems, D, Ulrich Jurth, SKW Piesteritz
Summary:
As the result of a safety analysis of both ammonia plants at SKW Stickstoffwerke Piesteritz GmbH, it was decided that the safety control system needed to be modernized. Since the technical structure of the existing PLC-supported safety devices does not permit them to be retrofitted to meet requirements, the owner decided to completely replace the existing safety technology.

The safety of the switching functions to be implemented as well as the need for high availability of the ammonia plants due to economic considerations demanded that the safety technology selected should meet the specifications of requirement class 6 in accordance with DIN 19250. From a technological standpoint, the comprehensive technical solution of the brand TRICONEX from the company Invensys was deemed to be optimal for the ammonia plants' safety system. This PLC ensures uninterrupted operation, even if individual modules of the controller exhibit hardware errors or if transient interference from internal or external devices occurs.

Communication between the PLC and operation and monitoring panel occurs through fail-safe optical fiber cables; data is transferred to the control system (DCS) via a modbus. Signals that are also DCS measuring points are isolated and decoupled through isolating transformer modules. Most signals are verified for plausibility in the PLC. In addition to the usual 2-out-of-3 method, a programmed decision logic based on process relationships was also used to check the plausibility of the incoming measured value. This is done primarily for the purpose of machine protection.

Following initial hardware installation, programming and preliminary testing, within 4 weeks the system was connected to the plant while it was shut down. After extensive TÜV testing and acceptance, the new safety control systems were put into operation before the ammonia plants were started up and have been operating smoothly ever since.

Title: Programming safety-related PES with Standard IEC 61131-3, Application Burner control
Author(s): Uwe Jülly, HIMA GmbH+Co KG, D
Abstract:
In the standard IEC 61508 “Functional Safety of safety-related PES“ it is clearly said that the documentation shall be accurate and concise, easy to understand by those persons having to make use of it, suit the purpose for which it is intended, accessible and maintainable. One important step to fulfill these requirements was the implementation of the programming standard IEC 61131-3. Safety-related systems are not very complex. In the past simple fail-safe hardware modules or relays have been used and so many users implement the same “simple“ functions in their programs. Even more complex functions like voting, burner controls etc. are programmed with Boolean elements, ignoring the more powerful functions which are now available. A burner control is a typical sequence control because the purge, ignition and finally the normal operation are different states of the control. Steps cannot only be defined for the normal sequence but also for disturbances or errors. Several programming examples are shown for voting, analog/digital converters, blocks for burner controls and valve blocks. Even more complex functions can be easily understood, maintained and modified. The complexity of a program does not depend on a high number of different function blocks, but on a small number of often used, identical function blocks! A small number of well-proven function blocks in well-organized libraries is the right base for powerful and economic engineering.

Title: How to use lifecycle models for Process Safety Management ?
Author(s): Bert Knegtering, Honeywell, NL, Jan Rouvroye, Eindhoven University of Technology, NL
Abstract:
In spite of the application of a wide variety of safeguarding measures, many accidents in the process industries still happen today. Experiences gained from these past accidents have led to the development of an increasing number of technical solutions. One of the best known and widely accepted technical solutions concerns the use of Safety-instrumented Systems (SIS). In order to control the design and implementation of these technical solutions, numerous safety-related standards have been written.
These safety standards are comprised of technology-oriented requirements concerning ‘adequate’ implementation of the designed solutions. Consequently, compliance with these standards is often considered to be ‘good engineering practice’. Compliance with these technical standards, however, did not prevent several major accidents. As a result of the continuously growing complexity of both industrial processes and the related safety-instrumented systems, it appears that new kinds of problems have arisen. As this paper will show, many of these specific problems are related to the control of safety-related business processes. This is illustrated by a study performed by the British HSE. The HSE investigated the extent to which failures contributed to explosions in gas-fired plants in 1997. The failures were categorized into four groups:
- Equipment failure 12.5%
- Lacking equipment 8.3%
- Poor Maintenance 8.3%
- Process Safety Management 70.9%

Review of recent studies on incidents and accidents shows problems regarding the quality of information on potential accidents and the related technological solutions. Therefore, adequate control of the quality of safety-related information seems to be of essential importance if realization of an acceptable safety level is to be achieved. As an answer to solve these problems related to business processes, recent standards on SIS have defined safety lifecycle models. Safety lifecycle models are considered to form an adequate framework to identify, allocate, structure, and control safety-related requirements. Standards on SIS often specify lifecycle phases of these models in terms of objectives, required inputs, and required outputs. A description of the objectives, inputs and outputs characterizes these aspects. It appears, however, that characterization itself is not always good enough to adequately achieve the defined objectives. This resulted in the definition of the following questions. The first question concerns the way in which lifecycle models can be used to improve safety-related business processes. It is subsequently questioned what exactly is included in each phase, and which other factors determine the quality of the objectives to be achieved in each phase. The third research question is how the lifecycle phases are mutually related, and how the quality of the completion of one phase influences the quality of the passing through of a subsequent phase, and how the quality of information exchanged between lifecycle phases could be controlled. A fourth question is how to measure these quality aspects in order to be able to control them.

Title: Opportunities and benefits of FMEA in the development process of software-intensive technical systems
Author(s): Oliver Mäckel, Siemens AG, D
Abstract:
Technical systems are prevalent in many areas of our society. Nowadays they often include a considerable amount of software. Identification and avoidance of technical risks is of major importance in the development of these software-intensive technical systems. A powerful analysis technique in the development process for technical systems is the Failure Mode and Effects Analysis (FMEA). This technique has proved very effective in avoiding failures in many areas of industry. However, there is to date no widespread use of the FMEA technique for software-intensive systems. Objectives and benefits of carrying out FMEAs on software will be discussed along with advantages, areas of application, weaknesses and constraints.

Title: A comparison of different software certification schemes
Author(s): Hendrik Schäbe, TÜV Inter Traffic, D
Abstract:
The paper gives a short overview of existing software certification schemes. The IEC 61508 is discussed as a basis for a certification scheme. A new software certification scheme used in space technology is presented. This certification scheme is inspired at several places by IEC 61508.

Title: Justifying the use of software of uncertain pedigree (SOUP) in safety related applications
Author(s): Peter Bishop, Adelard, UK
Abstract:
This short paper is intended to serve as an introduction to a publicly available research study undertaken by Adelard for the UK Health and Safety Executive [1]. The main focus for this project was “software of uncertain pedigree” (SOUP) used in safety related applications. It outlines an overall safety justification approach and ways in which the use of SOUP can be incorporated within that approach. The full report is available from the HSE web site.

Title: Introduction to NetLinx safety
Author(s): Ed Korsberg, Rockwell, USA
Abstract:
This paper introduces a safety network protocol that is deployed on NetLinx networks, which include DeviceNet, EtherNet/IP, ControlNet and ControlBus. This protocol, known as NetLinx Safety, is an extension of the DeviceNet safety protocol concept approved by BIA and TÜV. All NetLinx networks use a common application framework known as CIP (Control and Information Protocol). The scope of the design will be a safety protocol to be used on message passing buses.
Our approach uses the safety processes and coding as recommended by The German Safety Bus Committee for safety data transmission on a standard network. This method relies on providing measures for possible transmission errors as defined in prEN50159-1.

Title: Safety related communication, example IDA-safety
Author(s): Peter Wratil, innotec, D
Abstract:
This document gives an overview of the principle of operation of IDA-Safety. The focus is on the safety-related data transfer, the format and the services. For more information concerning IDA, see www.ida-group.org. Within the IDA organization, the IDA Safety working group has undertaken the task of developing a data transfer profile, which can be used to transmit safety data. The necessary data format must meet the requirements of EN 954-1 (Category 4). An appropriate level of redundancy must also be provided in the protocol and a procedure should describe how errors can be detected and removed according to SIL 3 (see EN 61508).

Title: PROFIsafe, safety related configuration
Author(s): Herbert Barthel, Wolfgang Stripf, Siemens AG, D
Abstract:
PROFIsafe gains growing popularity amongst users, device and system manufacturers. One reason may be its comprehensive and universal solutions not only covering the safe communication between controllers and field devices but support for features like integrated commissioning and diagnostics, manual and program controlled parameterization and its suitability for manufacturing and process industries also.

Title: User problems and solutions for the integration of safety-related programmable electronic systems
Author(s): Udo Hug, InfraServ, D
Abstract:
Safety-related programmable electronic systems (SSPC) have been in use in the KALLE-Albert industrial park since 1988. InfraServ Wiesbaden now supports 27 SSPC systems. The support extends from program modifications up to the maintenance of the SSPC. During the engineering and construction of new plants we cover the complete scope of services (concept preparation, planning of execution, programming, test procedure, erection of the plant etc.). More than 10 years of experience with SSPCs are reflected in this lecture.

Title: Designing crane controls with applied mechanical and electrical safety features
Author(s): Thomas A. Walczak, GE Fanuc, USA
Abstract:
The use of overhead traveling bridge cranes in many varied applications is common practice. In particular, the use of cranes in the nuclear, military, commercial, aerospace, and other industries can involve safety critical situations. Considerations for Human Injury or Casualty, Loss of Assets, Endangering the Environment, or Economic Reduction must be addressed. Traditionally, in order to achieve additional safety in these applications, mechanical systems have been augmented with a variety of devices. These devices assure that a mechanical component failure shall reduce the risk of a catastrophic loss of the correct and/or safe load carrying capability.
ASME NOG-1-1998 (Rules for Construction of Overhead and Gantry Cranes, Top Running Bridge, and Multiple Girder) provides design standards for cranes in safety critical areas. Over and above the minimum safety requirements of today's design standards, users struggle with obtaining a higher degree of reliability through more precise functional specifications while attempting to provide “smart” safety systems.
Electrical control systems also may be equipped with protective devices similar to the mechanical design features. Demands for improvement of the crane's “control system” are often recognized, but difficult to quantify for this traditionally “mechanically” oriented market. Finite details for each operation must be examined and understood. As an example, load drift (or small motions) at close tolerances can be unacceptable (and considered critical). To meet these high functional demands, encoders and other devices are independently added to control systems to provide motion and velocity feedback to the control drive. This paper will examine the implementation of Programmable Electronic Systems (PES). PES is a term this paper will use to describe any control system utilizing any programmable electronic device such as Programmable Logic Controllers (PLC), or an Adjustable Frequency Drive (AFD) ‘smart’ programmable motion controller. Therefore the use of the term Programmable Electronic Systems (PES) is an encompassing description for a large spectrum of programmable electronic control devices.

Title: The application of IEC 61508 in the automotive sector
Author(s): Günter Glöe, Folkert Jürgens, Gerhard Rabe, TÜV Nord e.V., D
Abstract:
With IEC 61508 there is an international standard available that provides profound guidelines for the development and use of high quality embedded systems. At first glance it looks as though the standard might be fit for practical application.
However, going into every detail of the standard and dealing with the requirements demanded there leads to severe problems, which are based mainly on the size of the standard and the very high number of requirements. In addition a majority of requirements is ‘hidden’ somewhere in the text and not obviously identifiable.
To solve this problem it is recommended to use support tools. In the following presentation it will be demonstrated how IEC 61508 is being applied in a concrete project and which procedures have been developed to make work efficient and to meet the customer's time and cost requirements.

Title: SIS implementation practice changes in the chemical industry (IEC 61511)
Author(s): Helmut Bezecny, DOW Deutschland GmbH & Co. OHG, D
Abstract:
IEC 61511 will change the way safety related functions are implemented according to DIN and VDE in Germany today. This paper addresses mainly differences in the selection of instrumentation, in particular the aspects of redundancy, mean time to fail, diagnostics and proof test interval related to the SIL. Starting with the basic PFD requirements of the SIL table, the relationship between these characteristics is shown on a typical PFD calculation formula. Differences resulting from variation of the characteristics are explained with examples. Another new aspect is the fault tolerance requirement, which is explained on the basis of IEC 61511-1 table 5b. Finally a SIS example shows how a SIL 2 protection function is realized.

Title: IT security for safety-critical automation systems
Author(s): Martin Naedele, ABB, CH
Abstract:
The protection of safety-critical and infrastructure systems (such as automation systems for utilities, but also for manufacturing plants) against electronic and communication network based attacks becomes more and more important. This paper investigates how such safety-critical plants and automation systems can be secured against information system and network based attacks. The two common approaches, hard perimeter and defense-in-depth, are discussed. Based on the defense-in-depth approach, a conceptual, generic security zone model for use in analysis and synthesis of a plant security architecture is proposed, and for each of its zones a survey of the available and appropriate security mechanisms is given. Using an example from the substation automation domain, it is shown how threats and counter-measures can be systematically derived and how the specific system and usage characteristics of automation systems (or at least their restricted safety critical sub-functions) can be exploited in a positive way to deploy security mechanisms that would in this form not be available and applicable to home or office information systems.

Title: ASI Safe Case Studies
Author(s): Keith Povey, Newfield Automation, UK

Title: Safe sensors become integral part of plant safety
Author(s): Thomas Kramer, Pilz GmbH, D
Abstract:
This article shows the state of art of safe sensors. A special focus is on the needs of designers and operators of process plants and factory automation. In addition the specific needs and challenges of safe sensors are discussed.

Title: Interbus safety – The fieldbus for standard and safety data
Author(s): Karsten Meyer-Gräfe, Phoenix Contact GmbH & Co. KG, D
Abstract:
Over the last few years safe bus systems have been increasingly used for communication in machine and system production. However, their application is only worthwhile if it can meet a large number of user requirements. Interbus Safety is consistently oriented towards the requirements of machine and system operators. In addition to the high degree of flexibility, ease of operation, and reduced cabling costs, the system offers comprehensive diagnostic functions, which significantly reduce failures or downtimes. Short process and response times complete the safety system profile, which is independent of the host and control system and can be retrofitted in existing machines.

Title: Interfacing safety fieldbus devices with safety relevant sensors and actuators
Author(s): Wolfgang Tausch, Heinz Scharlibbe, Bernstein AG, D
Abstract:
The conventional method of applying safety gear to automation processes has been well known for some decades. On the other hand, numerous publications and congresses deal with the distribution of safety relevant data, safety fieldbus systems and safe PLCs. Interfacing the two worlds is a common task, but not very often talked about. Bernstein AG, as a known supplier of conventional safety technology, has learned quite a lot about these interface needs in our own recent safety fieldbus developments (especially with CANopen Safety):

- What are possible types of safety relevant input sources?
- What input circuitry is adequate to read safety switches or safety sensors?
- What are the properties of known safety output stages?
- Are there special wiring requirements for such safety outputs?
- What will be future developments?

Title: Improving processing plants safety with smart emergency valves and web-based data collection and distribution
Author(s): Jussi Mäkinen, Metso Automation, FIN
Abstract:
Safety is an increasingly important issue in the process industry. It can affect production efficiency by offering a reliable back-up in case of process upset. The new IEC 61508 is bringing a big challenge for process operators to select correct ESD valves. Neles metal seated valves have been used in various industries and have always had an extremely long service life cycle. The measured MTBF (Mean Time Between Failures) indicates the reliability of a valve. In a safety loop the Probability to Fail on Demand (PFD) of the total loop is the key measure. This means that if the valves are reliable and their service life time is long, it is safe to select a Metso valve for a safety loop. Metso has developed a digital valve monitoring device called Neles ValvGuard. This is a totally new method to test and prove, by on-line testing, the availability of a safety/emergency valve. The Neles ValvGuard system automatically tests the valves based on a programmed testing interval. The valves can make test strokes between every minute up to once a year or more if so desired. There are two different tests: the valve test, which physically moves the valve by the desired stroke size, and the pneumatic test, which measures the pressure change through the spool valve.
According to the new IEC 61508 safety standard, safety valve diagnostics are a mandatory part of the testing procedure. Diagnostics indicate how well the valves are operating: not only that they move, but also clearly indicating how much safety margin is still available. From every test the data is automatically collected. This data can be distributed to responsible persons and saved into the database. Whenever testing evidence is needed for authorities or insurance companies it is easily available, even via e-mail if so desired. On-line warnings and distribution are also available with Neles FieldBrowser.

Title: Safety related level sensors
Author(s): Heinz Gutmann, Endress+Hauser, D

Title: Practical experience with IEC 61508 in projects
Author(s): Arian Slagt, Yokogawa, NL
Abstract:
In this presentation I will look at the requirements of IEC 61508, and how to apply them in real life projects. In this case “project” is not limited to the delivery of a Safety Instrumented System, but the scope also includes the “contractor's” role.
In the literature a lot of attention has been paid to technical details like PFD calculations and configuration of logic solvers (what is better: inherently safe, 1oo2D, 2oo3, 2oo4D, 3oo5D?). Note that all important PLC systems on the market are certified by TUV or another accepted certifying body for use in loops up to SIL3. Also the availability of these systems is comparable.
The big challenges of the safety lifecycle are not found in these technical details, but in the interaction between end-user, contractor and safety supplier to reach an acceptable and verifiable safety solution. From that point of view the following 3 items will be highlighted:
1. Safety function classification
2. Safety requirement specification
3. Safety loop integrity calculation
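The PFD-versus-SIL relationship that the Bezecny abstract (redundancy, diagnostics and proof test interval on a PFD formula) and the Slagt abstract (safety loop integrity calculation) both refer to, worked through as an added example that is not code from any symposium paper. It uses the commonly quoted simplified low-demand PFDavg approximations for 1oo1, 1oo2 and 2oo3 subsystems, sums them per loop and maps the result to the IEC 61508 SIL bands; the failure rates, diagnostic coverages and test intervals are constructed sample values.

```python
"""Simplified average-PFD (low demand) calculation for a safety loop.

Added example, not taken from the symposium papers. Sensor, logic solver
and final element PFDs are summed (first-order series approximation);
per-subsystem formulas are the usual simplified ones. Sample numbers are
constructed for illustration only.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0

# IEC 61508 low-demand SIL bands: (SIL, lower bound incl., upper bound excl.)
SIL_BANDS = (
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
)


@dataclass
class Subsystem:
    name: str
    lambda_d: float          # dangerous failure rate, per hour
    dc: float                # diagnostic coverage, 0..1 (detected fraction)
    proof_test_years: float  # proof test interval TI
    architecture: str        # "1oo1", "1oo2" or "2oo3"
    beta: float = 0.0        # common-cause factor for redundant channels

    def lambda_du(self) -> float:
        """Dangerous undetected rate: only failures the diagnostics miss
        accumulate until the next proof test."""
        return self.lambda_d * (1.0 - self.dc)

    def pfd_avg(self) -> float:
        """Simplified PFDavg approximations (valid while lambda_du*TI << 1)."""
        x = self.lambda_du() * self.proof_test_years * HOURS_PER_YEAR
        if self.architecture == "1oo1":
            return x / 2.0
        if self.architecture == "1oo2":
            return x ** 2 / 3.0 + self.beta * x / 2.0
        if self.architecture == "2oo3":
            return x ** 2 + self.beta * x / 2.0
        raise ValueError(f"unsupported architecture {self.architecture!r}")


def sil_for_pfd(pfd: float) -> int:
    """Map PFDavg to a SIL; 0 means below SIL 1, 4 is the table's ceiling."""
    if pfd >= 1e-1:
        return 0
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 4


def loop_pfd(subsystems) -> float:
    """Series loop: PFDs of independent subsystems add (first-order)."""
    return sum(s.pfd_avg() for s in subsystems)


def example_loop(valve_test_years: float = 1.0):
    """Constructed trip loop: 1oo2 transmitters, 1oo1 logic solver,
    1oo1 shutdown valve. Returns (per-subsystem PFDs, loop PFD, SIL)."""
    loop = [
        Subsystem("transmitters", 1e-6, 0.60, 1.0, "1oo2", beta=0.05),
        Subsystem("logic solver", 5e-8, 0.99, 1.0, "1oo1"),
        Subsystem("shutdown valve", 2e-6, 0.00, valve_test_years, "1oo1"),
    ]
    parts = {s.name: s.pfd_avg() for s in loop}
    total = loop_pfd(loop)
    return parts, total, sil_for_pfd(total)


if __name__ == "__main__":
    for ti in (1.0, 0.25):
        parts, total, sil = example_loop(valve_test_years=ti)
        print(f"valve proof test every {ti} y:")
        for name, pfd in parts.items():
            print(f"  {name:15s} PFDavg = {pfd:.2e}")
        print(f"  loop PFDavg = {total:.2e}  -> SIL {sil}")
```

The second run shortens only the valve's proof test interval, which is the lever the on-line valve testing in the Mäkinen abstract targets; in this constructed loop the undiagnosed final element dominates the loop PFD.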

Title: Closed loop safety PLC Systems, Concepts for safe IEC 61131-3 compliant PLC Systems
Author(s): Stefan Angele, infoteam Software GmbH, D
Abstract:
The architecture of PLC systems for safety related applications is usually driven by hardware dependent safety issues. Programming and engineering software systems are developed with huge efforts to fulfill safety requirements focused on individual target environments. infoteam Software GmbH as a provider of standard IEC 61131-3 programming and runtime environments now presents hardware independent concepts as a closed loop of safety mechanisms affecting all layers of a universal safety PLC system architecture. The selective usage of diversity is “closing the gap” of traceability between the user and the running system.

Title: Requirements for the use of ASICs in safety related applications
Author(s): Mario Mai, BIA, D; Thomas Huber, TÜV Anlagentechnik GmbH, ASI, D
Abstract:
Cost reduction is a general request of nearly every company. For that reason circuit designers use more and more ASICs instead of large, cost intensive and less reliable printed wiring boards. When using ASICs in safety related applications special requirements have to be observed so that the products will achieve the required safety performance, e.g. a specified safety integrity level (SIL) according to IEC 61508. The use of one ASIC for a redundant architecture (fault tolerance greater than zero) may be possible under certain circumstances. Requirements for avoiding and controlling faults were discussed in a German working group and were proposed as input for the maintenance of IEC 61508. The working group consists of several members of research institutes, test houses and manufacturers of ASICs and safety devices. An ASIC lifecycle model describes all the steps that shall be realised in order to avoid faults. Additionally special architecture design rules have to be taken into consideration.

Title: Trip and alarm management in accordance with IEC 61508
Author(s): John Walkington, ABB Eutech, UK; Per Fjelldalen, ABB, N
Abstract:
In today's industry, operating companies are required to have a safety management system in place. For this purpose, many national and international standards have been composed.
One framework for the management of plant safety is provided by IEC 61508, a new international standard from IEC. The safety lifecycle approach detailed in this standard takes into consideration every step of the life of the safety system. It is clear that any safety system designer should determine its Safety Integrity Level, or SIL, as part of the design process.
Safety Integrity Levels can be determined, and safety systems managed, using Business Management Systems. The management systems come in several varieties, including bespoke and non-bespoke systems. As part of ABB’s Aspect Object architecture, several software packages have been developed for this purpose, including TRAC, which is used to determine the design configuration and Safety Integrity Level of a safety system. Other software packages are the safety management package TRAMS, and the inspection and maintenance management software HAZAIR.

The papers are available on CD-ROM for 18 Euros (+VAT) from TUVASI.