Fusion Engineering and Design 48 (2000) 57–61 www.elsevier.com/locate/fusengdes

Process control under safety aspects
T. Vollmer *, K. Borcherding, G. Hellriegel, R.-D. Penzhorn
Forschungszentrum Karlsruhe, Tritium Laboratory (TLK), P.O. Box 3640, 76021 Karlsruhe, Germany
Received 1 July 1999; received in revised form 17 December 1999; accepted 29 March 2000
Abstract
The safety of people and the environment is increasingly important in the operation and, consequently, also in the project design of process equipment. Rules and regulations for safeguarding industrial process plants (non-nuclear and nuclear) by means of process control engineering are either being developed or expanded. This includes the international harmonization of existing national codes. This article presents an introduction to the philosophy of ensuring plant safety by means of instrumentation and control protection systems. The methods of risk assessment are described, and various potential solutions are shown which are geared to achieving the necessary level of safety while, at the same time, allowing flexible operation to be maintained. Reference is made to the problems existing with respect to integrating people into this process, i.e. man-machine interaction, especially in view of possible interventions in emergencies. © 2000 Elsevier Science S.A. All rights reserved.
Keywords: Plant safety; Safe operation; Risk analysis; Safety instrumentation; Safety related systems; Reliability; Availability; HMI-errors
1. Introduction
The high degree of automation of modern plants demands detailed examination of all operational and safety aspects of the processes to be automated. The process control systems used for automation are also subject to the principles of safety technology when a potential of danger exists whose consequences need to be minimised by the automatic system. In such cases the automatic system assumes a safety role and has to fulfill all the requirements for its correct execution. In particular, the system has to prevent safety related failures and the resulting accidents and damages, especially injuries to personnel and the public. The human–machine interactions require much attention. Interventions by operators in emergency situations require careful examination, Litz [1], Nix [2].

* Corresponding author. Tel.: +49-7247-822866; fax: +49-7247-822868. E-mail address: [email protected] (T. Vollmer).
2. Development of safety technology (Engineering)
As a result of severe accidents in the seventies and eighties (e.g. Flixborough, Great Britain 1974 and Seveso, Italy 1976), new laws and regulations concerning the implementation of process control were adopted both nationally and internationally in order to enhance the safety of plants with potential hazards. These laws and regulations primarily serve to protect the operating personnel, the population living in the vicinity of industrial plants, and the environment from hazards associated with accidents, Früh [3]. In Germany, the VDI/VDE Guideline 2180 was adopted in 1984–1988, followed by the DIN V 19 250 and DIN V 19 251 as well as the DIN VDE 0801 standards in 1994 and 1995, among other regulations. The main international standard now applicable is IEC 61508, which includes the essential features of the above mentioned German standards.

0920-3796/00/$ - see front matter © 2000 Elsevier Science S.A. All rights reserved. PII: S0920-3796(00)00130-7
T. Vollmer et al. / Fusion Engineering and Design 48 (2000) 57–61
3. Process control systems for safety operation

3.1. Operation of process control systems as protective measures for safety of plants
In order to safeguard process engineering plants using process control technology, a clear distinction is made between safety related tasks and operating requirements. Therefore, process control technology systems are classified in the guidelines VDI/VDE 2180 [4] into four action ranges as shown in Fig. 1 taken from Ref. [4]. These are:
1. Basic process control systems
2. Process control monitoring systems
3. Safety instrumented systems
4. Process control damage limitation systems.
Basic process control systems are used for the correct operation of the plant within its normal operating range. They are used to achieve the automated functions necessary for production, which include measurement, control and regulation of all the process variables relevant to operation, as well as registration and recording of status information, actions, alarms etc. Process control monitoring systems act during the specified operation of a process plant whenever one or more process variables leave the normal operating range but there is no objection, for safety reasons, to continuing operation. The task of safety instrumented systems is to prevent an impermissible fault state of the process plant. Process control damage limitation systems operate during non-specified operation and reduce the effect on personnel or the environment in the event of an unwanted occurrence.
Fig. 1. Schematic diagram showing the operation of process control systems.
Fig. 2. Risk graph, Standard IEC 61508.
Fig. 1 represents, via three typical examples, the operation of different types of process control systems. Curve K1 shows a process variable that cannot reach the impermissible fault range. For curve K2 the process variable cannot cross the limit to the impermissible fault range, because there is another protective device (for instance a safety release valve, bursting disc, etc.) that replaces a safety instrumented system. In the case of curve K3 the safety instrumented system prevents the process variable from reaching the impermissible fault range. The use of safety instrumented systems for the protection of a plant, and their function and structure, must be decided in accordance with the safety review.
3.2. Systematic assessment of risks and protective measures
It is a demanding and complex challenge to make plants and processes safe by implementing safety instrumented systems. It requires a clear concept with a structured, systematic approach and standardized nomenclature. The technical complexity is a function of the risk. The risk to be evaluated is that which exists in the absence of the safety instrumented system. Risk is normally determined by the qualitative method of risk graphs in accordance with IEC 61508 [5] or another appropriate national standard. The requirement category, the Safety Integrity Level (SIL), as determined from the risk graph shown in Fig. 2 taken from Ref. [5], defines the requirements to be met by the safety instrumented system.
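As an added example that is not part of the paper, the following Python models the risk-graph step described above: the consequence, exposure and avoidance parameters select a row of the graph, the demand rate W selects the column, and the result is the required SIL, which is then compared with the PFD band a given protection system achieves. The row/column table and the PFD bands are reproduced from IEC 61508-5 Annex E and IEC 61508-1 as the editor recalls them, not from Fig. 2 itself, so treat them as assumptions to verify against the standard.

```python
# Added example, not from the paper. Rows X1..X6 and the W columns follow the
# generic risk graph of IEC 61508-5 Annex E as recalled here (assumption).
# Parameters: C consequence 1..4, F exposure 1..2, P avoidance 1..2,
# W demand rate 1..3; higher class = worse.
# None: no safety requirement; "a": no special requirement;
# "b": a single E/E/PE safety-related system is not sufficient.
RISK_GRAPH = {  # row -> {W3: ..., W2: ..., W1: ...}
    1: {3: "a", 2: None, 1: None},
    2: {3: 1, 2: "a", 1: None},
    3: {3: 2, 2: 1, 1: "a"},
    4: {3: 3, 2: 2, 1: 1},
    5: {3: 4, 2: 3, 1: 2},
    6: {3: "b", 2: 4, 1: 3},
}
# Target PFDavg per SIL, low-demand mode (IEC 61508-1): [low, high).
PFD_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}

def risk_graph_row(c, f, p):
    """Walk the C -> F -> P branches and return the row X1..X6."""
    if c not in (1, 2, 3, 4) or f not in (1, 2) or p not in (1, 2):
        raise ValueError("risk parameter out of range")
    if c == 1:  # for C1 the graph ends at X1 regardless of F and P
        return 1
    # every step to a worse class of C, F or P moves one row further down
    return 1 + (c - 1) + (f - 1) + (p - 1)

def required_sil(c, f, p, w):
    """Required SIL 1..4, or 'a' / 'b' / None as defined above."""
    if w not in (1, 2, 3):
        raise ValueError("W out of range")
    return RISK_GRAPH[risk_graph_row(c, f, p)][w]

def achieved_sil(pfd_avg):
    """SIL whose band contains pfd_avg; 4 if even better; None below SIL 1."""
    if pfd_avg < PFD_BANDS[4][0]:
        return 4
    for sil, (low, high) in PFD_BANDS.items():
        if low <= pfd_avg < high:
            return sil
    return None

def design_adequate(c, f, p, w, pfd_avg):
    """True if a protection system with this PFDavg covers the required SIL."""
    need = required_sil(c, f, p, w)
    if need is None or need == "a":
        return True   # nothing (special) to meet
    if need == "b":
        return False  # a single system cannot meet the demand
    have = achieved_sil(pfd_avg)
    return have is not None and have >= need
```

A constructed case such as serious injury (C3), frequent presence (F2), avoidance hardly possible (P2) and a high demand rate (W3) lands in row X5 and requires SIL 4.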
3.3. Separation of the computer systems
According to DIN V VDE 0801 [6], the safety requirements to be met by a plant must be determined at an early stage, well before the control systems are designed. Next, it must be decided whether and in what way operating functions are to be separated from safety-related functions. Fig. 3 taken from Ref. [6] shows three basic possibilities of separating the action ranges (a), (b), and (c) of Fig. 1 where computers are used. In solution I, no clear separation is made between safety-related and operational activities. In this case, the complete hardware and software must be subjected to safety assessments when it is built and whenever subsequent modifications are made.
In solution II, the safety-related software is separated from the non-safety related software by a decoupling interface. In solution III, the safety-related part is separated from the non-safety related part in both hardware and software. At TLK, see Vollmer et al. [7], solution III has proved to work satisfactorily. It has the following advantages:
- Flexibility in automated normal operation. This is especially important in research installations.
- Easier management and functional testing of the safety-related parts of the automation.
- Better adaptability of safety-related components to new laws, regulations and guidelines.
- Complete separation of hardware and software, so that the operating systems cannot influence one another.
Custom made process instrumentation and control systems can be used for action ranges (a) and (b) in Fig. 1. Commercially available protection systems can also be used for action range (c). In recent years, protection systems have been introduced in many areas because they prevent damage from occurring in the first place. A variety of passive systems can be used to limit damage, as in (d), e.g. protective walls, differential pressures, variable ventilation rates in the event of hazard, etc. The systems installed for damage limitation are independent of and do not interfere with the operating processes.
3.4. Safety, reliability and availability
Proper operation of a plant requires a balance of safety, reliability, and availability. Safety is a situation in which the risk does not outweigh the limiting risk, VDI/VDE 2180 [4]. This level of safety is achieved by analysis using a risk graph to determine the appropriate Safety Integrity Level (SIL) for the automated measure of protection. Higher SILs require a higher level of reliability of the automated system. In this context, reliability as defined in VDI/VDE 2180 [4] means the ability to fulfill a required function within preset limits and for a given period of time. Availability should be considered a measure of reliability. It is the probability of the unit under consideration being in a functioning state at a given point in time. A distinction must be made in this respect between safety-related availability and operations-related availability. The former is the probability of responding when required, while the latter denotes the probability of not responding when no response is required. Planning of a plant must always be based on a balance of safety, reliability, and availability.

Fig. 3. Solutions to separate normal operation and safety functions.
4. The human factor in the overall system
Human operators are known to make mistakes. Whenever there is a complex problem, they will not solve it in the same way each time. Their behavior is unpredictable in principle and is unverifiable, Litz [1]. Unless faulty, computers always respond to a situation in the same way and rarely commit errors or produce inaccurate responses. However, should there be an unforeseen fault or a deviation beyond programmed limits, computers are unable to help themselves and may stall into an undefined state with potentially serious consequences. According to Montenegro [8], the probability of an accident occurring after a fault or an unforeseen situation is four times higher in a fully automated plant than in those cases where human operators can intervene in the operation. A suitable combination of both may produce the best result. However, human operators and machines should interact with caution. For instance, a good early warning system may cause operators to become careless. On the other hand, human operators, with a complete overview of the whole facility, may be able to manage even unforeseen situations by creativity and flexibility. It is erroneous to say that 80% of aircraft crashes are caused by ‘human error.’ There are no detailed statistics on how often pilots had to manage technical failures and thus prevented accidents. A study by the US Air Force shows that only 10 out of 618 emergencies had been caused by pilot error, while in 659 cases technical defects had given rise to emergencies in which the pilot, by diligent intervention, had been able to avoid an accident. However, accident reports exist only for the 10 cases.
5. Conclusion
As a consequence of severe accidents in the seventies and eighties, the safe operation of plants has moved more into the foreground. This report explains how process engineering plants can be safeguarded using process control technology. Process control equipment must be chosen in accordance with the requirements of a systematic study of the various risks, the requested protection measures and the safety review, and must fulfil the recommended specifications of reliability, availability, safety, etc. The ‘Human Factor’ should be improved by correct motivation, education and training of the staff as well as by stimulating the wanted balance between the safety of the whole industrial plant and its availability.
References
[1] L. Litz, Grundlagen sicherheitsgerichteter Automatisierungstechnik, at – Automatisierungstechnik 46 (1998) 2, R. Oldenbourg Verlag München Wien, pp. 56–68.
[2] H. G. Nix, Sicherheitstechnik für Automatisierungssysteme, atp – Automatisierungstechnische Praxis 39 (1997) 10, R. Oldenbourg Verlag München Wien, pp. 9, 10.
[3] K. F. Früh, Handbuch der Prozeßautomatisierung, R. Oldenbourg Verlag München Wien 1977, pp. 564–567.
[4] VDI/VDE 2180, ‘Safeguarding of industrial process plants by means of process control engineering’, December 1998, Beuth Verlag, 10772 Berlin.
[5] IEC 61508, ‘Functional safety of electrical/electronic/programmable electronic safety-related systems’, First Edition 1998-12, International Electrotechnical Commission, 3, rue de Varembé, Geneva, Switzerland.
[6] DIN V VDE 0801, ‘Grundsätze für Rechner in Systemen mit Sicherheitsaufgaben’, Vornorm Januar 1999, VDE-Verlag GmbH, Berlin 12.
[7] T. Vollmer, U. Besserer, K. Borcherding, J. Dehne, H. Dilger, L. Dörr, M. Glugla, W. Hellriegel, E. Hutter, R. Krämer, R.-D. Penzhorn, B. Reinhardt, D. Röhrig, K. Schubert, Safety Concept for the Tritium Laboratory Karlsruhe (TLK), Fusion Technology, Volume 28, Number 3 Part 1, October 1995, pp. 988–994.
[8] S. Montenegro, Die Quellen des Bedienungsfehler, Elektronik 15 (1998) 88–94.