Alarm annunciators in safety related applications.
Introduction
In modern processing plants the issue of functional safety is steadily gaining importance. The adoption of EN61508 standard [1] has introduced a very broad but systematic framework which allows plant engineers to apply the functional safety concepts systematically to all modern control equipment.
Alarm annunciators are an integral part of safety planning, especially in processing plants where alarm conditions can be numerous. An alarm or combination of several alarm conditions will require a reaction of an operator in order to either investigate the cause of alarms or take the steps required by safety procedures in order to eliminate the condition.
Annunciators in risk reduction
The EN 61508 standard introduces a uniform and predictable approach to safety analysis of all electronic and programmable-electronic equipment. The FMEDA analysis provides tools for calculating the overall probability of failure of electronic assemblies and from there, the probability of failure on demand (PFD), diagnostic coverage (DC) and safe failure fraction (SFF) of the complete instrument can be calculated.
However, the most important concept in the standard is that of establishing the necessary safety integrity level (SIL) for the safety-related electronic equipment. Without repeating the rather detailed requirements of the standard, the SIL level is conceptually determined by all the risks that cannot be eliminated by any other means. In other words, all other risk reduction measures should be exhausted first. Once the risk cannot be reduced any further, the safety of that particular function will rely solely on the automatic process control equipment. The risk associated with the function determines what SIL level is required of the equipment (see the selection tables in EN61508-1). If the electronic controller has the required reliability and SFF and fulfils all other requirements of the standard, it can be used in the application. Here lies the important detail – the SIL level is associated with the specific safety function to be performed, not with the equipment itself. Not only can different safety functions on one plant have different SIL ratings, but the other equipment involved in the same safety function affects all the safety calculations. For example, two safety loops using the same type of controller can have different PFDs because the actuator used is different in each of them. Equipment can therefore only fulfil the necessary criteria for a particular SIL level; it does not determine it.
It is quite common today to adopt the approach that all safety-related equipment on a given plant must be suitable for use in SIL1 or SIL2 applications. While the SIL rating of all safety functions on the plant cannot be established this way, the approach reflects the target risk associated with the plant and its operations. Safety functions whose associated risk is higher than the target clearly require other risk reduction methods to bring the risk down. There is a genuine and substantiated concern that functions classified as SIL3 or SIL4 loops are perhaps not desirable on a chemical plant at all, where many employees can be at risk. The high risk to personnel, property and environment is simply not acceptable, and it also carries a high cost in managing it and in potential liability. Risk assessment and risk reduction are therefore of great importance in order to ensure that risks are not abnormally high at some spots and low at others.
Alarm annunciators, such as the Omniflex Omni16 product range, fulfil a special role, quite different from that of automatic controllers. Controllers receive the signal from a sensor and usually drive (control) an actuator, such as a valve. Their safety-related function is to put this particular control element in a safe state when any kind of malfunction is detected. An alarm annunciator receives an alarm signal, i.e. a TRUE/FALSE logic signal. It does not normally drive an actuator directly, hence it is unable to put any specific loop in a safe state automatically. However, alarm annunciators are an integral part of a plant's safety systems, hence their role should be analysed in more detail.
Their first and foremost role is to reduce the risk by informing operators of alarm conditions on the plant.
It is intuitively obvious that if all the unsafe conditions could be effectively monitored and early alarms were indicated to the operators, users could meet a SIL0 requirement. The reliability of the equipment would not be critical, as all unsafe conditions would be detected in time. This ideal scenario is not possible in reality, but wherever unsafe conditions and equipment malfunction can be detected effectively, alarm annunciators are used. This reduces the need for special, approved process control equipment (and consequently reduces cost), as the highly reliable, SIL-rated equipment is only used where absolutely necessary.
To estimate what effect the monitoring of alarms will have on risk associated with a particular safety function, we use the layer of protection analysis (LOPA). This method is now widely described in literature, also in [2], a sector standard developed to complement the EN61508, which is a generic standard.
Let us consider the following example: alarm annunciator as part of a layer of protection.
A layer of protection function is used to reduce the frequency of the occurrence of the abnormal event. To calculate this frequency reduction, each of the components required for the layer of protection must be analysed to derive a total probability of failure on demand.
Let us say we have an alarm annunciator with PFD = 2.02 × 10^-3. The field alarm sensor would typically have a PFD of not greater than 10^-4. The operator, who must react to the alarm, might typically have an associated PFD of 10^-1. Since for one abnormal event the total PFD will be the sum of the component PFDs, it is obvious that the operator contributes the overriding value to the layer of protection.
In an example where an abnormal event will have a consequence of multiple injuries, the acceptable frequency of occurrence is established to be once in 1000 years. The estimated unmitigated frequency of occurrence is once in 70 years. The required risk reduction factor is the ratio of the estimated frequency to the acceptable frequency, (1/70)/(1/1000), thus 14.2.
By applying the layer of protection, the mitigated frequency of occurrence becomes f = (1/70) × 0.102 = 1.46E-03 per year, with an associated risk reduction factor of 1.5. Thus the introduction of the layer of protection has reduced the required risk reduction factor by an order of magnitude (or from SIL 1 to SIL 0).
Refer to IEC 61511 part 3, Annex F [3], for further guidelines relating to layer of protection analysis (LOPA).
The conclusion here is that all elements, even those with very modest PFD figures, contribute to risk reduction. An operator is generally considered to have a PFD of only 0.1, as shown above. However, the calculation shows that the overall effect on risk reduction in the example is still quite significant. When an operator is given tools to observe and respond to alarms, the overall impact on risk reduction is very significant.
Total PFDavg = PFDavg(sensor) + PFDavg(annunciator) + PFDavg(operator) (1)
Total PFDavg = 1E-04 + 2.02E-03 + 1E-01 = 1.02E-01 (2)
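The following Python is an added worked example, not code from the article or from Omniflex: it carries the LOPA arithmetic of equations (1) and (2) through to the residual risk reduction factor and the corresponding SIL band. The band thresholds (required RRF of 10, 100, 1000 and 10 000) are assumed from the low-demand PFDavg bands of IEC 61508-1; the component PFDs and frequencies are the article's own figures.

```python
"""LOPA worked example: alarm annunciator as one component of a protection layer."""

# Component PFDavg values quoted in the article: field sensor, annunciator
# and the human operator who must respond to the alarm.
PFD_SENSOR = 1e-4
PFD_ANNUNCIATOR = 2.02e-3
PFD_OPERATOR = 1e-1

# Scenario from the article: unmitigated event once in 70 years,
# acceptable frequency once in 1000 years.
UNMITIGATED_PER_YEAR = 1 / 70
TOLERABLE_PER_YEAR = 1 / 1000


def layer_pfd(*component_pfds: float) -> float:
    """PFDavg of a protection layer whose components all must work: PFDs add (eq. 1)."""
    return sum(component_pfds)


def mitigated_frequency(unmitigated: float, pfd: float) -> float:
    """Event frequency with the layer in place: demand rate x probability the layer fails."""
    return unmitigated * pfd


def required_rrf(event_frequency: float, tolerable: float) -> float:
    """Risk reduction factor still needed to bring the event down to the tolerable frequency."""
    return event_frequency / tolerable


def sil_for_rrf(rrf: float) -> int:
    """Low-demand SIL band for a required RRF (assumed IEC 61508-1 thresholds).
    An RRF below 10 means no SIL-rated function is needed: SIL 0 in the article's terms."""
    return sum(1 for lower_bound in (10, 100, 1_000, 10_000) if rrf >= lower_bound)


def dominant_component(**pfds: float) -> str:
    """Name of the component whose PFD dominates the layer (the operator, per the article)."""
    return max(pfds, key=pfds.get)


def worked_example() -> dict:
    """Reproduce the article's numbers: RRF 14.2 before the layer, about 1.5 after it."""
    total = layer_pfd(PFD_SENSOR, PFD_ANNUNCIATOR, PFD_OPERATOR)
    f_mitigated = mitigated_frequency(UNMITIGATED_PER_YEAR, total)
    rrf_before = required_rrf(UNMITIGATED_PER_YEAR, TOLERABLE_PER_YEAR)
    rrf_after = required_rrf(f_mitigated, TOLERABLE_PER_YEAR)
    return {
        "layer_pfd": total,                 # 1.02E-01, equation (2)
        "mitigated_frequency": f_mitigated,  # 1.46E-03 per year
        "rrf_before": rrf_before, "sil_before": sil_for_rrf(rrf_before),
        "rrf_after": rrf_after, "sil_after": sil_for_rrf(rrf_after),
        "dominant": dominant_component(sensor=PFD_SENSOR, annunciator=PFD_ANNUNCIATOR,
                                       operator=PFD_OPERATOR),
    }
```

Swapping the operator's PFD for a better-trained crew (say 3E-02) in `worked_example` shows why the article calls the operator the overriding contributor: the sensor and annunciator figures barely move the result.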
Discrete annunciators vs scada alarm systems
Some time ago scada-based systems were considered the preferred alternative to discrete annunciators. The software-based solution, with its almost endless possibilities of analysing, presenting and processing alarms, seemed the best answer to the need for alarm processing.
However, the advent of the new functional safety awareness has brought with it a completely new perspective. Software carries a higher reliability risk, as there is no such thing as a reliability database for software. Also, being PC-based, scada solutions rely heavily on application software, i.e. software written by the user or for the user for a unique application. Almost invariably, every solution is therefore different and has to be assessed individually. This is exacerbated by frequently changing computer hardware platforms and hence the need to modify existing software. Configuration management also carries a higher risk than with hardware-based solutions.
Hardware-based alarm annunciators generally do not suffer from this kind of problem. Hardware reliability assessment is perhaps extensive but nevertheless clear.
Software comes only in the form of firmware or purely configuration software. Once written, it remains unchanged in the annunciator for the lifetime of the product. While scada-based solutions are here to stay, their analysis and safety lifecycle management are inherently much more complex than those of a dedicated alarm annunciator.
Conclusions
The role of alarm annunciators in dealing with critical alarms in modern plants is as important as ever. Their simple functionality allows the manufacture of highly reliable instruments. Their failure modes and, consequently, their device analysis and safety assessment are far easier and more deterministic than those of software-based alarm systems.
References
1. IEC 61508: 2000 Parts 1-7. Functional safety of electrical/electronic/programmable electronic safety-related systems.
2. IEC 61511 Parts 1-7. Functional safety – safety instrumented systems for the process industry sector.
3. Omni16C report 035001. Failure modes, effects and diagnostic analysis. Safe failure fraction and PFD determination. By O. Tavener-Smith, CSFE (TUV).
4. Omni16C_FMEDA_R06.xls. Detailed Omni-16C FMEDA analysis spreadsheet.
For more information contact Ian Loudon, Omniflex Automation Products, +27 (0)31 207 7466, [email protected], www.omniflex.com
© Technews Publishing (Pty) Ltd | All Rights Reserved