Emerson’s Mike Boudreaux shares some misconceptions that automation and safety professionals have about functional safety. Here they are in Mike’s words:
Emerson has provided free safety lifecycle seminars to process industry companies around the world, including North America, Europe, India, Asia, and Australia. These seminars are being provided to help managers and business leaders understand how safety lifecycle management can be an effective way to safeguard against unwanted process safety incidents. While functional safety experts are familiar with these concepts, some misconceptions exist among non-experts. Here are the most common misconceptions that we have heard during safety lifecycle seminars.
Misconception: A CFSE is required to do work on a SIS.
Competency management is a very important part of safety lifecycle management. The IEC 61511 global safety standard says that people should be competent to do the work that they are performing. Many roles related to safety instrumented system (SIS) analysis, implementation, and operation do not require this level of expertise. In order to have a realistic approach to managing safety, roles need to be defined with competency requirements that apply to the activities that are performed.
For example, installing and troubleshooting devices, backplanes, wiring, power, and cabinets does not require a certified functional safety expert (CFSE). A CFSE would not necessarily have the right experience, knowledge, and training to do this kind of work. Instead, product training and trade skills are more important for these roles. On the other hand, a CFSE is an excellent way to demonstrate competence for activities such as safety instrumented function (SIF) conceptual design and safety integrity level (SIL) verification, where a deep understanding of functional safety concepts is critical to successfully engineering a SIS.
Misconception: A SIS can be SIL 3 certified.
Some people think that an entire SIS can be SIL 3 certified and that this is necessary for their process. SIL is a measure of the level of protection that is required for an individual safety function to protect against a specific process hazard. While it is theoretically possible for a SIS to have nothing but SIL 3 safety functions, this is not something that exists in the process industry. For a typical process, less than 10% of SIFs will be SIL 3. In fact, most companies try to avoid SIL 3 requirements by adding non-SIS safeguards or changing the process design.
Safety system products such as DeltaV SIS are certified for use in SIL 3 applications according to IEC 61508. This means that they can be used to implement safety functions with a SIL 3 requirement. However, the right combination of sensors, a logic solver, and final elements used in a SIF must deliver the level of safety integrity that is required for the SIF. It is not good enough to purchase a “SIL 3-certified” sensor, logic solver, or final element and assume that you are providing the right level of protection for your process.
Misconception: Redundancy is required for safety.
Redundancy can be an effective way to provide safety integrity, but it is not the only way. Many times redundancy is not required for safety, but instead it is used for availability. For example, a single Rosemount 3051S transmitter is certified as suitable for use in SIL 1 and 2 safety functions. Since this meets the needs of more than 90% of safety functions, in most cases, redundancy is not required for safety. Many times, redundancy may still be used, not for safety but for increased availability so that a failed device will not cause a process shutdown.
Misconception: HART cannot be used in a SIS.
It is correct that a HART digital process variable (PV) cannot be used instead of a hard-wired analog or discrete input signal. However, HART communications can be used to diagnose faults in a SIF. For example, DeltaV SIS compares a HART digital PV against the analog 4-20 mA signal and can diagnose an earth leakage failure if the two values do not match. Also, HART can be used to perform automatic diagnostics on field devices and to communicate device failures. In many cases, the logic solver can ignore a bad PV and monitor redundant devices to keep the process running, while passing the device status information to maintenance personnel so that the device can be troubleshot and repaired.
Misconception: Fire and gas systems (FGS) and burner management systems (BMS) don’t belong in a SIS.
ESD, BMS, and FGS are different types of SIS applications. ESD [emergency shutdown] is a system that will shut down a process to prevent a hazardous event from occurring. A BMS prevents explosions in boilers, furnaces, and fired heaters by preventing the dangerous buildup of hydrocarbons. A FGS will detect a fire or the release of gas and take actions to reduce the consequence of the hazardous event. All three of these applications can be implemented and in a single process safety system, with the different systems running in separate logic solvers and sharing information through the integrated system.