Process plants with safety functions are required to comply with the applicable safety standards IEC 61508 and IEC 61511 for functional safety. They build the base for planning and operation of the plant. Safety Lifecycle Management accompanies the complete lifecycle of the plant.
The standards specify and describe the steps that must be performed for assessing and planning a process plant with risk potential. The complete lifecycle of the plant is analyzed here. The lifecycle is subdivided into three phases: analysis, implementation and operation phase. Different persons are included in the different phases, and their interests differ. All those involved, however, usually aim to keep the costs as low as possible, especially the investment costs (Capex, Capital Expenditure) and the operating costs (Opex, Operational Expenditure).
It is extremely important to identify the potential for savings and to obtain the right support from the systems and tools used. When the complete lifecycle of the plant is analyzed, as in the standard, potential for savings can be found in every phase.
Possible savings
1. Safety requirement specification (SRS)
2. Implementation of the safety requirements
3. Acceptance test for the safety functions
4. Plant operation
5. Plant modifications
Safety requirements
During the analysis phase, a hazard and risk assessment is performed. The protection levels are also determined and the safety tasks are assigned.
The safety requirements are defined and described during the analysis phase and this forms the basis for planning, engineering and acceptance testing of the plant. A wide range of different people must be able to base their work on this specification. The requirements must therefore be recorded in a simple, clearly comprehensible form. A familiar descriptive format is the Cause & Effect method. This method was defined by the American Petroleum Institute and is used in a wide range of different sectors. The objective of this method is to describe the safety functions in a simple manner for all those involved. This saves time at the definition stage, because there is no unnecessary discussion between participants.
Siemens uses this method and provides a tool, the Simatic Safety Matrix, which can be used in this early phase to describe the safety requirements and functions. The Cause & Effect method in the form of a configuration language is ideally suited to bridge the semantic gap between process engineering and programming, because dependencies can be clearly organized and displayed graphically.
Implementation
The safety requirements specification is then transferred to the planning engineers who must implement the safety requirements and safety functions. This emphasizes how important it is to have a simple descriptive format; otherwise call-backs and discussions are necessary and this would cause delays in the implementation. It also takes time to implement the functions in the safety PLC with its specific programming language. The functions must be implemented in this specific programming language of the automation system.
There are a considerable possible savings if the Safety Matrix was already used for the safety requirement specification SRS to describe the safety functions, because the implementation is practically done already. Only the connection of the Cause & Effects to the IO-level of the Siemens automation system must be done then.
Any pre-processing that is necessary can be simply included in the Safety Matrix and automatically documented. The relevant function blocks can be directly integrated in the Safety Matrix from a user-defined library of safety functions and templates.
Acceptance test of the safety functions
Safety functions are usually verified by appropriate licensed bodies or authorities. These experts generally have little or no knowledge of the programming languages used in modern safety-related controls systems. Typical languages involve function blocks, ladder logics or structured text. This means that the description differs from the implementation. The auditor has the difficulty to verify the realized programming with original safety requirement specification. He needs to understand both. This increases the required time significantly.
Use of the Cause & Effect in this phase of the project also has a positive effect. Due to the clearly comprehensible format, the functions can be understood easily and quickly. When the Safety Matrix is used, description and implementation are almost identical. Using the viewer of the Safety Matrix, the functions and their mode of operation can be monitored and traced on-screen and on-line. The Safety Matrix viewer is seamlessly integrated in the PCS 7 process control system from Siemens. In this way, Causes can be simulated and the corresponding Effects can be verified easily. This accelerates the function and software verification. As a result acceptance tests can be conducted much more effectively.
Plant handling and normal operation
Other aspects are important for handling and operation of the plant. Plant operation depends on quick and easy user guidance. This means that the plant operator is informed about deviations in the process quickly and clearly, and is able to react accordingly. This is particularly important in the case of safety functions, because these will ultimately result in plant shutdown if there is no early notification and intervention. The operator must be able to recognize the alarm and localize the cause. The operator must be guided directly to the cause.
Using the Safety Matrix for example, pre-alarms can be generated directly from the matrix. The matrix can be configured such that when it is opened, the relevant cause is displayed with the associated effects in the plant display. The plant operator can then see at a glance the sensor of a 2-out-of-3 voting group of sensors that deviates and can directly initiate suitable measures to secure production. This could be simulation of the relevant sensor for the repair time or, if necessary, intervention in the process if the user's authorization level is sufficiently high.
The Safety Matrix, with its integrated maintenance functions, can also provide support for checking the functionality of the sensor. By activating the maintenance override switch the sensor can be replaced or tested independently from the process.
The integrated maintenance functions allows the operator to see the current value at the input module and the active value in the process even during the test on the sensor, regardless of whether it is a single sensor or part of a voting group. Plant shutdowns and emergency stops can be avoided in this way. An optimized solution can be obtained by integrating the safety sensors with pre-alarms into the Asset Management system.
Plant modifications
Plant modifications also have to pass through all phases of the safety lifecycle management and must be performed according to the requirements of the IEC 61511. The modification needs to be analyzed and the safety requirement specification needs to be extended by the new safety function, implementation and commissioning will follow.
All the points explained above also apply to modification. The Cause & Effect method and therefore the Simatic Safety Matrix can demonstrate their strengths. The modifications implemented are automatically documented by the Simatic Safety Matrix. The changes can be verified, so only acceptance and function testing of the changes is required.
Summary
Use of the Cause & Effect method is beneficial in every phase of the safety lifecycle and therefore has a positive effect on the investment costs (Capex) and the operating costs (Opex).
Advantages of the Cause & Effect method
Clear and simple definition and description of the safety functions
Uniform understanding of all those involved regarding the safety functions
Additional benefits when using the Simatic Safety Matrix
Quick and easy implementation
No programming know-how necessary
Integration of complex calculations through pre-processing
Pre-alarms with settable repeat cycle
Optimized operator guidance, cause or effect related displays
Matrix of SOE (Sequence of Event) display with first-out alarm
Simulation and bypass
Automatic change documentation.
With the Simatic Safety Matrix, Siemens offers an optimized solution for safety applications starting at the analysis phase. By using the tool, uniform and integrated description, implementation and display of the safety functions is ensured. The operation and alarm concepts provide optimum support for the plant operator with operating the plant, and reduce downtimes.
Safety Lifecycle Management
Safety Lifecycle Management
