Safety system passes Shell’s assessment tests

Shell recently performed comprehensive assessment tests of the HIMax safety system from HIMA. Upon successful completion of the tests, the system can be used worldwide in the oil company’s future projects, without additional evaluations.

As with its chosen control systems, Shell performs assessment tests (acceptance tests) on safety systems. During the qualification process, the product is subjected to an extensive and demanding evaluation. The objective of the assessment testing is to evaluate and document the safety system’s strengths and weaknesses, as well as the project work of the system supplier. If successful, the safety system is then considered an approved product and does not require additional testing by Shell or its numerous operating companies.

Shell recently completed assessment testing of the HIMax safety system. The system for mid-size and large applications has been available worldwide since the autumn of 2008. HIMax allows uninterrupted system operation throughout a plant’s entire life cycle. It is based on HIMA’s ‘Nonstop XMR’ technology. This combines SIL 3 safety technology with a scalable, fault-tolerant architecture that eliminates spurious trips and allows unlimited changes, modifications, extensions, improvements and proof tests during system operation. The largest part of the assessment testing was performed in the spring of 2010 at HIMA’s headquarters in Brühl (Baden-Württemberg).

Spotlight on Performance and Integration Capability
One of Shell’s main interests during the assessment testing was to determine to what extent HIMax meets the demands and safety requirements of end users. Questions about the safety system’s performance, how well it can be integrated into various control systems and the quality of its project management were emphasized. The first step was taken in September 2009, when an internal coordination meeting took place within HIMA to define responsibilities and to clarify the requirements prior to the planned practical training session. This session also considered the documentation offered to help Shell prepare and become familiar with the system. The contents and phases of the assessment testing were specified in Shell’s "Acceptance Evaluation Procedure for Safety Instrumented Systems" document. The specifications prescribed an initial training seminar, which lasted three days and took place in Brühl in October 2009. During this session, HIMax was presented to the Shell experts. The companies collaborated to define the contents of the HIMax safety system tests planned for spring 2010, their objectives, the necessary resources and an initial timeline.

Positive Reception of Integration
HIMax can be integrated with all leading control systems as it completely separates the safety system from the control system. Customers are free to choose the safety system that can be best tailored to their respective application, both technically and economically, e.g., with respect to number and type of I/Os, availability and redundancy requirements, reaction time and Ex-capability. Separating the hardware and software ensures technical decoupling, which guarantees non-interaction. Thus errors related to safety-critical design, programming and operating (human common-cause faults) within complex software or decentralized systems are avoided. “If no common mode failures may occur, one solution is a standalone safety system with a communication interface to the DCS,” explains Audun Gjerde from Shell Global Solutions. He mentions an additional advantage of HIMA’s integration concept: “In this way, HIMA learns how to handle complex issues such as OPC interfaces. HIMA probably has more experience in this area than a typical DCS manufacturer.” During the assessment testing, four HIMax systems were tested with four different control systems (Yokogawa, Siemens, Honeywell, Emerson) – double the number set forth in the specification. As the Shell safety expert pointed out, “this is more than Shell prescribes and was therefore more compelling than a test with only a single DCS.”

Extensive Communication Test
Essential components of the assessment testing included a communication test, a hardware stress test, a FAT stress test, a temperature test and an asset management test. The communication test was performed over the course of five days. The most extensive test was the DCS integration test with the Yokogawa system, which included 10,000 I/Os. Communication with the Emerson control system was tested with 5,000 I/Os. “In both tests, there were no problems whatsoever due to issues such as cycle time or communication load. Everything reacted as expected,” said Gjerde. “The performance of HIMax is impressive, above all the performance between two safety controllers. The reaction rate of the controller under load is remarkable, as well as the fact that the configuration can be adjusted to the desired rate.” HIMax was able to demonstrate its diagnostic capability during the diagnostic checks performed as part of the tests. Fast and transparent diagnosis is an important feature of HIMax. Up to 2,500 diagnostic entries are automatically stored in the processor module, and 500 diagnostic entries per I/O module. All maintenance actions such as reloading, downloading, running, stopping and forcing are logged automatically. HIMax also offers advantages in the transmission of diagnostic information to the control system, and in the state monitoring of relay modules.

Tests Completed Successfully
As with the communication test, the stress and temperature tests were also completed to Shell’s satisfaction. Finally, the asset management test validated how well the HIMA solution exchanges data with third-party systems over a variety of interfaces. HIMA demonstrated a partial stroke test and the use of FDT/DTM as well as additional factors associated with DTMs and asset management. After successful completion of the assessment test, HIMax is technically qualified to be used on Shell projects. Looking back at the testing period, Audun Gjerde noted, “During the tests, we usually try to take systems beyond their limits, but this was admittedly difficult with HIMax.” With respect to the stress test, he made particular mention of the availability of HIMax. If a system fault occurs, the system’s XMR architecture allows the user to replace the faulty module during operation, at any time and without restrictions. “The option to perform changes online and replace the hardware during system operation avoids undesirable process shutdowns,” says Gjerde. He also points to the function blocks for the SILworX engineering tool as additional advantages. The function blocks meet the requirements of IEC 61508 and IEC 61511 and can be used in applications up to SIL 3. They represent a fully integrated software platform for efficient engineering, and complement the intuitive user interface of SILworX. “The function blocks are an advantage for Shell. We prefer working with libraries and like to use the same solution in follow-up projects. For this reason, we value providers that are able to offer a library that we can use rather than having to develop a new one for each project,” explains Gjerde.

Cyber Security Advantages
The HIMA safety system also scored well in the important area of cyber security. The networks for enterprise IT and industrial automation continue to grow together, which leads to an increased risk of cyber attacks on plants via their networks. For this reason, HIMA tests all operating systems of its safety controllers HIMatrix, HIQuad and HIMax during the development process to determine their reaction to cyber attacks. For instance, the Achilles testing device from the Canadian company Wurldtech Security Technologies Inc. was used during the development of HIMax. Wurldtech issued the Achilles Level I Security Certificate in 2009.

“With this certification, HIMA demonstrated that they know how to handle cyber security. We have been requiring the Achilles test for several years. HIMA was familiar with our requirements and was able to meet them,” concludes Audun Gjerde.

Edited by Constanze Schmitz