The contrasting requirements of intrinsic and functional safety: IEC61508 vs IEC60079
23 March 2012
There are many situations in the industrial sphere where a multitude of different standards, guidelines, site or company rules, etc., must be considered to ensure safe operation of the plant or equipment. Here we shall look at some of the considerations to be made when the requirements of both ‘intrinsic’ and ‘functional’ safety are to be applied.
Figure 1: Example variations for functional safety loops
Primarily this will concern the basic architecture of instrument loops but also touch upon the issue of plant maintenance.
There is increased acceptance of the need to implement the requirements of Functional Safety standards when applying a safety system to reduce the risks on a plant. Thus, in general, we consider the philosophy expounded in IEC 61508 and, within the process industries, follow the guidance of the derivative standard IEC 61511.
When there is an explosion hazard at a plant within the European Union, compliance with the ATEX Directive is required to implement the appropriate protection concept. For a particular product this specifically means that a manufacturer must declare how the “Essential Health and Safety Requirements” (EHSRs) given in the ATEX directive are achieved, which enables the CE mark to be affixed.
So, in the process industries, where there is also an explosion hazard, there are the additional aspects of the EN 60079 series of standards to contend with. Are the requirements of all these safety standards complementary or contradictory? Does one take precedence over another?
Loop structures to implement Functional Safety
We are led to consider both intrinsic safety and functional safety aspects by analysing a complete process loop. In other words, both safety systems involve the combination of various parts to achieve their goals.
Figure 2: Example functional safety loop (with I.S. interface)
For Functional Safety applications, the availability of a particular loop operation aiming to achieve the required Safety Integrity Level (SIL) may be improved by duplicating or triplicating the signal path and its component parts. Some possible examples of instrument safety loops are shown in Figure 1. The representation of the elements here is not intended to define the scope of practical safety installations but is merely intended to portray some of the elements involved.
Single field devices may be employed in a simplex logic chain, with their suitability for the safety loop demonstrated by evaluation of the failure rate data (assuming that the systematic integrity of each element in the loop has been checked).
If, or rather when, this simplex chain of elements does not achieve the required level of performance, then various levels of redundancy of the elements can be introduced to increase the availability of the overall safety function. Thus the connection from the process sensor may be duplicated into separate channels of the input electronics of the logic solver. Another step may be to introduce a second sensor into a separate channel of the input card. The feed to the process actuator may be derived from redundant channels of the output stage of the logic solver or, as a further step, from redundant channels feeding individual actuators.
There are many articles and books on the subject of safety which discuss the aspects of ‘reliability’, ‘availability’ and ‘integrity’ to try and explain the ways in which the combination of paths can be assessed for suitability. The purpose of identifying some alternative loop structures here is not to debate their relative merits but simply to show that such options are possible. Now let us add the requirements of intrinsic safety to the mix.
Loop structures to implement Intrinsic Safety
Figure 3: Simplex nature of I.S. connectivity
Intrinsic safety is dependent on ensuring that the amount of energy that can be released within a hazardous area is below the level at which ignition of the material would occur due to sparking or through hot surfaces. The concept depends upon restricting the electrical energy that is passed into the hazardous area under fault conditions to below the critical level, whilst enabling normal instrument signalling to be conducted without hindrance.
A certified interface device such as a zener barrier or intrinsic safety isolator ensures the limitation of energy passed into the hazardous area. The very nature of IS protection through an interface device is to clamp the voltage and limit the current to non-hazardous values, followed by blowing the loop fuse to protect the safety components if the energy levels exceed the ratings.
How does this affect a safety loop design? Well, one consequence is that in most cases the loop connections into the field must be simplex in nature. Figure 2 shows our simple instrument safety loop, but now with the additional intrinsic safety interfaces for the signals to the sensor and actuator. It is not obvious from this depiction that we are now dealing with the additional considerations of connection into a hazardous area and Figure 3 may make this clearer.
Whilst in a non-IS design the connections to and from the field equipment might easily be duplicated, the considerations of intrinsic safety mean that this may not be possible. The safety parameters of the interface device and the field device must meet the requirements of intrinsic safety. Duplication of the interface device in its connection into the field would usually mean that the intrinsic safety parameters of the loop are exceeded.
In this case the duplication of the field device, with a separate connection to its own interface device, would enable the integrity of the intrinsic safety requirements to be maintained. The additional cost that this would incur often means that further pressure is applied to demonstrate the suitability of the individual elements for use in a simplex loop to achieve the required safety levels. This approach of trying to squeeze more out of a given situation is common to all walks of life. Although it is not always possible on a particular plant, many considerations point to the fact that complete duplication of the instrument loop would be a better solution.
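To make the parameter argument concrete, here is an added illustration (not part of the original article) of the entity-parameter comparison between an IS interface device and a field device, run first for the simplex loop of Figure 3 and then for two interfaces wired onto the same field pair. The barrier, transmitter and cable values are constructed sample figures, and the parallel-combination rule is a conservative simplification assumed here rather than the full derivation in the standard.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Source:  # output ('o') parameters from the interface device's safety description
    uo: float  # max output voltage, V
    io: float  # max output current, mA
    po: float  # max output power, mW
    co: float  # max external capacitance allowed, uF
    lo: float  # max external inductance allowed, mH

@dataclass(frozen=True)
class Load:  # input ('i') parameters of the certified field device
    ui: float  # V
    ii: float  # mA
    pi: float  # mW
    ci: float  # unprotected internal capacitance, uF
    li: float  # unprotected internal inductance, mH

def entity_check(src: Source, dev: Load, cable_c: float, cable_l: float) -> list:
    """Entity-parameter comparison for one field pair; returns the violated checks."""
    problems = []
    if src.uo > dev.ui:
        problems.append(f"Uo {src.uo} V exceeds Ui {dev.ui} V")
    if src.io > dev.ii:
        problems.append(f"Io {src.io} mA exceeds Ii {dev.ii} mA")
    if src.po > dev.pi:
        problems.append(f"Po {src.po} mW exceeds Pi {dev.pi} mW")
    if dev.ci + cable_c > src.co:
        problems.append(f"Ci + Ccable {dev.ci + cable_c:.3f} uF exceeds Co {src.co} uF")
    if dev.li + cable_l > src.lo:
        problems.append(f"Li + Lcable {dev.li + cable_l:.3f} mH exceeds Lo {src.lo} mH")
    return problems

def parallel_sources(a: Source, b: Source) -> Source:
    """Worst case seen by a field device when two interfaces share one field pair:
    voltage is the higher of the two, fault current and power add; the reactance
    allowances are taken as the smaller (conservative simplification, assumed here)."""
    return Source(max(a.uo, b.uo), a.io + b.io, a.po + b.po, min(a.co, b.co), min(a.lo, b.lo))

# Constructed sample values: a 28 V / 300 ohm style barrier, a typical 4-20 mA transmitter,
# and 200 m of field cable at 0.1 uF/km and 1 mH/km.
BARRIER = Source(uo=28.0, io=93.0, po=651.0, co=0.083, lo=4.2)
TRANSMITTER = Load(ui=30.0, ii=100.0, pi=1000.0, ci=0.005, li=0.0)
CABLE_C, CABLE_L = 0.02, 0.2

def simplex_loop() -> list:  # one barrier, one transmitter: the normal IS loop
    return entity_check(BARRIER, TRANSMITTER, CABLE_C, CABLE_L)

def duplicated_interface() -> list:  # two barriers on one transmitter: the case the text warns against
    return entity_check(parallel_sources(BARRIER, BARRIER), TRANSMITTER, CABLE_C, CABLE_L)
```

The simplex loop passes every check, whereas the doubled interface exceeds both Ii and Pi of the transmitter; the acceptable alternative described above (one transmitter per barrier) is simply the simplex check repeated per channel.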
Maintenance of F.S. and I.S. loops
Figure 4: Which standard takes preference?
One of the key benefits of applying intrinsic safety is that live maintenance of the installation can be carried out, without the need for gas-clearance certificates and work permits to be obtained. But for every protection concept against an explosion in a hazardous area, a regular inspection regime is necessary to ensure the continued integrity of the precautions that have been put in place. Thus, for an intrinsic safety installation, regular inspections and checking of the explosion safety issues are still required. The interval at which this inspection and recording takes place is affected by site requirements and the nature of the installation, but in many instances a yearly time frame would be suitable. Such an inspection could almost be considered as non-intrusive, since there is no ‘test’ that can be made of the health of the safety components, save that of checking the resistance to ground of the safety earth connection, for example. If an instrument loop is in use and working normally, then simply checking the tightness of signal connections, together with recording that all the relevant safety information is clear and correct, may be all there is to be done.
Contrast this situation with that pertaining to functional safety. Here the requirement is to conduct a particular ‘proof test’ to confirm that the operation of the safety loop is as defined and commissioned. This often involves taking the instrument loop out of service to conduct operational trials, then re-commissioning the installation. Depending upon the safety integrity level that the equipment is intended to support and the nature of the hazard, the frequency of carrying out the proof test can be a significant burden. Thus the specifics of how to conduct the regular proof test on a given process loop are an important consideration during the design phase of any safety system.
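The redundancy options sketched earlier and the proof-test burden just described are two sides of the same design trade-off, so here is an added worked example (not from the original article) using the simplified low-demand PFDavg approximations of IEC 61508-6 to compare a simplex (1oo1) channel with a duplicated (1oo2) channel across proof-test intervals. The dangerous undetected failure rate, common-cause beta factor and intervals are constructed sample values, and the repair-time and detected-failure terms are dropped for brevity.

```python
HOURS_PER_YEAR = 8760

def pfd_1oo1(lambda_du: float, t: float) -> float:
    """Simplex channel: a dangerous undetected fault sits there, on average,
    for half the proof-test interval t (hours); lambda_du is per hour."""
    return lambda_du * t / 2

def pfd_1oo2(lambda_du: float, t: float, beta: float) -> float:
    """Duplicated channel: both must fail independently, plus the share beta
    of failures that are common-cause and defeat the redundancy."""
    x = lambda_du * t
    return x * x / 3 + beta * x / 2

def sil_from_pfd(pfd: float) -> int:
    """Low-demand SIL band of IEC 61508-1 (SIL n: 10^-(n+1) <= PFDavg < 10^-n).
    Returns 0 when the loop does not reach SIL 1; values below 1e-5 fall
    outside the table and are reported as 4."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0

def proof_test_table(lambda_du: float, beta: float, years=(1, 2, 3)) -> dict:
    """PFDavg and SIL band per architecture and proof-test interval, so the designer
    can weigh the cost of a second channel against the cost of more frequent testing."""
    table = {}
    for y in years:
        t = y * HOURS_PER_YEAR
        for arch, pfd in (("1oo1", pfd_1oo1(lambda_du, t)),
                          ("1oo2", pfd_1oo2(lambda_du, t, beta))):
            table[(arch, y)] = (pfd, sil_from_pfd(pfd))
    return table

if __name__ == "__main__":
    # Constructed sample: lambda_DU = 2e-6 /h per channel and a 5 % common-cause factor.
    for (arch, y), (pfd, sil) in sorted(proof_test_table(2e-6, 0.05).items()):
        print(f"{arch}, proof test every {y} y: PFDavg = {pfd:.2e} -> SIL {sil}")
```

With these sample figures the simplex channel drops from SIL 2 to SIL 1 when the proof-test interval is stretched from one year to three, while the duplicated channel still holds SIL 2 at three years, which is the practical reason the extra field device and interface are often worth their cost.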
We are all familiar with this requirement to conduct active testing of safety-related equipment, with the regular fire-alarm checks that are carried out in all industrial plants and offices. Proving the correct functioning of an instrument safety loop is not always so simple, but the ability to live-work with intrinsic safety can help.
The need for competence in all who design, install, commission and maintain intrinsic safety and functional safety equipment has thankfully now become recognised and made a requirement within the standards. The application of both intrinsic safety and functional safety demands individuals who understand the complexity of the issues concerned and apply the necessary rigour to all aspects of the project lifecycle. Here it is not simply a question of considering which standard takes precedence, but of ensuring that all relevant considerations are made for all issues that affect the safety of individuals, process and plant. The requirements of functional safety and intrinsic safety can best be met through careful design at the outset of the project.