Using Alarm Annunciators in IEC61508 SIL rated Safety Systems
Ian Loudon
In modern processing plants the issues of functional safety are steadily gaining importance. The IEC61508 standard introduced a very broad but systematic framework that allows plant engineers to apply functional safety concepts consistently to all modern control equipment.
WHAT IS SIL? The Safety Integrity Level (SIL) defines the probability that the safety loop operates as intended when a demand occurs. IEC61508 bands it by the average probability of failure on demand (PFDavg) in low-demand mode, which the table below also expresses as the safety availability required:

Safety Integrity Level   PFDavg (low-demand mode)   Safety Availability Required
SIL 4                    1E-05 to <1E-04            >99.99%
SIL 3                    1E-04 to <1E-03            99.9 - 99.99%
SIL 2                    1E-03 to <1E-02            99 - 99.9%
SIL 1                    1E-02 to <1E-01            90 - 99%
Alarm annunciators are an integral part of safety planning, especially in processing plants where alarm conditions can be numerous. An alarm, or a combination of several alarm conditions, requires an operator to react, either by investigating the cause of the alarms or by taking the steps required by the safety procedures to eliminate the condition.
Alarm annunciators today are seldom included as an integral part of true safety-related shutdown systems, as the reliability of the human operator is generally considered insufficient to meet the high reliability requirements.
The IEC61508 standard does not exclude a person being part of a safety-related system, but human-factor requirements are not treated in detail in the standard. A human operator is most often credited with a PFD (Probability of Failure on Demand) of 1E-01, i.e. a 90% probability that the operator will respond correctly to the alarm. That figure alone consumes the whole SIL1 budget: a SIL1 safety-related system requires a loop PFDavg between 1E-02 and 1E-01, and the sensor, the annunciator and the final element the operator acts on each add their own PFD on top of the operator's. A loop built around a 1E-01 operator therefore cannot be designed to meet even SIL1.
However, with a high level of training and clear written procedures in place, it can be accepted that the operator PFD is as good as 1E-02, in which case an alarm annunciator can be used in a SIL1 safety loop, provided the remaining hardware leaves enough of the budget to keep the summed loop PFDavg below 1E-01. Assessed against IEC61508, alarm annunciators that put the human operator into the safety function can therefore be targeted at SIL1 at best.
It is possible for an alarm annunciator to include a secondary relay output that complies with the requirements of IEC61508 as a true PES (Programmable Electronic System); where that relay output implements an automatic safety function, it can be assessed on its own without including the operator's reliability. Mixing the automatic safety-related system with functions that belong to a separate Layer of Protection (such as the alarm annunciator) is nevertheless considered problematic at best: the complexity of the annunciator is carried into the safety loop, and the shared hardware and logic create a higher chance of common-mode failures that degrade the PFD of the safety loop.
The preferred engineering practice is therefore always to keep the automatic safety functions separate from the alarm annunciator, which then stands as an independent Layer of Protection.
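The two arguments above, that an operator credited with PFD 1E-01 exhausts the SIL1 budget on his own and that sharing hardware between the annunciator and the automatic trip introduces common-mode failures, can be put in numbers. The following is an added example and is not part of the Omniflex newsletter or of any Omniflex product. The SIL bands and the PFDavg ~= lambda_DU x TI / 2 approximation are the standard IEC61508 low-demand-mode relations; every failure rate, proof-test interval, trip PFD and beta factor in it is a constructed assumption chosen for illustration.

```python
"""PFD budget for an alarm loop that relies on an operator, and the effect of
common-mode failures when that loop shares hardware with an automatic trip.

Added example, not from the Omniflex newsletter. SIL bands and the
PFDavg ~= lambda_DU * TI / 2 relation are the standard IEC 61508 low-demand
figures; every component failure rate, test interval, trip PFD and beta
factor below is a constructed assumption.
"""

# IEC 61508 low-demand-mode bands as (SIL, lower PFDavg inclusive, upper exclusive).
# SIL 4 has no lower bound in the newsletter's table (">99.99%"), so 0.0 is used.
SIL_BANDS = (
    (4, 0.0, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
)


def sil_for_pfd(pfd_avg):
    """SIL band a loop with this PFDavg falls into; 0 if it achieves no SIL."""
    for sil, lower, upper in SIL_BANDS:
        if lower <= pfd_avg < upper:
            return sil
    return 0


def safety_availability(pfd_avg):
    """Safety availability as the SIL table quotes it: 1 - PFDavg."""
    return 1.0 - pfd_avg


def pfd_hardware(lambda_du_per_hour, proof_test_interval_hours):
    """First-order PFDavg of a single (1oo1) channel: lambda_DU * TI / 2.

    lambda_DU is the dangerous undetected failure rate; such a fault stays
    unrevealed for, on average, half the proof-test interval TI."""
    return lambda_du_per_hour * proof_test_interval_hours / 2.0


def loop_pfd(component_pfds):
    """Elements in series: the loop fails if any one element fails, so their
    PFDs add (first-order approximation, valid while each PFD is small)."""
    return sum(component_pfds)


# Constructed hardware figures for one alarm loop, annual proof test (8760 h).
SENSOR_PFD = pfd_hardware(1e-6, 8760)         # 4.38e-3
ANNUNCIATOR_PFD = pfd_hardware(2e-6, 8760)    # 8.76e-3
FINAL_ELEMENT_PFD = pfd_hardware(2e-6, 8760)  # 8.76e-3, the valve the operator closes


def alarm_layer_pfd(operator_pfd):
    """PFDavg of the whole alarm-plus-operator layer for a given operator PFD."""
    return loop_pfd([SENSOR_PFD, ANNUNCIATOR_PFD, operator_pfd, FINAL_ELEMENT_PFD])


def combined_layers_pfd(pfd_alarm, pfd_trip, beta):
    """PFDavg of an alarm layer backed by an automatic trip, beta-factor model.

    With beta = 0 the layers are independent and their PFDs multiply. A
    fraction beta of the trip's failures is assumed to be common-mode
    (shared power, wiring or logic with the annunciator) and defeats both
    layers at once, so it adds directly and sets a floor that the
    independent product can never get below."""
    independent = (1 - beta) * pfd_alarm * (1 - beta) * pfd_trip
    common_mode = beta * pfd_trip
    return independent + common_mode


if __name__ == "__main__":
    for operator_pfd in (1e-1, 1e-2):
        total = alarm_layer_pfd(operator_pfd)
        print(f"operator PFD {operator_pfd:.0e}: loop PFDavg {total:.3e}, "
              f"availability {safety_availability(total):.2%}, SIL {sil_for_pfd(total)}")
    # Expected: 1e-01 -> PFDavg 1.219e-01, SIL 0; 1e-02 -> PFDavg 3.190e-02, SIL 1

    trained_alarm = alarm_layer_pfd(1e-2)
    trip_pfd = 5e-3  # assumed PFDavg of a separate automatic trip (SIL 2 on its own)
    for beta in (0.0, 0.2):
        combined = combined_layers_pfd(trained_alarm, trip_pfd, beta)
        print(f"beta {beta:.1f}: combined PFDavg {combined:.3e}, "
              f"SIL band {sil_for_pfd(combined)}")
    # Expected: beta 0.0 -> 1.595e-04 (SIL 3 band); beta 0.2 -> 1.102e-03 (SIL 2 band)
```

With the operator at 1E-01 the loop's PFDavg is about 0.12 before any hardware is even counted, so no SIL is reached; with a trained operator at 1E-02 the same hardware lands at about 0.032, inside SIL1. In the second part, a common-mode fraction of 20% contributes 1E-03 on its own, roughly six times the independent product of the two layers, which is why the newsletter insists on keeping the annunciator and the automatic trip as separate layers.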
The purpose of a shutdown system is to detect dangerous conditions and automatically shut the plant down safely, saving lives and equipment.
The purpose of the annunciator is to initiate human intervention in response to a process condition.
Omniflex World First - Omni Series Annunciators Assessed by UK Nuclear Industry on Emphasis Program
Sellafield Ltd substantiates first SMART Annunciator in compliance with requirements of the UK NII.
The Omniflex Omni series alarm annunciator range is the first SMART annunciator to have been assessed under the EMPHASIS project to the satisfaction of the NII (Nuclear Installations Inspectorate) for use in SIL1 applications, and it is now used extensively throughout the UK nuclear industry. It has also been independently assessed for SIL1 applications by both TUV and Evaluation International.
A key component in nuclear safety systems is the alarm annunciator. Alarm annunciators are considered vital tools in modern safety systems because they provide an additional layer of protection in the safety strategy on the plant. Modern alarm annunciators such as the Omni series range are SMART instruments, and so the verification of these products to meet nuclear requirements is imperative.
After extensive research by the Control & Instrumentation Nuclear Industry Forum (CINIF), the EMPHASIS program was developed. Originally intended as a set of written guidelines, the EMPHASIS program soon evolved into a software tool that can be used for assessment of SMART instruments for the nuclear industry. EMPHASIS has been subjected to extensive validation, and has been adopted by the Nuclear Industry smart Instruments Working Group (NISIWG) comprising the major players from the UK Nuclear Industry. EMPHASIS is based upon a lifecycle approach as specified in IEC61508, and provides an evidence gathering tool in the form of a comprehensive set of questions covering all relevant aspects relating to the company and the product under review.
What is EMPHASIS and why was it needed?
The nuclear industry is aware that there are a growing number of ‘Smart’ instruments on the market and many claim to have certification to a Safety Integrity Level (e.g. SIL). However going back to the late 1990’s the regulators were becoming aware of the significance of software/firmware in these devices and the possibility, however small, of introducing ‘systematic’ failure of the device. The methods of dealing with random hardware failures had been well established, but systematic (designed in) flaws in the software are a real concern, especially when looking at consequences in nuclear installations.
Certification and assessment companies with competence in functional safety have been working with end users and vendors around the world and offer varying levels of assessment and ‘certification’. This has been very valuable to engineers and designers in having confidence in selection.
However there is no common framework for assessment for suitability of use of these devices in IEC 61508 applications and this can lead to confusion in interpretation of what is a ‘certified IEC 61508 device’: is it hardware assessment only? What about software? Are proven-in-use IEC 61511 arguments used? The situation is certainly improving and leading functional safety certifying bodies are consolidating on the fundamental requirements ‘to meet certification to a SIL’, but still the expertise and process they use is proprietary and not transparent to the nuclear industry.
For manufacturers themselves, there is a real challenge of risk and reward to consider when engaging with the nuclear industry on such a rigorous assessment program. The purchase order in real terms may be ‘small’ but the time and money to undertake an assessment has been onerous. In addition, what if something unpleasant is found in the process or product during the assessment?
EMPHASIS aims to reduce some of these problems.
The assessment tool itself was part of a long and intensive research and development project undertaken by the UK Control & Instrumentation Nuclear Industry Forum (CINIF), which included nuclear licensees and oversight by the Nuclear Installations Inspectorate.
The Omni Series Annunciator Range Overview
Omni8 Micro
The Omni8 Micro is the smallest alarm annunciator available: a fully self-contained panel-mount alarm annunciator with integrated power supply, control push-buttons and audible device, ideal for Motor Control Centres and space-restricted applications. Connect power and up to eight dry-contact inputs for full alarm annunciator capability; nothing else is needed.
Omni8 C
The Omni8C annunciator offers full industrial-strength, reliable alarm annunciation in a small compact package. It is half the width of the Omni16C, i.e. 4 rows by 2 columns of alarm windows.
Omni8P
The Omni8P annunciator offers a full-width, Omni16-size unit of 2 rows by 4 columns of alarm windows, with integral pushbuttons and audible device, in a compact package.
Omni16C
The Omni16C is the latest upgrade in the series of field-proven popular Omni16 alarm annunciators. Completely redesigned to take advantage of the latest technologies, this latest release offers backlit LED displays, and serial communications.
Omni30
The Omni30 annunciator series is designed as replacement for the RIS UC30 series products. Based upon the field-proven Omni series technology, this product range provides state-of-the-art annunciation to fit existing installations.
Remote Logic Series
The Omni16 series also provides split-unit solutions with the display and logic separated from one another, ideal for panel work where the displays are door-mounted and the logic units are mounted at the rear of the panel with the I/O marshalling.
- Remote Logic Units 8 or 16 Points
- Remote Display Units 8 or 16 Points
OmniX Remote Display Solutions
The Omni-X Remote Displays provide from 8 to 124 points of annunciator display in a stand-alone panel-mount package. Use them with remote alarm annunciator logic such as the Omni16C RLU series for your safety-critical alarms, or connect them to your PLC or SCADA computer for a simple, operator-friendly display of essential alarm information.
Available with dual incandescent lamps or ultra-reliable solid-state LED backlighting, these displays provide panel indication where no integral alarm-handling logic is required. Common-positive and common-negative switching options are catered for. These displays provide an ideal low-cost alternative to individual panel indication.
Optional Pushbutton Station and audible device can be installed to drive alarm logic (Silence, Acknowledge, Reset, Test buttons). These occupy the bottom right window position if installed.
Legacy System Replacements
Omniflex provides design and integration services for legacy annunciator replacements. Consult your local agent or representative for advice.
- Robinson Systems
- RIS UC Series
- Highland MPAS90
- Your Legacy Annunciator System!
The Omni Annunciator Series Summary
- Wide range of Flexible Options
- SCADA, DCS, and PLC compatible
- Certified to IEC61508 for safety related alarms
- Field-proven - 35 years of experience
- No software programming required
- Modbus Communications
- High reliability redundant display illumination
Last Month:
Last month we talked about several important topics including:
- Using Alarm Annunciators in IEC61508 SIL rated Safety Systems
- Omniflex World First - Omni Series Annunciators Assessed by UK Nuclear Industry on Emphasis Program
- The Omni Series Annunciator Range Overview
If you missed these or other key discussions, you can find the back issues on the newsletters page of our website:
This publication may be freely redistributed if copied in its ENTIRETY. Portions
of this newsletter may be reprinted with permission.
(c) Copyright 2003 OMNIFLEX PTY LTD