Safety Wireless Equipment

Status
Not open for further replies.

majesus

Electrical
Aug 16, 2007
262
When you have an emergency/safety system using a safety PLC and remote safety I/O via a wireless link, does the wireless equipment itself have to be rated as a "safety" device?

I'm curious about how the fail-safe is established.

I.e., the safety PLC talks to the safety I/O to maintain the fail-safe link, and the wireless equipment is irrelevant as it is just a means to transport the communication link.


 

I would assume that the wireless link must be continuously monitored so a loss of link results in an "open contact", or the alarm condition.

Keith Cress
Flamin Systems, Inc.-
 
I see, so the answer is no, it doesn't have to be rated as a safety device, provided that the communication link between the safety PLC and the safety I/O can be monitored so a loss of communication between the two results in an alarm condition.
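
As an added illustration (not part of the thread, and not any vendor's or standard's protocol): a sketch of the arrangement discussed in the posts above, where the safety PLC and the safety I/O monitor the link end to end and the radio is only transport. The key, frame layout, `WATCHDOG_S` value and all names are assumptions made for the example; an HMAC is used so that forged frames are rejected as well as corrupted ones.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed value, shared by PLC and I/O station
WATCHDOG_S = 0.5               # assumed maximum gap between valid frames
TAG_LEN = 32                   # HMAC-SHA256 output length


def make_frame(seq: int, run_permitted: bool, key: bytes = KEY) -> bytes:
    """Safety PLC side: sequence number + command, authenticated end to end."""
    body = struct.pack(">IB", seq, 1 if run_permitted else 0)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class SafetyOutput:
    """Remote safety I/O side: energized only while fresh, valid frames arrive."""

    def __init__(self, key: bytes = KEY, watchdog_s: float = WATCHDOG_S):
        self.key, self.watchdog_s = key, watchdog_s
        self.last_seq = -1
        self.last_valid = None  # time of the last accepted frame
        self.commanded = False

    def receive(self, frame: bytes, now: float) -> bool:
        """Return True if accepted. Rejected frames never refresh the watchdog."""
        if len(frame) != 5 + TAG_LEN:
            return False
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # corrupted in transit or forged
        seq, cmd = struct.unpack(">IB", body)
        if seq <= self.last_seq:
            return False  # replayed, duplicated or reordered
        self.last_seq, self.last_valid, self.commanded = seq, now, (cmd == 1)
        return True

    def energized(self, now: float) -> bool:
        """Fail-safe decision: any doubt de-energizes (the "open contact")."""
        if self.last_valid is None or now - self.last_valid > self.watchdog_s:
            return False
        return self.commanded
```

The radio never appears in the logic: whatever it drops, delays, repeats or alters shows up at the I/O station as a missing or rejected frame, and the output falls to its safe state once the watchdog expires.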
 
Wireless would be part of the risk assessment as would any other part. Do the vendors even have failure mode data and stats?

Some people are beginning to look at wireless, as evident from the statements on HART protocol's web site:

SAFETY INSTRUMENTED SYSTEMS
During the past couple of years, process industry safety standard IEC 61511/ANSI/ISA 84.0.1 and its related safety instrumented systems (SIS) have been grabbing more and more headlines. At the same time, ever-increasing energy demands are forcing companies like Giganto Refining to seek ways to extend the interval between planned maintenance shutdowns (outages) while remaining OSHA regulation-compliant.

While examining what will be required to extend the interval between planned outages, one of the problems Giganto engineers have identified is the safety criteria used to design its SISs. Unless Giganto’s engineers can find a way to extend the interval between when the SIS is fully proof-tested – a complex test that requires the process to be shut down – it will not be possible to extend the interval between planned outages.

Consistent with good engineering practices, Giganto uses hardwired instruments as SIS inputs. To facilitate commissioning and calibration efforts, HART instruments have been purchased and installed. Though Giganto’s engineers are aware of the process and device diagnostics available in HART devices, efforts to collect and analyze the information have yet to be undertaken.

Now, with an urgency to extend the interval between full proof-testing, Giganto’s engineers are taking a hard look at HART information, especially clause 3 of the IEC 61511 standard.

Clause 3 defines, among other things, the safe failure fraction (SFF): the fraction of safe failures and dangerous detected failures in relation to the total failures. After consulting with safety system consultants, Giganto’s engineers are convinced that by adding asset management software and WirelessHART™ adapters to its existing SIS HART devices, they will be able to use the HART process and device diagnostics to improve the system’s SFF and thereby extend the time between full proof-testing.

What makes the WirelessHART™ adapters especially attractive is that each can be added anywhere along the transmitter wires, and the new devices do not introduce any common-cause faults.

To minimize the possibility that the HART configuration variables of the safety system transmitters might be inadvertently changed via a handheld communicator, Giganto engineers will place each safety system transmitter in a double-locked instrument enclosure and place one key under the control of the maintenance shop foreman and the second under that of the operations supervisor.

Through the use of WirelessHART™ asset management software and some clever physical transmitter configuration security plans, Giganto Refining will be able to improve the SFF of its safety systems, thereby extending the interval between full proof-testing and, in turn, extending the interval between planned maintenance shutdowns (outages), all while remaining OSHA regulation- and IEC 61511- conformant.


Then again, here are some of the comments from people attending an SIS seminar:

Safety Systems Roundtable Raises as Many Questions as Answers
Almost forty people, the vast majority end users in the chemical and refining industries, from companies like Shell, Chevron, ChevronPhillips, Lyondell and others gathered for a roundtable discussion on safety instrumented systems (SIS) today at the Triconex track of the Invensys Process Systems Customer Conference this week.

As each previously contributed question was displayed on the screen, the end users took turns trying to answer them. One of the questions that kept coming back in several iterations was about competency. How do you define competency, how do you define who is a "competent person" and a "senior competent person" as called for in IEC standard 61511 and ANSI/ISA84.00.01-2004?

"We're sending our people through the Tricon course, does that qualify?" was the query from one participant. "Then we validate them through test procedures we have in place, because we have two people dedicated to SIS," she concluded.

"Our hourly people have to pass safety systems training," another participant began, "but one person will do a job differently than another. With a step-by-step instruction set you don't have variation. Competence is important, and so is consistency," he said.

Another participant noted that TUV certifies competence. "Yes," argued another, "but if they're certified but they can't size an orifice, then what?" Yet another participant pointed out that more and more countries are going for certification, while another commented, "the competency programs out there aren't looking at the instrument engineer part of the equation."

"I'm not sure training is the only way," began another participant. "We've had 'trained' people with five years' experience force a global point instead of a local point and shut the whole unit down. Then there's that 'pucker factor' if you've been trained but nothing's gone wrong for years, and then alarms start to sound. What do you do?"

Most of the participants appeared to be considerably more conservative in their outlook than many SIS vendors would like. "I understand the failure modes of a solenoid valve," said one participant from a major refinery, "and I don't understand the failure modes of smart positioners. I'm not satisfied that smart positioners don't have issues that need working out."

"We're planning to," was the response to the question of who is using analog outputs with smart positioners. "Are you people really comfortable with the failure modes on smart positioners?" argued another participant. "I keep trying," he went on, "to get vendors to give me data, but they give me lots of numbers and no failure data."

"Safety fieldbus won't get us any advantage I can see," added one engineer. "Diagnostics are available from HART and we've all got that, so why do it?"

But on the other hand, many of the participants shared their reluctance to use digital communications buses like HART, Modbus, TCP, and OPC communications to perform SIS functions—from bypasses to even closed loop control. "You can use HART to initiate partial stroke testing," one engineer bravely began, but he was nearly shouted down by people who said that HART was too slow, and not safe enough.

The discussion was passionate, lively, informed, and showed the level of detailed thought, planning and engineering necessary to implement the SIS standards. This is not "plug and play."

Note that wireless appears to not even be on the table at the Triconex talks, just the use of digital comm protocols.
 
It would be if I were inspecting your system.
 
An interesting use of wireless I have seen in Canada is railroad shunting (switching): the driverless locomotive is operated from the ground by joystick. This wireless link must be very secure, otherwise there would be some monumental pile-ups.
 